FOXTROT/ALFA: Tech Culture Wars, Big-IP Vulnerabilities, Internet Archive Misused as CDN

Hello and welcome to issue 134 of FOXTROT/ALFA! Today is Monday, 6 July 2020 and here is all you need to know today when it comes to the world of technology news.

Fair warning, though: There’s been a lot of stupidity going on recently and the last few days have not been an exception. So the first collection of news have prompted a bit of a rant on my part. Just saying what I think needs to be said. Just be warned, you might not like it.

Black Hat, White Hat, Slave and Master

OK, let’s sit down here for a minute and think about what the great problems that are plaguing technology right now are. The fact that every single service using the internet is dominated by companies that want to spy on us? That governments routinely try to get at this information about us? The fact that we are increasingly moving vital functions of our state (including integral mechanisms of our democratic processes) online without spending time to properly secure them? The idea that entire generations that grow completely depended on these systems have, by and large, no clue about how they work and no interest in it either? That the majority of people going online can’t tell truth from fiction because the people that are supposed to be telling them which is which, journalists like me, are often not doing their job properly because their own political convictions are more important to them than figuring out what is true? Or because they have no clue what they are reporting on and no time to change that? Or is the actual problem that many people who consume online content have forgotten how to read more than a few lines of anything, much less asking critical questions about it?

Of course not. The real problems of our times are our terms for supposedly “good” and “bad” hackers. Or the terminology we use for the relationship between two computers.

The information security (infosec) community has angrily reacted today to calls to abandon the use of the “black hat” and “white hat” terms, citing that the two, and especially “black hat”, have nothing to do with racial stereotyping.

Discussions about the topic started late last night after David Kleidermacher, VP of Engineering at Google, and in charge of Android Security and the Google Play Store, withdrew from a scheduled talk he was set to give in August at the Black Hat USA 2020 security conference. In his withdrawal announcement, Kleidermacher asked the infosec industry to consider replacing terms like black hat, white hat, and man-in-the-middle with neutral alternatives.

This is of course utter nonsense. The terms white hat and black hat literally refer to the colour of the hats worn by heroes and villains in early Western movies, where the righteous cow poke (think McQueen in The Magnificent Seven) often wore a white hat that symbolised his clean honour and which could also stain nicely to show his hard-working attitude. Meanwhile the villain, or anti-hero, would classically wear a black hat (think Van Cleef in The Good, The Bad & The Ugly).

Steve McQueen in The Magnificent Seven, a typical white hat

Lee Van Cleef in The Good, The Bad & The Ugly, who as an unscrupulous villain naturally wears a black hat

Actually, this kind of thing is probably one of the only themes in Westerns that isn’t racist. There’s enough actually overt racism, either by design or accident, in those movies to worry about, I should think. And the discussion about the abstract infosec terms is even more ridiculous.

In the light of the 2020 “global reckoning on race relations” the Linux kernel developers have stepped up with proposed new inclusive terminology guidelines for their coding community. The proposal has come from Intel Principal Engineer Dan Williams and won support from other Linux maintainers including Chris Mason and Greg Kroah-Hartman.

Words to be avoided include “slave”, with suggested substitutions such as secondary, subordinate, replica or follower, and “blacklist”, for which the replacements could be blocklist or denylist. The proposal has allowed for exceptions when maintaining a userspace API or when updating a code for a specification that mandates those terms.

Great. More virtue signalling. Hey, guys… Don’t you think there’s some actual social injustices we should concentrate on instead of wasting mind space on this crap?

The proposal is to add a new document, to be called Linux kernel inclusive technology, which will give the rationale for the changes. Referencing the fact that “the African slave trade was a brutal system of human misery deployed at global scale,” the document has acknowledged that “word choice decisions in a modern software project does next to nothing to compensate for that legacy.”

No shit. How about you start voting for people who have an actual agenda to compensate actual descendants of former slaves? Or fight against daily racism at your job, in your gym or on the street when you witness it? How about doing something that’s actually worth doing instead of wasting everyone’s time with bullshit like this which only serves to telegraph to the world how amazing you are for having championed it. Nah. Thought so. Too much effort. You’d rather change a few variable names in your GitHub project.

Bonus story: Oracle sued by a shareholder who alleges its lack of progress in diversity amounts to “dishonesty”

Oracle is being sued by a shareholder that alleges the company has not been truthful and honest in its efforts to create greater racial diversity within its workforce.

The claim was filed on Thursday last week, the day before America shut up shop for the 4 July long weekend, in the US District Court for the Northern District of California. The 106-page complaint alleged that despite public statements committing to greater racial diversity in the company’s leadership and board level, a failure to make progress meant the statements amounted to dishonesty. It is claiming a breach of fiduciary duty against the Board and 30 execs as well as “abuse of control” by CTO Larry Ellison and CEO Safra Catz specifically.

