FOXTROT/ALFA: Glitches and Critical Vulnerabilities, Apple Arcade Might be in Trouble, Linux Mint 20

Well, a lot has been happening and I’ve been very busy, which is why you’re getting issue 131 of FOXTROT/ALFA for Wednesday, 1 July 2020 delivered into your inbox after the bell has already tolled midnight. But better late than never, right? And it’s a big one. Today’s newsletter is packed with stories!

But before we begin, here’s a shameless plug: Part of why I was so busy all day was me preparing and recording episode 27 of my podcast The Private Citizen.

As things are slowly returning to some semblance of normalcy in Germany, this episode of the podcast reflects on how our perception of privacy and of our rights and freedoms has changed in the wake of the COVID-19 pandemic.

If that sounds like something you might be interested in, please have a listen and tell me what you think of the show. I’d appreciate it very much! But now, let’s get stuck into the tech news. That’s what you’re here for after all.

Glitches, Outages and Bugs

Many things have been going wrong with technology over the last couple of days. Here’s a quick rundown:

Frankfurt-based electronic trading system Xetra was experiencing a “technical issue,” affecting all securities traded on the platform, a Deutsche Boerse spokesman said on Wednesday. Trading volumes on the German blue-chip index DAX were stuck at 0.15% of the long-term daily average, while the broader STOXX 600 saw 3% of the daily average go through at 0733 GMT, according to Refinitiv data. The technical snag is a further blow to Deutsche Boerse, which saw one of its longest outages in April when the Frankfurt stock exchange was halted for more than four hours.

On the morning of Monday, June 29, customers filed into Canadian Tire stores in Lindsay and Whitby as usual, filling baskets as they browsed through the aisles. However, upon getting to a point of sale, people quickly realized that there was something completely bizarre happening. Cash register attendants were left bewildered after every single item they scanned came up reading “Mr. Potato Head.” No matter what staff tried, the glitch couldn’t be corrected, and workers were eventually forced to temporarily close their stores. The company attributed the unappeeling issue to a downloading error, which caused item names to instead appear the same as the popular children’s toy.

Of course, we’ve also had a number of security vulnerabilities that needed fixing.

Microsoft has published unscheduled fixes for two vulnerabilities, one of them with a severity rating of critical, that make it possible for attackers to execute malicious code on computers running any version of Windows 10. Unlike the vast majority of Windows patches, the ones released on Tuesday were delivered through the Microsoft Store. The normal channel for operating system security fixes is Windows Update. Advisories said users need not take any action to automatically receive and install the fixes. The person who discovered the vulnerabilities, Abdul-Aziz Hariri of Trend Micro’s Zero Day Initiative, wrote: “The library affected is hevcdecoder_store.dll. That library is responsible for parsing HEIC images with HEVC codec. That library (extension) is available through the Windows Store. And since it’s a media codec downloaded from the Windows Store, I assume MS updated it through the Windows Store and not the Windows Update.”

The US Cyber Command has issued an alert advising American organisations to immediately patch a critical vulnerability in Palo Alto Networks’ (PAN) firewall and corporate VPN products, which could enable remote hackers to bypass authentication and take full control of vulnerable systems. The bug, indexed as CVE-2020-2021, is a 10-out-of-10 critical vulnerability which exists in the way the PAN-OS software implements SAML. On Monday, the company released security updates to fix the bug, as well as detailed workarounds to mitigate the risk. According to PAN’s security advisory, CVE-2020-2021 could enable remote attackers to run arbitrary code on a vulnerable system without requiring a password, and then fully take control of the system. After that, hackers can leverage their presence to gain access to the rest of the network. PAN said that the issue affects PAN-OS 8.1 versions earlier than PAN-OS 8.1.15; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; and all versions of PAN-OS 8.0 (EOL).

As part of its Online Protection functionality, Bitdefender Antivirus will inspect secure HTTPS connections. Rather than leaving error handling to the browser, Bitdefender for some reason prefers to display their own error pages. This is similar to how Kaspersky used to do it but without most of the adverse effects. The consequence is nevertheless that websites can read out some security tokens from these error pages. These security tokens cannot be used to override errors on other websites, but they can be used to start a session with the Chromium-based Safepay browser. This API was never meant to accept untrusted data, so it is affected by the same vulnerability that we’ve seen in Avast Secure Browser before: command line flags can be injected, which in the worst case results in arbitrary applications starting up.

