FOXTROT/ALFA: Dan Houser Leaves Rockstar, Nobody Uses FTP Anymore, Debacle in Iowa

Welcome to issue 77 of FOXTROT/ALFA for Wednesday, 5 February 2020. Another hump day has been reached! And here’s what’s important in tech today:

Security Patches

Cisco is fixing a number of remote code execution vulnerabilities in devices that use the Cisco Discovery Protocol (CDP).

CDP is a proprietary Layer 2 data link protocol for gathering information about networked devices. It’s implemented in almost all of Cisco’s products, including routers, switches, IP phones, and IP cameras. Armis, the security biz that spotted the aforementioned flaws and privately reported them to Cisco, has dubbed its troublesome quintet CDPwn. The infosec outfit claims tens of millions of devices are vulnerable.

Exploiting the CDPwn flaws involves first hacking smart TVs, printers, smart lighting, video cameras, or badge readers that have been put on a segmented portion of a corporate network to isolate them from managed corporate IT gear. The assumption is that identifying and exploiting a vulnerability in one of these typically low-security, unmanaged consumer devices provides a path to exploit the CDPwn flaws and then compromise high-value devices on other network segments by breaking network boundaries.

And there’s also another “please make me root” bug in sudo.

This security hole, discovered by Joe Vennix at Apple Information Security, is only active if the pwfeedback option is enabled. This option shows an asterisk each time a key is pressed, when entering a password. The good news is that pwfeedback is generally disabled by default.

Sudo is included in macOS, but this option was not enabled when we tried it on our Catalina box. However, a few Linux distributions – seemingly Mint and Elementary OS – do enable the option. The purpose of the feature, as its name implies, is to reassure users that they are not typing into a black hole. If sudo is installed and vulnerable, any user can trigger the vulnerability, even if not listed in the sudoers list of those with sudo privileges.

If in doubt, disable the pwfeedback function and you should be fine.

FTP is Dead

Google has switched off Chrome’s ability to use FTP to download files with version 80 of the browser which has just been released. Apparently nobody is using FTP anymore. In the browser, at least.

You can still switch it back on via an option or command line flag (such as –enable-ftp) but, to be honest, why would you? Google noted that usage in the browser was so low (yes, The Chocolate Factory is watching, always watching) that there wasn’t much point in improving support.

Windows 10’s Start Menu Search is Broken

No, it’s not just you. That black screen when you use the Windows 10 search to find a program? It’s down to a problem with Bing. If only Windows 10’s start menu was usable without this search feature…

The problem, which looks like it is related to Bing (not the children’s television character), manifests itself by flinging up a large, black box where search results should be on the Windows 10 desktop. Multiple flavours of Windows 10 are affected.

The Start Menu itself appears unaffected. However, if, like us, you use the search box to get to apps - because life is too short to wade through the current attempt to make something a bit like Windows 7 to find the required program – this outage is doubly maddening. Even typing the name of a known app, such as notepad.exe, and hitting return does nothing. Sad.

Dan Houser Leaves Rockstar

One of the two brothers who founded Rockstar Games is leaving the company. Dan Houser will officially leave in March and has been on an extended leave of absence for a while, the company’s parent Take-Two Interactive has said.

Co-founder of Rockstar Games, Dan Houser, is leaving the firm he started with his brother Sam in 1998. Mr Houser was a main creative force behind two of the firm’s biggest series, Grand Theft Auto and Red Dead. Dan Houser was one of the lead writers for the Grand Theft Auto series, as well as Rockstar’s other hits, Bully and Red Dead Redemption. He also worked as a voice actor on some of the company’s projects.

In 2018, while the company was creating the award-winning and hugely successful Red Dead Redemption 2, Dan Houser told Vulture that the team was working 100-hour weeks. The comment caused a stir at a time when many game journalists and fans were beginning to discuss so-called “crunch”, where staff work to meet tight deadlines for a game’s release.

