FOXTROT/ALFA: French Digital Tax Gets Nixed, Data Leaks, Crazy Woman Stole Turing’s OBE

Hello and welcome to issue 69 of FOXTROT/ALFA for Thursday, 23 January 2020!

Here are the relevant goings-on in the world of technology.

Cisco Security Updates

Cisco has issued a list of 27 security advisories. One of them is rated critical.

A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) could allow an unauthenticated, remote attacker to bypass authentication and execute arbitrary actions with administrative privileges on an affected device.

The vulnerability is due to improper handling of Lightweight Directory Access Protocol (LDAP) authentication responses from an external authentication server. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to gain administrative access to the web-based management interface of the affected device.

France Buries Digital Tax Idea after “Great Discussion” with Trump

Putain de bordel de merde! At the Davos World Economic Forum, French President Emmanuel Macron has said that his country’s planned digital tax on big tech companies (most of which are American) has been scrapped for now. He says he had a “great discussion” with US President Trump and wants to “avoid tariff escalation”. In other words: Trump has probably pressured the much smaller country into submission.

Some background on the proposed tax, via The Register:

Last year, France approved a new three per cent digital revenue tax on companies with sales of 25 million euros within French borders, and/or 750 million euros globally, as a way to force Californian titans like Google, Facebook and Apple to cough up more in the countries where they make billions of dollars in revenue.

The tax was passed after a collapse in talks to introduce a pan-European version of the digital tax, in large part because the country through which the companies funnel all their European earnings and pay a tiny amount of tax on – Ireland – objected. Ireland also enlisted Sweden and Denmark, and the plans stalled. France promised to kill off its cyber-tax if Europe managed to reach agreement.

That French decision was due to come into force this year, though it became a target of President Trump, who repeatedly threatened to add trade tariffs on French goods such as wine if the tax went ahead and decried Macron’s “foolishness” for trying to impose a tax on American companies.

Data Leaks of the Day

In the US, a company that makes software for cannabis dispensaries inadvertently leaked ID card scans and purchase details of 30,000 customers to the public when it failed to secure an S3 storage bucket on AWS.

A tech biz specializing in software for marijuana dispensaries inadvertently exposed to the public internet a database containing tens of thousands of mellow Americans' personal information. The leak-busting team at vpnMentor took credit for unearthing the unprotected Amazon Web Services S3 storage bucket, owned by THSuite, a vendor that sells software to medical and recreational cannabis dispensaries to manage customer records and stay in compliance with state regulations.

The bucket was taken offline last week after it was discovered on December 24, and its insecure configuration was reported to THSuite on December 26 and Amazon on January 7, according to vpnMentor. The S3 bucket’s data belonged to dispensaries in Maryland, Ohio, and Colorado, we’re told.

In Germany, c’t magazine has discovered 10 terabytes of customer data for the rental car company Buchbinder – which claims to be the market leader in Germany (I couldn’t say, I’ve never used them). The data encompasses names, addresses and contact details for three million customers – even one or two celebrities. This has c’t claiming that the incident “has to be one of the biggest data leaks in the history of the Federal Republic” of Germany.

The data contains invoices, rental contracts, emails and photos of cars damaged in accidents reaching back to 2003. It stems from a publicly accessible SMB server that contained database backups of a Microsoft SQL Server.

Crazy Woman Stole Alan Turing’s OBE Medal, PhD Certificate and other Effects

US government agents have recovered more than 250 personal items that once belonged to British information technology pioneer Alan Turing. Turing, who invented the Turing Test and was instrumental in breaking WWII wartime cyphers used by the Wehrmacht, was famously gay and didn’t have children, but it seems a woman in the US changed her last name to Turing and claimed she was his daughter. She seemed obsessed with the deceased mathematician to the point of being crazy.

Some of the items were even hidden in a secret passage in her house. The whole story, on The Register, is an absolutely fascinating read.

Email Surveillance Laws Called into Question in Germany

A Berlin-based email provider has published its yearly transparency report on data requests by law enforcement agencies. As part of this, the company is demanding new regulation on what data authorities are allowed to request.

After the European Court of Justice decided in 2019 that Google is not a communication provider in the sense of the Telekommunikationsgesetz (TKG), which is based on EU directives, other email providers are now claiming that they don’t have to hand over data to authorities at all. But the provider cautions that the Germany-specific Telemediengesetz (TMG) still specifies that customer data has to be handed over to law enforcement agencies upon lawful requests. However, the company says they currently do not comply with requests for actual email messages, because this is only regulated in the TKG. Because all of this is confusing and both bodies of law now seem to contradict each other, at least when it comes to email providers, there should be new regulation, argue the Berliners.

I wrote the whole thing up on my blog, which might be interesting for the German speakers among you. If you want to translate the post, I’d recommend using the DeepL translation service.

Google Doubts the Tracking Protection Technology in Apple’s Safari Browser

Google, which makes Chrome, the web browser that currently has the highest market share, has published a paper that criticises the tracking protection technology used in Apple’s Safari browser.

Google security researchers have published details about the flaws they identified last year in Intelligent Tracking Protection (ITP), a privacy scheme developed by Apple’s WebKit team for the company’s Safari browser. In December, Apple addressed some of these vulnerabilities (CVE-2019-8835, CVE-2019-8844, and CVE-2019-8846) through software updates, specifically Safari 13.0.4 and iOS 13.3. Those bugs could be exploited to leak browsing and search history and to perform denial of service attacks.

But they’re not quite fixed, according to Google’s boffins. In a paper titled, “Information Leaks via Safari’s Intelligent Tracking Prevention,” authors Artur Janc, Krzysztof Kotowicz, Lukas Weichselbaum, and Roberto Clapis claim that the proposed mitigations “will not address the underlying problem.”

Browser mudfight!

The Register asked famously non-communicative Apple to weigh in. And as might be expected, we haven’t heard back.

He he. Well, no surprise there. They never answer these kinds of questions.

This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.