→ Side note: This blog post is by Wladimir Palant, who created Adblock Plus and founded the company Eyeo to monetise it. Yes, he created an ad-blocker that shows you ads if the company behind it deems them okay. They somehow earn money doing this kind of stuff. Please keep that in mind when you consider his security research.

Apple is Restructuring its Gaming Service Arcade

Something tells me things aren’t going that great at Apple Arcade.

Earlier this year, Apple reportedly canceled several contracts for games that were set to launch on Arcade, the company’s game subscription service known for its library of high-quality titles that don’t have ads or in-app purchases. It allegedly canceled each of them for the same reason: Apple wants new games that will keep players coming back to the service.

A report from Bloomberg notes that an Arcade executive told some developers who were on contract that Apple is seeking out games that have a high level of “engagement,” as it was put by one of the publication’s sources. For developers wondering where Apple’s bar for engagement currently lies, the report mentions that an Apple Arcade representative cited Grindstone, Capybara Games' charming, multilevel puzzler, as a model example.

According to this report, Apple paid the affected studios for meeting development milestones, and it told developers that it would work with them in the future if they meet Apple’s requirement for engagement. However, Bloomberg mentions that some of these developers faced financial woes as a result of the canceled contracts. Presumably, these games are allowed to release on other platforms, like Google’s similar Play Pass service for Android devices, though that may not be enough to recoup the losses. According to my colleague Andrew Webster’s interview with indie developers who published games on Apple Arcade, Play Pass pays developers based on user engagement metrics, whereas Apple negotiates deals with developers for their games.

The reason why Apple may be changing its requirements at all almost certainly comes down to keeping subscribers. Arcade had a lot of momentum in late 2019, partially helped by a free one-month trial that came as an introductory offer with the service, which otherwise costs $4.99 each month or $49.99 per year. The other big component of that momentum, of course, came from the excellent games, most of which are exclusive to the platform. How exactly Apple measures engagement in its upcoming games might change the kinds of games we’ll see coming to the service. It’s hard to see Apple walking back on requiring no ads or microtransactions, but it could mean that shorter games, like ustwo’s Assemble with Care, may not fit within Apple’s new direction for engagement. It could also mean fewer games, but for Apple’s sake, hopefully there will be some good ones in the mix.

I dunno. However you spin words around what is happening, it looks to me like their service didn’t take off like they thought it would. Sounds kind of Mixer-ish to me, to be honest…

Linux Mint 20 Released

Are people out there still using Ubuntu? What about Mint? Is that still the go-to distro to convert people from Windows? Is converting people from Windows still a thing? If you answered “yes” to any of these questions, you might be interested in the newest release of Linux Mint.

The Linux Mint team has released Mint 20 Cinnamon, a long-term support (LTS) release. It is based on Ubuntu 20.04, will be supported until 2025, and new Mint versions will use the same package base until 2022. Mint is based on Debian and Ubuntu, and the new releases are based on Ubuntu 20.04, released in April. Ubuntu itself is also linked to Debian. The question of what’s new in Mint 20 is therefore a matter of perspective. It all starts with the Linux kernel 5.4, which is also a long-term support release.

What is new and specific to Linux Mint 20? One thing is a file transfer application called Warpinator, inspired by an obsolete 10-year-old application called Giver. “FTP, NFS, Samba is overkill for casual file transfers” is the claim, and Warpinator (based on gRPC) is a simple utility for copying a file across the network. It works, but feels a step backwards from the ability to browse and copy files using a file share – which is perhaps why Giver is no more. Mint also has new support for Nvidia Optimus, which is designed for systems with more than one GPU, one embedded in the motherboard plus a standalone Nvidia graphics card. New features let you switch between cards for processing, though output remains via the embedded GPU. There is also improved support for high-resolution displays. The display settings now allow scaling to be configured separately for each display, and to set scaling at fractional levels such as 125 or 150 per cent – though this feature is described as “experimental and may not work well with all hardware and drivers”.

