The Truth is my newsletter on tech news and policy. This is an archive of the issues of week 45 of 2019.


Get the newsletter delivered directly to your inbox every weekday. I promise I won’t send more than one email a day and you won’t get any spam from me. Sign up here:

powered by TinyLetter

The Truth: Google Buys Fitbit, Ubisoft Income in Free Fall, Protests at BlizzCon

Monday, 4 November 2019

Good evening and welcome to The Truth! This week starts off with big news from Fitbit and Ubisoft; it’s late, so let’s get right to it.

Chrome has security vulnerabilities patched, ClamAV has a zero-day, a Monero miner trojan is spreading via the RDP vulnerability BlueKeep and there’s new malware targeting NAS systems from QNAP – The Register has a roundup of these, and other, security news from the weekend.

Google has bought Fitbit. They spent $2.1 billion. This can’t possibly be about the devices. It’s about the users; the users and their data. Google wants that delicious data. Om nom nom. Of course, they are already in damage control mode over at Fitbit: “According to a separate press release issued by Fitbit, the company will still take privacy for health and fitness data seriously, noting that Fitbit health and wellness data will not be used for Google ads.” Ah ha ha ha ha ha …yeah right. If you don’t want Google to also have your health data, it’s time to ditch your Fitbit.

Ubisoft is someone else who’s probably in full damage control mode right now. Or they should be, seeing as their income is down 94% year over year. Ouch. “Ubisoft is predicting a rather vacant Q3 as well, as it does not have any major releases besides Ghost Recon: Breakpoint in early October, and then things like the Stadia version of Assassin’s Creed: Odyssey or free content updates like The Division’s Last Castle expansion.” Ouch, ouch, ouch! Considering these news, their stock price is surprisingly stable.

Since even Microsoft (“The GPL is cancer!”, “It’s Unamerican!!!”) is now on chummy terms with Linux, the Open Innovation Network (OIN) is thinking of shifting its defense of open source projects from evil tech giants towards defending against patent trolls. The Register is reporting on the plans, as told by the organisation’s CEO: “What we will be announcing in the next several weeks is a programme for the Linux Foundation and OIN of getting together to fund, in conjunction with support from two very significant operating companies, a programme designed to attack poor quality patents and to invalidate them so that they can’t use them to be able to try to extract rents on patents that have very significant prior art.”

Git 2.24.0 is out. My personal highlight: “We have adopted a Code-of-conduct document.”

Politics, propaganda and the trade wars are continuing to heat up. Now, GitLab “is considering a ban on hiring any Russian or Chinese support staff in order to improve security. It will also consider changing the role of any staff member who moves to Russia or China so that they no longer have access to customer data. GitLab currently has no Chinese or Russian staff members.” The Register has the lowdown. How these plans are actually supposed to improve security isn’t explained in any detail, though. They just seem xenophobic to me. And, of course, this isn’t coming out of nowhere: “There was a general assumption that the customer demand was from the US government. VP of engineering Eric Johnson said: ‘Please be aware there is an active, time-sensitive contract negotiation linked to this matter.’” Ka-ching! Follow the money, baby.

BlizzCon was overshadowed by protests over the company’s pro-China stance towards Hong Kong: “BlizzCon 2019 is well underway, and, while there were many great gaming announcements to be had during Friday afternoon’s showcase, the event was marred by protests outside the Anaheim Convention Center. Blizzard offered an apology for its actions surrounding Ng ‘blitzchung’ Wai Chung in October, but the publisher’s latest words have fallen on deaf ears.”

PSA: If you eat up all of your data centre’s bandwith allowance for your personal torrenting, better have an ace up your sleeve …or some damn good exuses!

Netflix’ The Witcher series is looking extremely dope. The trailer even has Geralt in a bath tub!

The Truth: No Electron in Apple’s App Store, Huawei’s HMS Core, Network Solutions Hacked

Tuesday, 5 November 2019

Hello and welcome to another late night edition of The Truth. Yep, I’ve been on the road again. Still, I did find the time to summarise some tech news for you. Enjoy!

If, as a security measure, you disable macros in Office for Mac, that seems to actually have the reverse effect. Carnegie Mellon’s CERT summarises: “The Microsoft Office for Mac option Disable all macros without notification enables XLM macros without prompting, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.” Hot damn!

It’s being reported that venerable DNS provider and registrar Network Solutions has been hacked and personal data has leaked. “On October 16, 2019, Web.com determined that a third-party gained unauthorized access to a limited number of its computer systems in late August 2019, and as a result, account information may have been accessed. Web.com said the information exposed includes contact details such as name, address, phone numbers, email address and information about the services that they offer to a given account holder. Both Network Solutions and Register.com are owned by Web.com”, Krebs on Security reports. Apparently passwords were not affected, but the company recommends customers to change passwords for their accounts on the company’s systems. Some customers have reported Network Solutions DNS settings or systems referenced in those DNS settings (that used the same or similar passwords to their Network Solutions account) were broken into to set up servers that sent out email spam.

