The Truth: Google Criticised for Stadia Launch, Monero Binaries Included Coin-Stealer Trojan, Rape Allegations Against Assange Dropped

Wednesday, 20 November 2019

I got a bit sidetracked today by Red Dead Redemption 2 after I finally got it to run properly on my PC. I managed to tear myself away long enough to review some tech news for you, though.

“Thousands of Oracle E-Business Suite customers are vulnerable a security bug that can be exploited for bank fraud.” The reflected SQL injection vulnerabilities CVE-2019-2633 and CVE-2019-2648 allow attackers to send arbitrary commands to vulnerable EBS servers, provided they can access them via HTTPS. The Register sees some bank fraud in the making: “While this flaw is dangerous to EBS as a whole, it is particularly bad for servers that use the Payments module included with the suite. The Payments tool allows companies to set up and schedule direct deposits and automatic money transfers to suppliers or partners as well as handle invoices and orders. The bank routing and account numbers for transfer orders are kept on the server as text files and automatically loaded when needed. You can guess where this is going. An attacker who exploited either of the SQL injection flaws would be able to remotely modify those transfer order files to include instructions to move cash to an account of their choosing. Instant bank fraud.”

Mozilla is drastically expanding its bug bounty program.

Google seems to be having a rough launch with its cloud gaming platform Stadia. The Verge is reporting that many early adopters aren’t receiving the codes to activate their accounts and are thus missing out on getting the username they wanted oh so badly. “On June 6th, Google opened up preorders for the $130 Founder’s Edition of its Stadia cloud gaming service, promising those buyers would be the first to experience the future of gaming – and reserve a unique username. Though Stadia went live on November 19th, many buyers are still reporting they haven’t received the most crucial piece of the entire Stadia package: the invite email that opens the door to actually let them in.” Not a good look for Google.

AR outfit Magic Leap has lost its creative director and chief financial officer. This whole VR/AR ship is sinking fast now.

More trouble with drones at Gatwick: “Two airline pilots reported a near-miss with a drone while just 30 seconds from touchdown at London Gatwick airport earlier this year, an official report has revealed. Both the captain and first officer of an Airbus A320 landing at Gatwick in the evening of 8 July this year saw the errant drone, which the first officer said he recognised as a DJI Inspire quadcopter.”

Monero, known pretty much as the crypto currency of choice for criminals and thus the currency most often used by mining trojans, has had its official wallet binaries compromised. Someone snuck Monero-stealing code into their downloads, which to be honest is pretty ironic. The Next Web reports: “Although the investigation is ongoing, core developers for the project have issued an update confirming that the binaries of the CLI wallet had been compromised for a short time.” The developers warn: “If the hashes do not match, do NOT run what you downloaded. If you have already run them, transfer the funds out of all wallets that you opened with the (probably malicious) executables immediately, using a safe version of the Monero wallet (the one online as we speak is safe – but check the hashes).”

Microsoft, IBM, the Linux Foundation and the Open Innovation Network (OIN) have kicked off the anti-patent-troll initiative they’d announced a while back. “Specifically, the group will help fund the Open Source Zone of Unified Patents, an organisation which provides legal services to deter unsubstantiated or invalid patent assertions.” Apparently the currently ongoing litigation against the GNOME Foundation was not the reason to pivot the OIN in this direction. “GNOME is just a further reinforcement of the fact the threat exists. It wasn’t a motivating factor, this has been in the works for a year and very directly for five months. These things take time to put together.”

Sweden has dropped the rape investigation into Assange. The Register reports: “Deputy director of public prosecutions Eva-Marie Persson told journalists that the case against Assange had been discontinued, around seven years after allegations were first made against him by two complainants related to incidents that allegedly took place in August 2010.” Of course, “Assange remains an involuntary guest of HM Prison Belmarsh in southeast London, with American prosecutors seeking his extradition and trial on a charge of conspiracy to commit computer intrusion for agreeing to break a password to a classified US government computer. The Australian was remanded in custody as a flight risk, being refused bail, after famously entering Ecuador’s London embassy to evade the British justice system. That little stunt cost his rich backers more than £90,000 in forfeited bail sureties – and eventually earned him a 50-week prison sentence once British police captured him. He faces a full extradition hearing at Westminster Magistrates' Court in February 2020, with the inevitable appeal probably being heard at the High Court in the second half of next year.”

This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.