FOXTROT/ALFA: Android Bluetooth Vulnerability, GitLab Sexism, Debian Switching to Systemd Journal

Welcome to issue number 79 of FOXTROT/ALFA for Friday, 7 February 2020. This will be the last newsletter for about a week, as I’m taking a few days off. You’ll have to get your tech news from somewhere else for a bit, or just ignore it all, as I’m planning to do. Anyway, here’s what you need to know to be up to date for today.

Android Security Updates

Google has released the monthly Android fixes. The February list includes a fix for a pretty bad remote code execution vulnerability in Bluetooth, so you should probably install these as soon as you get them on your particular device.

Designated CVE-2020-0022, the flaw was discovered and reported by researchers with German company ERNW who say a fix has been in the works since November.

“On Android 8.0 to 9.0, a remote attacker within proximity can silently execute arbitrary code with the privileges of the Bluetooth daemon as long as Bluetooth is enabled,” the team explained. “No user interaction is required and only the Bluetooth MAC address of the target devices has to be known. For some devices, the Bluetooth MAC address can be deduced from the WiFi MAC address.”

While they have yet to post technical details on the flaw, they report the vulnerability allows full remote code execution in older versions of Android (8, 8.1, and 9) but is slightly less dire for Android 10, as those devices merely crash. It should be pointed out that the bug is only exposed when the device has Bluetooth in discovery mode, i.e it’s trying to find a device to pair with.

In the meantime, ERNW advises those worried about the flaw to switch to wired headphones and make sure their devices are not in discovery mode in public.

Wire headphones are the way to go anyway. Do it old-school.

Philips Hue Vulnerabilities

Philips' smart Hue lightbulbs have once again been hacked to serve as a bridgehead for hackers to get into a network.

Check Point’s researchers showed how a threat actor could exploit an IoT network (smart lightbulbs and their control bridge) to launch attacks on conventional computer networks in homes, businesses or even smart cities. Our researchers focused on the market-leading Philips Hue smart bulbs and bridge, and found vulnerabilities (CVE-2020-6007) that enabled them to infiltrate networks using a remote exploit in the ZigBee low-power wireless protocol that is used to control a wide range of IoT devices.

My brain automatically translates “smart” to “insecure” these days – for good reason.

Companies Abandoning MWC over Coronavirus Fears

More and more companies are pulling out of the Mobile World Congress (MWC) in Barcelona at the end of the month, citing health and safety issues over the coronavirus spread in China. This lead The Register to title:

“MWC now means ‘Mobiles? Whatever! Coronavirus!’ as Ericsson becomes latest to pass on industry shindig”

Pretty good headline, although the story baffles me somewhat.

The latest to fall out is Swedish comms kit provider Ericsson, a big player in 5G hardware. In a statement, Ericsson said the health and safety of employees and customers was a “top priority”.

“After an extensive internal risk assessment, Ericsson has decided to take further precautionary measures by withdrawing from MWC Barcelona 2020, the largest event in the telecom industry,” it said.

Is this an excuse for something else? Or are they going to pull the same thing for every seasonal outbreak of the flu now? I mean, I’d kinda understand if the conference was in China, where there is apparently total collapse of information channels on this, but Spain… I think you’re more likely to get infected with influenza over there at the moment. Are we now all never going out anymore?

Sexism at GitLab

The Register is reporting on some pretty egregious language used in instructions the code-hosting company GitLab gave female sales employees.

Hot on the heels of insisting “diversity and inclusion is a core GitLab value,” the code-hosting biz asked its saleswomen to wear “short but somewhat formal dress and heels” to an awards night during its sales kickoff in Vancouver next week – because the company is “trying to step it up.”

The request, which went out in an email to attendees, and seen by The Register, was cited by GitLab strategic account leader Hailey Pobanz as an example of communication that could be better aligned with the business’s stated values.

“I think it’s fine to say cocktail casual without having to denote dress code for men and women,” she observed in a public GitLab discussion post. “I personally think it’s outdated and sexist to require women to wear a short dress and heels and it doesn’t recognize non-binary individuals.”

It might be outdated and sexist, but anyone who’s been at such an event knows that’s how they work. Sex sells, there’s no getting away from that. And I doubt these people think non-binary individuals are a factor in pulling in the big sales bucks. I’m not trying to suggest this kind of thinking is OK, but it’s also very widespread. Pretending it is otherwise only changes your perception, but not the reality of the situation.

