FOXTROT/ALFA: Patch Tuesday, Amazon Suffers Setback in JEDI Lawsuit, COVID-1984

Welcome to FOXTROT/ALFA, issue 101, for Wednesday, 15 April 2020. I’m again delivering this newsletter pretty late in the day, but that’s not because I’ve been lazy. In fact I’ve worked about 40 hours in the last three days.

Today, among many other things, I recorded and released an episode of my privacy podcast The Private Citizen, for example. I’m pretty proud of this one. In it, I cover the Operation Rubicon / Crypto AG story from earlier in the year:

Let me tell you a story about how the CIA and BND for decades completely backdoored the crypto machines used by many of the world’s governments for top secret messages. And not only that, they also made good money doing it!

If you think that sounds interesting, check out The Private Citizen 14: The Intelligence Coup of the Century.

But enough shameless self-promotion, here’s your newsletter for today.

Patch Tuesday

Yesterday was Patch Tuesday and there was a lot of action this month.

Microsoft

The April edition of Patch Tuesday sees the release of fixes for 113 CVE-listed bugs. Four really important ones are already being exploited in the wild. Of those, two target font code, another goes for an old VBScript error and the last one requires local access. “In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website,” Microsoft warns. “An attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the IE rendering engine.” A fifth flaw, (CVE-2020-0935) was publicly disclosed but not exploited in the wild. That flaw was an elevation of privilege bug in OneDrive.

The massive patch load is no accident, say experts. “If you feel like there have been a lot of patches this year, you’re not wrong,” notes Dustin Childs of the Trend Micro Zero Day Initiative. “Microsoft has seen a 44 per cent increase in the number of CVEs patched between January to April of 2020 compared to the same time period in 2019.”

Adobe

Meanwhile, Adobe skipped updates for Flash this month, opting instead to put out fixes for a local privilege escalation flaw in ColdFusion, an information disclosure hole in After Effects, and an information disclosure flaw in Digital Editions.

Intel

Over in the realm of Chipzilla, we have six patches for various firmware flaws. They include escalation of privilege flaws in the NUC firmware, escalation of privilege bugs in the Intel Binary Configuration Tool, escalation of privilege errors in the Modular Server Compute Module , Denial of Service bugs in the Driver and Support Assistant, and elevation of privilege flaw in ProSet/Wireless Wifi, and an escalation of privilege error in the Intel Data Migration Software.

Amazon Hit By Setback in JEDI Contract Lawsuit

Apparently it ain’t Trump’s fault that the Pentagon gave that huge defence cloud computing contract to Microsoft instead of Amazon. I mean, are we sure? I thought everything was Trump’s fault? Maybe he’s too busy killing us all with The ‘Rona?

The Defense Department’s watchdog found no evidence that the Pentagon’s controversial decision to award a $10 billion cloud-computing contract to Microsoft Corp. was the result of interference from President Donald Trump, though it said its probe was limited by the White House.

While the Joint Enterprise Defense Infrastructure project was hotly disputed by rival technology companies from the start, the project gained broader attention when Trump publicly expressed concern about the assumption that the contract would go to Amazon.com Inc.

After Microsoft was given the award instead, Amazon Web Services, Amazon’s cloud services unit, filed a lawsuit alleging that political interference by Trump cost the company the cloud deal. Amazon said in the suit that the Defense Department failed to fairly judge its bid because Trump viewed Amazon Chief Executive Officer Jeff Bezos as his “political enemy.”

In its report, the inspector general’s office said, “We believe the evidence we received showed that the DoD personnel who evaluated the contract proposals and awarded Microsoft the JEDI Cloud contract were not pressured regarding their decision on the award of the contract by any DoD leaders more senior to them, who may have communicated with the White House.”

Amazon is Doing Quite Well, Though

Speaking of Bezos and Amazon, don’t worry about them… they’re doing quite fine amid this horrible global crisis. And of course, they’re thinking of amassing more wealth instead of sharing some of it. Naturally.

On Tuesday, Amazon told members of its affiliate marketing program that it will reduce the commissions it pays them to promote products on their websites. The Amazon Affiliates Program provides a way for third-party web publishers to post links on their websites that take buyers to Amazon.com to complete the sale, in exchange for a referral commission. Amazon notified its affiliates of the new rate schedule via email. The reduced rates, effective April 21, 2020, differ depending on the product category. Furniture and home improvement product commissions, for example, will drop from 8 per cent to 3 per cent. Beauty product commissions will be reduced from 6 per cent to 3 per cent. Grocery product commissions are dropping from 5 per cent to 1 per cent.

