FOXTROT/ALFA: Amazon Copies Another Open Source Project, CUPS Abandoned, Hangouts are Dying

FOXTROT/ALFA — Your Daily Tech and Policy Newsletter, Issue 150
Saturday, 17 October 2020

Issue 150! Quite a milestone! When I started this newsletter over a year ago I sure wasn’t convinced I’d keep it up this long. I might not have been able to get an issue out each weekday (today’s belated issue being testament to that) but at least I have kept it going. And more and more people keep discovering the newsletter and the vast majority of you seem to like it, judging by the fact that you’re sticking with me.

Since I didn’t get around to it yesterday, you’ll get another Saturday Special newsletter with a recap of the news from both days today. One of the things I’ve been busy with was writing a review of the first episode of season 3 of Star Trek: Discovery. Pretty horrible stuff. If I wasn’t being paid to write about this stuff, I’d stop watching it after that episode. Star Trek is rapidly reaching the point I got to with Star Wars a few years back. I just don’t care anymore.

Speaking of disappointing sequels to things from my childhood: Aquanox: Deep Descent was released yesterday. I had been waiting on this since I saw a demo years ago at Gamescom. With Schleichfahrt (which in the English-speaking market was released under the name Archimedean Dynasty) being my absolute favourite video game ever, I’ve played every sequel since. AquaNox and AquaNox 2 were both shit, but I finished them both because I loved the original so much. I don’t have much hope this reboot will be better. But I have bought it and I will play it and write an in-depth review in due time.

But enough rambling. Let’s get to your tech news overview.

Security News

I told you security news was heating up. This trend looks like it’s continuing. For one thing, Crytek and Ubisoft were pwned by the same group of hackers.

This week, the Egregor ransomware gang posted archives containing unencrypted files, stating that they were stolen from Ubisoft and Crytek in unrelated attacks. While it has not been confirmed if the attack against Ubisoft is legitimate, BleepingComputer has confirmed that Crytek suffered a ransomware attack.

In addition to encrypting the devices, the Egregor gang claims to have stolen unencrypted files from Crytek and leaked a 380MB archive on their data leak site. This leaked data includes files related to WarFace, Crytek’s canceled Arena of Fate MOBA game, and their network operations. Egregor ransomware also claimed to have breached Ubisoft’s network and stolen unencrypted data, including the source code for the upcoming Watch Dogs: Legion game. As part of this leak, Egregor has posted a 20MB archive containing game assets the ransomware gang says are part of Ubisoft’s Watch Dogs game.

None of these game assets, though, prove that they were actually stolen from Ubisoft, and could easily have been obtained elsewhere. Security researcher MalwareHunterTeam has told BleepingComputer that they have been trying to warn Ubisoft for almost a year that their employees have fallen victim to phishing attacks, but never received a response. Our emails to Ubisoft remain unanswered as well.

There also seem to be a lot of Zerologon attacks happening right now.

One of the most critical Windows vulnerabilities disclosed this year is under active attack by hackers who are trying to backdoor servers that store credentials for every user and administrative account on a network, a researcher said on Friday. Zerologon, as the vulnerability has been dubbed, gained widespread attention last month when the firm that discovered it said it could give attackers instant access to active directories, which admins use to create, delete, and manage network accounts. Active directories and the domain controllers they run on are among the most coveted prizes in hacking because once hijacked, they allow attackers to execute code in unison on all connected machines. Microsoft patched CVE-2020-1472, as the security flaw is indexed, in August.

On Friday, Kevin Beaumont, working in his capacity as an independent researcher, said in a blog post that he had detected attacks on the honeypot he uses to keep abreast of attacks hackers are using in the wild. When his lure server was unpatched, the attackers were able to use a powershell script to successfully change an admin password and backdoor the server. In an interview, Beaumont said that the attack appeared to be entirely scripted, with all commands being completed within seconds. With that, the attackers installed a backdoor allowing remote administrative access to devices inside his mock network.

“The takeaway for me is attackers are spraying the Internet to provide backdoors into unpatched Active Directory systems in an automated fashion,” Beaumont told Ars. “That isn’t great news. It’s not super sophisticated, but these attackers are doing something effective – which is usually more problematic.” Friday’s findings are the most detailed yet about in-the-wild attacks that exploit the critical vulnerability. Late last month and again earlier this month Microsoft warned that Zerologon was under active attack by hackers, some or all of them part of a threat group dubbed Mercury, which has ties to the Iranian government.

In other security news, there’s a critical vulnerability in SonicWall VPN firewalls – which has suddenly become a very critical component of many enterprise networks during the COVID-19 panic.

A critical vulnerability in a SonicWall enterprise VPN firewall can be exploited to crash the device or remotely execute code on it, reverse engineers said this week. The stack-based buffer overflow (CVE-2020-5135) uncovered by infosec outfit Tripwire can be triggered by an “unauthenticated HTTP request involving a custom protocol handler” – and, most worryingly, could have been deployed by an “unskilled attacker.”

