IEEE Cipher --- Items from security-related news (E169)
  • Drew Dean, August 23, 2022

    Summary:
    We note with sadness the sudden passing of Drew Dean, a researcher who contributed greatly to our field. His friends and colleagues are now preparing tributes to him, but they are not yet available. The computer security research community is over 50 years old, and it has lost enough notable people to warrant a community memorial page, where Drew will be remembered.


  • The Government that Cried TikTok
    It's Time to Get Real About TikTok's Risks
    US lawmakers keep warning about the popular app. But until they can explain what makes it uniquely dangerous, it's difficult to tailor a resolution.
    Publisher: WIRED
    Date: Sep 6, 2022
    By: Lily Hay Newman

    Summary:
    Over a hundred million Americans have signed up for TikTok accounts. The company is owned by the Chinese tech giant Bytedance, and that has given US regulators pause. However, the exact dangers of the app remain unknown, despite being talking points in the US midterm elections. This vagueness has not stopped the current administration from planning to double down on the current bans against its use on military devices and for some agencies, such as TSA. An upcoming executive order is said to address TikTok and the ability of China to collect data on Americans. This might interfere with US investment in China.

    The relationship between TikTok and Bytedance is structured to protect the data of US users, at least on paper. TikTok is a US company, subject to US data privacy laws. Can Bytedance engineers access TikTok user data? Perhaps. Do they? If they do, they would purportedly have to make a request to TikTok, and TikTok would have to keep a record of that. TikTok says that no requests have been made. Is that good enough? Meta's notoriously porous controls over Facebook data are a poor example, but perhaps not all social media companies should be tarred with the same brush.

    Why is TikTok, among all social media apps, seen as such a looming danger? Even if its data were being harvested by the Chinese government, it seems unlikely to yield any more information than is available already on the "dark web". Perhaps there is some concern about having foreign agents conduct focused disinformation campaigns leading up to the next US general election. Whatever the concern, the US citizen remains in the dark.


  • Gimme My Bitcoin Back
    US seizes $30 million in stolen cryptocurrency from North Korean hackers
    Publisher: CNN
    Date: September 8, 2022
    By: Sean Lyngaas

    Summary:
    North Koreans are alleged to have stolen lots of money from the Vietnamese gaming company Sky Mavis. The $30 million seized is a nice chunk of change, and it makes a feel-good headline about stopping international cryptocurrency thefts. But the flip side of the news is: "... the seizures still only account for a sliver of the billions of dollars made through cybercrime annually. Cybercriminals received more than $1.2 billion in ransom payments in 2020 and 2021 combined, according to Chainalysis." But wait a minute! The article also mentions that Sky Mavis lost $600 million. So that single Vietnamese company's loss accounted for 50% of all cybertheft last year?

    In any case, the "recovered" money is said to be "frozen" at a cryptocurrency "mixer". Increasingly, the FBI targets these services in order to make it harder for hackers to get their stolen cryptocurrency secured with the cloak of anonymity.


  • Nigeria Struggles With Cybersecurity
    The Deep Roots of Nigeria's Cybersecurity Problem
    Despite having one of the strongest data-protection policies in Africa, the country's enforcement and disclosure practices remain dangerously broken.
    Publisher: Wired
    Date: Sep 19, 2022
    By: Olatunji Olaigbe

    Summary:
    The good news is that Nigeria has a state health agency that uses AWS services to manage data on 37K of its clients. The bad news is that all their personal data was unsecured online from April to late July of this year. This situation is "typical of widespread cybersecurity issues in Nigeria, where regulations are ineffective, bad practices run rampant, and public disclosures of security breaches are often slow and insufficient." Security awareness remains low, despite the guidelines established by their National Information Technology Development Agency (NITDA). Good news: they have such an agency. Bad news: no one pays any attention to it.


  • The Horror of Tar File Unpacking
    Tarfile: Exploiting the World With a 15-Year-Old Vulnerability
    Publisher: Trellix
    Date: September 21, 2022
    By: Kasimir Schulz

    Summary:
    If you want to move a group of files and their directory structure to a new environment, and you want to package all those files into one file for transfer, "tar" is a time-honored format for doing that. It is as common as mud, a workhorse of portability. Yet, with great power comes great responsibility. Unpacking a tar file can spray files anywhere, and the "untar" function has to be used with caution, lest it overwrite things that are important. Code for creating and unpacking tar files has been part of Python's standard library for some time, but the library function has no safeguards to keep extraction confined to a single part of the file system. Technically, this is not a bug; it is just a failure to include handrails for a powerful function. However, researchers found that the tar function is used in many thousands of GitHub projects, and it is unlikely that all those uses are carefully confined, so the possibility of misuse is great. No known exploits have been reported.
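    The "handrails" the summary says the library lacks are straightforward to add by hand. The following is an added example, not code from the Trellix write-up or from the Python project: it audits every member of an archive before extraction, rejecting names that resolve outside the destination directory (a "../" prefix or an absolute path) and symbolic or hard links whose targets lie outside it, and refuses the whole archive if any member fails. The helper names (`unsafe_members`, `safe_extract`, `build_archive`, `demo`) and the in-memory archives they operate on are constructed for this illustration.

```python
import io
import os
import tarfile
import tempfile


def _within(base, path):
    """True if `path` resolves to a location inside directory `base`."""
    base = os.path.abspath(base)
    path = os.path.abspath(path)
    return os.path.commonpath([base, path]) == base


def unsafe_members(tar, dest):
    """Names of archive members that would write or link outside `dest`."""
    bad = []
    for m in tar.getmembers():
        target = os.path.join(dest, m.name)
        if not _within(dest, target):
            bad.append(m.name)  # "../x" or "/abs/x" escapes the destination
        elif m.issym() and not _within(dest, os.path.join(os.path.dirname(target), m.linkname)):
            bad.append(m.name)  # symlink whose target is outside the destination
        elif m.islnk() and not _within(dest, os.path.join(dest, m.linkname)):
            bad.append(m.name)  # hard link to a file outside the destination
    return bad


def safe_extract(tar, dest):
    """Refuse the whole archive if any member escapes; otherwise extract it."""
    bad = unsafe_members(tar, dest)
    if bad:
        raise ValueError(f"archive member(s) escape {dest!r}: {bad}")
    if hasattr(tarfile, "data_filter"):  # extraction filters exist in Python 3.12+ and backports
        tar.extractall(dest, filter="data")  # the stdlib filter rejects traversal as well
    else:
        tar.extractall(dest)


def build_archive(entries):
    """Constructed in-memory archive; entries are (name, bytes) or (name, ('sym'|'lnk', linkname))."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in entries:
            info = tarfile.TarInfo(name)
            if isinstance(payload, tuple):
                info.type = tarfile.SYMTYPE if payload[0] == "sym" else tarfile.LNKTYPE
                info.linkname = payload[1]
                tar.addfile(info)
            else:
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def demo():
    """Audit a constructed hostile archive, then extract a clean one."""
    hostile = build_archive([
        ("docs/readme.txt", b"hello\n"),
        ("../escape.txt", b"owned\n"),            # parent-directory traversal
        ("abs_link", ("sym", "/etc/passwd")),     # symlink pointing outside dest
        ("inner_link", ("sym", "docs/readme.txt")),  # symlink staying inside dest: fine
    ])
    clean = build_archive([("docs/readme.txt", b"hello\n")])
    result = {}
    with tempfile.TemporaryDirectory() as dest:
        with tarfile.open(fileobj=io.BytesIO(hostile)) as tar:
            result["unsafe"] = unsafe_members(tar, dest)
            try:
                safe_extract(tar, dest)
                result["hostile_extracted"] = True
            except ValueError:
                result["hostile_extracted"] = False
        with tarfile.open(fileobj=io.BytesIO(clean)) as tar:
            safe_extract(tar, dest)
        with open(os.path.join(dest, "docs", "readme.txt"), "rb") as f:
            result["clean_file"] = f.read()
    return result


if __name__ == "__main__":
    print(demo())
```

    The check is made against the destination as a whole, not member by member during extraction, so a single hostile entry means nothing is written at all. Newer Python releases added the `filter="data"` argument to `extractall`, which performs a comparable check inside the library; the manual audit above still documents what is being rejected and works on interpreters that predate the filter.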


  • More national good news/bad news re cyberprivacy
    Optus cyber-attack could involve customers dating back to 2017
    CEO says company has not yet confirmed how many people were affected by hack, but 9.8 million was 'worst case scenario'
    Publisher:
    Date: Sep 22, 2022
    By: Josh Taylor

    Summary:
    Optus is an Australian company that registers identity information about cellphone users. Brett Callow, a threat analyst, posted on Twitter that names and email addresses for 1.1 million Optus customers had been for sale online since 17 September. Bayer Rosmarin of Optus could not say whether that was true, but the total exposure could be as great as their total customer base of 9.8 million.