The Truth is my newsletter on tech news and policy. This is an archive of the issues of week 41 of 2019.



The Truth: Signal and WhatsApp Vulnerabilities, Red Dead Redemption 2 Comes to the PC, Iranian Attacks on Office 365

Monday, 7 October 2019

Welcome to another week of tech news – I read it all, so you don’t have to. You only get the stuff that matters right to your inbox. Today, we have some security items, some gaming stuff and Brexit domain news (sort of).

There’s a security vulnerability in Signal for Android that allows attackers to call without you noticing, which means they can spy on you. It’s been patched in version 4.47.7. The iOS version is immune to it because of another bug. It seems, in this case, two wrongs do make a right.

WhatsApp on Android also has a vulnerability that allows local privilege escalation and remote code execution, all by sending the victim a manipulated GIF image. “The exploit works well for Android 8.1 and 9.0, but does not work for Android 8.0 and below.” It’s fixed in WhatsApp version 2.19.244.

Iranian attackers have tried to breach more than 241 different Office 365 accounts, according to Microsoft. These accounts “are associated with a US presidential campaign, current and former US government officials, journalists covering global politics and prominent Iranians living outside Iran”, The Register reports. Only four of these accounts were actually broken into. The attackers’ MO seems to have been to gather information on their targets, break into other accounts of theirs and then prompt a password reset for the Microsoft account, intercepting the resulting emails using those other accounts. In other words: Standard script kiddie stuff.

To not make spies working for the US government jump through the same hoops, the old “outlaw end-to-end encryption” horn is being tooted again. What the US government calls “lawful access” actually amounts to letting the government see everything you do online. Their argument for this? Child porn, of course. As a US deputy attorney general explains: “Outside the digital world, none of us would accept the proposition that grown-ups should be permitted to mingle in closed rooms with children they don’t know in order to groom them for sexual exploitation.” My response to this: Outside the digital world, none of us would accept the proposition that a US government official follows us around 24/7. Standing in the corner and looking over our shoulder in our bed- and bathrooms, watching everything we do.

Red Dead Redemption 2 is finally coming to the PC. Just about a year after its initial release, so it seems their console exclusivity deals were for a year, then. It’s out on 5 November at the Epic Games Store, Greenman Gaming, the Humble Store, GameStop, and “additional digital retailers”. Steam users will have to wait for December, Rockstar hasn’t said why.

Meanwhile Sony is now allowing all game developers to have PS4, Xbox and PC gamers play together. Why has this not always been a thing? Probably because PC gamers are just inherently better at many games because they possess this great technological marvel called “the mouse”…

If your VMware installation is broken on Windows 10, it’s not you, it’s Windows: “The culprit seems to be KB4517211, which upgrades Windows 10 to build 18362.387. Although not mentioned in the knowledgebase, this update adds entries to the Windows Compatibility database, the result being that attempting to run VMware Workstation 14 or below gives the message ‘VMware Workstation Pro can’t run on Windows’.”

In a study, researchers found that blindly copying and pasting code from Stack Overflow is bad. Well, d’oh! The unanswered question is: Would the code be better if these people, who obviously can’t code without the help, tried on their own?

If you’re a UK citizen and you own a .eu domain, you might lose it. Or it may cease to function as of 30 May 2019. Or not. Is Brexit happening? Does anybody know? The BBC seems as confused as anyone (audio). Just get a proper .co.uk domain, will ya? That’s probably the safest way to go.

The Truth: Adobe Woes on macOS, Ongoing Stack Exchange Brouhaha, PlayStation 5

Tuesday, 8 October 2019

Good evening and welcome to The Truth once again. A lot is happening at the moment. There’s another patch for vBulletin, macOS is having issues with Adobe software, Stack Exchange is trying to placate its community, Dona Sarkar has quit the Windows Insider programme and Atari’s VCS console is dead in the water.

There’s a new patch for beleaguered forum software vBulletin. The developers have fixed a security issue with users’ avatars this time. The software has been under attack everywhere since an anonymous researcher dropped a zero-day vulnerability for it two weeks ago on the Full Disclosure mailing list. The newest versions are: 5.5.2 Patch Level 2, 5.5.3 Patch Level 2 and 5.5.4 Patch Level 2.