The biz said about 800,000 devices were discoverable through device search engine Shodan.io at the time it made its findings, which are lightly detailed on its blog. With the vuln being exploitable before authentication, anyone could send malformed requests to a target device – either causing a denial-of-service condition by crashing it, or potentially exploiting it to remotely execute code without local authentication; Tripwire says such an attack is “likely feasible.” A worm could be developed that infects a machine via the VPN and then seeks out other vulnerable devices to hijack.

Affected versions are: SonicOS 6.5.4.6-79n and earlier, 6.5.1.11-4n and earlier, 6.0.5.3-93o and earlier, SonicOSv 6.5.4.4-44v-21-794 and earlier, and SonicOS 7.0.0.0-1. The security hole is closed in these newly released versions: SonicOS 6.5.4.7-83n, 6.5.1.12-1n, 6.0.5.3-94o, SonicOSv 6.5.4.v-21s-987, and SonicOS 7.0.0.0-2 and onwards.

British Airways has been fined £20 million for its 2018 data breach, which was one of the first big hacks that came to light after the GDPR went into effect. It’s a lot less of a fine than many observers had expected.

British Airways is to pay a £20m data protection fine after its 2018 Magecart hack – even though the Information Commissioner’s Office discovered the airline had been saving credit card details in plain text since 2015. The fine, announced this morning by the UK’s data watchdog, is almost exactly at the reduced £19.8m level that BA parent company the International Airlines Group had expected back in August.

“The failures are especially serious in circumstances where it is unclear whether or when BA itself would ever have detected the breach,” thundered the ICO today. It also condemned BA’s claims during fine negotiations that credit card data breaches are “an entirely commonplace phenomenon” and “an unavoidable fact of life”.

British Airways’ internal payments systems were accessed by malicious people in June 2018, as we reported at the time. Some 380,000 people’s credit and debit card details were stolen as a result. Alarmingly, the ICO’s redacted fine notice published today revealed not only that the airline was compromised through a Citrix vulnerability but that it had been saving card details without any encryption at all – a huge no-no.

Information Commissioner Elizabeth Denham floated a £183m fine in July last year, saying at the time: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

The data watchdog said the fine had been reduced by £4m to take BA’s coronavirus financial situation into account, justifying this by pointing to IAG revenues in excess of £12bn in FY2017 – long before the pandemic tore the heart and lungs out of the air travel industry. COVID-19 and resulting government prohibitions have forced the premature retirement of BA’s iconic Boeing 747 fleet.

It’s actually worth it to read that whole story. The level of fail on BA’s part in that hack is quite staggering.

Amazon Copies Another Open Source Project

Amazon is under fire for copying open source code without giving the creator enough credit. To be honest, I don’t really see this as a big deal. If you don’t want this to happen, don’t use such a permissive license. It’s pretty simple.

On Thursday, Amazon Web Services launched CloudWatch Synthetics Recorder, a Chrome browser extension for recording browser interactions that it copied from the Headless Recorder project created by developer Tim Nolet. It broke no law in doing so – the software is published under the permissive Apache License v2 – and developers expect such open-source projects will be copied and forked. But Amazon’s move didn’t win any fans for failing to publicly acknowledge the code’s creator.

There is a mention buried in the NOTICE.txt file bundled with the CloudWatch extension that credits Headless Recorder, under its previous name “puppeteer-recorder,” as required by the license. But there’s an expectation among open source developers that a biz as big as AWS should show more courtesy.

“The core of the problem here (for me at least) is not the letter of the license, it’s the spirit,” said Nolet in a message to The Register. “It’s the fact that no one inside of AWS cared enough to stop and think ‘is this a dick move? Is this something I would want to have happen to me?’ Hence the current PR damage control campaign. They know it’s wrong. Not illegal, but wrong. Someone just had to tell them that.”

To be clear here, I don’t criticise The Register for reporting on this. I think that’s good, things like this need to be publicised. I’m just not surprised, let alone outraged by what happened. Big companies make dick moves. It’s what they do.

This is not the first time AWS has taken the work of open source developers and turned it into an AWS product. Last year, it launched Open Distro for Elasticsearch, to the dismay of Elasticsearch, a company formed to make a business out of the Elasticsearch open source project. And earlier that year it released DocumentDB, based on an outdated version of the open source MongoDB code. Many popular open source licenses allow this, but because AWS brings billions in infrastructure assets into the competition, smaller companies trying to commercialize open source projects find the challenge difficult to deal with.

Apple has Abandoned CUPS

Speaking of big companies and open source… it looks like Apple has abandoned CUPS.

