The Truth is my newsletter on tech news and policy. This is an archive of the issues of week 47 of 2019.



The Truth: UK Banks Have a Black Friday, New EU Anti-Trust Probe Headed for Google, Russian Hackers (Again)

Monday, 2 December 2019

Good evening! Look at that, I’m back! After an extended week of holidays and some last minute NaNoWriMo shenanigans, I’m ready to serve again. So here we go, a fresh edition of The Truth, featuring the most important and most interesting tech news of the last few days.

A number of network security products from Fortinet have hardcoded crypto keys and use laughably weak encryption – if you can even call XORing traffic with a static key that. The vulnerabilities were discovered by German security firm SEC Consult. If you use the AntiSpam, AntiVirus or Web Filter features of FortiGate or FortiClient, you should upgrade these systems to their latest software version immediately. Remember that a hardcoded key is the same on every unit shipped, so recovering it once, from a single appliance or firmware image, exposes the traffic of all of them.
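To show why "XOR with a fixed key" deserves the scorn, here is an added example (mine, not Fortinet's code or SEC Consult's proof of concept). The key, the fixed header and the messages are constructed stand-ins; the page does not describe the real protocol format. It demonstrates the two classic breaks: one known plaintext gives back the whole key, and two ciphertexts under the same key cancel it out entirely.

```python
"""Why XOR with a hardcoded key is not encryption.

Added example for this newsletter, not Fortinet's code or SEC Consult's
proof of concept. The key, the header and the messages are constructed;
the real protocol format is not described on the page.
"""
from itertools import cycle

# Constructed stand-in for a key baked into the firmware of every unit.
HARDCODED_KEY = b"C0nst4ntK3y!"   # 12 bytes


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` with `key` repeated cyclically; the same call decrypts."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext attack: c = p ^ k, hence k = c ^ p.

    One captured message whose first `key_len` bytes are predictable (a fixed
    header, a version string) yields the complete repeating key.
    """
    if min(len(ciphertext), len(known_plaintext)) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def xor_ciphertexts(ct_a: bytes, ct_b: bytes) -> bytes:
    """Two messages under one key: (a ^ k) ^ (b ^ k) = a ^ b.

    Even without k, an eavesdropper learns where two plaintexts agree (zero
    bytes) and can crib-drag guessed words through the rest.
    """
    return bytes(x ^ y for x, y in zip(ct_a, ct_b))


def demo() -> dict:
    header = b"AV-UPDATE-REQ:"               # constructed fixed header (known plaintext)
    msg_a = header + b"serial=DEV000000001"  # constructed
    msg_b = header + b"serial=DEV000000002"  # constructed, differs in last byte only
    ct_a = xor_bytes(msg_a, HARDCODED_KEY)
    ct_b = xor_bytes(msg_b, HARDCODED_KEY)

    recovered = recover_key(ct_a, header, len(HARDCODED_KEY))
    diff = xor_ciphertexts(ct_a, ct_b)
    return {
        "key_recovered": recovered == HARDCODED_KEY,
        "decrypted_b": xor_bytes(ct_b, recovered),
        # a ^ b is zero wherever the two plaintexts agree
        "differing_positions": [i for i, v in enumerate(diff) if v],
    }


if __name__ == "__main__":
    print(demo())
```

Run it and `key_recovered` comes back true from a single captured message: fourteen bytes of predictable header are more than enough for a twelve-byte key, and every device sharing that key is then readable.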

That checkm8 exploit for iOS devices, the basis of the checkra1n jailbreak? Still works in iOS 13.2.3 it seems. No surprise there: checkm8 lives in the read-only boot ROM, so no iOS update can patch it; only newer hardware is immune.

According to The Register, Google warned 12,000 users of Gmail, YouTube and Google Drive between July and September “that they were being targeted by government-backed attackers”. These users were in 149 different countries – so pretty much everywhere around the world. If you’re now thinking that, clearly, the cyber wars are heating up, you’d be mistaken. At least according to Google, because “this was consistent with the same number of warnings sent during the same periods of 2017 and 2018.” Almost all of this was credential phishing via email. Google did single out a state-sponsored group known as Sandworm, though, “which in 2017 started deploying Android-based malware to the Google Play store and evolved over time to simply phishing and compromising legit devs before deploying malicious updates to previously trusted apps.” Apparently they are from Russia. It’s always the Russians.

The websites of the UK banks NatWest, Royal Bank of Scotland and Ulster Bank (all part of RBS Group) as well as the website of HSBC subsidiary First Direct all went down on Friday. On a payday. Amidst the second biggest shopping holiday of the year, right after Christmas. Kinda looks like they couldn’t handle everyone withdrawing all that money.

The EU is investigating Google for anti-trust violations again. Reuters reports: “The Commission has sent out questionnaires as part of a preliminary investigation into Google’s practices relating to Google’s collection and use of data. The preliminary investigation is ongoing. A document seen by Reuters shows the EU’s focus is on data related to local search services, online advertising, online ad targeting services, login services, web browsers and others.” Sounds like they are going after Google’s data hoard now. Note that this is still a competition probe, though, not GDPR enforcement; that is handled separately by the national data protection authorities.

The Spanish security company UC Global, which provided security at the Ecuadorian embassy in London between 2012 and 2018, is accused of having spied on Julian Assange. Assange is set to be interviewed via video link by a Spanish judge about this on 20 December at Westminster Magistrates' Court, The Register reports.

A court in the UK has decided that Cambridge-based video game developer Jagex (mostly known for the MMORPG RuneScape) was not allowed to fire its lead concept artist after the man “found a document on an office printer that stated a senior veep’s salary and mentioned it to colleagues”. In fact, the judge even pointed out that the vice president “could have been argued to have committed a technical breach of his own contract of employment by failing to mark the document in accordance with the Jagex information security system”. He he. Makes me smile.

When asked about his organisation’s sale of the .org registry to a private equity firm, the CEO and president of the nonprofit Internet Society (ISOC) says he didn’t see a need to consult the public beforehand. And who cares anyway? “If you look there is a relatively small number of people complaining. We may be overstating the feeling; most people haven’t noticed. Most people don’t care one way or another”, he said when asked by The Register about the deal. It sure looks like this deal isn’t going to be stopped. Least of all by a petition.

A company is shooting artificial meteors into space aboard a commercial rocket to create shooting stars during the opening ceremony for the 2020 Olympic Games in Tokyo. As if there wasn’t enough crap in orbit already. Christ…

The Truth: The Vatican is Under Attack (in Minecraft), US Trade War with France Heats Up, The FBI Discovers FaceApp

Tuesday, 3 December 2019

Yeah, I know. I’m a bit late today with this. Again. Spent most of the day launching a new podcast. Anyway, tech news …that’s what you’re here for! Let’s go!

It’s Patch Day for Android. Get your security fixes for December now!

Don’t expect this to make your Android device secure, though, as ZDNet is reporting on an as yet unfixed critical Android vulnerability its discoverers have named “StrandHogg” (it doesn’t have a CVE number right now). “The research team said the vulnerability can be used to trick users into granting intrusive permissions to malicious apps when they tap and interact with legitimate ones.” The vulnerability is being actively exploited in the wild; the researchers found 36 different apps in the Play Store exploiting it. “These were installed on users' devices as second-stage payloads. Users initially installed other malicious apps from the Play Store, which then downloaded the StrandHogg-infected apps for more intrusive attacks. StrandHogg is a bug in the OS component that handles multitasking – the mechanism that allows the Android operating system to run multiple processes at once and switch between them once an app goes in or out of the users' view. A malicious app installed on an Android smartphone can exploit the StrandHogg bug to trigger malicious code when the user starts another app – via a feature called task reparenting. Basically, a user taps on a legitimate app, but executes code from a malicious one.”
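The task-reparenting trick leaves a fingerprint in the malicious app’s manifest: an activity that declares a `taskAffinity` naming some other package (the victim) and asks for `allowTaskReparenting`, so Android moves it into the victim’s task when the victim comes to the foreground. Here is an added example (mine, not the researchers’ or ZDNet’s tooling) that scans a decoded `AndroidManifest.xml` for that pattern. The manifest it scans is constructed, and the check is a heuristic: legitimate apps occasionally set a foreign affinity, so hits are leads to review, not proof of malice.

```python
"""Heuristic scan of a decoded AndroidManifest.xml for task-hijacking candidates.

Added example for this newsletter, not Promon's or ZDNet's code. Input is the
text form of a manifest (as produced by decoding an APK); the sample manifest
below is constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name, default=None):
    """Read an android:-namespaced attribute."""
    return elem.get("{%s}%s" % (ANDROID_NS, name), default)


def find_task_hijack_candidates(manifest_xml: str) -> list:
    """Return activities whose task settings point at another app's task.

    An activity's affinity defaults to the <application> affinity, and that in
    turn to the package name. A foreign affinity combined with
    allowTaskReparenting="true" is the StrandHogg shape; a foreign affinity on
    its own is still worth a look.
    """
    root = ET.fromstring(manifest_xml)
    own_pkg = root.get("package", "")
    app = root.find("application")
    if app is None:
        return []
    app_affinity = _attr(app, "taskAffinity")
    app_reparent = _attr(app, "allowTaskReparenting", "false")
    hits = []
    for act in app.iter("activity"):
        affinity = _attr(act, "taskAffinity")
        if affinity is None:
            affinity = app_affinity if app_affinity is not None else own_pkg
        reparent = _attr(act, "allowTaskReparenting", app_reparent).lower() == "true"
        if affinity == "" or affinity == own_pkg:
            continue  # no affinity at all, or its own task: not the hijack pattern
        hits.append({
            "activity": _attr(act, "name"),
            "taskAffinity": affinity,
            "severity": "high" if reparent else "medium",
            "reason": ("foreign taskAffinity with allowTaskReparenting"
                       if reparent else "foreign taskAffinity (review)"),
        })
    return hits


# Constructed manifest: a "flashlight" app whose FakeLogin activity wants to
# ride along inside com.example.bank's task.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <application android:label="Flashlight">
    <activity android:name=".MainActivity" />
    <activity android:name=".FakeLogin"
              android:taskAffinity="com.example.bank"
              android:allowTaskReparenting="true" />
    <activity android:name=".Overlay"
              android:taskAffinity="com.example.bank" />
    <activity android:name=".Settings" android:taskAffinity="" />
  </application>
</manifest>
"""


def scan_sample() -> list:
    return find_task_hijack_candidates(SAMPLE_MANIFEST)


if __name__ == "__main__":
    for hit in scan_sample():
        print(hit)
```

Point it at the manifests of every third-party app you care about and you get a short list of activities to look at; `.Settings` above is deliberately not reported, because an empty affinity means the activity never shares a task with anyone.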

That sale of the .org registry by the nonprofit Internet Society to a private equity firm? It netted the ISOC $1.14 billion. Bloody hell. I own a few .org’s …I should ask for a cut!

There’s the China vs. US trade war and then there’s the US vs. France one. Because France is imposing a 3% tax on all digital sales and advertising revenue, the US is striking back now and imposing tariffs on goods imported to the USA from La France. The US Trade Representative (USTR) feels the US is unfairly targeted by these online revenue taxes which are being discussed, and implemented, all over Europe.

British startup Den Automation (sounds more Dutch, but what the hell) wanted to reinvent the light switch. Now they’ve gone bankrupt. It turns out, it seems, the light switch is quite OK as it is. “Den Automation was founded in 2014 by Yasser Khattak, a 17-year-old wunderkind from Maidstone, Kent, who came up with the idea for the business while studying for his A Levels. Khattak subsequently dropped out to focus on the business full time. The concept behind Den Automation was simple. It built smart light switches and wall sockets that were visually indistinguishable from their dumb equivalents and could be installed by a layman, rather than a trained electrician. The concept took flight, attracting investors across seven equity crowdfunding rounds, the most recent of which concluded on 15 February 2019. It also steadily accrued media interest, culminating in an appearance on Channel 5’s cult Gadget Show programme. Unfortunately, Den Automation struggled to convert that enthusiasm into a sustainable, cashflow-positive business.” No shit. It’s hard to imagine how one could actually improve the light switch, if you think about it. Especially since “smart” mostly means “insecure spyware” these days.

Lots of companies have all kinds of sensitive shit sitting in unprotected S3 buckets. If you administer S3 buckets, you might want to check them with Amazon’s new Access Analyzer for S3. Says The Register: “Customers can enable Access Analyzer via a new option in the console for IAM (Identity and Access Management). The tool will then alert you when a bucket (an area of storage in S3) is configured to allow public access or access to other AWS accounts. The implication of the tool, of course, is that this is sometimes done accidentally via misconfigured policies or access control lists (ACLs). A new single-click option will block public access – hopefully letting you avoid unauthorised use of the data before it is too late. The tool will also let you see which policy or ACL allows the access so that you know what to fix.”
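For a feel of what “public” and “access to other AWS accounts” mean at the policy level, here is an added example (mine, not AWS’s implementation; Access Analyzer reasons over the full policy language, this is a deliberately simple heuristic). It sorts the statements of a bucket policy into public, public-but-conditional and cross-account grants and shows the “block public access” settings that the single-click option turns on. The policy, account IDs and VPC endpoint ID are constructed.

```python
"""Classify an S3 bucket policy into public / cross-account / own-account grants.

Added example for this newsletter, not AWS's Access Analyzer. Deliberately
simple heuristic for the common statement shapes. The policy, account IDs and
VPC endpoint ID are constructed.
"""
import json
import re

OWN_ACCOUNT = "111111111111"  # constructed

# The "single click" fix from the article, expressed as the S3 PublicAccessBlock
# configuration with all four guards enabled.
BLOCK_PUBLIC_ACCESS = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principals(stmt):
    """Flatten Principal ("*", {"AWS": "..."} or lists) into plain strings."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    out = []
    if isinstance(p, dict):
        for v in p.values():
            out.extend(_as_list(v))
    return out


def _account_of(principal: str):
    """12-digit account id from a bare id or an arn:aws:iam::<acct>:... ARN."""
    if re.fullmatch(r"\d{12}", principal):
        return principal
    parts = principal.split(":")
    if len(parts) >= 6 and parts[0] == "arn" and parts[2] == "iam":
        return parts[4]
    return None  # service principals, canonical users etc.


def classify_policy(policy, own_account: str = OWN_ACCOUNT) -> dict:
    """Return statement Sids grouped by what they expose.

    public:             Allow to "*" with no Condition.
    public_conditional: Allow to "*" gated by a Condition (check whether the
                        condition really narrows the caller).
    cross_account:      Allow to an AWS principal in another account.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    result = {"public": [], "public_conditional": [], "cross_account": []}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        sid = stmt.get("Sid", "<no Sid>")
        for principal in _principals(stmt):
            if principal == "*":
                key = "public_conditional" if "Condition" in stmt else "public"
                result[key].append(sid)
            else:
                acct = _account_of(principal)
                if acct is not None and acct != own_account:
                    result["cross_account"].append(sid)
    return result


# Constructed policy mixing the cases above.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Sid": "PartnerAccount", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
        {"Sid": "OwnRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/app"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

if __name__ == "__main__":
    print(classify_policy(SAMPLE_POLICY))
```

The `PublicRead` statement is what keeps making headlines; `VpcOnly` is the kind of finding you have to read, since a condition on a VPC endpoint really does keep the bucket private while a condition on, say, a `Referer` header does not.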

Months after everyone on Twitter was issuing worried hot takes about Russian selfie software FaceApp, the Feds have finally also cottoned on to this idea. Apparently “the FBI considers any mobile application or similar product developed in Russia, such as FaceApp, to be a potential counterintelligence threat”. Well, thanks for sharing your opinion, comrade.

God help us! The Vatican’s Minecraft server is under DDoS attack! No, I’m not making this up. Luckily, Padre Robert Ballecer, the self-proclaimed “digital Jesuit”, is on the case. “There’s currently no time frame for getting everything straightened out but they’re working on it, and Ballecer said the test server will become the whitelist server once everything is switched over.” Yes, that guy really has set up a Minecraft server for the Pontifex. “In September Father Robert Ballecer, a former tech blogger and host of This Week in Tech as well as a Catholic priest, asked his 23,000 Twitter followers which game he should spin up a few servers for in the Vatican. Given the options of Minecraft, Rust, Ark, and Team Fortress 2, 64% of them voted for the classic crafting game. And that’s why the Vatican now has its own Minecraft server.” Man, I would’ve loved to see a Rust server. Preferably a legacy version where everyone starts naked. But joking aside, do we think it’s a good idea these Vatican assholes are luring in a bunch of kids with a Minecraft server? Isn’t that cyber-grooming?

The Truth: NASA Finds Crashed Indian Moon Lander, Page and Brin Quit Alphabet, Firefox 71 Brings Built-In VPN

Welcome to The Truth for Wednesday, 4 December 2019. I’m changing up the layout of the newsletter a bit to make it more readable. I hope you like it. If you have any feedback about this, simply reply to this email and tell me about it. But let’s get into the tech news, shall we?

Google founders Larry Page and Sergey Brin have left Google’s parent company Alphabet. Google CEO Sundar Pichai now also becomes CEO of Alphabet.

NASA has found and photographed the remains of the Indian landing craft Vikram on the moon. Vikram, part of the Chandrayaan-2 mission, had crashed on the moon on 6 September following a problem with its software.

Russia has blocked the stock photo website Shutterstock because it includes a picture of a small Russian flag in a piece of dog poo. “Russia’s media regulator, Roskomnadzor, explained that Shutterstock was blocked for insulting state symbols”. In the past, the Russian regulators have gone after VPN providers, the messenger Telegram and also the German mail provider Mailbox.org (German), which runs my own email accounts.

The Council of the European Union has warned EU member states that 5G networks pose increased security risks. Their objections seem to be mostly aimed at Huawei. In other words: same old, same old…

Firefox 71 has been released with better tracking protection, and Mozilla is testing Firefox Private Network (FPN): a browser extension that proxies Firefox’s traffic plus a full-device VPN in beta. The Register says the following about it:

FPN creates a secure tunnel from the user’s browser or device to the internet, protecting any data passing through a Wi-Fi hotspot – if you must log into a public WiFi hotspot, you should use a VPN. Instead of providing the user’s IP address, it presents its own IP address, which makes tracking more difficult.

In response to Mozilla’s post about FPN, Tavis Ormandy, a noted security researcher at Google, expressed skepticism on Twitter about the value of VPNs outside of hostile network scenarios. He pointed to a widely cited GitHub post that argues the legitimate uses for VPNs are very limited.

The FPN browser extension is powered by Cloudflare; the FPN full-device VPN uses WireGuard, a relatively new VPN technology, on servers operated by Mullvad, a service provider based in Sweden that says it doesn’t log user activity. Mozilla is opening up a waitlist where would-be users of FPN’s full-device service can sign up. Those who are eligible – US-based Firefox Account holders with Windows 10 devices – are promised an eventual signup link for FPN access at the introductory price of $4.99 per month, which is about what it costs to run one’s own Outline VPN server through a service provider like Digital Ocean.

Mozilla has also pulled extensions from anti-virus vendor Avast from the Firefox add-on store because, in Mozilla’s view, they violate users’ privacy. “The Avast extensions, when installed in your browser, track the URL and title of every webpage you visit, and how you got to that page, along with a per-user identifier and details about your operating system and browser version, plus other metadata, and then transmit all that info back to Avast’s backend servers.” This is reported in The Register based on research done by Adblock Plus creator Wladimir Palant.

Keep in mind that Adblock Plus and Eyeo, the company behind it that Palant co-founded, have themselves been criticized in the past on privacy grounds. Eyeo maintains a whitelist of ads it deems acceptable and shows them to Adblock Plus users; advertising partners pay Eyeo for those placements, so the list follows Eyeo’s business interests rather than those of adblocker users. Eyeo says these ads are safe and don’t track users, but there is no independent oversight in place.

The Verge is reporting from the Elon Musk “pedo guy” trial:

There were so many lawyers, and they were all wearing nondescript suits in blue or gray that are cut badly in the upper arm area. I have seen many shapes and styles of shoulder pads, all of them bad. I have seen an improbable amount of hair gel. I have seen loafers, flimsy and sturdy. I have seen, among the trial’s observers, a man wearing two sets of glasses, one over the other, presumably to avoid having to buy bifocals. The best-dressed people in the room are in the jury, and it’s not close. (The jury has been instructed not to read the press, so it’s not like I’m sucking up here.)

I love their style.

He said Musk could “stick his submarine where it hurts.” For some reason, everyone who has spoken so far, including Musk, construes this as “stick it up his ass” though a submarine would probably hurt in plenty of parts of one’s body if enough pressure were applied. An armpit, for instance. A belly button.

Apparently Musk’s defence is that calling someone a pedophile is a “fill-in-the-blank insult”, not actually an “allegation of crimes” and “joking, taunting in a fight between men.” He also claimed he isn’t influential on Twitter.

In the case of the raid on a “bulletproof” server farm in an old NATO bunker in Germany, the public prosecutor’s office is reporting that charges will soon be brought [German] against 13 suspects, seven of whom are currently being held in custody. A Dutch citizen, who bought the bunker in 2013, stands accused of having masterminded the “darknet” hosting operation.

The Register has summarised the three-hour keynote of Amazon’s AWS conference re:Invent. If you’re into cloud computing, it’s well worth a read with many interesting announcements sprinkled throughout.

The Truth: Malicious Python Packages, Boeing Chief Engineer Steps Down, Elementary OS 5.1

Hi there and welcome to The Truth for Thursday, 5 December 2019! This will be the last newsletter for this week as I’m on the road all day tomorrow. You can expect the next issue on Monday. But let’s get into what we have for today:

There’s a new fileless trojan for macOS flying around out there. The Register ties it to a state-sponsored hacking group called Lazarus from North Korea.

As with other infections from the Lazarus group, the attack begins as a fake cryptocurrency application that uses social engineering to trick the user into installing and running what they think is a legitimate app. After the trojan is launched, however, the malware shows off its new trick: the secondary payload, the one where the actual spying or data theft would occur, can be performed in-memory without having to install further files on the hard drive.

Atlassian and IBM are working to fix a security vulnerability (CVE-2019-15006) that the well-known infosec Twitter account @SwiftOnSecurity disclosed by accident. The Confluence companion app relies on a TLS certificate whose private key is downloadable from a URL; anyone holding that key can impersonate the endpoint and mount a man-in-the-middle attack on the connection. IBM’s Aspera plugin client was subsequently found to have a very similar issue.
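A certificate is only worth anything while its private key stays private, and a key that ships inside, or next to, a client download is public by definition. Whether a vendor has done that is something you can check on the artifact yourself. Here is an added example (mine, not Atlassian’s, IBM’s or the reporters’ code) that scans a downloaded blob for PEM private-key blocks; the blob it scans is constructed and the key material in it is not a real key.

```python
"""Scan a downloaded client bundle for bundled private keys.

Added example for this newsletter, not Atlassian's, IBM's or the reporters'
code. The sample artifact is constructed and contains no real key material.
"""
import re

# PEM private-key blocks: PKCS#1 (RSA/EC/DSA), PKCS#8 (plain or ENCRYPTED), OpenSSH.
_PEM_KEY_RE = re.compile(
    rb"-----BEGIN ((?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----\s*"
    rb"(.*?)-----END \1-----",
    re.DOTALL,
)


def find_private_keys(blob: bytes) -> list:
    """Return one record per PEM private-key block found in `blob`.

    `encrypted` is True for PKCS#8 ENCRYPTED blocks and for legacy PEM bodies
    carrying a "Proc-Type: 4,ENCRYPTED" header. An unencrypted hit inside a
    publicly distributed artifact means anyone with the download can present
    the matching certificate.
    """
    hits = []
    for m in _PEM_KEY_RE.finditer(blob):
        kind, body = m.group(1).decode(), m.group(2)
        encrypted = kind.startswith("ENCRYPTED") or b"Proc-Type: 4,ENCRYPTED" in body
        hits.append({"type": kind, "offset": m.start(), "encrypted": encrypted})
    return hits


def scan_sample() -> list:
    # Constructed artifact: binary noise, an unencrypted fake RSA key, a
    # certificate (public material, must not be flagged) and a PKCS#8
    # encrypted key (flagged, but marked encrypted).
    blob = (
        b"\x7fELF\x02\x01\x01" + b"\x00" * 32
        + b"-----BEGIN RSA PRIVATE KEY-----\n"
        + b"AAAAconstructedNOTaREALkeyAAAA\n"
        + b"-----END RSA PRIVATE KEY-----\n"
        + b"-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n"
        + b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIconstructed\n"
        + b"-----END ENCRYPTED PRIVATE KEY-----\n"
    )
    return find_private_keys(blob)


if __name__ == "__main__":
    for hit in scan_sample():
        print(hit)
```

Run it over an installer, an extracted app bundle or a plugin archive; a `PRIVATE KEY` hit with `encrypted: False` in something every customer downloads is exactly the class of bug described above.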

Bug bounty platform HackerOne was notified about a security vulnerability in its website through its own bug bounty program. Very meta. HackerOne has now fixed the problem ("Account Takeover via Disclosed Session Cookie") and paid out a bounty of $20,000 to the guy who discovered it.

ZDNet is reporting on two malicious packages that have been removed from PyPI, the package index for the programming language Python.

The Python security team removed two trojanized Python libraries that were caught stealing SSH and GPG keys from the projects of infected developers. The two libraries were created by the same developer and mimicked other more popular libraries – using a technique called typosquatting to register similarly-looking names. The first is python3-dateutil, which imitated the popular dateutil library. The second is jeIlyfish (the first L is an I), which mimicked the jellyfish library.
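Both names in the story are caught by a simple screen: fold look-alike characters (the capital I in jeIlyfish), strip the python-/python3- prefix dance, and compare against a list of popular package names by edit distance. Here is an added example of that check (mine, not the PyPI security team’s tooling); the list of “popular” names is a short constructed stand-in for the real top-downloaded list you would feed it.

```python
"""Flag package names that imitate popular ones (typosquatting).

Added example for this newsletter, not the PyPI security team's tooling.
POPULAR is a short constructed stand-in for a real top-N download list.
"""
import re

# Characters that look alike in common fonts, folded to one canonical form.
_HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o", "5": "s", "8": "b"})
_PREFIXES = ("python3-", "python-", "python3_", "python_")

POPULAR = ["jellyfish", "python-dateutil", "requests", "urllib3", "six"]  # constructed


def normalize(name: str) -> str:
    """Fold look-alikes (before lower-casing, so 'I' becomes 'l'), drop the
    python-/python3- prefix and all separators."""
    n = name.translate(_HOMOGLYPHS).lower()
    for p in _PREFIXES:
        if n.startswith(p) and len(n) > len(p):
            n = n[len(p):]
            break
    return re.sub(r"[-_.]", "", n)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_name(candidate: str, popular: list = POPULAR, max_distance: int = 1) -> dict:
    """Say which popular package `candidate` resembles, if any.

    verdict: "exact"     it is a popular name itself
             "lookalike" identical after homoglyph/prefix normalization (jeIlyfish,
                         python3-dateutil)
             "typo"      within `max_distance` edits of a popular name
             "ok"        nothing close
    """
    if candidate in popular:
        return {"verdict": "exact", "target": candidate}
    norm = normalize(candidate)
    best = None
    for p in popular:
        pn = normalize(p)
        if pn == norm:
            return {"verdict": "lookalike", "target": p}
        d = levenshtein(norm, pn)
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, p)
    if best is not None:
        return {"verdict": "typo", "target": best[1], "distance": best[0]}
    return {"verdict": "ok", "target": None}


if __name__ == "__main__":
    for name in ("jeIlyfish", "python3-dateutil", "requets", "numpy"):
        print(name, check_name(name))
```

Wire `check_name` into whatever approves new dependencies (a pre-commit hook on requirements files, a review bot on lockfile changes) and the two packages from the story would both have come back as `lookalike` rather than slipping through on a glance.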

The chief engineer for Boeing’s Commercial Airplanes group is stepping down. John Hamilton was, among other things, chief project engineer for the 757, 737 NG and P-8A projects. In March he was appointed to lead Boeing’s response to the two disastrous 737 MAX crashes (the 737 NG is the direct predecessor to the 737 MAX). “From April 2016 through March, Hamilton was vice president of engineering for Boeing Commercial Airplanes, responsible for all the company’s engineering design and airplane-certification work, including the final certification of the 737 MAX”, the Seattle Times is reporting.

The news was conveyed in an internal memo from the new head of Boeing Commercial Airplanes, Stan Deal, and Boeing’s chief engineer, Greg Hyslop. “John had planned to retire last year, but we asked him to stay on to help us with the 737 MAX investigations and return to service efforts,” they wrote. “We are immensely grateful to John for lending his expertise and leadership during a very challenging time.”

The latest version of the Linux distribution Elementary OS, version 5.1 “Hera”, now includes support for the packaging format Flatpak. They also tout “a brand new first-run experience” with a new greeter application.

Microsoft is financially doing very well lately, mostly driven by cloud and software subscriptions. But it is having some trouble with workers complaining about not getting paid enough and those pesky government contracts with agencies like Immigration and Customs Enforcement (ICE) and the Department of Defense (DoD). At the recent shareholder meeting, proposals aiming to put employee representation on the Microsoft board got very thoroughly squashed.

The proposal to prepare a report on employee representation on the board of directors – put forward by NorthStar Asset Management – received just 4.42 per cent of votes “For”. As it turned out, as well as an overwhelming “NO”, there were also more abstentions.

Pensions fund manager Northstar, as it turns out, has form at rousing rabble at the odd tech titan’s AGM. It treated Facebook to a grilling on privacy in 2018 and has asked Google to open up membership of the management insiders' share class to the rest of the (cash-flush) plebs. Spoiler alert: They said no.

Meanwhile, Carl Icahn is piling more pressure on HP to accept an acquisition by Xerox. The Register has a recap of recent developments in the story.

And a former Oracle product manager is suing his old employer, saying “he was forced out for refusing to lie about the functionality of the company’s software.” The civil complaint alleges Oracle forced the manager to sell vaporware – i.e. software the company could not deliver on. He says that, in firing him after he reported this to the US Securities and Exchange Commission (SEC), “Oracle violated whistleblower protections under the Sarbanes-Oxley Act and the Dodd-Frank Act, the RICO Act, and the California Labor Code.”

Surprise! “Two months after promising customers that its past practices of automatically registering, and charging, customers for .uk domains was all a big misunderstanding, pushy registrar 123-Reg is at it again”.

A Register reader noticed last month that he was now the unhappy owner of no less than five .uk domains that he never ordered and for which he had been charged £71.93. That is despite 123-Reg assuring us that it does not charge customers for domains they do not explicitly request.

More like 123-Ripoff.


Header image credit: Marcus P.