The latest macOS, version 10.15 “Catalina”, is out and it’s causing some problems because 32-bit programs won’t run anymore. That is especially a problem for people using older Adobe software because they do not want to switch to the cloud subscription model. But even some newer Adobe apps seem to be suffering from issues due to this.

In other Adobe news, the company is pulling the plug completely for customers in Venezuela. This is because President Trump’s Executive Order 13884 has banned all trade with the country, prompted by the disputed presidency of Nicolás Maduro.

The CTO of Stack Exchange has apologised to the community for mishandling a pending code of conduct change that saw a moderator, Monica Cellio, removed for using gender-neutral pronouns for another member of the community instead of their preferred pronouns. The whole thing led to a community revolt, which I had written about last week. By now, 600 moderators have resigned. This is the second time the company is apologising for the incident. When their director of community did the same thing last week, her post was downvoted 1394 times. To recap: “Cellio had questioned the requirements of Stack Exchange’s revised-but-not-yet-published Code of Conduct (due out Thursday), which as we understand will require the use of community members’ declared pronouns to avoid misgendering people. But rather than discuss this policy, the company determined that Cellio’s reticence represented a Code of Conduct violation and withdrew her moderator status.” According to The Register’s article on this, there’s more amiss in that community, though.

The PlayStation 5 is coming for Christmas of 2020. Wired has some details.

Starting with Chrome 79, Google’s browser will slowly move to blocking images, audio and video served over HTTP in websites served over HTTPS.

There I was, also last week, joking on how I find it hilarious that Microsoft’s insider programme is led by a fashion influencer, and suddenly, she quits: “Windows Insiders celebrated five years of the programme with the sudden ejection of its boss, Dona Sarkar, to cloudy pastures new. Sarkar oversaw the programme during some of the lowest points in the history of Windows quality, although to be fair the organisational issues that led to last year’s catastrophic October 2018 Update were in place long before she was handed Gabe Aul’s Big Red Button. The scurry to developer advocacy comes just as Microsoft is gearing up to push Window 10 19H2 out to end users, likely at some point this or next month.” The Register has the inside scoop: “One anonymous Windows Insider MVP who spoke to us wasn’t particularly surprised, telling The Register they’d ‘had the inkling she was hankering for a dev role.’ Certainly, Sarkar had invested much time and energy in developer outreach during her time in the Insider programme. Perhaps too much as it turned out. A favourite phrase of Sarkar’s is ‘Do The Thing’. An unkind observer who has had to endure the decline in Windows quality over recent years would probably have pleaded for that ‘Thing’ to be replaced by ‘Testing’.” Hehehe… The Register hitting the nail on the head, as usual. Apparently they haven’t decided who will replace her yet, but maybe someone who’s more in tune with the typical Windows crowd would be a good idea.

It very much looks like Atari’s retro console VCS is dead. The guy who was designing it has quit as Atari hasn’t paid him in over half a year. “It is unclear whether Atari will be able to complete its beleaguered project without Wyatt. It only received a prototype motherboard last month, and Wyatt and his team were in the middle of debugging it before deciding to draw stumps and quit. The task of finalizing the hardware will likely fall to SurfaceInk, another company that Atari has contracted to complete the console. SurfaceInk has not responded to multiple requests for comment.”

Saturn now officially has more moons than Jupiter. With 20 new Saturn moons having been discovered, the gas giant now stands at 82 – compared with 79 moons in the Jovian system. I guess they need to rewrite some parts of The Expanse books now…

The Truth: Patch Tuesday, SUSE Quitting OpenStack, HP Needs a New Way to Sell Printers

Wednesday, 9 October 2019

Hump day! If you’re a Windows admin, you’re probably busy patching systems. For everyone else, here’s what happened in the tech world since the last newsletter:

Yesterday was the second Tuesday of the month which, as usual, means lots of patches to install. Microsoft has fixed 59 vulnerabilities in Windows, Office, Edge and Azure. Nine of them are rated critical, including CVE-2019-1372, which allows the users of Azure virtual machines to execute code on the host machine itself. Remote code execution and privilege escalation in one! CVE-2019-1327 in Office allows attackers to take over a victim’s machine by getting them to open a manipulated document. The Register has details on many of the Microsoft patches here.

Adobe, for once, has not published any updates for Patch Tuesday.

