FOXTROT/ALFA: The Doc Gets Banned, Browsers to Only Trust TLS Certificates for a Year, New TCAS Attacks

Welcome to the 130th issue of FOXTROT/ALFA! Today is Tuesday, 30 June 2020 and as you can tell by the absence of a newsletter in your inbox yesterday, my work schedule is still a bit touch and go at the moment. Plus my seasonal allergies have started hitting me full force a few days ago and there’s just days where I need 10+ hours of sleep now. It is what it is. I’ll do my best to recap the tech and tech policy news from the weekend and Monday for you now. Additionally, I have some stuff that’s been reported earlier today, of course.

Dr. Disrespect Perma-Banned on Twitch, Nobody Knows Why

Let’s start with the biggest story of the weekend. Twitch has permanently banned Dr. Disrespect, a former AAA video game community manager and map designer and the most popular streamer on its platform. And nobody knows why.

What you might be thinking: it’s too much of a coincidence for his channel’s abrupt disappearance to happen a single day after Twitch announced it would start permanently banning streamers for sexual harassment and assault.

We do not currently know whether Twitch has even banned Beahm, much less the facts around why Disrespect disappeared on Friday, because the company has repeatedly refused to confirm even a ban to The Verge – and declined to deny a new statement from Beahm this evening that claims Twitch won’t even tell him what’s going on.

Well, what we do know is this statement was apparently released by Twitch:

As is our process, we take appropriate action when we have evidence that a streamer has acted in violation of our Community Guidelines or Terms of Service. These apply to all streamers regardless of status or prominence in the community.

Apparently, people have also had their subscriptions to The Doc’s channel refunded over the weekend. But back to The Verge’s coverage…

To be blunt, we’ve seen nothing that rules out the possibility that Disrespect pulled himself off Twitch for some reason, however unlikely that may seem.

The idea that he’s been permanently banned originally came secondhand, from sources who spoke anonymously through others on Twitter – and both of the people tweeting have since explained that they were unwilling or unable to share the reason why. Kotaku has since corroborated a ban with three additional sources, but for some currently inexplicable reason Twitch won’t go that far. Occasionally, in the past, we’ve seen companies do that because they prefer the world’s current understanding of a situation, even when that understanding is wrong.

The Doc is kinda in good company with this ban, though. Over the weekend, Twitch also banned (albeit temporarily) the President of the United States of America.

Trump’s account was banned for “hateful conduct” that was aired on stream, and Twitch says the offending content has now been removed. One of the streams in question was a rebroadcast of Trump’s infamous kickoff rally, where he said that Mexico was sending rapists to the United States. Twitch also flagged racist comments at Trump’s recent rally in Tulsa.

Twitch said last week that it would begin issuing permanent bans to streamers in response to the allegations coming out. The first major ban that came down appears to be on Dr Disrespect, one of the site’s most popular streamers. Twitch has repeatedly declined to confirm why (or even whether) Dr Disrespect was banned – there were not public allegations against him – and the streamer has said he has not been told why his channel disappeared.

Just minutes before Twitch suspended Trump, Reddit said it had banned a number of subreddits for harassment, including r/The_Donald. The subreddit is not directly affiliated with the president, as the Twitch channel is.

Somehow, all of this doesn’t look coincidental. What a crazy story. I’ll update you on this once we know more.

A Wobbly Monday for Google

In other news: more cloud outages. This time, it’s Google.

Google Cloud is having a wobbly Monday. Its Kubernetes platform and networking services were partially unavailable for hours today, and its virtual-machine hosting and in-memory storage systems had a limited outage.

The web giant’s Cloud Networking service fell over around 0800 PT (1500 UTC) today due to a power supply failure. Connections to virtual machines in Google’s us-east1-c and us-east1-d zones started failing, and the breakdown spread to other Google Cloud services, such as its Persistent Disk product.

Browser Makers are Slashing TLS Cert Lifetimes

Apple, Google and Mozilla (the major browser makers) have announced that, in future, SSL/TLS certificates will only be valid for about a year, as far as they are concerned.

From September 1, Apple software, from Safari to macOS to iOS, will reject new HTTPS and other SSL/TLS certificates that are valid for more than 398 days, plus or minus some caveats. “Connections to TLS servers violating these new requirements will fail,” Apple warned in its official note. “This might cause network and app failures and prevent websites from loading.”

Google’s Chrome is set to follow suit, judging by this commit to the Chromium browser engine source code last week:

Enforce publicly trusted TLS server certificates have a lifetime of 398 days or less, if they are issued on or after 2020-09-01. Certificates that violate this will be rejected with ERR_CERT_VALIDITY_TOO_LONG and will be treated as misissued.

