FOXTROT/ALFA: Boeing Posts Record Sales Slump, TSB Goes All-In on IBM, Trump Wants iPhone Passwords NOW!
Hello and welcome to FOXTROT/ALFA #63 for Wednesday, 15 January 2020. Hump day once again. Onwards and upwards, people!
But before I get into the tech news of the day, I would like to make a short editorial remark. Thanks to everyone who’s replied to this newsletter with feedback. It helps me immensely and it makes me happy to hear that many of you are enjoying this daily influx of me in your inbox. Especially the emails from readers saying that I help them escape their usual filter bubbles are very close to my heart, because that’s a very important public service these days, where we’re all lost in Algo-Land.
Now, if you have praise or criticism, feel free to write me. Unlike many of my other colleagues in the press, I usually don’t complain about reader comments and try to learn from them where I can. But enough meta talk, let’s have some content.
Trump Attacks Apple over iPhone Security
US President Donald Trump has attacked Apple publicly on Twitter for refusing to decrypt an iPhone that belonged to the murderer who shot and killed three US Navy sailors in Florida. Trump tweeted:
We are helping Apple all of the time on TRADE and so many other issues, and yet they refuse to unlock phones used by killers, drug dealers and other violent criminal elements. They will have to step up to the plate and help our great Country, NOW! MAKE AMERICA GREAT AGAIN.
Making America great again by somehow weakening encryption for everyone? It seems to me that, like many of his politician peers – say over here in Germany – Trump does not understand how encryption works and why it benefits everyone to not have a system where vendors can simply circumvent it on their own devices. To spell it out for you, Donald: Because if Apple can do that, the evil hackers from China can do it, too.
Further analysis from Business Insider:
Trump’s mention of “helping Apple all of the time” is an apparent reference to the iPhone maker’s negotiations with the White House over exemptions from planned tariffs on goods imported from China. Apple CEO Tim Cook has worked to develop a close relationship with Trump and his administration in an effort to convince him not to impose those tariffs, which would hurt Apple because its products are mainly manufactured in China.
Trump’s tweet comes after Attorney General William Barr said Apple had offered the FBI “no substantive assistance” in its investigation during a press conference on Monday. Apple rejected Barr’s characterization, telling Business Insider that its “responses to their many requests since the attack have been timely, thorough and are ongoing” and that it has produced “a wide variety of information associated with the investigation… including iCloud backups, account information and transactional data for multiple accounts.”
Trump and Barr have taken issue, however, with Apple’s refusal to help the FBI unlock the phones, which are password-protected. Apple has framed the issue around protecting consumers’ privacy, saying that “encryption is vital to protecting our country and our users’ data.”
Patch Tuesday Overview
This month’s Microsoft security fixes include three more remote-code-execution vulnerabilities in Redmond’s Windows Remote Desktop Protocol software. Two of the flaws (CVE-2020-0609, CVE-2020-0610) are present on the server side in RD Gateway – requiring no authentication – while a third (CVE-2020-0611) is found on the client side.
There are also a handful of remote-code-execution vulnerabilities in Office, programming screw-ups that can be exploited when the user opens a specially poisoned document file. Those include flaws in Excel (CVE-2020-0650, CVE-2020-0651, CVE-2020-0653) and one for Office in general (CVE-2020-0652).
There were half a dozen advisories released this month by Intel, including one for what Chipzilla considers a high-severity issue. That flaw, CVE-2019-14613, allows elevation of privilege by way of the VTune Amplifier for Windows software.
While you’re patching Windows, it would be wise to get the latest update for VMware Tools. That fix cleans up CVE-2020-3941, a race condition flaw that would potentially allow users to escalate their privileges within a Windows VM.
This was a relatively light Patch Tuesday for Adobe, which emitted a pair of updates to address a total of nine CVE-listed bugs. Of those, five were found in Adobe Illustrator CC for Windows. Each is a memory corruption vulnerability that, if exploited, allows for arbitrary code execution. The second patch was issued for Adobe Experience Manager. It cleans up four flaws, each allowing for information disclosure.
This month saw SAP release six bug fixes and one update to an earlier notice. Of those seven bulletins, the most serious concerns CVE-2020-6305, a cross-site scripting vulnerability in the Rest Adaptor for SAP Process Integration. Other patches include a denial of service flaw in NetWeaver Internet Communication Manager (CVE-2020-6304), and a missing authorization check in Realtech RTCISM 100.
A further note on that NSA-reported ECC-certificate vulnerability from Carnegie Mellon’s CERT:
By exploiting this vulnerability, an attacker may be able to spoof a valid X.509 certificate chain on a vulnerable Windows system. This may allow various actions including, but not limited to, interception and modification of TLS-encrypted communications or spoofing an Authenticode signature.
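The CERT note above says what the flaw lets an attacker do, but not what a defender can look for. The published guidance for that Windows ECC certificate bug was to treat certificates whose EC public key carries explicit curve parameters, instead of a named-curve OID, as suspicious, because a properly issued certificate from a public CA always uses a named curve. The script below is an added example (not code from the newsletter, from CERT or from Microsoft): a stdlib-only DER walker that classifies a SubjectPublicKeyInfo as named-curve, explicit-parameters or not-EC. The sample keys it checks are constructed in the script (the point and the explicit curve values are placeholders, structurally valid only); a real audit would feed it the SubjectPublicKeyInfo extracted from each certificate in the trust stores.

```python
"""Flag EC public keys that use explicit curve parameters instead of a named curve.

Added example with constructed sample data; stdlib only, no external libraries.
"""
from typing import Dict, Tuple

OID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
NAMED_CURVES = {
    "1.2.840.10045.3.1.7": "secp256r1 (P-256)",
    "1.3.132.0.34": "secp384r1 (P-384)",
    "1.3.132.0.35": "secp521r1 (P-521)",
}


def _read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(value: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def classify_spki(spki: bytes) -> str:
    """Classify a DER SubjectPublicKeyInfo by how its EC domain parameters are given."""
    tag, seq, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg_id, _ = _read_tlv(seq, 0)  # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid, pos = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    if _decode_oid(oid) != OID_EC_PUBLIC_KEY:
        return "not-ec"
    if pos >= len(alg_id):
        return "implicit-parameters"
    tag, params, _ = _read_tlv(alg_id, pos)
    if tag == 0x06:  # ECParameters ::= namedCurve OBJECT IDENTIFIER
        curve = _decode_oid(params)
        return "named-curve:" + NAMED_CURVES.get(curve, curve)
    if tag == 0x30:  # ECParameters ::= SEQUENCE of explicit domain parameters
        return "explicit-parameters"
    if tag == 0x05:  # implicitlyCA NULL
        return "implicit-parameters"
    return "unknown-parameters"


def needs_review(spki: bytes) -> bool:
    """True when the key should be inspected by hand before being trusted."""
    return classify_spki(spki) in ("explicit-parameters", "unknown-parameters")


# --- constructed sample data below: DER helpers plus three placeholder keys -----------

def _der(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


PLACEHOLDER_POINT = b"\x04" + bytes(range(1, 65))  # not a real curve point


def _build_ec_spki(params: bytes) -> bytes:
    alg = _der(0x30, _der(0x06, _encode_oid(OID_EC_PUBLIC_KEY)) + params)
    return _der(0x30, alg + _der(0x03, b"\x00" + PLACEHOLDER_POINT))


NAMED_SPKI = _build_ec_spki(_der(0x06, _encode_oid("1.2.840.10045.3.1.7")))
EXPLICIT_SPKI = _build_ec_spki(_der(0x30,
    _der(0x02, b"\x01")                                                    # version
    + _der(0x30, _der(0x06, _encode_oid("1.2.840.10045.1.1")) + _der(0x02, b"\x7f"))  # prime field
    + _der(0x30, _der(0x04, b"\x01") + _der(0x04, b"\x02"))                # curve a, b
    + _der(0x04, b"\x04\x03\x04")                                          # base point
    + _der(0x02, b"\x05")                                                  # order
    + _der(0x02, b"\x01")))                                                # cofactor
RSA_SPKI = _der(0x30, _der(0x30, _der(0x06, _encode_oid("1.2.840.113549.1.1.1")) + _der(0x05, b""))
                + _der(0x03, b"\x00"))

SAMPLES: Dict[str, bytes] = {"named": NAMED_SPKI, "explicit": EXPLICIT_SPKI, "rsa": RSA_SPKI}


def audit(samples: Dict[str, bytes]) -> Dict[str, str]:
    """Classify every key and return a name -> classification map."""
    return {name: classify_spki(spki) for name, spki in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        flag = "REVIEW" if needs_review(SAMPLES[name]) else "ok"
        print(f"{name:10s} {verdict:35s} {flag}")
```

The classifier only distinguishes the three legal encodings of ECParameters (namedCurve, explicit SEQUENCE, implicitlyCA NULL); whether explicit parameters actually describe a standard curve is a separate check, and the safe default for a trust store is simply to reject or manually review any certificate that needs one.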
If you use DynDNS not just for dynamic DNS services but also for domain registration, you might wanna check if your domains are still pointing at the right thing.
Customers of Oracle’s DynDNS who used the service for domain registration – rather than just dynamic DNS – have suffered a sudden involuntary change of registrar, in some cases redirecting websites to those of different companies. This comes after the enterprise giant sent out notices last month about the transfer of its Domain Registration Business to name.com.
This has not proved to be a smooth process in all cases. The email about the change apparently went astray in some cases, and in some instances (where the domain did not use Dyn’s DNS service) the nameservers were changed. “In the case of my company domain, it was pointed at some other company site,” said a Reg reader who emailed us.
In another tale of woe posted in Oracle’s user-to-user support forum for Dyn services, a user gets the message “name resolution is blocked and has been cancelled due to administrative reasons,” when logged into their Dyn account. “Try Name.com” is the response from Taylor; but once the user gets there, they are confronted with: “Sorry, but we do not have any record of this domain.”
Yet another customer took to Twitter to enquire: “Why have you stolen my domain and sold it to name.com … give it back. You’ve deleted my mx record but want to send me an email to verify ownership. Did anybody actually think this through?”
Boeing Had Only 54 Orders in 2019
After sales reached an 11-year low, Boeing is no longer the biggest airplane manufacturer in the world.
Net orders (after cancellations) last year came to just 54 aircraft. The BBC reported that in 2018 Boeing delivered 893 aeroplanes. Deliveries of new aircraft to customers halved to 380, reportedly the lowest number since 2008.
The Seattle Times, Boeing’s hometown newspaper in the US and one of the leading sources of information about the company, reported that the airframer suffered net cancellations of more than 200 737 Max aircraft during 2019, a loss of $10.6bn in order revenues. In stark contrast, Airbus scooped 662 orders for its A320neo series aircraft.
In that story, The Register is also reporting on a new problem surrounding the 737 MAX:
A raft of internal Boeing communications was released to the public earlier this week revealing just how much contempt and anguish was going around inside Boeing at the time the 737 Max was being finalised.
In among those messages, seen by The Register, are multiple specific references to a 737 Max simulator installed at London Gatwick Airport. Boeing staffers appeared concerned that the sim wasn’t going to meet its Level D certification (the highest level, necessary for the most demanding pilot training) because it wasn’t realistic enough. They also appeared worried that the sim might have been faithfully reproducing unusual control displays as would have been shown in the real airliner, potentially calling into question other aspects of the 737 Max software.
The more I read about the development and production of this plane, the more amazed and angry I get. It also becomes apparent that there wasn’t a radical re-thinking of company culture immediately after the groundings. It’s actually nice to see the market punishing Boeing for all of this, because they sure earned it.
TSB Switching to IBM and Red Hat
The British banking firm TSB is switching to a private cloud that will be built and run by IBM – for €1 billion.
The decade-long agreement will provide a much needed shot in the arm for Big Blue’s hard pressed Global Technology Services (GTS), and is designed to shore up TSB online banking services. Under the tie-up, IBM will create and host a private cloud that runs TSB’s core banking platforms with all of the infrastructure operated and managed by IBM “under supervision by TSB,” the bank said.
They’re using Red Hat’s OpenShift.
Red Hat OpenShift tech will be used to deploy on-container architecture, and new cloud native apps will be deployed, TSB added.
Why are they doing this? Well…
TSB suffered the mother of all IT meltdowns in April 2018 when it was upgrading systems and switching customers' data from former owner Lloyds Banking Group’s data centre to its new Spanish parent Sabadell.
The project was famously botched, leaving 1.9 million customers locked out of their accounts. TSB turned to IBM for help. Subsequent compensation to customers who fell victim to fraud was then paid by TSB – and the whole debacle cost CEO Paul Pester his job – and the bank £200m.
A 262-page incident report was published in November, following an independent investigation by law firm Slaughter and May, which concluded stronger oversight of suppliers was needed, and found 2,000 defects related to testing when the system went live all those months earlier.
No wonder IBM was eager to help. They’ve gotten a sweet deal for their trouble.
Some other interesting stories I found today:
- IBM, Microsoft, a medley of others sing support for Google against Oracle in Supremes' Java API copyright case
- Updated your WordPress plugins lately? Here are 320,000 auth-bypassing reasons why you should
This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.