SAP, however, has released fixes for eight vulnerabilities in NetWeaver, SQL Anywhere, BusinessObjects and other products. Two of these vulnerabilities have a CVSS rating that exceeds 9.

German Linux company SUSE is getting rid of its OpenStack commitment. It’s a bit of an unexpected move, The Register explains: “Coming less than a month before OpenStack’s Shanghai Open Infrastructure Summit and a scant few since SUSE released Cloud 9, chock full of OpenStack Rocky goodness, the move will raise a few eyebrows. Not least those of Matthew Johns, the outfit’s product and solutions marketing manager for Cloud Solutions, who had cheerfully posted a blog just over a week earlier on how to upgrade OpenStack.” For a long time, SUSE was one of the primary forces behind OpenStack. “SUSE is a founding member and platinum sponsor of the OpenStack Foundation and was the first to launch a commercially supported OpenStack distro in 2012, based on the Essex release. Seven years on, the party is over.” It looks like they are now moving towards Kubernetes instead.

Printers, like razors, are famous for a business model that involves selling the main device at a loss and making money by selling a consumable – in the case of the printer, this would be ink cartridges. Apparently, this business model doesn’t work anymore for HP, one of the biggest printer manufacturers: “HP is overturning a print sales model that helped it amass billions in profits over the decades but is now challenged by rival supplies makers luring customers with cheaper ink and toner cartridges.” They are now shifting more and more to selling printers that come preloaded with years’ worth of ink or toner. The big question here is if that will work. After all, what is stopping other companies to do the same with those bigger tanks that they did with the smaller cartridges? “HP did not explain how it will ensure its locked printers only accept its own-branded supplies; supplies cloners and re-manufacturers have reverse-engineered cartridge smart chips for more than a decade.”

Twitter gave advertisers access to private information of its users by accident. Email addresses or phone numbers entered for security purposes could thus be used to target ads. Yes, they are really saying that this happened by accident. I wonder if all the money they made from this was an accident, too?

Response to Twitter Oopsie

Blizzard has suspended a Hearthstone pro after he voiced his support for pro-democracy protesters in his home province of Hong Kong in an interview. The pro, known by the handle Blitzchung, is now banned from the digital CCG for a year and had his winnings cancelled. Blizzard is partly owned by Tencent, a Chinese company, and the protesters advocate for independence from China. “Fuel Games, developer of rival card game Gods Unchained, tweeted Tuesday its support for Blitzchung and said it’ll pay ‘all of his lost winnings.’ The developer will also invite him to its $500,000 tournament.” This stuff isn’t unprecedented in the CCG world. After Magic The Gathering pro player Owen Turtenwald was kicked out of the Magic Pro League and banned from MTG tournaments for alleged inappropriate behaviour towards female players, he became a professional Hearthstone player.

The Truth: Blizzard Shitstorm, Intel NUC Vulnerabilities, Ken Thompson’s Password

Thursday, 10 October 2019

Good afternoon! Today seems to be a somewhat slower news day, but we have several stories that have to do with the protests in Hong Kong and another company is in trouble because the US Immigration and Customs Enforcement is using their technology. In other news, Ken Thompson’s password from the ‘70s has been cracked.

Intel has patched two security vulnerabilities in its NUC mini-PC. A third vulnerability will not be patched, Intel asks users to uninstall the affected software (Intel Smart Connect Technology) instead. All three vulnerabilities can be exploited to elevate an attacker’s privileges.

After Chef, GitHub is now also being criticized for selling their software to the US government agency Immigration and Customs Enforcement (ICE). “On Wednesday, GitHub employees posted an open letter on the Washington Post demanding that the Microsoft-owned company cancel its contract with ICE ‘no matter the cost’, in response to an internal email by GitHub CEO Nat Friedman explaining why GitHub would not cut off ICE from its products.” Friedman has now published a defense: “As a matter of principle, we believe the appropriate way to advocate for our values in a democracy is to use our corporate voice, and not to unplug technology services when government customers use them to do things to which we object.” Sounds reasonable, but in the current climate of people barely even reading news headlines before grabbing their pitchforks, reasonable responses are getting very sparse.

Speaking of pitchforks, Blizzard has a major shitstorm on its hands after banning a Hearthstone pro for supporting the protesters in Hong Kong. Several employees walked out of work in protest on Tuesday and the company is under sustained attack on social media from critics. Of course, there are also plenty of calls to boycott their games.