And Mozilla is preparing to adopt the policy in its Firefox browser. Moz program manager Kathleen Wilson said in March she would have preferred broad industry consensus in favor of the policy before committing to it, though noted: “However, the ball is already rolling.” Mozilla and other tech giants previously lobbied the CA/Browser Forum – a collective of certificate issuers and browser makers – for shorter cert lifetimes. After those proposals were shot down in a vote, Apple went ahead anyway with a one-year-max policy and bypassed the industry forum, a move backed by the Chromium team.

Now… can someone explain to me where the extra 33 days on the year come from?

New TCAS Attacks

Once again, security researchers have found ways to attack the collision detection system of modern airliners.

Five researchers in the US – Paul M. Berges, Timothy Graziano, and Ryan Gerdes from Virginia Tech, with Basavesh Ammanaghatta Shivakumar and Z. Berkay Celik from Purdue University – recently put TCAS to the test and found it wanting. In a paper distributed through ArXiv, “On the Feasibility of Exploiting Traffic Collision Avoidance System Vulnerabilities,” the cybersecurity boffins found TCAS is vulnerable to spoofing, at least in a laboratory setting. Specifically, they tried to spoof TCAS signals to make phantom planes appear on a collision course, forcing the software to recommend evasive action to pilots. They were able to show it can be done, in theory, though lacked the precision required to pull it off in reality.

TCAS – known as Airborne Collision Avoidance System or ACAS internationally – is used to prevent near mid-air collisions (NMAC); it’s a separate system from Air Traffic Control (ATC). It relies on an onboard transponder that transmits and receives messages between aircraft. The transponder interrogates nearby aircraft for position and identification data over the 1030 MHz frequency band and listens for replies on the 1090 MHz frequency band.

These replies can prompt a Traffic Advisory (TA), which helps the pilot locate the approaching plane, or a Resolution Advisory (RA), which directs the pilot to take specific action or maintain heading to avoid a possible collision. Creating a malicious RA has the potential to cause flight delays, injuries through sudden maneuvers, or, in the worst case scenario, a crash since pilots are obliged to follow them. A year after the July 2002 crash of a Bashkirian Airlines passenger jet and DHL cargo jet over southern Germany, the International Civil Aviation Organization (ICAO) amended its regulations to state that pilots should follow TCAS advisories even in the face of alternative guidance from ATC. And that’s been adopted by America’s FAA and other civil aviation agencies.

The attack relies on a GNU Radio-based application, software-defined radio (SDR) hardware from Ettus Research (Universal Software Radio Peripheral B210 and N2010), and a PC powered by an Intel Core i7-6800K with six 3.4 GHz cores and 16GB RAM to dupe TCAS into tracking a phantom aircraft. Making it work, Berges explained, requires that the system handling the TCAS interrogation minimize latency between detecting a reply signal and recording the time the reply is detected as precisely as possible “because these are radio signals traveling at light speed where the slightest variance in a series timestamps translates to thousands of meters of variance in apparent range.”

A professional pilot who spoke with The Register and asked not to be identified for this story said that even if this particular attack isn’t fully formed, it raises concerns that the aviation community should consider.

Microsoft Open-Sources Python Web App Monitoring Library

Microsoft has open-sourced Lumos, a Python library that is used to detect when components of a cloud application experience sudden performance problems.

In a technical paper, company researchers claim Lumos has been deployed in millions of sessions across the developer teams at Skype and Microsoft Teams, enabling engineers to detect hundreds of changes in metrics and reject thousands of false alarms surfaced by anomaly detectors. Online services' health is typically monitored by tracking key performance indicator (KPI) metrics over time. Regressions in these require a follow-up as they could indicate major problems, resulting in costs and the potential of loss of users. But it’s time-consuming to track down the root cause of every KPI regression because a single anomaly can take days or weeks to investigate.

Lumos is a novel methodology that encompasses existing, domain-specific anomaly detectors but reduces the false-positive alert rate by a claimed over 90%. It eliminates the process of establishing whether a change is due to a shift in population or a product update by providing a prioritized list of the most important variables in explaining changes in the metric value.

The Microsoft researchers say Lumos serves as the primary tool for scenario monitoring of hundreds of metrics related to the reliability of calling, meetings, and public switched telephone network (PSTN) services at Microsoft. It’s running on Azure Databricks, the company’s Apache Spark-based big data analytics service, with multiple jobs configured based on priority, complexity, and metrics type. And jobs complete asynchronously such that whenever an anomaly is detected, it triggers the Lumos workflow, raising an incident alert (ticket) if the library determines it to be a legitimate issue. The Microsoft researchers caution that Lumos isn’t guaranteed to catch all regressions in services and that it can’t provide insights without a sufficiently large amount of data. In an effort to address this, they plan to focus on expanding support for continuous metrics, perform feature ranking using multi-variate features, and introduce feature clustering to tackle the problem of multicollinearity in feature ranking.

Also Noteworthy

Some other stories I’ve been reading:

This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.