FOXTROT/ALFA: Threema Goes Open Source, WMG Data Breach, The Moon is Rusting

As you might have noticed, there wasn’t a newsletter in the last two days. It seems all the stuff I have to organise before we move house from Hamburg to Düsseldorf in the middle of the month has caught up with me. And then there’s the other stuff I keep busy with, like extra podcast episode releases. FOXTROT/ALFA issue 144 is therefore coming to you on a Saturday. In this special edition, for Saturday, 5 September 2020, I will recap all of the news I didn’t get to write to you about on Thursday and Friday.

This will be the last newsletter for a while. I have many things to organise for this move and as of now, I’m not even quite sure when I will have internet access in the new flat. I’m aiming to start up the newsletter again at the beginning of October. Please bear with me. I promise I’ll get it up and running as soon as I can.

For now, here’s what has happened in tech over the last few days:

Critical GnuPG Vulnerability

Heads up! There’s a critical vulnerability in GnuPG:

We are pleased to announce the availability of a new GnuPG release: version 2.2.23. This version fixes a critical security bug in versions 2.2.21 and 2.2.22.

Importing an OpenPGP key having a preference list for AEAD algorithms will lead to an array overflow and thus often to a crash or other undefined behaviour. Importing an arbitrary key can often easily be triggered by an attacker and thus triggering this bug. Exploiting the bug aside from crashes is not trivial but likely possible for a dedicated attacker. The major hurdle for an attacker is that only every second byte is under their control with every first byte having a fixed value of 0x04.

Code Execution Worm in Cisco’s Jabber Client

Cisco’s Jabber implementation seems to be a bit shit.

Until Wednesday, a single text message sent through Cisco’s Jabber collaboration application was all it took to touch off a self-replicating attack that would spread malware from one Windows user to another, researchers who developed the exploit said.

The wormable attack was the result of several flaws, which Cisco patched on Wednesday, in the Chromium Embedded Framework that forms the foundation of the Jabber client. A filter that’s designed to block potentially malicious content in incoming messages failed to scrutinize code.

WMG Data Breach

Warner Music has been hacked.

Warner Music Group (WMG) has disclosed a breach by an undisclosed party that could have taken payment information, including name, email address, telephone number, billing address, shipping address, and payment card details (card number, CVC/CVV, and expiration date) from customers making a purchase between April 25 and August 5. In its disclosure statement, WMG says that it is working with law enforcement agencies and has notified the financial institutions and credit card issuers involved.

Threema Goes Open Source

After years of security enthusiasts constantly asking for it, Threema seems to be going open source.

Within the next months, the Threema apps will become fully open source, supporting reproducible builds. This is to say that anyone will be able to independently review Threema’s security and verify that the published source code corresponds to the downloaded app. In the future, it will be possible to use multiple devices in parallel thanks to an innovative multi-device solution. In contrast to other approaches, no trace of personal data will be left behind on a server. Thanks to this technology, Threema can be used on a PC without a smartphone.

They also got a new investor.

After an intense startup phase, Threema lays the foundation for continuity, further growth, and an acceleration of the product development thanks to the entry of the German-Swiss investment company Afinum Management AG. That said, Threema’s founders – Manuel Kasper, Silvan Engeler, and Martin Blatter, all software developers – will continue to lead the company and still retain a significant ownership interest.

The Moon is Rusting

Believe it or not, the moon is rusting.

The Moon’s surface is peppered with flecks of rust, according to research published on Wednesday. It’s a surprising discovery considering the natural satellite contains no free oxygen, which is needed to oxidize iron to make rust. Yet data from the Moon Mineralogy Mapper (M3), a NASA-designed instrument onboard the Chandrayaan-1, the first lunar spacecraft from the Indian Space Research Organisation, has pointed out deposits of hematite, a type of iron oxide, dotted around the Moon.

“When I examined the M3 data at the polar regions, I found some spectral features and patterns are different from those we see at the lower latitudes or the Apollo samples,” said Shuai Li, lead author of the study published in Science Advances and a researcher at the University of Hawaii’s Institute of Geophysics and Planetology. “I was curious whether it is possible that there are water-rock reactions on the Moon. After months of investigation, I figured out I was seeing the signature of hematite.” This common form of iron oxide is found on both Earth and Mars.

Although lunar regolith does contain oxygen, all of it is locked up within minerals and it’s not available to readily react with iron. Instead, the Moon is apparently getting its fresh oxygen supplies from its nearest neighbor: Earth. Li and his colleagues reckon that the gas from our planet’s upper atmosphere may be carried by the solar wind and blown onto the satellite’s surface.

“It turns out that the total oxygen delivered to the Moon from Earth in 100 million years is sufficient to generate the hematite we see,” Li told The Register on Wednesday. “The total oxygen is estimated from the observation by Japan’s Kaguya mission. They observed that 1.5×10^27 oxygen particles can be delivered to the lunar surface annually.”

Digital Pregnancy Tests are a Scam

Like The Register, I saw this on Twitter. Absolutely hilarious!

A hacker has uncovered a fancy digital pregnancy stick that is just a glorified analogue paper test strip with a screen added, a novel form of activation, and a big price tag.

Hardware hacker (and floppy disc enthusiast) foone bought a pack of two digital pregnancy sticks for $7, whereas a pack of 25 paper-based ones costs about $9. Foone decided to pry into one of the sticks and revealed it had a Holtek HT48C06 processor with 64 bytes of RAM, an 8-bit microcontroller, a series of LED lights, photosensors, a cell battery, and a small rectangular screen.

The computer onboard makes it seem quite advanced and high-tech, but at the core of it is, well, one of those cheap paper tests. None of the hardware or software is used to detect if someone is pregnant or not. That job is for the paper, which looks for human chorionic gonadotropin, a type of hormone secreted during the early stages of pregnancy, in urine.

The whole device is activated when the strip is moistened. The damp paper connects a switch that fires up the stick’s battery and, if the characteristic two lines show up, the LED lights and photosensors spot this and the screen displays the results – “Pregnant” or “Not pregnant”.

Because someone apparently thought that counting strips on paper, which generations of women have done successfully, was too complicated for millennials? Or something? Jeez.

Also Noteworthy

Other stories I’ve been reading:

This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.