Meanwhile, Apple has taken the app of the news organisation Quartz off its app store in China. An editor for the publication speculates this is down to their coverage of the protests in Hong Kong. Seems reasonable as Apple has also pulled the crowdsourced mapping app HKmap, which was being used by the protesters and subsequently Apple was criticised by the Chinese government.

An Australian developer has hacked Unix pioneer Ken Thompson’s login password from the ‘70s. It took him four days to crack the password hash found in an old BSD source code tree. He used an AMD Radeon Vega 64 graphics card. Thompson’s password turned out to be “p/q2-q4!”, which is a way to express the chess opening move pawn from Queen’s 2 to Queen’s 4.

The Truth: OpenSSH 8.1, SAP Gets Two New CEOs, Trump on Twitch

Friday, 11 October 2019

TGIF. Here’s the final edition of The Truth for this week. Reading all the boring tech news, so you don’t have to. The interesting stuff you need to know about is as follows:

If you use the macOS terminal emulator iTerm2, you should patch it. Now. A vulnerability (CVE-2019-9535) in older versions of the app “could allow an attacker to execute commands on a computer using the application”. Version 3.3.6 is safe, get it here. The vulnerability in the open source program was found during an audit sponsored by Mozilla.

OpenSSH 8.1 is out and some guy wrote about it for Heise (German). It includes protections for crypto keys while they are held in RAM, to protect against side channel shenanigans like Meltdown, Spectre and Rambleed. They specify this in the changelog: “This release encrypts private keys when they are not in use with a symmetric key that is derived from a relatively large prekey consisting of random data (currently 16KB).”

End-of-Life updates from Microsoft: Windows 10, version 1703 is now no longer supported. Version 1803 will meet its end on 12 November. “You may still have devices running these versions in your environment. To continue to receive quality updates beyond these dates, you will need to update those devices to the current version of Windows 10, version 1903”, say the guys in Redmond.

Bill McDermott, CEO of SAP, is stepping down. They are going for the two-headed giant approach now: “Just like Oracle, SAP has opted to split the CEO roles between two people in a decision already approved by the board. Jennifer Morgan, who was president of the SAP’s cloud business – succeeding Robert Enslin – and oversaw Qualtrics, SuccessFactors and Concur, among other things, takes one half. The other goes to Christian Klein, who was most recently COO.” This apparently makes SAP the first DAX company ever to have a female chief executive. Note: The DAX is the stock market index of the 30 most important German companies. SAP has been a member since 1995; the company was founded in 1972.

Donald Trump has opened a Twitch channel. Say what you want about the guy, he’s always been at the forefront of new technologies when it comes to politics.

Microsoft is the latest victim of the craze that sweeps the nation over in the US: Lobbying your company to stop selling software to the government agency ICE. “Microsoft and its GitHub subsidiary are under fire from some of their own employees over service contracts with America’s controversial Immigration and Customs Enforcement (ICE) agency. A number of workers at both tech organizations, overseen by Redmond CEO Satya Nadella, have issued open letters demanding executives step in and kill contracts with the agency that has become notorious for its poor treatment of asylum-seeking immigrant families”, The Register reports. And I’m still here wondering why ICE is suddenly controversial now, as opposed to when it was founded and received its current remit under George W. Bush. Or when it started building holding facilities with cages to start separating kids from their parents under the Obama administration.

After the Chaos Computer Club published Ursula von der Leyen’s fingerprint based on a photo, this story shouldn’t surprise me. But it still kinda does. “A Japanese man indicted on Tuesday for allegedly attacking a 21-year-old woman last month appears to have found where his victim lived by analyzing geographic details in an eye reflection captured in one of her social media photos. According to Japanese broadcaster NHK, the man located the woman’s residence by matching the reflected image of a train station she frequented to a Google Street View image and waiting for her so he could follow her and find where she lived.” Incredible.

Eye Reflection Stalker Post

And with that, I’ll wrap up The Truth for the week. Remember: Be careful what’s reflecting in your eyes when you post pictures on social media! As the sun is slowly setting here in Hamburg, I once again leave you with a song, this time by Bruce Springsteen. For everyone who’s currently about twenty-five hundred miles from where they wanna be: Sundown from the Film Western Stars.


Header image credit: Marcus P.