FOXTROT/ALFA: Apple Signs Mac Malware, Amazon is a Horrible Employer, Small Nuclear Reactors

September has arrived and with it, autumn has begun. At least here in Hamburg, where the air is definitely starting to smell of snow and fires that burn on the horizon in the evening. With the days getting shorter and everybody staying in more, chances are, tech news are only going to increase. So let’s have a look at what happened today, for issue 142 of FOXTROT/ALFA. Here’s the news for Tuesday, 1 September 2020:

QNAP Vulnerabilities

If you have a NAS from QNAP you probably want to make sure it’s patched. And you probably want to disconnect it from the internet. There’s a remote code execution out in the wild.

From April 21, 2020, 360Netlab Anglerfish honeypot started to see a new QNAP NAS vulnerability being used to launch attack against QNAP NAS equipment. We noticed that this vulnerability has not been announced on the Internet, and the attacker is cautious in the process of exploiting it. When we enter the sample into the 360 FirmwareTotal system, we found that this vulnerability appeared in the CGI program /httpd/cgi-bin/authLogout.cgi. This CGI is used when user logout, and it select the corresponding logout function based on the field name in the Cookie. The problem is QPS_SID, QMS_SID and QMMS_SID does not filter special characters and directly calls the snprintf function to splice curl command string and calls the system function to run the string, thus making command injection possible.

Vulnerability fix: We contacted the vendor and shared the PoC on May/13, and on Aug 12, QNAP PSIRT replied and indicated the vulnerability had been fixed in previous update but there still are devices on the network that have not been patched. We looked into the vendors’ firmwares and discovered that on July 21, 2017, QNAP released firmware version 4.3.3 and this version included the fix for this vulnerability.

Apple Signs Malware to Run on Macs

Oooops! Looks like Apple’s advertising isn’t living up to reality again. Damn.

The process, which Apple calls “notarization,” scans an app for security issues and malicious content. If approved, the Mac’s in-built security screening software, Gatekeeper, allows the app to run. Apps that don’t pass the security sniff test are denied, and are blocked from running.

But security researchers say they have found the first Mac malware inadvertently notarized by Apple. Peter Dantini, working with Patrick Wardle, a well-known Mac security researcher, found a malware campaign disguised as an Adobe Flash installer. These campaigns are common and have been around for years – even if Flash is rarely used these days – and most run unnotarized code, which Macs block immediately when opened. But Dantini and Wardle found that one malicious Flash installer had code notarized by Apple and would run on Macs.

Wardle confirmed that Apple had approved code used by the popular Shlayer malware, which security firm Kaspersky said is the “most common threat” that Macs faced in 2019. Shlayer is a kind of adware that intercepts encrypted web traffic – even from HTTPS-enabled sites – and replaces websites and search results with its own ads, making fraudulent ad money for the operators.

Apple revoked the notarized payloads after Wardle reached out, preventing the malware from running on Macs in the future. But Wardle said that the attackers were back soon after with a new, notarized payload, able to circumvent the Mac’s security all over again. Apple confirmed to TechCrunch it has also blocked that payload. The cat and mouse game continues.

Amazon are a Bunch of Assholes

In case you hadn’t realised this yet: Amazon is a shitty employer.

Amazon is famous for its extreme efficiency yet behind the curtain is a crippling culture of surveillance and stress, according to a study by the Open Markets Institute. The think tank and advocacy group that repeatedly takes companies like Google and Facebook to task warned in the report that Amazon’s retail side has gone far beyond promoting efficient working and has adopted an almost dystopian level of control over its warehouse workers, firing them if they fail to meet targets that are often kept a secret.

Among the practices it highlighted, the report said that workers are told to hit a target rate of packages to process per hour, though they are not told what exactly that target is. “We don’t know what the rate is,” one pseudonymous worker told the authors. “They change it behind the scenes. You’ll know when you get a warning. They don’t tell you what rate you have to hit at the beginning.”

Not telling people what the rules are and penalising them for them to create a culture of fear? That’s right out of the Nazi playbook. Stalin had some success with it, too. Looks like the managers in Bezos' shop have studied a few history books.

If they grow close to not meeting a target rate, or miss it, the worker receives an automated message warning them, the report said. Workers who fail to meet hidden targets can also receive a different type of electronic message; one that fires them.

Automated firing of workers. And we thought those ’80s sci-fi movies were bad.

“Amazon’s electronic system analyzes an employee’s electronic record and, after falling below productivity measures, ‘automatically generates any warnings or terminations regarding quality or productivity without input from supervisors’,” it stated. The data is also generated automatically: for example, those picking and packing are required to use a scanner that records every detail, including the time between scans, and feed it into a system that pushes out automated warnings.

As with other companies, Amazon installs surveillance cameras in its workspaces to reduce theft. But the report claims Amazon has taken that approach to new lengths “with an extensive network of security cameras that tracks and monitors a worker’s every move”.

Bezos' bunch combines that level of surveillance with strict limits on behavior. “Upon entering the warehouse, Amazon requires workers to dispose of all of their personal belongings except a water bottle and a clear plastic bag of cash,” the report noted.

For Amazon drivers, their location is constantly recorded and monitored and they are required to follow the exact route Amazon has mapped. They are required to deliver 999 out of every 1,000 packages on time or face the sack; something that the report argues has led to widespread speeding and a related increase in crashes.