That GitLab issues thread to which Pobanz posted was started two months ago. It began as a discussion about how to make the tech upstart’s sales group more friendly to parents and, specifically, to mothers. That thread disappeared from public view on Thursday morning when someone with the company marked it confidential. GitLab insists transparency is one of its six core values.

The ill-received request for saleswomen to dress in short skirts and high heels, and employee reactions to it, prompted an apology from David Somers, director of field enablement, on behalf of himself and, Libby Schulze, corporate event manager. Separately, Schulze apologized for the email on an internal Slack channel.

The Register has asked why the thread was removed from public view and whether Schulze was the author of the email. We’ve not heard back from GitLab. A source familiar with the San Francisco business tells The Register it is common practice for male executives to have female subordinates take responsibility when things go wrong or deliver unwelcome messages.

LOL. “A source familiar with the San Francisco business”… It’s worth reading the whole story on The Register. Love their final sentence:

Whenever we hear the words “factually inaccurate” from an organization, it is usually those two words that are factually inaccurate.

Too true. GitLab doesn’t seem to be a fun place to work. Which is sad as I kind of like their service.

Debian Switching to Systemd Journal

It looks like Debian is now switching to Systemd’s journald daemon by default.

With today’s upload of systemd 244.1-2 I finally enabled persistent journal by default. It has been a long requested feature. The package will create a directory /var/log/journal on upgrades and new installs, which enables persistent journal in so called auto mode. If you decide, that you want to disable the persistent journal again, you can run: journalctl –relinquish-var; rm -rf /var/log/journal

Future package updates will respect this choice and not re-create the directory. You can, of course, also configure this explicitly via the Storage= option in journald.conf.

Depending on how it goes, I might ask the ftp-masters to lower the priority of rsyslog from important to optional, so it would no longer be installed by default on new bullseye installations. This would avoid, that we store log messages twice on disk. Users that prefer text logs can of course still install rsyslog by default (or their syslogger of choice).

The Systemd journal is controversial because a) it’s part of Systemd and b) because it creates binary files instead of text logs, which isn’t very Unix-y. Predictably, the change sparked heated discussion on the developer mailing list.

Debian was famously forked out of pushback over its switch to Systemd.

“Trump Fans” Blamed for Flooding Iowa Caucus Hotline

According to Bloomberg (obviously not the most objective source when it comes to the Democrat candidate race), Trump supporters and 4chan trolls flooded the emergency hotline used in the Iowa caucus .

Supporters of President Donald Trump flooded a hotline used by Iowa precinct chairs to report Democratic caucus results after the telephone number was posted online, worsening delays in the statewide tally, a top state Democrat told party leaders on a conference call Wednesday night.

Yeah. I’m sure that was the problem. Not the fact that the people put in charge of this by those Democrat party leaders completely fucked up six ways from Sunday.

And they did this, even though the guy who was responsible for it all had promised “a backup to the backup to the backup to the backup”. Well, looks like your genius backup theory failed. These guys are completely incompetent. But let’s pretend this is Trump’s fault. Because apparently everything is.

Snowden Seeking Longer Stay in Russia

Apparently Snowden is going to ask for Russia to extend his asylum.

Anatoly Kucherena, a Russian lawyer representing Mr. Snowden, discussed his client’s residency status during an event in Moscow, multiple regional media outlets reported.

“His residence permit will expire in April 2020, and we are working to extend it for several years,” said Mr. Kucherena, the state-run TASS agency reported in English.

Mr. Snowden, 36, has been criminally charged in the U.S. in connection with admittedly leaking a trove of classified National Security Agency material to media outlets in 2013.

The Russian government ultimately granted temporary asylum to Mr. Snowden, which was followed by Moscow issuing him a three-year residence permit in 2014 and again in 2017. However, he has spoken critically about Russia in the interim and indicated he would like to reside elsewhere. “It was not my choice to be here, and this is what people forget,” Mr. Snowden told NPR last year. “It was not my choice to live in Russia.”

Well, his alternatives aren’t great. But I hear Cape Verde is nice at this time of year.

Also Noteworthy

Some additional stories I’ve read today that might be worth a look:

It’s become a bit of a tradition here on FOXTROT/ALFA to leave you with some music for the weekend. May I recommend the soundtrack for the Netflix series The Witcher? It is excellent!


This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.