I wonder if that interview is part of why he is leaving?

The company did not announce Mr Houser’s replacement or respond to requests for further comment. Take-Two’s stock fell 5% following the announcement of Mr Houser’s departure.

The Iowa Debacle

Well, the Democrats royally screwed up their first primary. How? A very late rollout of untested technology, which turned out to be buggy. Who needs Russian hackers if you can completely screw the election up by making an ass of yourself?

It’s all so painfully familiar: with a crunch date of February 3, the Democratic Party in Iowa decided to charge ahead with an IT rollout that comprised an entirely new software system spread out across thousands of sites to record the result of the Democratic caucus for its presidential nominee. It was, inevitably, a complete failure. The results from the Iowa caucus were supposed to come in nearly 24 hours ago. Instead, it has become a rolling news cycle of tech catastrophe.

We’re not even going to bother to dig into lessons learned because they are the same ones that every sysadmin since the dawn of time has dealt with – and spends their entire career warning the suits about, to greater and lesser degrees of success.

Let’s start with the app. It was produced by a bunch of IT hotshots who have advised previous Democratic campaigns, including those used by Obama and Hillary Clinton, and set up a for-profit company called, for some reason, “Shadow.” The biz won the contract to create an app that would do a simple task: allow people on the ground to type in the result of headcounts in town halls and gymnasiums across Iowa and send them to a central processing point. All people had to do was download the app, punch in a security code – only one per precinct, of which there are 1,765 – tap in the results and hit send. What could go wrong? Lots, as it turns out.

So no training, inadequate support, a rushed rollout and a complete inability to think through the obvious resistance to new technology from those required to use the app. Anything else? Oh yes, plenty.

If you want to read all the other stuff that went wrong, The Register has the full story in all its horrible details. Of course, Trump had a field day. He probably couldn’t have planned this better if he’d tried.

Boeing 737NG Overruns the Runway in Istanbul

Pegasus Airlines had another Boeing 737 overrun the runway at Sabiha Gökçen Airport in Istanbul. Is it just me or are these Boeing crashes racking up lately? If this keeps up, nobody will trust this company before long. They’ll go bankrupt.

A Pegasus Boeing 737-800, registration TC-IZK performing flight PC-2193 from Izmir to Istanbul Sabiha Gokcen (Turkey) with 171 passengers and 6 crew, landed on Sabiha Gokcen’s runway 06 at 18:20L (15:20Z) but overran the end of the runway, impacted the airport perimeter wall and broke into three parts about 170 meters/550 feet past the runway end. An engine, that had separated, caught fire.

According to Mode-S data transmitted by the aircraft the aircraft landed long and hot, 1500 meters before the runway threshold the aircraft was descending through 950 feet MSL (corrected for local pressure, actual Mode-S reading 1500 feet)/661 feet AGL at 194 knots over ground, touched down about abeam taxiways T/F (about 1950 meters/6400 feet past the threshold, about 1000 meters/3300 feet before the runway end) at about 130 knots over ground, overran the end of the runway at about 63 knots over ground veering slightly to the left (last transponder transmission), hit the localizer antenna runway 06, went over an airport road and a cliff and impacted the airport perimeter wall.

Looks like they had a significant tailwind.

FSB Not Blocking Mailbox.org in Russia

Mailbox.org is reporting that the Russian telco overseer Roskomnadsor won’t be blocking the privacy-oriented mail provider Mailbox.org inside Russia. Mailbox.org is denying an Interfax report that claimed the Berlin company had agreed to store user data on Russian servers.

The block was pursued by the FSB intelligence service, which already had the Swiss mail provider Proton Mail blocked a few weeks ago. According to Mailbox.org, the German service doesn’t have a significant user base in Russia.

I’m kind of happy though. Mailbox.org is my mail provider (they are providing me with a free account) and I like to be able to receive mail from everyone, including Russians.

Also Noteworthy

Some other stories I’ve read that might be worth a look:

This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.