The Truth is my newsletter on tech news and policy. This is an archive of the issues of week 40 of 2019.

The Truth: iOS Jailbreak, Legally Binding Email Signatures, BitLocker Switching to Software Encryption

Monday, 30 September 2019

Welcome to a new week and some fresh tech news. Today, we have a lot of security-related news items on the docket. From SIM card vulnerabilities and an iOS jailbreak to BitLocker not trusting SSD vendor crypto. In other news, you might want to be careful about using email signatures in the UK now.

After the Simjacker vulnerability there has now been another disclosure of security vulnerabilities in software pre-installed on SIM cards. Whereas Simjacker exploits vulnerabilities in the SIMalliance Toolbox Browser (S@T), the new vulnerabilities are present in a piece of software called Wireless Internet Browser (WIB). It’s pretty unlikely that you will become a target of such attacks, though, as only a very small number of SIM cards are actually vulnerable. According to the security researchers who found the issue “none of the most recent SIM cards tested show the presence of the vulnerable applications or badly chosen security settings” needed to actually attack a phone. A limited number of attacks were previously observed, mostly in South America.

In the UK, email signatures are now legally binding for contracts. At least, that’s what a court in Manchester decided. And here I was, thinking one important point of signatures was to make sure that things were read and understood and not responded to in an automatic fashion…

There’s apparently a tethered jailbreak for older iPhones and iPads in the works that Apple has no way of preventing. All devices with the A5 to A11 chips seem to be vulnerable. That means devices that are older than two years, from the iPhone 4S to the iPhone 8 and X. According to The Register, “the exploit is a first stepping stone to properly jailbreaking the aforementioned vulnerable iThings via a USB connection. What’s said to be working exploit code targeting the Boot ROM flaw is now available on GitHub. While such an exploit will be of great use to hobbyists, it can be used by cops and snoops with physical access to a device to commandeer it and install spyware, though they will need to brute-force the passcode to decrypt any private data already encrypted by iOS.” It seems Apple fixed the ability to exploit the vulnerability remotely with a patch that called the problem to the attention of security researchers. It is not quite clear why Apple cannot patch the tethered method of exploiting the vulnerability. Security researchers are recommending an upgrade: “We strongly urge all journalists, activists, and politicians to upgrade to an iPhone that was released in the past two years with an A12 or higher CPU.” From Apple’s perspective, this is a great sales pitch. Get new phones, everyone!

Apparently this allegedly “bulletproof” Cyberbunker hosting operation that was raided by German police last week was completely shut down.

Microsoft’s full disk encryption BitLocker used to use the hardware encryption features of modern SSDs, but Microsoft has now stopped trusting hardware vendors. “Now, the default is to use software encryption for newly encrypted drives. For existing drives, the type of encryption will not change”, says Microsoft in their documentation. Apparently, this change was made because hardware vendors made lots of mistakes implementing their hardware encryption. So far there hasn’t been any reporting on how switching from hardware to software encryption impacts performance on these drives. Heise says (German) that modern CPUs have hardware support for AES primitives which would speed up the underlying crypto operations used by Microsoft’s software implementation and speculates that the performance impact would be “very slight”. They do not, however, back this up with hard data.
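Since existing drives keep whatever mode they were encrypted with, here is an added audit script (not from the newsletter or from Microsoft) that flags volumes still relying on the SSD’s own encryption; it assumes the BitLocker PowerShell module on Windows 10 and an elevated session.

```powershell
# Added example, not from the original post: find BitLocker volumes that still
# use the SSD's built-in (self-encrypting drive) mode rather than Microsoft's
# software AES implementation. Assumes the BitLocker module and admin rights.

function Get-HardwareEncryptedBitLockerVolume {
    [CmdletBinding()]
    param()
    # EncryptionMethod reports 'Hardware' when BitLocker handed the crypto to
    # the drive itself; XtsAes128/XtsAes256 etc. mean software encryption.
    Get-BitLockerVolume |
        Where-Object { $_.EncryptionMethod -eq 'Hardware' } |
        Select-Object MountPoint, VolumeType, VolumeStatus,
                      EncryptionMethod, ProtectionStatus
}

function Show-BitLockerEncryptionReport {
    [CmdletBinding()]
    param()
    $all = Get-BitLockerVolume
    foreach ($vol in $all) {
        $mode = if ($vol.EncryptionMethod -eq 'Hardware') { 'HARDWARE (drive firmware)' }
                elseif ($vol.EncryptionMethod -eq 'None') { 'not encrypted' }
                else { "software ($($vol.EncryptionMethod))" }
        Write-Output ("{0,-6} {1,-12} {2}" -f $vol.MountPoint, $vol.VolumeStatus, $mode)
    }
    $legacy = @($all | Where-Object { $_.EncryptionMethod -eq 'Hardware' })
    if ($legacy.Count -gt 0) {
        Write-Warning ("{0} volume(s) still trust the SSD vendor's encryption." -f $legacy.Count)
    }
}

Show-BitLockerEncryptionReport

# Remediation is manual and slow: the default change only affects newly
# encrypted drives, so a hardware-encrypted volume has to be fully decrypted
# and encrypted again. With the Group Policy
# "Configure use of hardware-based encryption for fixed data drives"
# (Windows Components > BitLocker Drive Encryption > Fixed Data Drives)
# set to Disabled, the sequence for a data drive D: is roughly:
#   Disable-BitLocker -MountPoint 'D:'      # wait until VolumeStatus is FullyDecrypted
#   Enable-BitLocker  -MountPoint 'D:' -EncryptionMethod XtsAes256 -RecoveryPasswordProtector
# Back up the recovery key before touching the OS volume.
```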

NASA head honcho to Elon Musk: Nice polished phallic Starship you have there. But what about getting crew to the ISS like you promised us? As The Register points out, he isn’t being entirely fair, though, as the delays are also Boeing’s fault, too.

Tuesday, 1 October 2019

Today on The Truth: PDF encryption is busted, German cookie regulations aren’t strict enough for the EU, Samsung Galaxy S4 buyers are getting some money and Stack Exchange is embroiled in a gender war. Oh yeah, and F-35s might not be as easily uncloakable as has been reported elsewhere.

There’s a security vulnerability (CVE-2019-16928) in the Exim mail transfer agent that allows remote attackers to crash the server and might even be used to execute malicious code. “All versions from (and including) 4.92 up to (and including) 4.92.2 are vulnerable”, report the developers. Better download and install the fixed version 4.92.3 as soon as possible.

Remember that vBulletin zero-day? If you run such a forum, you better patch fast. You don’t want to end up like security vendor Comodo. They advertise a “breech proof” operation over there but forgot to update their vBulletin forums – which were hacked, putting the data of around 245,000 users at risk.

Well, here’s something we knew already: PDF encryption is not secure. It’s pretty broken: “During our security analysis, we identified two standard compliant attack classes which break the confidentiality of encrypted PDF files. Our evaluation shows that among 27 widely-used PDF viewers, all of them are vulnerable to at least one of those attacks, including popular software such as Adobe Acrobat, Foxit Reader, Evince, Okular, Chrome, and Firefox.”

If you’ve ever bought a Samsung Galaxy S4 – a phone that originally came out in 2013 – you can apply to get about $10 from Samsung. This is because the manufacturer has just settled a long-running class-action lawsuit in the US. The whole thing will cost the company $13.4 million, $1.5 million of which will go to the winning lawyers. As The Register recaps: “The case was brought back in 2014 when testers revealed that Samsung appeared to be cheating on benchmark tests – frequently used to compare the speeds of different phones in reviews – by adding source code that detected whether a benchmarking app was running on the phone, and if so, ran the phone at a faster speed (532MHz rather than 480MHz).”

Great. The German solution of letting websites store cookies on a system if the website simply tells the user this is happening is illegal under European law, the European Court of Justice has decided. That means users have to explicitly opt in if a website wants to save cookies in their browser. Which means more obnoxious cookie warnings on websites.

Apparently Stack Exchange is changing its code of conduct (CoC) to require its users to stick to the pronouns someone specifies for themselves. In other words: If you refuse to call a person by the pronouns they want to be called by, they can throw you off their platform. You’re not even allowed to use the neutral they/them if the person in question has specified other pronouns. This CoC change has not been made public yet, but it seems a Stack Exchange moderator has already been removed because she objected to this. As a result, about 20 of the platform’s volunteer moderators have resigned or suspended their work. As The Register points out, this all seems to stem from a deluded advocacy group called Gay, Lesbian & Straight Education (GLSEN) which is of the opinion that a person can mandate how other people address them and that any deviation from that should be punishable.

Sony is reducing the price of its PlayStation Now gaming subscription: “The company announced today that the monthly subscription price is dropping to $9.99 a month, compared to the previous price of $19.99. Quarterly pricing will be $24.99 (down from $44.99), while the annual price will be $59.99 (down from $99.99).” They are also adding Grand Theft Auto V, God of War and Uncharted 4 to the service.

It’s been reported that a German radar manufacturer tracked two F-35 stealth jets for 150 kilometres after an airshow in Berlin in 2018. The company makes a passive radar system called TwInvis that uses reflections from electromagnetic emissions by commercial sources like cell and broadcast towers to track its targets. The Aviationist calls the validity of the test into question, though, as the planes were not in stealth mode at the time – being equipped with radar reflectors and transmitting their position voluntarily via ADS-B transponders. In any case, “the technology is not yet accurate enough to guide missiles, though it could be used to send infrared-homing weapons close to a target.”

The Truth: Ugly Surface Earbuds, Windows 7 Forever, Google Maps Not-So-Incognito-Mode

Wednesday, 2 October 2019

Good evening! You might be wondering why I sound a bit grumpy writing today’s newsletter. I’m not, really. It’s all the dumb shit that gets reported that’s the problem: Windows 7 extended support, Microsoft’s ugly earbuds, Google Maps incognito mode, it just goes on and on with the nonsense. But don’t take my word for it, check it out for yourselves.

Yesterday we learned that PDF encryption is busted (again). As if that wasn’t bad enough, there’s a bunch of remote code execution vulnerabilities in the PDF reader Foxit – if you Usit, Patchit.

“The new Surface Earbuds are Microsoft’s first truly wireless earbuds” – sometimes, I hate this job. I mean, seriously? That’s the level of technology reporting these days? “Microsoft is introducing a new pair of wireless earbuds to join the company’s noise-canceling headphones. The Surface Earbuds are tuned for both music and voice performance – Microsoft is pitching them as a must-have Office accessory with dictation and excellent call quality. Each earbud has two microphones built in, which aid in noise reduction when you’re speaking into them.” Typical The Verge spin on the fact that Microsoft – after Google, Apple and Amazon – is now also moving into the we-spy-on-you-oh-look-a-shiny-feature market. The things make you look like an idiot. It’s hard to believe, but I think they look even worse than Apple’s oh-I-forgot-my-toothbrush-head-in-my-ear-this-morning design. And won’t be more usable than any old in-ear headphones on a cable. Which are cheaper. And won’t spy on you. What’s wrong with these people?

There are still consumers, and businesses, who insist on running Windows 7. I will never understand why. Even with all the privacy nightmares in Windows 10, it’s still miles ahead of its predecessor – I mean, it’s not really worth mentioning Windows 8, is it? Anyway, if you’re one of these people and if you are indeed part of a business, you will be able to run that ugly piece of crap for three more years after support ends early next year. For a hefty price. Microsoft only tells you how high a price if you explicitly ask for it, which makes it clear that it’s expensive indeed. Furthermore: “The cost will increase per year, because Microsoft really wants those users to make the move.” Consumers will have to switch come 14 January 2020, or face getting owned, in the absence of security updates, as soon as the first big new vulnerability rolls around.

Google is rolling out “incognito mode” for Google Maps. The idea is that it won’t store your data in your Google account. This is mostly bullshit though, as location data on its own is in many cases enough to identify a person. Google doesn’t have to connect it to your Google account to know who you are. They just need to store the location data. Even unconnected from personally identifiable information, they still can, in many cases, figure out who the person moving along the map is. They know where you live and where you work. Where you go to the gym, where you go shopping and where you meet your friends. And they know when you do these things normally. So in many cases they just need to compare a GPS track to data like this and they can figure out to a very high degree of likelihood whose data it is – even after the fact, from “anonymised” records. This is why, to spooks, metadata is worth almost as much as actual data. We know this, especially since Snowden.

The Windows Insider programme is now five years old. This marks the moment Microsoft finally woke up to a practice open source projects had been using for decades: Let willing early adopters test your broken software for free before you launch it properly. Microsoft has been using this technique to great success ever since. The Register has a handy Top 5 recap of the programme’s greatest innovations. My favourite highlight only gets a side mention: When they replaced tell-it-as-it-is nerd Gabe Aul with influencer fashion icon Dona Sarkar.

After 14 years of giving up on proper flight simulations, Microsoft wants to release Flight Simulator 2020 next year. To play it, you have to have an always on internet connection. Because they’re streaming in the landscapes from the cloud – 20,000 Blu-ray discs worth of data. It certainly looks very pretty. I believe that it flies better than X-Plane when I’ve tried it myself.

What else is Microsoft spending their time and money on? A bot powered by machine learning that generates fake comments on news articles. I shit you not. That’s what Microsoft is apparently focusing on these days. Because that’s exactly what we all need. Luckily, I have no comment function on my blog. And don’t you go answering this email, alright? Just joking, I’m always happy for feedback on my work.

The Truth: Another “Bulletproof” Hoster Goes Down, Microsoft Android Phone, Police Tesla Runs Out of Juice

Thursday, 3 October 2019

Today is a bit light on relevant tech news, not sure why that is. After all, it’s only a holiday in Germany and the rest of the world shouldn’t be affected by people not working. Anyway, I nonetheless found a handful of interesting stories for you. As always, I’m reading all the nonsense so you don’t have to.

Police in the Netherlands have taken a “bulletproof” hosting provider in Amsterdam offline, in the process of which they also took down two large Mirai botnets. Mirai is a strain of denial of service malware that originally was written as part of a script kiddie war over Minecraft servers and has become one of the biggest DDoS threats on the internet. It’s currently not known if this raid was connected to a raid by German anti-terrorism unit GSG 9 on a similar hosting operation at a former NATO bunker in Traben-Trarbach last week. The “bulletproof” hoster in Germany was also operated by a Dutch company.

Microsoft is producing an Android phone, which is meant to hit the market at Christmas of 2020. It’s foldable, but unlike the broken device that Samsung can’t make work, it’s just two screens with a hinge. Microsoft is “partnering with Google to bring the best of Android.” As The Register points out, this is quite the move for Microsoft who was fighting tooth and nail against Android and Linux until very recently: “This comes after Microsoft extracted billions of dollars in patent royalty payments out of Android makers, until recently, and is about to finally bring the axe down on its family of mobile Windows operating systems. And this is Android powered by Linux, the open-source kernel that Redmond now apparently loves after earlier declaring it a cancer. Quite a turnaround.” At least they’re giving up on their deluded idea to make Windows work on phones.

Meanwhile, Huawei is continuing to chafe under Trump’s trade war. Their newest flagship phone, the Mate 30, has to make do without Google services and apps on its Android operating system. There was a workaround, CNet somewhat sloppily labels it a “backdoor”, to install these apps on the phone but that seems to have come to an end. “Security researcher John Wu outlined the process that let Huawei Mate 30 owners manually download and install major apps Google Maps and Gmail. This method, which used an app called LZPlay, apparently no longer works, and Bloomberg reported that only Google is able to make that kind of change.” Well, if Bloomberg say it, it must be true, I guess…

It seems the trade war is also affecting the purchasing decisions of gamers, with sales of powerful gaming PCs being on the rise. According to market analysts from IDC, “shipments of gaming rigs staged something of a comeback in the second quarter of 2019 as retailers sought to avoid potential trade tariffs on machines bought in China and imported to the US.”

I hope you’re not using Bitbucket for development. If you are, you probably haven’t gotten much work done recently. The Register is reporting on a hefty outage: “Git and Mercurial, separate software version control applications supported by Bitbucket, began misbehaving on around 2241 UTC on Monday, September 30, according to the company’s status page. Within about two hours, early Tuesday, October 1, the incident was resolved, only to see more problems accessing git via HTTPS about ten hours later. The fix arrived in about an hour. And then both git and Mercurial became inaccessible via HTTPS for another three hours, with service restored at 1912 UTC. By 0928 UTC, Wednesday, October 2, git and Mercurial access over HTTPS has failed again. About two hours later, the problem is resolved. Except it’s not. Come 16:17 UTC on Wednesday, the Bitbucket reports still another service disruption that lasted another three-plus hours.” Developers aren’t happy and are currently busy ripping the Australian service provider a new one on social media platforms.

A Silicon Valley police officer nearly lost a suspect because his Tesla was running out of juice. The Fremont PD officer radioed his colleagues to report “I am down to six miles of battery on the Tesla, so I may lose it here in a sec. If someone else is able, can they maneuver into the No. 1 spot?” As the venerable New York Times reports, “it wasn’t the car’s fault.” No shit. Since cars can’t think (at least not yet, thankfully) one would have to blame whoever got the idea of buying Teslas as squad cars. But hey, apparently it’s the fastest car they’ve got and it handles very well in pursuits. One can only imagine how Harry Bosch feels about this.

The Truth: Android Zero-Day, The Feds Say Pay Ransomware If You Must, Oracle on a Fishing Expedition

Friday, 4 October 2019

Welcome to The Truth, we wrap up the week with a zero-day in Android, the FBI changing their stance on ransomware (again) and Oracle wanting money for software from someone who isn’t running it. Read all about it here.

There’s a zero-day in Android: “Attackers are exploiting a vulnerability that can give them full control of at least 18 different phone models, including four different Pixel models, a member of Google’s Project Zero research group said on Thursday night.” Apparently it’s being used by notorious Israeli spyware-for-hire developers NSO Group, probably to spy on people. The company is denying this, of course. According to Ars Technica, the “exploits require little or no customization to fully root vulnerable phones.” Google reportedly wants to fix this in the October security update for Android that should be arriving in a few days. As usual, no telling when these patches land on non-Pixel devices.

Cisco has issued software updates to mitigate 18 security vulnerabilities in its ASA, FMC and FTD software. All of the vulnerabilities are given a “high” impact rating; the highest CVSS Base Score listed is 8.8.

At the dawn of the global ransomware wave, the FBI made headlines by telling victims to “just pay” the ransom demands because in most cases, so they said, that would be your only hope to get your data back. If you didn’t have backups, that is. Cottoning on to the fact that this meant more people would be paying criminals, which in turn would mean the criminals’ business would flourish, which would then mean more ransomware, the FBI later reversed this stance and told people to never pay the ransom demanded by the criminals. It seems they have, again, reconsidered: “The Bureau has posted an updated version of the guidance it offers for companies on how to handle ransomware demands with a section discussing the option of paying the hackers to get data decrypted. In short, the FBI still says that companies should not cave to hacker demands and pay to have their data unlocked, but the bureau acknowledges that paying is an option.”

PostgreSQL 12 has been released. Headline features include better performance, the ability to rebuild database indexes concurrently, improved authentication via SSL and more.

Oracle wants $12,200 from a UK company for using the VirtualBox Extension Pack. Here’s the kicker: The company says it’s not using any of Oracle’s products. “Oracle provided the company with a range of IP addresses, more than 100, that it claimed had been using its proprietary VirtualBox Extension Pack in conjunction with VirtualBox installations.” Apparently the company owns the IP range, but since it’s a network service provider, some of the IPs are used by its customers. Oracle, it seems, doesn’t care and hasn’t gotten back to the company or The Register, which is reporting on this story, with an explanation. There’s suspicion that this is all a “fishing expedition” by Oracle to get data on the people who are actually using those IP addresses. It seems that Oracle’s proprietary extension to the GPL-licensed VirtualBox hypervisor is phoning home.

Magecart, a type of malware that is embedded right into vulnerable online shop software (often from software provider Magento) and skims credit card or other payment information at the point of sale, is still going strong. In a recent survey, security researchers found 573 different command & control server domains receiving data from almost 10,000 compromised hosts. They found more than two million different instances of Magecart-style malicious JavaScript. So the next time a credit card of yours gets compromised, you know how it most likely happened.

Well, that’s The Truth for this week. See you for the next edition on Monday. Until then, enjoy the weekend! In honour of Android, here’s your weekend song: Zero Day by MC Frontalot.

Header image credit: Marcus P.
Additional image credit: Amazon Prime Video