FOXTROT/ALFA: Trump vs. Twitter, SAP Execs Quitting in Droves, May 2020 Update for Windows 10

Well, another week comes to an end. Here’s FOXTROT/ALFA issue 124 for Friday, 29 May 2020 with your tech news for today.

Critical Exim Vulnerability

Apparently, the Russians are at it again. At least according to the NSA. Well, they would say that, wouldn’t they? But that vuln is probably worth paying attention to anyway.

The NSA has raised the alarm over what it says is Russia’s active exploitation of a remote-code execution flaw in Exim for which a patch exists. The American surveillance super-agency said on Thursday the Kremlin’s military intelligence hackers are actively targeting some systems vulnerable to CVE-2019-10149, a security hole in the widely used Exim mail transfer agent (MTA) that was fixed last June.

“The Russian actors, part of the General Staff Main Intelligence Directorate’s (GRU) Main Center for Special Technologies (GTsST), have used this exploit to add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker’s dream access – as long as that network is using an unpatched version of Exim MTA,” the NSA said.

The Register has all the details, if you want to know more.

Patch Load Drops for the First Time in 10 Years

Good news: There are less bugs to patch. Bad news: It’s not because software is getting more secure.

Over the first quarter of 2020, the number of security bugs disclosed by software makers fell 20 per cent though not for any of the right reasons, it seems. Analysts at Risk Based Security cited both internal data and public reports from vendors in putting the number of security vulnerabilities reported over the first three months of the year at 4,968, down from 6,198 over the same period in 2019. This marks the first time in 10 years that the biz has seen a drop from the previous year’s quarter.

While the analysts are not certain why there was such a sharp fall, they say it’s probable that the dip had more to do with COVID-19 coronavirus outbreak, and resulting economic downturn, than any sudden improvements in the quality of code being written.

“The big outlier and unknown is COVID-19,” Brian Martin, Risk Based Security’s vice president of vulnerability intelligence, told The Reg. “That speculation is what we were thinking months ago, though we didn’t expect [the number] to go down so much.”

One likely explanation, Martin told us, is that there are simply more vulnerability reports incoming than there are people at vendors who can handle them. With workplace interruption and job cuts becoming more prevalent, many software makers could be struggling to keep up, with Chinese vendors getting hit earliest, followed by Europe and the US. “A company may say we are down on our staff, we might only write advisories for critical vulnerabilities,” Martin said. “At the end of the year as companies staff their security teams back up we might see them retroactively release advisories.”

Trump vs. Twitter

You’ve probably heard about the big spat between Trump and Twitter. But unlike what most of the tech news outlets are reporting, it’s actually much ado about nothing. At least at the moment. The Register has a good analysis.

Following a fit of indignation at Twitter’s decision to apply a fact check notice to some of his recent Twitter messages, US President Donald Trump on Thursday signed an executive order that purports to limit the liability protection afforded to internet platforms when they take action on user posts. But the nonsensical order doesn’t really do much at all. As Eric Goldman, law professor at Santa Clara University, put it in a phone interview with The Register, “It’s political theater.”

“Currently social media giants like Twitter receive an unprecedented liability shield based on the theory that they’re a neutral platform – which they are not – not an editor with a viewpoint,” Trump said. “My executive order calls for new regulations under Section 230 of the Communications Decency Act to make it that social media companies that engage in censoring or any political conduct will not be able to keep their liability shield. That’s a big deal.”

The Communications Decent Act Section gives internet platforms blanket legal protections concerning the content posted by others on, or through, their services. Websites that are mere conduits can’t, generally speaking, be held responsible for what’s shared by their users. But websites don’t have to be dumb conduits in order to be shielded from lawsuits: the law allows for editorial intervention under subparagraph (c)(2)(A) for material that is “obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected.” So when Twitter adds a fact checking notification to Trump’s tweets, as it did for the first time on Tuesday, it can do without taking on editorial liability if it believes the material is objectionable, whether it’s protected speech or not.

Trump’s executive order says, “When an interactive computer service provider removes or restricts access to content and its actions do not meet the criteria of subparagraph (c)(2)(A), it is engaged in editorial conduct.” But the allowable criteria for intervention are broad enough that it’s difficult to see how a service provider could take action on content in a way that does not meet the specified criteria. And, what’s more, Section 230 tackles user-generated content; fact-checking notes added by Twitter itself, as it did with Trump, should fall outside these rules, anyway.

Harvard law professor Lawrence Tribe was similarly dismissive. “Nothing the President or agencies like the FCC and FTC can legally do could successfully censor such private internet comment, so the executive order that Trump has unfurled is a big nothingburger in terms of responding to what Twitter did to provoke Trump’s outrage,” he said, via Twitter.

Goldman said it’s important to recognize the real audience for this order: Trump’s political campaign donors, and, we imagine, his conservative base. “It’s his way of showing he’s sticking it to the powers that be,” Goldman said. “He doesn’t care if it does anything. Trump has already won even if he didn’t change the law one bit because he dominated the news cycle and we all took the bait.”

And then Twitter decided to get petty.

Overnight, Twitter hid a Trump tweet, posted amid civil unrest in Minneapolis and elsewhere over the killing of George Floyd by a police officer, that said the US military should open fire on people on American soil. The tweet “violated the Twitter Rules about glorifying violence,” according to the social network.

Nobody had ever seen the GUI for something like this before, which most likely means Twitter quickly coded that up and deployed it to get back at Trump. I’ll of course keep an eye on how this develops going forward.