One thing that’s remarkable is Mint’s stance on Canonical’s newest it-will-revolutionise-Linux-project Snaps:

The relationship with Ubuntu now looks strained thanks to Canonical’s commitment to its Snap Store, a mechanism for installing packages which uses virtualization to enable greater compatibility and simplify package maintenance. There are downsides too, and the Mint team is opposed to Snap, saying that it links too tightly to the Ubuntu store and breaks compatibility with the APT package manager.

I find this opinion interesting because my Manjaro install seems to have no issues seamlessly integrating snaps into an Arch base. If you can do that on Arch, I find it hard to believe that doing it on a Debian base is such a problem. Sounds like mainly a political issue to me.

Firefox 78

Speaking of releases, there’s also a new version of Firefox out:

Mozilla has released Firefox 78 with a new Protections Dashboard and a bunch of updates for web developers. This is also the last supported version of Firefox for macOS El Capitan (10.11) and earlier.

The main new user-facing feature in Firefox 78 is the Protections Dashboard, a screen which shows trackers and scripts blocked, a link to the settings, a link to Firefox Monitor for checking your email address against known data breaches, and a button for password management. Handy, but does the Protections Dashboard have much real value? It is doubtful; the more revealing thing is to click the shield icon to the left of the address bar on a web page, which tells you what is blocked on that site.

WebRender is a feature which “changes the way the rendering engine works to make it more like a 3D game engine.” This is all about using the GPU for rendering web pages, alongside the CPU, and it is a complex process. (As the 7,500-word linked article demonstrates. It has also taken a while to get right; the article is from 2017.) Firefox 78 implements WebRender for Windows 10 PCs, with a few exceptions for laptops with AMD or older Intel GPUs. It looks like WebRender is coming to macOS and Linux soon, probably in Firefox 79. Will you notice? That will depend; users are most likely to see a benefit with graphically-rich and busy pages on high resolution displays, because this is where the renderer has most work to do.

On the security side, Firefox will no longer load pages over TLS 1.0 or 1.1. If this is the only version of TLS available, an error page is shown.

Is Cisco in the US Enforcing Indian Caste Hierarchies?

This story is pretty wild:

A senior engineer working at Cisco headquarters in Silicon Valley claims he was mistreated by coworkers and managers because of his Indian caste status – and that HR ignored his complaints about the matter. Cisco denies any wrongdoing.

The John Doe plaintiff, represented by California’s Department of Fair Employment and Housing, has 20 years of software development experience, and immigrated to the US from India, we’re told. He alleges that, after taking a job at Cisco in San Jose in 2015, his Indian colleagues at the networking giant abused him because he was a member of the Dalit caste, a group at the bottom of India’s caste social structure and considered “untouchable” by some in higher castes. “Although de jure segregation ended in India, lower caste persons like Dalits continue to face de facto segregation and discrimination in all spheres,” claimed the lawsuit’s paperwork, filed this week in a federal district court in the Golden State. “Not only do Dalits endure the most severe inequality and unfair treatment in both the public and private sectors, they are often targets of hate violence and torture.”

The plaintiff states that he went to the Indian Institute of Technology with one Cisco manager, Sundar Iyer, who is of the highest Brahmin caste. Iyer is accused of sharing Doe’s untouchable status with another Indian manager and using that information to make the plaintiff’s working life difficult. “Because both knew Doe is Dalit, they had certain expectations for him at Cisco,” the lawsuit alleged. “Doe was expected to accept a caste hierarchy within the workplace where Doe held the lowest status within the team and, as a result, received less pay, fewer opportunities, and other inferior terms and conditions of employment because of his religion, ancestry, national origin/ethnicity, and race/color. They also expected him to endure a hostile work environment. When Doe unexpectedly opposed the unlawful practices, contrary to the traditional order between the Dalit and higher castes, Defendants retaliated against him.” That retaliation allegedly included reducing the plaintiff’s responsibilities, passing him up for promotions and raises, and taking other team members off of his projects in an attempt to isolate him.

Also Noteworthy

Some other stories I’ve been reading:

This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.