The official public repository for CUPS, an Apple open-source project widely used for printing on Linux, is all-but dormant since the lead developer left Apple at the end of 2019.

Apple adopted CUPS for Mac OS X in 2002, and hired its author Michael Sweet in 2007, with Cupertino also acquiring the CUPS source code. Sweet continued to work on printing technology at Apple, including CUPS, until December 2019 when he left to start a new company. Asked at the time about the future of CUPS, he said: “CUPS is still owned and maintained by Apple. There are two other engineers still in the printing team that are responsible for CUPS development, and it will continue to have new bug fix releases (at least) for the foreseeable future.”

Despite this statement, Linux watcher Michael Larabel noted earlier this week that “the open-source CUPS code-base is now at a stand-still. There was just one commit to the CUPS Git repository for all of 2020.” This contrasts with 355 commits in 2019, when Sweet still worked at Apple, and 348 the previous year. We asked Apple about its plans for CUPS and have yet to hear back. We also note Sweet is not counting on Apple’s continued involvement.

Twitter Manipulating the Public Again, Hiding Behind a Bad Excuse

Twitter prevented users from tweeting a story that was critical of Joe Biden’s son Hunter. Even though it seems obvious that Twitter did this because that story doesn’t jibe with the company’s politics – many members of its leadership are on the record for having progressive tendencies and/or supporting the Democrats and Biden – the PR spin is that this was all about the morality and legality of posting hacked documents. What a load of bull.

Twitter has changed its policy on sharing hacked materials after facing criticism of its decision to block users from tweeting links to a New York Post article that contained Hunter Biden emails allegedly retrieved from a computer left at a repair shop.

On Wednesday, Twitter said it blocked links to the Post story because it included private information and violated Twitter’s hacked materials policy, which prohibits sharing links to or images of hacked content. But on late Thursday night, Twitter legal executive Vijaya Gadde wrote in a thread that the company has “decided to make changes to the [hacked materials] policy and how we enforce it” after receiving “significant feedback.”

Twitter enacted the policy in 2018 “to discourage and mitigate harms associated with hacks and unauthorized exposure of private information,” Gadde wrote. “We tried to find the right balance between people’s privacy and the right of free expression, but we can do better.” Twitter will thus change its hacked materials policy to “no longer remove hacked content unless it is directly shared by hackers or those acting in concert with them.” Twitter will also “label Tweets to provide context instead of blocking links from being shared on Twitter.”

This is idiotic. If I had a tenner for every time I have personally found a tweet linking to hacked material on Twitter in my almost eight years of being a professional journalist, I’d be well on my way to becoming a millionaire by now.

Twitter CEO Jack Dorsey acknowledged that Twitter handled the Post situation poorly, writing on Wednesday that “blocking URL sharing via tweet or DM with zero context as to why we’re blocking [was] unacceptable.” Today, Dorsey commented on the policy change, writing that “Straight blocking of URLs was wrong, and we updated our policy and enforcement to fix. Our goal is to attempt to add context, and now we have capabilities to do that.”

The Post’s headline on the story in question is, “Smoking-gun email reveals how Hunter Biden introduced Ukrainian businessman to VP dad.” But as the Poynter Institute’s PolitiFact noted, the emails cited in the Post article “do not establish that such a meeting ever occurred.” While Twitter blocked links to the story outright, Facebook instead reduced its distribution.

Interesting comment on that story. We’re talking about emails here. And the emails in question were pretty damn specific. Also: You do know that you can introduce people without meeting them directly these days, right? Have you heard of Zoom? Or emails?

Hangouts on the Chopping Block Next at Google

Google is killing another service. Surprise.

It’s time to talk about Google messaging again. The company’s latest blog lays out future plans for its suite of messaging services, which includes stripping features out of Google Hangouts as we head toward its eventual demise and the promotion of Google Chat to being the main messaging product.

The first bit of news in the blog post is that Google Chat will go live for consumer accounts “starting in the first half of 2021.” The service started as a business-focused G Suite app (G Suite is now called “Google Workspace”), so access to Google Chat originally required you to pay for G Suite. But in 2021, it will be free for everyone. Google says it wants a “smooth transition” from Google Hangouts to Chat, and it will “automatically migrate your Hangouts conversations, along with contacts and saved history.”

With the rise of Google Chat, Google Hangouts is going to die. Google initially announced this all the way back in 2018, and now we’re getting more details about the service’s slow shutdown and transition plans for the services that rely on it. We’ve already seen Hangouts lose location sharing and SMS support, and in the blog post, Google announced that phone calls, Google Fi support, and Google Voice support will soon be stripped away from the service.

Also Noteworthy

Other stories I’ve been reading in the last two days:

It looks like I will be very busy on Monday, so my next newsletter will probably arrive on Tuesday. Until then, I hope you have a good Sunday. Talk to you next week!


This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.