I’d be very surprised if can see any workouts from me on Strava today.
I’m just eyebrow raising for now… all speculative… Let’s say millions of people have their data Garmin data published. Home addresses, passwords, devices, Garmin Pay information (?)… they know what you did last summer. They know when you are sleeping. They even have activity trackers for kids. That’s a scary amount of information in the wrong hands. /tinfoilhat.
Your workout isn’t interesting. Neither is mine (no really, I didn’t upload one today). Millions of them together are.
Bigger picture: Reports of the Garmin production lines being shut. That’s big.
I work in health, and I can tell you that we really give a shit about cyber security and data privacy. But what we are seeing is a massive shift towards applications being cloud first, or even cloud only and a lot of these organisations are nowhere on cloud security, especially the smaller ones.
We insist on yearly independent penetration tests, and data security reviews and it’s a regular struggle to get enough information from companies to enable us to make an objective assessment.
I hope for Garmin that it doesn’t shit properly.
Ransomware could be really tricky, often Security Systems detect them to late,
it could be possible that the first ransomware attack is sleeping on old backups for a year ago or so,
that means you can restore backups, but ransomware is still there and change every third day little things in your network till the outbreak
As much as I like to dig into the data created in such situations I get some spare time free of charge for other activities.
Talking to my wife
Sitting in my garden enjoying the sunshine and birds flying around
Watching the grass growing
etc.
Life is still good, very good.
Here is what I wonder. How prepared are TrainerRoad and Strava for the same kind of attack? It literally only takes one person to make one big mistake or many people to make very small mistakes. With 20+ years in the security field in both offensive and defensive roles, I can tell you that the attackers will find a way and the less protected remote workforce is becoming the ticket. So many companies take this for granted but when it happens, the money they saved by not engaging qualified people to run a full scope security program is fully eclipsed by loss of revenue and confidence. Garmin likely has too large of a physical footprint to quickly become a relic but for companies who are in a market where others provide similar services, what does that loss of confidence mean for them?
I can tell you that some companies didn’t use intrusion systems before TJ Max got hacked because they thought the cost of a hack would be a million or two and it wasn’t worth the investment. After TJ Max’s $256+ million in damages, those companies changed their mind. And that was for premise systems that were well understood. Cloud sounds cool but most environments are a mess waiting for an attacker to provide their special brand of love.
Please be ready TrainerRoad and Strava. We really want you to be around for the long haul.
I can imagine the current lockdown and remote working is making this one a 1000 times hard to resolve. If they have no email or call system running I wonder if their internal email and calls are also down. Hopefully, they’re on something like o365 and can break out from the VPN but if that’s all on-premise as part of their wider architecture this could be a nightmare. How do you update the external comms teams and exec when you can’t email them or get on a VC. You can’t get to your email to find the contact of that vendor that could help something, you can’t get around a whiteboard or even do a VC call to try and work out the best options for fixes. If the VPN is down presumably no-one can work on the fixes remotely so has to go into the office etc
Am I the only one who finds it interesting that all the news that goes into more detail then Garmin is down is coming from tech web sites and not the sports web sites? So the people who have contacts with internal Garmin people aren’t trying to tell us more
Actually this should be possible. If you have a the .fit file just connect your head unit via usb and copy and paste it to the workouts folder on the unit.
IIRC there are two workout folders, one on the unit itself and one on SD card (if fitted) I believe it is the former but if not copy it to the other one.
what you wont get is a successful upload of the workout when completed
ahh right, so you can’t manually download a .fit file for a trainerroad workout before you have ridden it. but if you have previously you can, I believe.
so if you’ve done the workout before, and download the completed .fit file and copy to garmin as I have suggested would that give you the base workout to follow?
Easier and more efficient to not be sandboxed. Security always gets in the way and so gets ignored. Plus I’ve seen setups that are sandboxed in that you can’t talk between networks but there are computers that can talk to both. So once the computer that can talk to both gets compromised…
My own experience of ransomware attacks is not a pretty memory: (I was called in after an airport got savaged by one in 2019). A normal office user opens an email, clicks on a link and suddenly all of the many years of cutting corners on IT security & best practice and poor IT management and cost savings come home to roost when you lose everything, and i mean everything: all of your files and data and diagrams and spreadsheets and applications, all gone. In the airport’s case all of their backups were also encrypted because of a general cluelessness and total lack of advanced technical skills. Going over the wreckage it was a horror show of crapness at every level and it costs them millions to fix.
So my advice to corporations is to employ the best IT people & Defense in Depth!
Good luck Garmin. I hope you fix it soon because i have an unimpressive morning 5 mile run i need to upload.
Because the tech sites are basically just spinning rumors and speculation. They may end up being right, but it’s surprising how little factual information there is in most of those articles. It’s just each article copying each other and saying “someone else said something”. Even the oft-cited ZDNet article that said “employees were on Twitter saying virus things” didn’t link to any such tweets. Seems pretty basic they would have involve that, after all, they linked to someone saying ‘just plug it in’.
It makes complete and total sense for Garmin to not say anything specific at this point, especially if ransomware or such is involved. The service is down, and until they know the exact details and have resolved it, all it does is feed the cycle - one only needs to look at the Twitter hacks of last week to see that. What Garmin could be doing is issuing another Twitter update with a variant of “It’s gonna be a while”.
I expect I’ll be able to go old skool and download the tile-bagging routes I’ve recently created over USB for the time being, if they don’t sort it soon.
To be honest, I’ve found wireless route downloading to be such a pain anyway. Being forced to stop using it may be a blessing. GC just exists as a way to get stuff up/downloaded for me anyway. TP, TR and Strava should have everything.
The next level would be the ransomware people (if that’s what it is) managing to hold end-user devices hostage.
