FOXTROT/ALFA: Internet-Connected Bins, Vodafone Spying on Your Network, Ze Germans Want Your Passworts, Ja?

Welcome to issue 82 of FOXTROT/ALFA, your daily tech and policy newsletter. Today is Wednesday, 19 February 2020 and here is the (somewhat dystopian) tech news of the day:

Internet-Connected Rubbish Bins

Literally the internet of shit: Sheffield is going to install sensors that tell the city council when the bins are full.

Sheffield authorities have enlisted four companies to help improve rubbish collection and road maintenance in the northern English city through a network of sensors. The idea is that connected sensors can inform when rubbish bins are full and need emptying, trees need watering, grit bins need refilling and the like.

Councillor Mark Jones said in a canned statement: “By investing in this new initiative, our contractors will be undertaking fewer journeys, which in turn will result in a reduction in energy consumption, pollution and congestion, whilst ensuring our streets are kept clean and our bins are emptied using a more efficient and effective approach… those who live and work in our city should see a positive impact in their neighbourhoods fairly quickly.”

Not like a dark dystopia from an ’80s cyberpunk novel at all…

Vodafone Wants to Know What Your Porn NAS is Called

Speaking of dystopia, Vodafone is spying on its customers' networks.

Seeking to improve its pisspoor customer service rating, UK telecoms giant Vodafone has clarified just how much information it slurps from customer networks. You might want to rename those servers, m’kay?

The updates are rather extensive and were noted by customers after a headsup-type email arrived from the telco. One offending paragraph gives Vodafone an awful lot of information about what a customer might be running on their own network:

For providing end user support and optimizing your WiFi experience we are collecting information about connected devices (MAC address, Serial Number, user given host names and WiFi connection quality) as well as information about the WiFi networks (MAC addresses and identifiers, radio statistics).

More accurately, it gives a third party that information. Airties A.S. is the company responsible for hosting information that Vodafone’s support drones might use for diagnostics.

One customer shared a transcript of a chat with a support minion who fingered industry watchdog Ofcom: “These changes have been done mandatory by the of-com itself, otherwise we would have surely not done that.” [sic]

We asked “the of-com” if the slurpage was now mandatory. Ofcom took a look and directed us to the Information Commissioner’s Office (ICO). The ICO told us it would “not require a company to do this”.

As well as fiddling with a customer’s home router in order to “optimise” Wi-Fi performance, the service also means the company’s agents have the tools to work out why things might be going awry. Ominously, the spokesperson added: “They also have the ability to fix them remotely.”

Remind me to never, ever get a broadband connection from Vodafone ever again, OK? If that even helps…

As for how one might avoid the slurpage, it could be tricky. In a chat transcript seen by The Register, a Vodafone support operative said there was likely no escape: “Even if you switch to other provider they will also tell you the same thing. We all providers are bound under the rules and regulations of the of-com, so even you change the provider the scenario will be the same.” [sic]

Worrying Laws Being Proposed in Germany to Combat “Hate Speech”

Meanwhile, in Germany, the government has drafted legislation that would require social network companies to give out user passwords to police or inland intelligence services if ordered to do so by a judge. The new law also includes provisions by which the government can force large providers to delete content that, by Germany’s comparatively draconian laws, is deemed “hate speech”.

The language governing the requirement to give passwords to law enforcement agencies is worded similarly to US laws coming into effect after the September 11 attacks. The legislation mentions “threats to national security” and “extraordinarily severe criminal activity”. What is worrying is language that would seemingly make it illegal to “communicate intent to commit crimes” as well as to “condone” illegal activities – which, judging by similar laws on the books, means failing to report criminal activities.

The new law also mandates harder punishments, including up to two years in prison for insulting somebody and up to three years for threatening to commit crimes like rape or the destruction of “significant property”. To put this into perspective: The current maximum penalty for actually raping somebody in Germany is five to fifteen years; it’s generally two years for destroying property.

All of the reporting I’ve seen on this, naturally, doesn’t mention how social networks are supposed to hand over these passwords. I’m guessing the politicians drafting these laws have no idea how passwords are actually stored on a server. Any social network remotely worth its salt (pun intended) will not store actual passwords and can’t recreate them from stored hashes. So I’m guessing social network companies will have to implement some kind of backdoor access portal for law enforcement agencies that gives them stealthy access to certain accounts. I totally can’t imagine that will ever be abused. At all.

All of this is being spun as a glorious win in the fight against online hate, of course.
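
To make the point about stored hashes concrete, here is an added example (not part of the original newsletter and not any social network's actual code) of salted password storage with PBKDF2. The function names, the iteration count and the sample password are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Work factor assumed for this example; real deployments tune it to their hardware.
ITERATIONS = 600_000


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, one-way derivation: PBKDF2-HMAC-SHA256 over password and salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create_record(password: str) -> dict:
    """Return what the server persists at sign-up: a random salt and the hash."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": _derive(password, salt).hex()}


def verify(password: str, record: dict) -> bool:
    """Re-derive the hash from a login attempt and compare in constant time."""
    candidate = _derive(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate.hex(), record["hash"])


def disclosable_fields(record: dict) -> list:
    """Everything the account database holds about the credential."""
    return sorted(record)


if __name__ == "__main__":
    # Constructed sample: two accounts whose owners chose the same password.
    pw = "correct horse battery staple"
    alice, bob = create_record(pw), create_record(pw)
    print("stored fields:", disclosable_fields(alice))
    print("same password, same hash?", alice["hash"] == bob["hash"])
    print("login ok:", verify(pw, alice), "| wrong guess ok:", verify("guess", alice))
    print("plaintext present in record?", pw in str(alice))
```

The record holds only a salt and a derived hash, so the provider can check a login attempt but has no password to hand over.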

Amazon Austria Raided by Police during Press Tour

Amazon Austria was raided just as a press tour was going on at one of their warehouses.

When is a really bad time to get a police raid on your business? Possibly when it happens in the middle of a press tour and that’s pretty much what happened for Amazon Austria this week. It’s hard not to feel a little sorry for them on the timing when a bus load of journalists are having a warehouse tour at their Großebersdorf facility and the police burst through the doors and block every exit to prevent any runners.

It wasn’t the cops but the Finanzpolizei, literally ‘Financial Police’, an Austrian civilian police force run by the Austrian Ministry of Finance. The core task of the financial police is to carry out targeted controls in order to detect tax evasion, social fraud and the organised black economy. It wasn’t Amazon under investigation in the police raid but the hordes of drivers working for third party companies that they were interested in. 65 Finanzpolizei officers arrived and manned all six entrances to the Amazon warehouse checking all drivers that wanted to come in or out.

It turns out that the Finanzpolizei suspicions were correct and the police raid justified as, having checked 174 employees, they found Austrian labour laws were broken in 49 cases. There were 10 instances where third party courier companies owed money totalling €185,000 to the tax man and in one case a dodgy company with 20 employees hadn’t paid any tax since May and they owed €105,000.

Apparently many drivers were supposedly part time but the reality is they work a lot more than had been declared so driver rosters with number of items delivered were seized in the raid to determine how much income tax was under declared or not paid.

I’d say it’s likely that Amazon knows exactly that this kind of thing is going on and is turning a blind eye to it because it saves them a lot of money. So no, I don’t feel sorry for them. Even a little.

The .org Domain Registry Sale Has Been Halted

Looks like the petition has changed all of our lives for the better! Unbelievable! The sale of the .org domain registry to a private equity firm has been halted.

The Internet Society’s own members are now opposing its sale of the .org internet registry to an unknown private equity firm. The Chapters Advisory Council, the official voice of Internet Society (ISOC) members, will vote this month on whether to approve a formal recommendation that the society “not proceed [with the sale] unless a number of conditions are met.”

Those conditions largely comprise the publication of additional details and transparency regarding ISOC’s controversial sell-off of .org. Despite months of requests, neither the society nor the proposed purchaser, Ethos Capital, have disclosed critical elements of the deal, including who would actually own the registry if the sale went through.

Meanwhile, word has reached us that Ethos Capital attempted to broker a secret peace treaty this coming weekend in Washington DC by inviting key individuals to a closed-door meeting with the goal of thrashing out an agreement all sides would be happy with. After Ethos insisted the meeting be kept brief, and a number of those opposed to the sale declined to attend, Ethos’s funding for attendees' flights and accommodation was suddenly withdrawn, and the plan to hold a confab fell apart, we understand.

ISOC – and .org’s current operator, the ISOC-controlled Public Interest Registry (PIR) – are still hoping to push DNS overseer ICANN to make a decision on the .org sale before the end of the month. But that looks increasingly unlikely following an aggressive letter from ICANN’s external lawyers last week insisting ICANN will take as much time as it feels necessary to review the deal.

Security Vulnerability Roundup

It’s time to patch yet again! This time, you shall patch AIX…

There are multiple vulnerabilities in IBM SDK Java Technology Edition, Versions 7, 7.1, 8 used by AIX.

…and Microsoft’s SQL Server.

SQL Server Reporting Services (SSRS) provides a set of on-premises tools and services that create, deploy, and manage mobile and paginated reports.

Functionality within the SSRS web application allowed low privileged user accounts to run code on the server by exploiting a deserialisation issue. Although the application was only accessible to authorised users, the lowest privilege (the Browser role) was sufficient in order to exploit this issue.

Get in Touch, Will Ya?

Have I missed anything important (or funny) today? If you think so, reply to this mail and tell me. You can also just tell me that you enjoy the newsletter, if you want. Or you can yell at me. Totally up to you.

Also Noteworthy

Here are some other stories you might find interesting:

This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.