FOXTROT/ALFA: Microsoft Buys NPM, Slack Vulnerability, Zoom Goes Down for the Count

Good evening and hello from Hamburg, where I’m indoors writing and watching UFC events all day because social life has basically been shut down. Not that this is necessarily that bad for me particularly. As a geek, I was born for a situation like this. I just imagined it to come about because of a nuclear holocaust or some similarly dramatic circumstances. The current reality is a bit more disappointing than a Ron Perlman narrated apocalypse. Anyway, this is FOXTROT/ALFA, issue 90, for Monday, 16 March 2020 and here’s what’s important in tech news today:

Slack Vulnerability

Slack has fixed a critical vulnerability that could have been used for account takeovers.

The security flaw was reported by Evan Custodio on November 14, 2019. Custodio was able to find an HTTP Request Smuggling vulnerability on slackb.com.

This form of attack tampers with the way a website or app processes a sequence of HTTP requests, typically where a front-facing service forwards HTTP requests to a back-end server; any disparity in how the two interpret those requests can lead to data leaks and the bypass of existing security controls.

In Slack’s case, the HTTP Request Smuggling vulnerability was found in an asset that could be used to force users into open redirects, leading to a CL.TE-based hijack and the theft of users’ secret session cookies. With those cookies, an attacker could compromise arbitrary Slack customer accounts and sessions.
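The CL.TE disparity described above, as an added example that is not Slack’s code or the researcher’s write-up: a strict front-end check that parses the body both ways and rejects any request whose framing is ambiguous rather than forwarding it. The sample request is constructed, `example.invalid` is a placeholder host, and the chunked parser assumes no trailer fields.

```python
"""Flag HTTP/1.1 requests with ambiguous body framing (the CL.TE class).
Added illustration, not Slack's or the reporter's code; assumes no trailer fields."""
# Constructed sample: both framing headers, a terminating zero-size chunk,
# then two stray bytes that a Content-Length parser would still count.
SAMPLE = (
    b"POST /x HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Length: 6\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n\r\n"
    b"AB"
)
CLEAN = b"POST /x HTTP/1.1\r\nHost: example.invalid\r\nContent-Length: 2\r\n\r\nAB"
def split_message(raw: bytes):
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body

def body_len_by_content_length(headers, body: bytes) -> int:
    cl = next(v for n, v in headers if n == b"content-length")
    return min(int(cl), len(body))

def body_len_by_chunked(body: bytes) -> int:
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # drop chunk extensions
        if size == 0:
            return eol + 2 + 2      # size line plus the empty trailer CRLF
        pos = eol + 2 + size + 2    # size line, data, and the data's CRLF
def framing_issues(raw: bytes) -> list:
    """Reasons a strict front end should reject the request, not forward it."""
    headers, body = split_message(raw)
    cl = [v for n, v in headers if n == b"content-length"]
    te = [v for n, v in headers if n == b"transfer-encoding"]
    issues = []
    if cl and te:
        issues.append("both Content-Length and Transfer-Encoding present")
        if body_len_by_content_length(headers, body) != body_len_by_chunked(body):
            issues.append("CL and chunked parsers disagree on where the body ends")
    if len(set(cl)) > 1 or any(not v.isdigit() for v in cl):
        issues.append("conflicting or non-numeric Content-Length")
    if any(v.lower() != b"chunked" for v in te):
        issues.append("unusual Transfer-Encoding value")
    return issues
```

For the constructed sample the Content-Length parser consumes 6 body bytes while the chunked parser stops after 5, which is exactly the kind of disagreement a front end and back end must never be allowed to resolve differently.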

Microsoft Buys NPM

GitHub (i.e. Microsoft) is buying NPM.

On Monday GitHub announced it plans to buy NPM Inc, which operates the npm repository relied upon by 12 million JavaScript developers. The deal, announced by GitHub CEO Nat Friedman and NPM co-founder Isaac Schlueter, brings another major piece of open source code infrastructure under the control of GitHub’s owner, Microsoft.

And it saves NPM from running out of money: last summer, after going through an ugly labor relations battle that involved layoffs, union-busting, the departure of key talent, and the exit of its CEO, the company looked like it might run short on cash early this year.

The npm repository hosts 1.3 million JavaScript-oriented libraries that get downloaded 75 billion times a month, popularity that has made it difficult for NPM to police its vast code holdings. Under GitHub’s roof, JavaScript developers can look forward to better vetted code components for their applications, more reliable infrastructure, and ties to GitHub’s other services.

Their goal, clearly, is to have control over as much open source code as possible. They’re doing for code what Google is doing for data. A worrying trend.

Brave Browser Submits GDPR Complaint Against Google

The privacy-focused browser startup Brave, whose browser is based on Google’s Chrome, is complaining to five European data protection agencies under the GDPR that Google isn’t transparent enough about what data it collects when Chrome browsers use the internet.

Browser-flinger Brave’s chief privacy and industrial relations officer, Dr Johnny Ryan, has written to five European data protection commissions to complain of claimed breaches of the EU’s General Data Protection Regulation (GDPR) by Google. A complaint on behalf of Ryan has been sent to the European Commission, German Bundeskartellamt, UK Competition & Markets Authority, French Autorité de la concurrence, and the Irish Competition and Consumer Protection Commission.

GDPR article 5.1 specifies that personal data shall be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.” When Ryan demanded to know what those purposes are, for his own personal data, “Google referred our client to a series of links on their website, including reference to their privacy policies,” according to a statement from Brave’s lawyers.

Note that since the GDPR covers personal data, the complaint is from Ryan himself rather than Brave.

The privacy officer and his employer consider that Google’s privacy policies are “hopelessly vague and unspecific”, despite the GDPR requirement for specificity. Second, they claimed “it is not apparent from the policy which activity, product or interaction is covered by which purpose.” They added that Google’s “policies and procedures” were spread across several links and websites, making them hard for users to identify.

Well, we’ll see if that goes anywhere. I guess it’s worth a try. Seems to be more a PR stunt on behalf of his employer than anything else, though.

Zoom Can’t Take It Anymore

Typical Silicon Valley. They promise us all these things but as soon as we actually use them, they are over capacity. This is the Fail Whale all over again. As soon as people start working from home in droves, the video conferencing goes tits up.

They knew it was coming and have been desperately building capacity – yet the flood of workers to video conferencing software has proved too much for companies like Zoom and Microsoft. This morning, with millions of Americans joining the global trend toward social distancing and working from home amid the REDACTED, demand for services like Zoom’s conferencing software and Microsoft’s Teams outstripped capacity and starting 0900 on the East Coast, outages began.

As can be seen from third-party observers like DownDetector, the problems only increased as more and more workers woke and logged into their computers to connect with co-workers. As California – the hub of tech activity in America – came online, it only got worse.

Zoom may be regretting its decision to make hay while the sun shines: all its execs, its CEO, CFO and CIO have been on a media blitz in recent days in an effort to get its name out there. They have been boasting about their low latency, network optimization, decision to remove a 40-minute limit on free accounts and even offering free video conferencing for schools.

“Zoom conquered video chat – now it has even bigger plans,” reads the headline from one over-excited publication this morning. It may prove to have been too successful at raising awareness.

By the way, “social distancing” is a dumb expression. Back in the day, we called it “asocial behaviour”. It might benefit us at the moment, but it’s still what it is. Let’s not rename things because the Zeitgeist demands it, OK?

I’m sick of seeing the very people that lambasted their employees a year or two ago for “social distancing” (or avoiding meetings, as it was called back then) tweeting about this as if it was the greatest idea ever. For years you were saying how in-person meetings are so very important and now, all of a sudden, we can all do without them? Just because looking like you’re on top of the current crisis strokes your ego more than holding meaningless monologues in front of your underlings used to back in the day? Give me a break!

Also Noteworthy

Here are some other things that might be worth a read:


This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.