FOXTROT/ALFA: EasyJet Hack, The Tech Industry is Loving the Pandemic, Gnome Foundation Settles Patent Troll Lawsuit

Welcome to FOXTROT/ALFA issue 121, for Friday, 22 May 2020. Sorry to have left you hanging for so long. I was really quite busy travelling – for work and personal reasons. But now I’m back with the first and final newsletter for this week and I’ll resume usual service on Monday.

But before we get into the tech news, it’s been pointed out to me in response to my hot take on the planned new Star Trek series that Discovery has already wrapped up filming on Season 3. So I guess they’ll kill it after that season then. Which probably means they’d decided this beforehand and built it into the plot. And they announced the new series now so people aren’t shocked when season 3 of Discovery airs.

BTW… am I the only one who’s worried about this?

Post-production took place remotely due to the COVID-19 pandemic.

I dunno, man. Discovery already wasn’t great when they were working without these restrictions. I doubt very much that it’ll make that show better… And that show definitely doesn’t need to be worse.

Anyway, enough of that. Let’s talk news.

EasyJet Hack

One of the news items I missed while taking a few days off from the newsletter was the EasyJet hack. More details on this have now come to light.

Victims of the Easyjet hack are now being told their entire travel itineraries were accessed by hackers who helped themselves to nine million people’s personal details stored by the budget airline.

As reported earlier this week, the data was stolen from the airline between October 2019 and January this year. Easyjet kept quiet about the hack until mid-May, though around 2,200 people whose credit card details were stolen during the cyber-raid were told of this in early April, months after the attack.

Today emails from the company began arriving with customers. There was no mention in the message to customers of compensation being paid as a result of the hack.

News of a hacker attack is the last thing they needed at this moment. EasyJet, like all airlines, is in trouble anyway.

Separately, an Easyjet company general meeting held this morning to sack its CEO and key execs ended with company founder Stelios Haji-Ioannou being outvoted by his shareholders. Stelios wanted to replace them with people who would cancel a £4.5bn order for new Airbus aircraft, which he says is unnecessary spending at a critical moment.

Stelios did not take news of his loss well, issuing a statement accusing Easyjet and Airbus of “voting fraud,” threatening to sue the Daily Telegraph for pouring scorn on his anti-Airbus campaign, and branding Airbus itself “the scoundrels”. The Guardian reported Easyjet finance chief John Barton as saying: “The company has no right to unilaterally terminate the contract [with Airbus]. The one-off costs associated with termination would be very material and taken with the future value of contract, termination would be hugely detrimental and seriously impact the company’s ability to operate as a low-cost airline.”

Who’s Profiting from COVID-19?

Isn’t it interesting that all the tech companies are all-in with these lockdown measures “to keep everyone safe” as they say, when at the same time many of the same companies are among the tiny section of the economy that is actually profiting from these measures? Unlike small shops and independent service businesses, these guys are doing great. Here are three stories I came across just today:

  1. The British government has been buying tens of thousands of new devices and likely spent more than a million pounds on Office 365 and Zoom licenses
  2. Nvidia’s revenue in Q1 is up 39% year-over-year, with an increase of more than a billion dollars in data centre chip sales
  3. The guys producing tracking gadgets are also smelling a bonanza

You know who’s also loving this stuff? The hackers. Amid all the UNPRECEDENTED events right now, it’s really easy to scam people. People who aren’t used to working from home, as well as people who aren’t used to managing people who aren’t used to working from home. GitLab decided to run a little test and try phishing their own staff. The results aren’t encouraging, as this is what happened at a company that has prided itself on the tech-savviness of its employees and its remote working chops for years. Just imagine how this would go at your workplace with the people who can’t even print a Word document without calling IT…

Code hosting biz GitLab recently concluded a security exercise to test the susceptibility of its all-remote workforce to phishing – and a fifth of the participants submitted their credentials to the fake login page.

The mock attack simulated a targeted phishing campaign designed to get GitLab employees to give up their credentials. The GitLab Red Team – security personnel playing the role of an attacker – obtained the domain name gitlab.company and set it up using the open source GoPhish framework and Google’s GSuite to send phishing emails. The messages were designed to look like a laptop upgrade notification from GitLab’s IT department.

“Targets were asked to click on a link in order to accept their upgrade and this link was instead a fake GitLab.com login page hosted on the domain ‘gitlab.company’,” explained security manager Steve Manzuik in a GitLab post.

Fifty emails went out and 17 (34 per cent) clicked on the link in the messages that led to the simulated phishing website. Of those, 10 (59 per cent of those who clicked through or 20 per cent of the total test group) went on to enter credentials. And just 6 of the 50 message recipients (12 per cent) reported the phishing attempt to GitLab security personnel.
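The thing that made the exercise work was the domain: “gitlab.company” reads as “gitlab.com” to anyone skimming a link on a phone. The check below is an added example (mine, not GitLab’s red team tooling or anything from GoPhish) of the kind of lookalike-domain screening a mail gateway or a “report phishing” button can apply to every link in a message before a human has to decide. The allowlist of legitimate domains, the sample e-mail and the two-label approximation of the registrable domain are all assumptions made for the example.

```python
"""Lookalike-domain check for links in mail, as a phishing simulation would use.

Added example, not GitLab's code. Flags URLs whose registrable domain is not
one of the organisation's legitimate domains and says why the host looks
deceptive: a legitimate domain extended into a different TLD ("gitlab.company"
vs "gitlab.com"), the legitimate domain used as a subdomain of an unrelated
domain, the brand name embedded elsewhere, a near-miss spelling, or a
non-ASCII (homoglyph) host.
"""
import difflib
import re
from urllib.parse import urlparse

# Assumption: the organisation's own registrable domains (hypothetical allowlist).
LEGIT_DOMAINS = {"gitlab.com"}

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""")


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Simplification for the example: a real gateway should consult the Public
    Suffix List so that names like example.co.uk are handled correctly.
    """
    return ".".join(host.split(".")[-2:])


def classify_url(url: str):
    """Return (verdict, reason) for one URL.

    verdict is 'ok' (allowlisted), 'lookalike' (deceptively similar to an
    allowlisted domain), 'external' (unrelated) or 'unparseable'.
    """
    host = urlparse(url).hostname  # already lowercased, port stripped
    if not host:
        return ("unparseable", "no host in URL")
    host = host.rstrip(".")
    if any(ord(c) > 127 for c in host):
        return ("lookalike", "non-ASCII host (possible homoglyph/IDN spoof)")
    reg = registrable_domain(host)
    if reg in LEGIT_DOMAINS:
        return ("ok", f"registrable domain {reg} is allowlisted")
    for legit in LEGIT_DOMAINS:
        brand = legit.split(".")[0]
        if host.startswith(legit + "."):
            # e.g. gitlab.com.account-verify.net
            return ("lookalike", f"{legit} used as a subdomain of {reg}")
        if reg.startswith(legit):
            # e.g. gitlab.company, gitlab.community
            return ("lookalike", f"{legit} extended to a different TLD ({reg})")
        if brand in host:
            # e.g. gitlab-security.net, my-gitlab.example.net
            return ("lookalike", f"brand '{brand}' embedded in unrelated host {host}")
        if difflib.SequenceMatcher(None, reg, legit).ratio() >= 0.8:
            # e.g. gitiab.com (capital I for lowercase l), gitlab.co
            return ("lookalike", f"{reg} is a near-miss spelling of {legit}")
    return ("external", f"{reg} is not related to an allowlisted domain")


def scan_message(body: str):
    """Classify every http(s) URL found in a message body."""
    return [(u,) + classify_url(u) for u in URL_RE.findall(body)]


# Constructed sample: an IT "laptop upgrade" notice of the kind used in the exercise.
SAMPLE_MAIL = """Subject: Your laptop upgrade is ready

Hi,

IT has scheduled your laptop upgrade. Please accept it before Friday at
https://gitlab.company/users/sign_in so we can ship the device.

Handbook reference: https://about.gitlab.com/handbook/
"""

if __name__ == "__main__":
    for url, verdict, reason in scan_message(SAMPLE_MAIL):
        print(f"{verdict:10} {url}\n           {reason}")
```

Run it and the sign-in link is reported as a lookalike (“gitlab.com extended to a different TLD”) while the handbook link passes. The near-miss test deliberately runs after the prefix and brand tests so that the reason given is the most specific one; tune the 0.8 ratio against your own domain list, since short brand names produce more false positives.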

GitLab 13.0 Released, Can Issue CVE Numbers

Speaking of GitLab, they’ve just released a new version.

GitLab version 13.0, the company’s major release of 2020, is out today.

There is a focus on security in this release, including easier responsible disclosure – since GitLab is now a CVE Numbering Authority. It will soon be possible to request a CVE from within the GitLab user interface. There is also new static analysis security testing for .NET Framework code; previously this only covered .NET Core, and DAST (Dynamic Application Security Testing) for REST APIs, a key part of many modern applications.

Users of the Community Edition get a significant new feature in 13.0, which is design management, previously a GitLab Premium feature.

Progressive Delivery, the idea of targeting releases at a subset of users rather than rolling out new features to everyone immediately, is another theme. Feature flag lists, a collection of tagged features for inclusion or exclusion from a release, now have API support for creating, editing and deleting them. A/B testing based on feature flags is promised soon, as is the ability to create feature flags from merge requests.

Microsoft Solitaire Turns 30

What killed more productivity than this pandemic and probably also put a sizeable dent into the economy over the last thirty years? Right. Windows Solitaire just turned 30 together with Windows 3.0. When I switched my parents away from Windows years ago, the first question was – naturally – where “the solitaire” was.

It’s a double anniversary today as we take a moment to ponder 30 years since Windows 3.0 set Microsoft on the road to desktop GUI dominance and celebrate three decades of Microsoft Solitaire. After a glitzy launch (for Microsoft at the time), Windows 3.0 shifted a million copies worldwide in the first three months alone. In a harbinger of things to come, it also turned up pre-installed on many machines.

Ranking as one of the most played video games of all time, Solitaire started life in 1989 as a project for intern Wes Cherry. Initially planned to familiarise users with how a mouse worked and introduce concepts such as drag and drop, the simple card game also ranks as one of the greatest productivity sponges of all time. Despite its immense popularity (and inclusion in subsequent versions of Windows) Cherry did not net the big bucks for his efforts. In an interview with British web site b3ta.com, he was asked if he was a little bitter about this. He responded: “Yeah, especially since you are all probably paid to play it!”

Cherry also went on to reveal a feature that could have saved many an employee’s career, but was stripped from the app: “There was a ‘boss-key’ which when pressed would display some random C code,” he said. “Microsoft made me remove that.”

The game suffered minor tweaks for Windows XP, and was tinkered with during the dark days of Vista and the brighter horizons of Windows 7, before an ill-advised redesign was inflicted from Windows 8, sullying the purity of the original incarnation. We understand that Cherry has since left the world of computing behind in favour of the crisp delights of cider making. The Register plans an experiment to compare the productivity impairment arising from cider consumption versus a tantalising Solitaire window. We think the card game might have it in the bag.

LOL.

And damn… I feel old now. Windows 3.11 was my first graphical user interface back in the day.

Dutch Grandma Sued under the GDPR over Pictures of Grandkids

Yeah, you read that right. For all their professed difference from us, the Dutch act mighty German sometimes.

A court in the Netherlands ruled this month that a grandmother must remove pictures of her grandchildren from her social media accounts after her daughter filed a privacy complaint. The grandmother, according to a Gelderland District Court summary, has not been in contact with her daughter for more than a year due to a family argument.

Her daughter has three minor children who appear in pictures the grandmother posted to social media accounts on Facebook and Pinterest. In February, the daughter wrote to her mother, noting that her requests made via the police to remove the photos of her children from social media have been ignored and giving her mother until March 5 to comply or face legal action. After the grandmother failed to take the photos down, the mother took her complaint to court.

When the court took up the matter in April, the grandmother had removed the photos, except for one from Facebook. She wanted to keep that one picture of the grandson she had cared for from April 2012 through April 2019 while the boy and his father, separated from the mother, lived with her. Image copyright did not get considered in this case. Nor did the emotional considerations raised by the grandmother, as the summary filing says.

The case summary says that while GDPR exempts purely personal activity, it’s not clear that postings to Facebook, with possible exposure to internet searches, qualify for that exemption. Accordingly, the judge gave the grandmother ten days to remove the picture. If it isn’t removed by then, a fine of €50.00 (£45, $55) will be imposed each day the images remain in place, up to a maximum of €1,000 (£900, $1,095).

What the fuck. If a grandma posting a picture of her grandchildren on a personal page isn’t considered to be “purely personal activity”, I don’t know what is. If you think this argument through, basically anything on the internet doesn’t apply to this exemption. The internet is, per default, publicly accessible. That’s the whole idea of the thing. Even if makers of walled gardens want to make us believe otherwise to get us to pay money for “services”.

Also: Who asks their own mother via the police to pull photos off of Facebook? I have no idea what happened between these people but it also doesn’t really matter. If you get to that point, at any point in your life, it’s seriously time to re-evaluate some choices you’ve made.

Gnome Foundation Settles Patent Troll Lawsuit

The Gnome Foundation has settled their patent troll lawsuit. Gnomes, trolls… Got no idea what’s going on? Here are the specifics from The Register:

The GNOME Foundation has settled a US lawsuit brought against it by Rothschild Patent Imaging, complete with an undertaking by the patent assertion entity that it will not sue GNOME for IP infringement again. In a so-called “walk away” settlement, Rothschild Patent Imaging (RPI) and the open-source body are discontinuing their legal battle that began in October last year. RPI sued for alleged IP infringement of one of its patents by the GNOME photo-organising tool Shotwell, marking the first time a free software project had been targeted in that way.

In a statement at the time, the GNOME Foundation said RPI “offered to let us settle for a high five-figure amount, for which they would drop the case”, something it said would be “wrong” to do. The open-sourcers thus countersued RPI, aided by lawyers from New York law firm Shearman Sterling who agreed to work on the case for free.

Not only did GNOME score a settlement with RPI that halted the lawsuit altogether, it also received an undertaking to prevent it being sued again for patent infringement by RPI (with the caveat that the software in question is open source). That settlement covers a bundle of around 100 patents, we are told.

GNOME described RPI as a “patent troll” – as Reg readers know, patent trolling consists of a so-called non-practising entity buying patents and then charging licensing fees for using the patent’s contents, often much higher than would otherwise be expected.

That’s pretty cool. Especially since the Gnome Foundation says they didn’t pay for the settlement. It would have been very disappointing if the money the open source community raised for Gnome’s defence had gone to a patent troll.

Also Noteworthy

Other stories I’ve been reading:

For this weekend, may I recommend a full album to you? The OST for Subnautica is among my favourite writing music. When I put this stuff on, I can just go like nobody’s business. Try it. Put on some headphones and this album to tune out the world if you want to get some work done!


This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.