FOXTROT/ALFA: Critical Cisco Vulnerability, Teslas Think Burger King Logo is a Stop Sign, Why Apple Really Went to ARM

G’Day, everyone! Here’s the final newsletter for the week, issue 129 of FOXTROT/ALFA for Friday, 26 June 2020. Today we learn something interesting about Teslas and why Apple really switched to ARM.

Critical Vulnerability in Cisco Routers

A number of Cisco routers are vulnerable to a Telnet attack (CVE-2020-10188) that can take over the affected device. No software update is available yet, but Cisco says exploit code is already circulating.

Cisco IOS XE Software is affected only if the device is configured with the persistent Telnet feature. The Telnet service that is used for TTY lines in Cisco IOS Software and Cisco IOS XE Software is not affected. To determine whether the persistent Telnet feature is enabled for a device, log in to the device and use the show running-config | include transport type persistent telnet command in the CLI to check for the presence of the transport type persistent telnet input <name> command in the global configuration. If the command returns no output or an error message, then persistent Telnet is not configured and the device is not vulnerable.

Until a software update is available, admins should probably use this workaround:

Disable the persistent Telnet feature and use persistent Secure Shell (SSH) instead.
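The check Cisco describes above, turned into a small config audit, as an added example that is not from Cisco or from this newsletter: it applies the advisory's rule that only the persistent Telnet feature matters, so plain `transport input telnet` on a VTY line is not flagged. The running-config text and the transport-map name are constructed.

```python
import re

# Constructed sample of `show running-config` output from an IOS XE device
# (not a real capture). The "transport type persistent telnet input" line is
# the one the advisory for CVE-2020-10188 says to look for; the transport-map
# name MGMT-TELNET is made up.
SAMPLE_RUNNING_CONFIG = """\
hostname edge-rtr-01
!
transport-map type persistent telnet MGMT-TELNET
 banner wait "Waiting for IOS..."
!
transport type persistent telnet input MGMT-TELNET
!
line vty 0 4
 transport input ssh
!
end
"""

# Only the persistent feature is in scope; the TTY-line Telnet service is not.
PERSISTENT_TELNET = re.compile(
    r"^\s*transport type persistent telnet input\s+(\S+)", re.MULTILINE)
PERSISTENT_SSH = re.compile(
    r"^\s*transport type persistent ssh input\s+(\S+)", re.MULTILINE)


def persistent_telnet_maps(running_config: str) -> list[str]:
    """Return the transport-map names bound to persistent Telnet input."""
    return PERSISTENT_TELNET.findall(running_config)


def assess(running_config: str) -> dict:
    """Apply the advisory's rule: no persistent Telnet line means the device
    is not affected, regardless of any 'transport input telnet' on VTY lines."""
    telnet_maps = persistent_telnet_maps(running_config)
    ssh_maps = PERSISTENT_SSH.findall(running_config)
    return {
        "vulnerable": bool(telnet_maps),
        "persistent_telnet": telnet_maps,
        "persistent_ssh": ssh_maps,
        "action": ("disable persistent Telnet; use persistent SSH instead"
                   if telnet_maps else "no change needed"),
    }
```

Feed it the saved output of `show running-config` from each router; an empty `persistent_telnet` list corresponds to the "no output" case in the advisory.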

Tesla Autopilot Thinks Burger King Logo is a Stop Sign

Autonomous driving is totally ready for real life roads. I mean, it’s basically flawless.

In April, Tesla started to push an Autopilot update with the ability to detect and stop the vehicles at traffic lights and stop signs. The new feature is called “Traffic Light and Stop Sign Control.” It is still in beta and it doesn’t always work as intended.

Burger King apparently figured out that sometimes, the new Autopilot feature can confuse its restaurant sign for a stop sign – prompting the car to slow down and stop for it.

Guys… “It’s in beta” is a fine excuse when you’re making an email client. This is a car we’re talking about. That car is used by thousands of people on real roads. Daily. “It’s in beta” doesn’t fucking cut it when people’s lives are at stake! What’s next? The third 737 MAX crashes and Boeing just says “Ooops! Sorry! Our bad. The landing feature is still in beta”? What the fuck.

Indirect Dependencies are a Big Security Problem

Indirect dependencies are a huge security risk in modern software stacks. I mean …we know this. But still, it’s worth reiterating, I think.

The Snyk survey is based on responses from 500 developers, security pros and operations bods, together with data from the company’s own vulnerability database and “correlated data from the hundreds of thousands of projects currently monitored” by Snyk, and data published by sources such as GitHub, GitLab and Bitbucket, each of which manages a large number of code repositories.

The majority of problems, the report said, come from indirect dependencies, which are least visible to developers. In the case of npm.js, around 80 per cent of the vulnerabilities are in indirect dependencies. The good news is that new vulnerabilities are down by almost 20 per cent across “the most popular ecosystems”, but there is still plenty to worry about.

What kind of vulnerabilities? Top of the list is cross-site scripting, where JavaScript is injected into a site via techniques such as user input that is not properly sanitised. The second top vulnerability last year was malicious packages, where a trusted package is contaminated with one crafted for an attack.

Apple Left Intel Behind Because the Skylake QA was Horrible

A former Intel top engineer says that Apple is going to ARM because Intel’s quality assurance was really bad.

The “bad quality assurance of Skylake” was responsible for Apple finally making the decision to ditch Intel and focus on its own ARM-based processors for high-performance machines. That’s the claim made by outspoken former Intel principal engineer, François Piednoël.

It’s been one of the big stories from this last week; Apple finally announcing its two-year transition away from Intel for its Mac desktop and notebook lines. There has been a lot of speculation about why this has happened, with the main consideration being that it’s aiming to consolidate the architectures across all its different platforms, from iPhone, through iPad, and finally into its laptop and desktop range.

That makes complete sense from a business and an architectural point of view, but while it’s something Piednoël says was always under consideration by Apple, he believes if the company hadn’t found so many issues within the Skylake architecture it would still be onboard the Intel chip train. It was the straw that broke the Apple’s back, so to speak.

“The quality assurance of Skylake was more than a problem,” says Piednoël during a casual Xplane chat and stream session. “It was abnormally bad. We were getting way too much citing for little things inside Skylake. Basically our buddies at Apple became the number one filer of problems in the architecture. And that went really, really bad. “When your customer starts finding almost as much bugs as you found yourself, you’re not leading into the right place.”

Also Noteworthy

Some other stories I’ve been reading:

That’s it for this week. See you again on Monday. Here’s a classic swamp rock song for a nice and sunny summer weekend. Take care!

This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.