The same tracking software ensures that workers only take 30 minutes for lunch and two separate 15-minute breaks during the day. The report also noted that the web goliath has patented a wristband that “can precisely track where warehouse employees are placing their hands and use vibrations to nudge them in a different direction”.

I think I’d rather turn to a life of crime than work for these assholes. You literally get treated better in prison.

Vlambeer is Gone

Vlambeer is closing down. What a shame!

After a decade of monitor-shattering screenshake, the Gun Godz at Vlambeer are closing their doors. The creators of Nuclear Throne, Luftrausers, Super Crate Box and many more delightfully crunchy shooters today announced that Vlambeer’s time is up. While Rami Ismail and JW Nijman aren’t quitting games for good, they’ll no longer be releasing them under the banner of a hastily-drawn flaming bear – with the exception of Ultrabugs, of course.

The pair broke the news via the frequently-dormant Vlambeer Twitter account earlier today. On the studio’s tenth birthday, they’ve decided to wind things down and go their separate ways. This probably won’t come as a shock to anyone who’s kept up with the Dutch indie darlings, mind. Since wrapping up Nuclear Throne back in ‘15, Ismail and JW have largely pursued their own projects – the former jetting around the world to advocate for game dev communities, while the latter teamed up with buds to develop games like Minit and the upcoming Disc Room. “After Nuclear Throne it felt a bit like we had proven everything Vlambeer had to prove,” Ismail told Kotaku this week, “and after a well-earned break after such a demanding project we realized that we had both found our own separate ways forward.”

The Two-Time is Anxious

Looks like his mystery ban has deeply affected The Doc.

Dr Disrespect says he still doesn’t know why he was banned from Twitch, and he warned viewers that the mysterious ban has been causing him anxiety. “My anxiety levels are something that comes in these huge waves,” said Dr Disrespect, real name Guy Beahm, on a stream compilation posted to YouTube this afternoon. “And I’m having a hard time dealing with it. I’ll be honest.”

“Just so you know, there might be days when the Doc seems off, feels off,” Beahm said. “We’re trying to learn the dark alleyway, man. We’re trying to get out of it.” Because he’s banned on Twitch, other Twitch streamers aren’t allowed to feature Beahm in their videos. That limits who he can partner with to promote his new channel. “To think that I’m here, and I’m just moving on,” Beahm said. “I’m not. I can’t. How? How can I? I’m trying. How? But how? How can I?”

WHAT THE FUCK HAPPENED? I need to know.

Small Nuclear Reactors Might be Coming

Tiny nuclear reactors? I find this prospect very exciting. A first design has now received a certification from the USNRC.

One hope buoying nuclear energy advocates has been the promise of “small modular reactor” designs. By dividing a nuclear facility into an array of smaller reactors, they can largely be manufactured in a factory and then dropped into place, saving us from having to build a complex, possibly one-of-a-kind behemoth on site. That could be a big deal for nuclear’s persistent financial problems, while also enabling some design features that further improve safety. On Friday, the first small modular reactor received a design certification from the US Nuclear Regulatory Commission, meaning that it meets safety requirements and could be chosen by future projects seeking licensing and approval.

The design comes from NuScale, a company birthed from research at Oregon State University that has received some substantial Department of Energy funding. It’s a 76-foot-tall, 15-foot-wide steel cylinder (23 meters by 5 meters) capable of producing 50 megawatts of electricity. (The company also has a 60-megawatt iteration teed up.) They envision a plant employing up to 12 of these reactors in a large pool like those used in current nuclear plants.

The basic design is conventional, using uranium fuel rods to heat water in an internal, pressurized loop. That water hands off its high temperature to an external steam loop through a heat exchange coil. Inside the plant, the resulting steam would run to a generating turbine, cool off, and circulate back to the reactors. The design also uses a passive cooling system, so no pumps or moving parts are required to keep the reactor operating safely. The pressurized internal loop is arranged so that it allows hot water to rise through the heat exchange coils and sink back down toward the fuel rods after it cools.

In the case of a problem, the reactor is similarly designed to manage its heat automatically. The control rods – which can encase the fuel rods, blocking neutrons and halting the fission chain reaction – are actively held in place above the fuel rods by a motor. In the event of a power outage or kill switch, it will drop down on the fuel rods due to gravity. Valves inside also allow the pressurized water loop to vent into the vacuum within the reactor’s thermos-like double-wall design, dumping heat through the steel exterior, which is submerged in the cooling pool. One advantage of the small modular design is that each unit holds a smaller amount of radioactive fuel, and so it has a smaller amount of heat to get rid of in a situation like this.

Pretty neat. Especially since these things tend to blow up when people make mistakes.

Zoom, Zoom Goes the Virus

So here’s a conspiracy theory for ya: SARS-CoV-2 was created by the leadership at Zoom to make them and investors rich. Nah, just kidding. They are doing great, though.

The coronavirus pandemic has been kind to videoconferencing service Zoom, which has seen Q2 2021 revenues soar by 355 per cent year-on-year on the back of widespread adoption by business and personal users alike. It’s also been kind to videoconf biz boss CEO Eric Yuan, who woke up $4.2bn richer this morning after shares rose about 44 per cent in premarket trading.

Also Noteworthy

Other things I’ve been reading today:

This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.