Why So Many Breaches in Trinidad and Tobago?

People continue to ask why there are so many data breaches happening in Trinidad and Tobago. I’m not someone who would call himself a security expert by any stretch, but it’s an intriguing enough question that I decided to look into it.

Commonalities in Website Technology?

First, I checked the websites of those that had been breached, which might reveal some commonalities. Bear in mind, it’s possible that the websites weren’t how the information was accessed.

TSTT, which had the most noteworthy breach, runs Wix – which was quite a surprise if only because of the vendor lock-in associated with it. I was expecting a more commonly used content management system but instead, Wix.

The Office of the Attorney General’s website, attacked earlier this year and probably the second most important breach overall since it paralyzed the Judiciary, is using WordPress. It is also not the first time: a teen was charged in 2007 for hacking into the Attorney General’s Office.

MassyStorestt.com also runs WordPress, but is substantially behind in upgrades. Pricesmart.com runs mostly BloomReach and a bit of Drupal. Their breach was reported yesterday.

It’s apparent that this isn’t an issue of one common platform being compromised. Yet there is a hint here: MassyStoresTT.com is substantially behind on WordPress updates.

Maintenance.

When I was heavily into developing CMS websites, I tried doing that locally in Trinidad and Tobago and found that people thought they could just buy a website and it would simply be done and they could go about their business without maintenance contracts. It simply doesn’t work that way.

Maybe even after years, that hasn’t changed. Maybe these websites aren’t being maintained and kept up to date with technology, which includes patching for exploits that allow their data to be breached or otherwise attacked. Maybe.
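As an added illustration of the maintenance point (example code written for this post, not anything the author or the sites named above use): a small Python audit that reads the installed WordPress core and plugin versions straight from the install directory and reports what is behind a baseline. The baseline versions and the sample site it builds are constructed placeholders for the demonstration, not real release data.

```python
import os, re, tempfile

# Constructed baseline of "current" versions for this example only; a real audit would
# fetch them from the WordPress.org update API (skipped here so the script runs offline).
BASELINE = {"core": "4.9.8", "plugins": {"sample-forms": "2.1.0", "sample-seo": "1.4.0"}}

def parse_version(text):
    """'4.7.2' -> (4, 7, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def core_version(wp_root):
    """Read $wp_version from wp-includes/version.php, where WordPress records it."""
    with open(os.path.join(wp_root, "wp-includes", "version.php"), encoding="utf-8") as fh:
        match = re.search(r"\$wp_version\s*=\s*'([^']+)'", fh.read())
    return match.group(1) if match else "0"  # unreadable: treat as hopelessly behind

def plugin_versions(wp_root):
    """Collect the 'Version:' header from each plugin's main file (plugins/<slug>/<slug>.php)."""
    found = {}
    plugins_dir = os.path.join(wp_root, "wp-content", "plugins")
    for slug in sorted(os.listdir(plugins_dir)):
        main_file = os.path.join(plugins_dir, slug, slug + ".php")
        if os.path.isfile(main_file):
            with open(main_file, encoding="utf-8") as fh:
                match = re.search(r"^\s*\*?\s*Version:\s*(\S+)", fh.read(), re.MULTILINE)
            if match:
                found[slug] = match.group(1)
    return found

def audit(wp_root, baseline=BASELINE):
    """Return one finding per component behind the baseline; an empty list means up to date."""
    findings = []
    core = core_version(wp_root)
    if parse_version(core) < parse_version(baseline["core"]):
        findings.append(f"core {core} < {baseline['core']}")
    for slug, ver in plugin_versions(wp_root).items():
        latest = baseline["plugins"].get(slug)
        if latest and parse_version(ver) < parse_version(latest):
            findings.append(f"plugin {slug} {ver} < {latest}")
    return findings

def build_sample_site():
    """Constructed stand-in for a neglected install: old core, one stale plugin, one current."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-includes"))
    with open(os.path.join(root, "wp-includes", "version.php"), "w") as fh:
        fh.write("<?php\n$wp_version = '4.7.2';\n")
    for slug, ver in (("sample-forms", "1.9.3"), ("sample-seo", "1.4.0")):
        os.makedirs(os.path.join(root, "wp-content", "plugins", slug))
        with open(os.path.join(root, "wp-content", "plugins", slug, slug + ".php"), "w") as fh:
            fh.write(f"<?php\n/*\nPlugin Name: {slug}\nVersion: {ver}\n*/\n")
    return root
```

Running `audit(build_sample_site())` on the constructed site reports the old core and the stale plugin and says nothing about the current one; point `audit()` at a real document root to check a site you are responsible for.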

Personally, with my experience in dealing with local companies and government offices, I don’t see them treating maintenance as a priority. In fact, I didn’t do business with companies in Trinidad and Tobago for that same reason because… I didn’t want my name associated with poorly maintained sites.

Is this the only conclusion? Definitely not.

Who Has Access Anyway?

Everyone talks about the breaches, but the public always assumes that the people with access to the information had a reason to access the information. In the TSTT data breach, scanned copies of people’s identification were found and I have to wonder what TSTT’s information policy is. Who needs access to that level of information, and why?

I’d be surprised if it were available through the website because that would be just asking for trouble.

Assuming they themselves can be trusted with your personal information, there’s social engineering, which the video below explains.

We forget at times that the people with access to information are themselves open to attack as a way to get to something bigger. Maybe the computer systems they use to access the data are compromised; maybe they themselves have been compromised.

Conclusions

Again, I’m no security expert. Some of the information available from these breaches and the way attacks happened on some websites was clearly associated with the websites themselves. TSTT’s data breach seems different in that regard because no sane company would have that information accessible through their website.

Altogether, it seems like a lack of maintenance for most of these breaches – and maybe there were deeper issues with all of them, but in particular the TSTT data breach.

What is most disturbing is that these are the breaches we’re worried about, which could be a fraction of the number of breaches that actually happened. We only found out about the announced breaches because either someone showed evidence or the breach created an issue that impacted products and services.

The insidious breaches, the ones where people simply mine the information and don’t get caught or brag, we don’t know about. That’s what concerns me most.

We should be worried.

Running The Biostar Racing P1

I had a problem. In my apartment here in South Oropouche, I had the need for a sort of media PC in the living room.

Sometimes I want to kick back and write on my old Chromebook while watching Netflix or a streaming news/space service on YouTube. Sometimes I want to write from my dining table – really, a patio table I have indoors because I like it. Sometimes, I want to listen to music while I’m working out in the living room. Sometimes, I want to have multimedia ability in the living room when I have visitors who aren’t in the bedroom (can I write that publicly?).

I’m in Trinidad and Tobago, so options are limited as far as what I can find locally. When I visited Pricesmart, I saw a Lenovo ‘Yoga Pad’ I almost got until I tried the keyboard (ugh!) and thought through what I actually wanted. They had a Haier Mini-PC that looked promising, but there were no boxes and a web search on my phone only showed a link to The Wizz whose site was down for maintenance.

I visited an Apple reseller and stared at the old and somewhat disappointing specs of the Apple Mini, which has become the one thing that Apple doesn’t seem to want to advance. And for the cost? Oh, Apple, your systems are so pretty, and OS-X is nice, but my word, your prices suck. Apple lovers, sorry, I see how you like spending your money but I can buy a lot of beer with the difference in price.

So I ended up at The Wizz in San Fernando, mainly to chase down the Haier and see what it looked like outside of a Pricesmart display that managed to tell everyone nothing. A gentleman helped me out, and dutifully trotted out the competition. That competition included the Biostar Racing P1, which I ended up with, as well as its little sibling, an Android version.

I’ll commend The Wizz here – over the years, on the rare occasions when I visited them, they have always been good – even over a decade ago when they were in some ways competition (I had a brief flirtation with wholesaling with one of their competitors). This was, hands down, my best experience with them. I picked up a keyboard, mouse and modest monitor for the system.

I got home. That’s when the troubles began.

Setting Up The Biostar Racing P1.

The box says that it’s Windows 10 compatible – and I mistakenly thought it actually came with Windows 10 on it. No such luck. Instead, it came with a CD for a system that – oh, this has got to take the cake – doesn’t have an optical drive. In fact, it’s so small, an optical drive couldn’t fit in it. So why on Earth would Biostar do this?

The documentation that comes with the system, a folded sheet of color printing, looks informative at a glance until you try to use it – they believe you know more than you do – and it’s actually not much better than their FAQ on installing Windows 10 on the Biostar Racing P1, dancing between informative and ‘WTF?’. It was then that I realized that my other systems also lacked optical drives – who uses those anymore? So here I have a CD with no way to use it and cagey documentation on how to use the CD.

So I went with Linux. Lubuntu, Kubuntu – I went through quite a few distros in the course of an hour, using Rufus as noted in the FAQ, and every time there was no love for the AP6255 Wifi on the system. Oh, and the sound didn’t work. Three hours in, I found myself scanning through kernel logs and considering hacking through all of it when I realized:

(1) I’m tired.
(2) I did not buy the machine to be a project, I bought it to be an appliance.
(3) I wasn’t committed to any course of action, I was committed to getting the results I wanted.

As it happened, a helpful cousin lent me a portable optical drive – so I (mistakenly) thought I’d install Windows from it. No joy – there is no Windows on that CD, I found, only drivers (not for Linux). At that point I realized I actually had to install Windows – I was tired – so I went to Microsoft and downloaded the ISO for Rufus to install via USB – that download took all night. I attempted to purchase a Windows 10 License, having figured out that it was necessary, but Microsoft gave me no joy. Amazon.com did. I punched in the product key during the installation on the Biostar Racing P1, and after an hour or so I used the borrowed optical drive to install the drivers.

It works, but honestly, this was annoying for me. Sure, I could have hacked through, sure, I could have done other things, but the documentation sucks and is a little misleading in my opinion. So, what do you need to know?

It’s a pain to get running, largely because no OS is pre-installed (to keep the price down, probably) and because the drivers come on a CD that the machine itself has no way to read. You quite literally need another working machine to set the Biostar Racing P1 up, and if you don’t have an optical drive, you’ll have to navigate to Biostar to download the drivers, put them on a USB key, and hope you manage that without problems.

Now, using it once it’s all set up with Windows 10? Not bad. In fact, I wrote this entire entry using the system. Do I like it? Now that the annoyance of setting it up has passed, yes.

Would I suggest buying it for the casual user? Not unless you have a portable optical drive and access to a Windows 10 ISO as well as a license. The lack of those two things is infuriating. It could easily be resolved by Biostar if they chose to install the OS at the factory – and honestly, they could toss a Linux distro on it themselves and save everyone some heartache. And money.