That same day, Amazon stock – up 24 per cent this year – reached an all-time high thanks in part to the surge in online shopping from home-bound consumers. The company’s market capitalization is now about $1.15tr and CEO Jeff Bezos’s net worth has reached $138.5bn.

The fee reduction comes at a particularly bad time given the coronavirus pandemic’s effect on the US economy. Between March 7 and March 28, unemployment claims surged from 211,000 in the week ending March 7 to 6.6 million in the week ending March 28, according to the US Department of Labor.

Meanwhile, they’re doing the COVID-PR-thing everyone’s doing.

Yet where Amazon has tightened the affiliate tap, it has also let cash flow elsewhere in an effort to mitigate the financial impact of the global health pandemic on its workers. Amazon last month launched a $25m relief fund for employees and contractors with COVID-19 – that’s 15 per cent of the $165m Bezos reportedly paid for a house in February.

Corporate concern for the less fortunate looks to be contagious, or at least good public relations. The two online ad giants, Google and Facebook, have launched funding initiatives and grant programs for publishers. Cisco on Tuesday announced a $2.5 billion financial relief program for customers and partners. HPE rolled out a similar initiative last week.

Because Corona!

Today on the list of things we do BECAUSE CORONA: Google switches FTP back on in Chrome 81.

Google has switched File Transfer Protocol (FTP) back on in Chrome 81 in response to the COVID-19 situation. The change was made “via server-side configuration.” The Chocolate Factory has been keen to kill off the venerable protocol for some time, and after a succession of prunings, disabled it by default in version 81 having tinkered with disablement in version 80. The plan, according to Google, was “to deprecate and remove this remaining functionality rather than maintain an insecure FTP implementation.” At least up until the pandemic hit.

Last week, a Google engineer posted: “In light of the current crisis, we are going to “undeprecate” FTP on the Chrome stable channel. I.e. FTP will start working again.” The reprieve is temporary, as he added: “We’ll recommence the deprecation once people are in a better position to deal with potential outages and migrations.”

Also: Longer support for the 1809 version of Windows 10 from Microsoft.

Reports of the death of The Update Of The Damned (aka Windows 10 1809) appear to have been premature as Microsoft flung a lifeline to those with a little too much on their plate. A number of Microsoft products got a life extension late yesterday, but the most eye-catching is the move from 12 May 2020 to 10 November 2020 for Windows 10 1809’s end of support. The delay affects the Home, Pro, Pro Education, Pro for Workstations, and IoT Core editions of Windows 10 1809 and is in light of Microsoft’s evaluation of the public health situation and its impact.

Indeed, one IT administrator, welcoming the move, told The Register that hastily flung up remote-working infrastructure might struggle to handle a large update for thousands of machines, and a failure might leave a user with a borked workstation and no easy way of fixing it. The rethink means that the OS, which was infamously pulled after a multitude of sins (including deleting user data), will continue to receive updates with the last occurring on 10 November 2020.

COVID-1984

No even the people with the slowest uptake are starting to realise that all of this surveillance that everyone is apparently clamouring for might not be a good idea. You really don’t need to be one of The Guardian’s self-proclaimed “experts” to notice this.

The coronavirus pandemic has led to an unprecedented global surge in digital surveillance, researchers and privacy advocates around the world have said, with billions of people facing enhanced monitoring that may prove difficult to roll back. Governments in at least 25 countries are employing vast programmes for mobile data tracking, apps to record personal contact with others, CCTV networks equipped with facial recognition, permission schemes to go outside and drones to enforce social isolation regimes.

The methods have been adopted by authoritarian states and democracies alike and have opened lucrative new markets for companies that extract, sell, and analyse private data. One of the world’s foremost experts on mobile phone surveillance said the pandemic had created a “9/11 on steroids” that could lead to grave abuses of power.

No shit. Would it really have been too much to ask for you to notice this before you scared everyone into accepting this with your breathless shitty coverage? Now you notice? Douchebags. We saw this coming weeks and months ago.

By the way, I’m voting to rename this disease COVID-1984.

Also Noteworthy

Some other stories I’ve been reading today:

This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.