The Truth: A New Xbox, NHS Patient Data for Sale, Siemens Power Plant Control System Vulnerabilities

Welcome to The Truth for Friday, 13 December 2019. Sorry again for leaving you hanging yesterday. Here’s a tech news update:

Researchers from Qualys have disclosed a local privilege escalation in OpenBSD (CVE-2019-19726): “The vulnerability could allow local users or malicious software to gain full root privileges.”

Are you a state-sponsored (probably Russian) hacker looking for vulnerabilities to exploit in industrial control systems from Siemens? If you are, you’re in luck today as researchers have published a report of 54 security flaws in the SPPA-T3000 system, which is designed to control power plants.

According to Siemens this week, the control system is “mostly used in fossil and large scale renewable power plants.” The vulnerable components are usually protected by a firewall, meaning a hacker would most likely have to be positioned appropriately on the local network to exploit the bugs. Crucially, the miscreant would need access to a so-called highway component behind the firewall before they could attack the app server.

Among the more serious flaws are CVE-2019-18283 and CVE-2019-18284, which do not require any authentication to exploit. “The AdminService is available without authentication on the Application Server,” Siemens said of these flaws. “An attacker can gain remote code execution by sending specifically crafted objects to one of its functions.”

Ouch. That’s cyberwar in the making, that is.

If you use NPM, you should probably update to version 6.13.4 of the packaging software’s command-line tool. Vulnerabilities in previous versions of the tool enable “proof-of-concept exploits that write or overwrite arbitrary files and allow unauthorized file access.” At least there don’t seem to be any packages currently in the registry that exploit this problem.

Adobe’s numbers for the fourth quarter should make some folks over there happy.

Total revenue for the three months ended 29 November came in at $2.992bn, up 21.4 per cent year-on-year. Subscription sales rocketed to $2.686bn from $2.184bn; product revenue was up 11 per cent to $167m; and services edged up by a little less than $8m to $138m.

Looks like constantly milking your customers with subscriptions is a great idea. If you’re the one on the receiving end of the money, that is.

Meanwhile, Oracle ain’t doing that hot – at least that’s what the market thinks. “Oracle stock falls as earnings show continuing struggle for revenue growth,” reads the MarketWatch headline.

Revenue for the November quarter rose to $9.61 billion from $9.57 billion, coming in a bit below the FactSet consensus of $9.65 billion. The company disclosed that it generated cloud-services and license-support revenue of $6.8 billion. Revenue from cloud licenses and on-premise licenses totaled $1.1 billion.

I’d be happy. But then, I don’t have shareholders.

Microsoft has finally made its new console official: The Xbox Series X. Good to see they’re continuing to take the piss with their naming scheme. It also looks funny. It probably won’t fit in that shelf under your TV, because, as The Register puts it, it looks like “a Gateway tower PC from the 1990s.” Otherwise, it’s gonna be faster, better and have more Ks on the display …all that shit.

The Register seems to have gotten hold of some documents that show that NHS medical records are being peddled to the highest bidder.

Discussions are already in progress over the future use of patients' personal records and related information, said to be valued at roughly £10bn a year. NHS England’s top brass met big tech and pharma executives at an invite-only event in October this year to discuss collecting patient data to improve healthcare services, fund this whole data-management project, and potentially even profit from it. This record-organizing programme includes the creation of a “single, standardised, event-based, longitudinal patient record” repository for as many as 65 million Brits. Basically, everything you can imagine collected, cleaned up, curated, and searchable, in one place.

Private sector involvement in the data-collection project, which our sources say looks like a private finance initiative, was represented by Amazon UK boss Doug Gurr, Microsoft UK CEO Cindy Rose, and Dr Jim Weatherall, veep for data science and AI at drug giant AstraZeneca.

The proposed medical record repository will pull together information from GPs and hospitals, mental health professionals, death and demographics registers, information from the private healthcare sector, prescription records, and environmental and social statistics, as well as data flows from embedded medical devices and patient-supplied and entered details.

WHAT COULD POSSIBLY GO WRONG? Jesus…

Police in Moscow have raided an office of web server maker Nginx because a company the head programmer worked for years ago has claimed it owns the server’s source code.

We understand the cops showed up after Russian company Rambler Group formally complained it owned the code, and that Nginx was thus infringing its rights, highlighting the country’s rather interesting approach to intellectual property. Nginx, which is today headquartered in San Francisco, USA, and operates as a subsidiary of American tech giant F5 Networks, did not return a request for comment.

In the cross-hairs of the source code copyright claim is Nginx creator Igor Sysoev, who was an employee of Rambler in the 2000s, and at the time wrote the code for what would become the open-source Nginx web server and proxy platform. He claims he wrote the software in his spare time, and thus it belongs to him, though Rambler appears to disagree and has claimed ownership of the blueprints.

Nginx is licensed under the 2-clause BSD license, by the way.

In astronomy news, there are objects in the night sky that disappear or blink in a way that we don’t understand.

A hundred red objects blinking in and out of existence across Earth’s skies over the past 70 years have left scientists giddy: they believe this could be evidence of previously unseen astronomical phenomena or – and hold tight, now – alien civilizations.

I don’t know about you, but I’m quite worried by this current tendency of astronomers to attribute everything we can’t understand to aliens immediately. Just because we don’t understand how something works doesn’t mean it’s caused by mysterious forces. How is just assuming that immediately without any further indicators good scientific work? Have these people never heard of Occam’s razor?

Anyway, speaking of aliens: Season 4 of The Expanse just launched on Amazon Prime today. Which is what I’m gonna go binge watch right now. See you next week!


This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.