SAP is Haemorrhaging Execs

Another SAP executive just quit.

The departure could not have come at a worse time for SAP, but Todd McElhatton, veep and chief beancounter for the Cloud Business Group, is the latest person to hang up their hat at the German database giant. Just a week after shareholders vented frustration at the chopping and changing of SAP’s leadership team, it was confirmed that McElhatton is set to join cloud-based subscription management platform Zuora.

In McElhatton’s most recent role he was in charge of finances at SAP’s most strategic lines of businesses including SAP Concur, Fieldglass, Ariba, SuccessFactors, C/4HANA, and Qualtrics. Prior to being on SAP’s Global Finance Leadership Team, he was the CFO for SAP North America. Before joining SAP, McElhatton also held senior positions at Oracle, VMware and HP.

Bill McDermott, the long-standing CEO who used acquisitions to bulk up revenues at SAP over a 15-year reign, left in October 2019 to be succeeded by the combination of Jennifer Morgan and Christian Klein as co-CEOs. Morgan then left in April as SAP revised its model in order to take “swift, determined action… supported by a very clear leadership structure” in the face of business challenges presented by COVID-19.

In other big moves, cloud president Robert Enslin left to lead the sales unit of Google’s cloud business in 2019, while human resources chief Stefan Ries and the head of SAP’s Digital Business Services, Michael Kleinemeier, left in February this year. Last week, investors said the “personnel hullabaloo” should come to an end. Well, it seems it has not.

Things are not looking good over there.

Bombardier Software Bug

Looks like Boeing isn’t the only airliner manufacturer with software bugs.

The bug, discovered on Bombardier CRJ-200 aircraft fitted with Rockwell Collins Aerospace-made flight management systems (FMSes), led to airliners trying to follow certain missed approaches turning right instead of left – or vice versa.

Missed approaches are used when pilots aren’t confident that they’re going to land safely. They are a published path that helps the pilot safely position the aeroplane for another attempt.

First discovered in 2017, the flaw was only apparent when pilots manually edited a pre-set “climb to” altitude programmed into a “missed approach” procedure following an Instrument Landing System approach. It also arose if pilots used the FMS’s temperature compensation function in extremely cold weather. In theory the bug could have led to airliners crashing into the ground, though the presence of two trained and alert humans in the cockpit monitoring what the aircraft was doing made this a remote possibility.

The bug was first uncovered when a CRJ-200 crew flying into Canada’s Fort St John airport used the FMS’s temperature correction function. They discovered that the software turned their aeroplane in the wrong direction while it was following the published missed approach, something that generally does not happen.

Temperature correction is a function of modern FMSes that helps keep aeroplanes at a safe height above ground while following published approach paths under instrument flight rules (or the autopilot). Airport approaches are designed with a given set of atmospheric conditions, including a standard temperature, in mind. When real-world temperatures drop below certain limits, pilots must apply a correction to their altimeters in order to stay at a safe height above ground. Lower temperatures, for a given atmospheric pressure, introduce a progressively greater error in the altimeter reading.

Although mitigations and workarounds for the bug were published relatively quickly, Bombardier and Rockwell Collins disagreed with the FAA on the formal steps to be taken about it; a mandatory airworthiness directive ordering operators of CRJ-200 aircraft to disable the automatic temperature compensation was published in Europe this week and goes into force in mid-June.

May 2020 Windows Update

The Windows 10 May 2020 Update (also known as versions 2004 and 20H1) has been released.

Squeaking in at the end of May, version 2004 is one of Microsoft’s “big” Windows updates, following the jumped-up patch that was delivered in the form of 1909 last year. While it lacks the keynote-pleasing fluffware of yesteryear (such as Timeline and its ilk), the custom Linux kernel of WSL (a considerable improvement over the original WSL translation layer) will raise a developer eyebrow or two.

Linux loving aside, the release also brings a swathe of features aimed at making the venerable OS work just a little bit better. Bluetooth pairing is marginally less painful now and those with the necessary hardware can opt to go passwordless. Those who have discovered the Virtual Desktop feature can give them names more helpful than “Desktop 1” and “Desktop 2”, while changes to memory management means that enabled Win32 apps (such as Edge) should burn through less.

Linux is one of the headline features of a Windows update. What a time to be alive!

Nerd Entertainment News

I’ve seen mixed reviews of Space Force. Now Ars Technica says it’s great.

Returning to TV comedy for the first time since The Office wrapped seven years ago, Steve Carell plays a general assigned the unenviable task of founding a new military branch in the new Netflix comedy series, Space Force. And the Ars staff verdict is in: the series is a winner, eminently bingeable, and our favorite new show of 2020 so far.

I doubt very much that it’s better than Tales from the Loop, but I guess I’ll have to give it a chance now.

In other news, they’re doing a sequel to the Sonic the Hedgehog movie.

Here’s something to lift you out of the lockdown blues: the Sonic the Hedgehog film, infamous for that initial trailer with human-like Sonic and Gangsta’s Paradise, is getting a sequel. Hopefully without needing to redesign the principal character this time.

I admit, I wasn’t entirely convinced but I do kinda wanna see more of Fungus-Mad Jim Carrey…

Also Noteworthy

Other stories I’ve been reading:

When I started writing this newsletter, I had no idea who Richard Lindgren was. Then Spotify recommended this song to me:

What a voice! Been listening to his 2019 album Death & Love for the whole time of writing this thing now. Amazing music for the weekend. Enjoy!

See you on Monday. Maybe Elon will have his space men by then…

This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.