I mean, yeah. That’s probably a valid complaint. But again, don’t you think your focus is off a bit? With everything we’ve heard from inside and outside of Oracle about the company for decades, there’s a lot more wrong with how they treat people there. If this suit is successful, a lot of other people could probably sue Larry & company for all kinds of shit. And maybe one could argue they should.

But maybe a more reasonable approach would be to advocate for actual employee protection laws that have teeth and are enforceable? That might be a start. And it doesn’t have to be about dividing employees by skin colour or gender, either. Maybe we could just get fair laws that apply to everyone the same? No? Am I too much of a starry-eyed optimist here? Okay…

Ennio Morricone is Dead

Speaking of Westerns… in other very sad news that have nothing to do with tech but are nonetheless very important to me, Ennio Morricone has died at 91. The man was a genius and scored many of my favourite movies of all time, including The Good, The Bad & The Ugly, which I personally consider probably the best movie ever made.

Grazie, maestro! Rest in peace.

Critical Big-IP Vulnerabilities

If you’re running Big-IP load balancers from F5, you should probably patch them immediately.

Network administrators are urged to patch their F5 BIG-IP application delivery controllers following the disclosure of a pair of critical remote takeover bugs. The flaws in question, CVE-2020-5902 and CVE-2020-5903, lie within in a configuration tool known as the Traffic Management User Interface. Successful exploitation results in full admin control over the device.

In the case of CVE-2020-5902, the hole puts the equipment at risk of arbitrary code execution, while CVE-2020-5903 is a JavaScript-based cross-site-scripting vulnerability. CVE-2020-5902 has a CVSS score of 10 out of 10, which is not good, while CVE-2020-5903 has a lower, but still serious, score of 7.5.

“The attacker can create or delete files, disable services, intercept information, run arbitrary system commands and Java code, completely compromise the system, and pursue further targets, such as the internal network,” said Mikhail Klyuchnikov of Positive Technologies who discovered and reported the vulnerabilities to F5.

To make matters worse, there is now exploit code out there so actual attacks are probably just around the corner.

Exploit code for the pair of nasty vulnerabilities in F5 Networks' BIG-IP application delivery controllers is now doing the rounds, so make sure you’re all patched up. Miscreants are scanning the internet for machines to attack, judging from reports by infosec bods running honeypots. Any vulnerable kit facing the ‘net is likely to be probed at some point this week, if not already, to see if it can be hijacked.

Yikes. Better get patching!

Barclays Stupidly Uses Internet Archive as a CDN

Okay, let’s end today’s newsletter with a funny story, I think we could all use it. So here, courtesy of one time Premier League title sponsor Barclays:

Barclays Bank appears to have been using no less than the Internet Archive’s Wayback Machine as a “content distribution network” to serve up a Javascript file.

The bizarre discovery was made by Twitter user @immunda, who discovered on Thursday that the British financial institute was calling JS from the Internet Archive. Shortly after an abortive tussle with Barclays’ automated Twitter DM chatbot, he declared that he had got through to a human who had promised to fix the alarming howler.

If went down, it would presumably break Barclays' website as well. Worse, if someone managed to change the JS file at that URL, they could inject … well, whatever they liked. JS is a favourite attack vector of, among other things, the Magecart financial creds-stealing gang.

Professor Alan Woodward of the University of Surrey told The Register: “It’s just the sort of thing that a Magecart attack would thrive on. At the end of the day, it is the organisation who integrates all of these assets, including those drawn in from other sites, to ensure that they have a secure site, and that can only ever be true if you know what your site comprises.” He continued: “Who would use the Internet Archive to draw in an important asset like a Javascript file, or any file for that matter?”

We have asked Barclays for its explanation and it would only say: “We take our responsibility to protect our customers' data extremely seriously and it is a top priority. We want to reassure our customers that their data was not at risk as a result of this error.”

Mark Graham, director, the Wayback Machine, Internet Archive “The mission of the Wayback Machine is to help make the Web more useful and reliable. “We are often surprised by all the creative ways people use the Wayback Machine to help advance that mission. Especially journalists, students, researchers, academics, fact checkers, activists and the general public. But usually not banks! “Clearly someone at Barclays made a mistake (who among us has not done that!). If this incident helps more people learn about the free services the Wayback Machine has to offer it will have been of benefit. Onward!”

Gotta love how the Internet Archive handled that.

Also Noteworthy

A few other stories I’ve been reading:

This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.