FOXTROT/ALFA: Shitrix, Alphabet Worth a Trillion, The Decline of Copyleft

Good day to you and welcome to issue 65 of FOXTROT/ALFA, my newsletter on tech and policy, with the occasional sprinkle of nerd entertainment. Today is Friday, 17 January 2020 and TGIF!

“Shitrix”: Unpatched Vulnerability with PoC Affects 25,000 Servers

Aside from that NSA-reported Windows vulnerability, there’s another bad one with a proof-of-concept exploit out there at the moment: CVE-2019-19781 is a bug in Citrix networking products.

“The vulnerability allows an unauthenticated remote attacker to execute arbitrary code on the system,” said Qualys researchers in an analysis last week. “Once exploited, remote attackers could obtain access to private network resources without requiring authentication.”

Researchers say it is extremely easy to exploit, and affects all supported versions of Citrix Gateway products and Citrix ADC, a purpose-built networking appliance meant to improve the performance and security of applications delivered over the web. A patch will not be available until late January, Citrix has announced.

Security expert Kevin Beaumont, who dubbed the vulnerability “Shitrix,” said on Twitter that the exploit PoC code means “this is going to get very messy.” According to the Bad Packets Report, over 25,000 servers globally – with the most in the U.S., Germany and the UK – are vulnerable to CVE-2019-19781.

Are Copyleft Licenses Becoming Less Common?

Copyleft licenses like the GPL are seemingly losing more and more mindshare with open source developers over time.

Permissive open-source software licenses continue to gain popularity at the expense of copyleft licenses, according to a forthcoming report from WhiteSource, a biz that makes software licensing management tools. Permissive licenses include the MIT and Apache 2.0 licenses and are known as such because the permit licensors to do more or less what they want with the covered software, with minimal caveats, and without imposing obligations like sharing code revisions.

Copyleft licenses like GPLv2, GPLv3, and LGPLv2.1 convey similar freedom, while, to put it simply, requiring that licensors not release versions or derivatives of the licensed code that restrict said freedom.

Based on its analysis of some four million open-source packages and 130 million open-source files in over 200 different programming languages, WhiteSource found that “use of permissive open-source licenses continues to rise, while usage of copyleft licenses, and the GPL-family in particular, continues to decrease.”

In 2019, 33 per cent of the software in the WhiteSource data set relied on copyleft licenses while 67 per cent of the software favored a permissive open-source license, three percentage points more than in 2018. Rewind to 2012 and copyleft licenses could be found with 59 per cent of projects while permissive licenses accompanied just 41 per cent.

This appears to be consistent with the trend against copyleft that GitHub observed in 2015.

However, there are experts who do not agree with this analysis.

Paul Berg, an open-source licensing consultant who worked previously for both Amazon and Microsoft, suggested copyleft licenses shouldn’t be counted out. And he contends that permissive licenses make a stronger statistical showing because they can be incorporated into both open-source and proprietary ventures, whereas copyleft licenses remain incompatible with entities focused on proprietary code.

“It has always been true that for integration with proprietary licensing, more permissive licenses like Apache, MIT and BSD are more popular, which is expected since those licenses do not impose many restrictions or obligations when interfacing with proprietary software, and particularly when the authors of that software do not wish to release rights to redistribute.”

“On the other side of the spectrum though, particularly in the area of cloud computing, we are seeing a resurgence of interest in extremely strong copyleft licensing, such as the AGPL, which is even less permissive than the GPL, because it has stronger guarantees that consumers of that software will remain members of the community rather than simply extend and repackage the software for their own sole benefit.”

The more salient trend, Berg argues, is simply the growing ubiquity of open source, including the full spectrum of licenses. “It is becoming fairly rare to find a company whose software is not predominantly open-source software,” he said.

How the Police Breaks Locks on Apple and Android Phones

Picking up from the iPhone unlocking story I talked about yesterday, The Register has a neat analysis on how police agencies around the world are cracking smartphone passwords.

With all the brouhaha over the FBI, like a broken record, once again demanding Apple backdoor its iPhone security, and tech companies under pressure to weaken their cryptography, how has the Scottish plod sidestepped all this and bypassed encryption?

The force is using bog-standard Cellebrite gear that, typically, plugs into smartphones via USB and attempts to forcibly unlock the handsets, allowing their encrypted contents to be decrypted and examined by investigators. This is widely used kit – sold to cops, businesses and spies around the world – and it will be set up in various police stations across Scotland.

