Tuesday, 1 October 2019

Today on The Truth: PDF encryption is busted, German cookie regulations aren’t strict enough for the EU, Samsung Galaxy S4 buyers are getting some money and Stack Exchange is embroiled in a gender war. Oh yeah, and F-35s might not be as easily uncloakable as has been reported elsewhere.

There’s a security vulnerability (CVE-2019-16928) in the Exim mail transfer agent that allows remote attackers to crash the server and might even be used to execute malicious code. “All versions from (and including) 4.92 up to (and including) 4.92.2 are vulnerable”, report the developers. Better download and install the fixed version 4.92.3 as soon as possible.

Remember that vBulletin zero-day? If you run such a forum, you’d better patch fast. You don’t want to end up like security vendor Comodo. They advertise a “breech proof” operation over there but forgot to update their vBulletin forums – which were hacked, putting the data of around 245,000 users at risk.

Well, here’s something we knew already: PDF encryption is not secure. It’s pretty broken: “During our security analysis, we identified two standard compliant attack classes which break the confidentiality of encrypted PDF files. Our evaluation shows that among 27 widely-used PDF viewers, all of them are vulnerable to at least one of those attacks, including popular software such as Adobe Acrobat, Foxit Reader, Evince, Okular, Chrome, and Firefox.”

If you’ve ever bought a Samsung Galaxy S4 – a phone that originally came out in 2013 – you can apply to get about $10 from Samsung. This is because the manufacturer has just settled a long-running class-action lawsuit in the US. The whole thing will cost the company $13.4 million, $1.5 million of which will go to the winning lawyers. As The Register recaps: “The case was brought back in 2014 when testers revealed that Samsung appeared to be cheating on benchmark tests – frequently used to compare the speeds of different phones in reviews – by adding source code that detected whether a benchmarking app was running on the phone, and if so, ran the phone at a faster speed (532MHz rather than 480MHz).”

Great. The German solution of letting websites store cookies on a system if the website simply tells the user this is happening is illegal under European law, the European Court of Justice has decided. That means users have to explicitly opt in if a website wants to save cookies in their browser. Which means more obnoxious cookie warnings on websites.

Apparently Stack Exchange is changing its code of conduct (CoC) to require its users to stick to the pronouns someone specifies for themselves. In other words: If you refuse to call a person by the pronouns they want to be called by, they can throw you off their platform. You’re not even allowed to use the neutral they/them if the person in question has specified other pronouns. This CoC change has not been made public yet, but it seems a Stack Exchange moderator has already been removed because she objected to this. As a result, about 20 of the platform’s volunteer moderators have resigned or suspended their work. As The Register points out, this all seems to stem from a deluded advocacy group called Gay, Lesbian & Straight Education (GLSEN) which is of the opinion that a person can mandate how other people address them and that any deviation from that should be punishable.

Sony is reducing the price of its PlayStation Now gaming subscription: “The company announced today that the monthly subscription price is dropping to $9.99 a month, compared to the previous price of $19.99. Quarterly pricing will be $24.99 (down from $44.99), while the annual price will be $59.99 (down from $99.99).” They are also adding Grand Theft Auto V, God of War and Uncharted 4 to the service.

It’s been reported that a German radar manufacturer tracked two F-35 stealth jets for 150 kilometres after an airshow in Berlin in 2018. The company makes a passive radar system called TwInvis that uses reflections from electromagnetic emissions by commercial sources like cell and broadcast towers to track its targets. The Aviationist calls the validity of the test into question, though, as the planes were not in stealth mode at the time – being equipped with radar reflectors and transmitting their position voluntarily via ADS-B transponders. In any case, “the technology is not yet accurate enough to guide missiles, though it could be used to send infrared-homing weapons close to a target.”
This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.