Unlike the more secretive phone-unlocking-hardware maker GrayShift, Cellebrite is somewhat more upfront and straightforward about its products, openly boasting about its ability to bypass lock screens on iPhone and Android handsets.

The technology works in various ways: Cellebrite says for some phone models, its equipment copies a custom bootloader to the device’s RAM and runs that to bypass security mechanisms. In some other cases, such as with Android devices, it tries to temporarily root the handset. The equipment can also attempt to exploit vulnerabilities in phone firmware, including iOS, to ultimately extract data. It really depends on the hardware and operating system combination. Apple and Google tend to patch vulnerabilities exploited by this type of unlocking gear, in a security arms race of sorts.

Unfortunately, none of this should be a surprise to you. Depending on your phone model, there are various ways for the police to potentially delve into your device. As Forbes pointed out earlier this week, cops in the US last year tried to use a GrayShift product to read the contents of a locked and encrypted iPhone 11 Pro Max, according to a search warrant. It’s not clear whether the extraction was actually successful; the police paperwork merely declares a “USB drive containing GrayKey-derived forensic analysis” of the iPhone as evidence.

Still, if all this unlocking kit is out there, one wonders why the FBI and others are demanding law-enforcement backdoors in gadgets. Is it because it doesn’t always work? Or are the Feds tired of forking out wads of cash for gear made by Cellebrite, GrayShift et al, and want a cheap and easy built-in solution instead? Or both?

German Government: 128 x 128 Pixels are Enough

In a draft of new copyright legislation for Germany under the EU copyright reform that was passed last year, the government seems to be of the opinion that 128 x 128 pixels are enough to get an idea of what you are looking at in a search result. As Heise is reporting , the preliminary draft legislation posits that if anyone uses bigger images to link to certain content, they will have to acquire a license.

Apparently linking to content will be legal. Wow. How magnanimous of our legislators… Non-commercial users are apparently excepted, but because social networks usually reserve commercial rights on anything the user uploads, using larger text snippets of indeed images exceeding 128 pixels to link to, say a news story, would be illegal under this draft law.

Alphabet is Now a Trillion-Dollar Company

Google-owner Alphabet, which really is just a spin-out of Google itself to separate all the stuff they bought from the ad-and-search business, has now eclipsed one trillion dollars in its market valuation.

Google’s owner Alphabet has become a trillion-dollar company for the first time, making it only the fourth US firm to reach the bumper valuation. Alphabet’s value, based on the price of its Wall Street-listed shares, passed $1tn (£776bn) in the final minutes of trading on Thursday night, with shares closing at a record high of $1,450.16 each. It has followed its tech rivals Microsoft, Apple and Amazon over the $1tn mark.

Climate is the New Blockchain

Climate consciousness is the new blockchain. Want to make a dent with your PR announcement these days? You gotta go all-in on the climate talking points! Case in point: Microsoft’s recent announcement.

Microsoft has set itself the goal of being “carbon-negative” by 2030, nailing its colours to a so-called “moonshot” for worldwide removal and reduction of carbon. By 2050, it aims to have removed all the carbon it has emitted (either directly or through electrical consumption) since 1975.

“Moonshot” is an unfortunate turn of phrase, since some rockets have an impressively large carbon footprint of their own, and even the greatest of NASA apologists would struggle to call the Apollo programme “sustainable.”

The Redmond gang intends to use a variety of technology to get itself over the line, including reforestation, soil carbon sequestration (basically burying the stuff) and a variety of carbon capture methods. Citing the current scientific consensus, Microsoft hand-wringer in chief, Brad Smith, blogged that action was needed to avoid “catastrophic” results. Indeed, how will stockholders see a decent return if there are no humans left to buy Microsoft 365 subscriptions?

Also Noteworthy

Some other stories that you might find interesting, that I’m going to mention in passing:

…and that’s it for FOXTROT/ALFA for this week. May I leave you with some music for the weekend? This comes from my Spotify recommendations. Usually, those are utter crap, but while picking some music to write this newsletter by, I found a guy called Hayes Carll on there. He’s a singer-songwriter from Texas, who cites Dylan, Kristofferson and John Prine as his influences. And he lives up to them, I think. He’s pretty good.

See you on Monday!

This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.