Microsoft’s SQL Server 2019 has been released. Some highlights, according to Microsoft, are: “SQL Server 2019 (15.x) introduces Big Data Clusters for SQL Server. It also provides additional capability and improvements for the SQL Server database engine, SQL Server Analysis Services, SQL Server Machine Learning Services, SQL Server on Linux, and SQL Server Master Data Services.”

Driven by Trump’s trade policies, Huawei is being serious about ripping Google’s Play Services out of Android. XDA Developers explains some of details, which have just come to light: “While Android can be classified as an open source OS thanks to the existence of AOSP (Android Open Source Project), most users around the world have never really experienced AOSP in its purest sense. Most smartphones sold across the world, except in certain regions like China, come with Google’s Android, which is AOSP plus Google Mobile Services. Google Mobile Services consists of regular user-facing apps such as the Google app, Play Store, Chrome, Maps, YouTube, Gmail, Photos and more; as well as APKs for core background services such as GoogleOneTimeInitializer, SetupWizard, GooglePackageInstaller, and of course, the GMSCore, and more. GMS Core is what we commonly refer to as Google Play Services.” Google Play Services is what the company came up with to solve the issue with many phones never receiving updates in a timely manner. It allows Google to update all core operating system components that don’t directly interface with manufacturer hardware. “Huawei Mobile Services, or HMS, is Huawei’s alternative to GMS, consisting of user-facing apps as well as core background services. The idea behind HMS is the same as that of GMS – to provide an experience that is consistent across devices and independent of the platform update. Much like how GMS is made up of app elements and core elements, the HMS ecosystem comprises of HMS Apps, the HMS Core, and the HMS Capabilities that the Core enables through its available APIs. HMS Ecosystem has seen its monthly average users increase from 420 Million globally in July 2018 to a huge 530 Million by July 2019, while developers registered on this platform grew from 450,000 to 910,000 in the same time period, and HMS Core app integration grew from 20,000 apps to 43,000 apps.”

It seems Apple doesn’t like GitHub’s open source app development framework Electron: “Developers of apps built with the cross-platform Electron framework say that Apple has started rejecting their applications during its Mac App Store review process, and has threatened cancellation of Apple Developer Accounts for repeated rules violations.” This seems to be because Electron bundles Chromium and that talks to Apple’s private APIs, which is verboten.

Boeing’s manned spaceflight capsule, the CTS-100 Starliner, has had some issues during a test of its launch pad abort procedures: “While one of three main parachutes failed to deploy during the capsule’s descent, Boeing officials said the spacecraft was designed to land safely with just two and that the abort system met the requirements for a successful test.” Sounds in line with Boeing’s not exactly spotless track record in civil aviation recently. And they want to start shooting people to the ISS on board this thing soon? Maybe they should make sure all the parachutes work first? Just an idea…

The Truth: Android Patches, Another Data Leak at Facebook, Xerox Wants to Take Over HP

Wednesday, 6 November 2019

Hey, look at that, hump day again! Well, there weren’t that many interesting stories floating around today, but I’ve managed to pick out a good handful anyway. Some crazy stuff in there, too.

First of all, it’s Android Patch Day for November. Google has fixed 38 security vulnerabilities in the two patch levels 2019-11-01 and 2019-11-05. According to Google, “the most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.”

Uber’s self-driving car that hit and killed a woman in 2018 did so, because the AI wasn’t designed to deal with pedestrians in the road. Let that sink in for a minute. It wasn’t designed to deal with pedestrians in the road. What. The. Fuck. “Some 5.6 seconds before hitting her, the car’s radar detected Herzberg, and at 5.2 seconds, she was picked out by the Lidar. However, the machine-learning system more or less ignored her, figuring her to be a non-moving object not in the vehicle’s way. As the robo-vehicle drew nearer, it categorized her variously as a vehicle, a bike, or some other thing that was not, or was only partially, in its way. Just 1.2 seconds before hitting her, it identified her not only as a bicycle but also clearly in the path of its travel, by which point it was far too late to change course.” Yes. AI is definitely the future.

The Register is reporting that Xerox is apparently considering a buyout of HP, which has three times its market cap. Crazy. “According to the Wall Street Journal, the board at Xerox convened yesterday to consider a combined cash and stock offer. NYSE-listed HP currently has a market cap of $27.27bn, but clearly shareholders will want more than that. At this stage, there is no certainty that Xerox – which is itself valued at $8.05bn on the NYSE – will launch an opening bid, loquacious folks close to the situation told the paper.” HP hasn’t been doing so well, as I’ve also written about in The Truth recently. “HP has surfed the wave of the Windows 10 PC refresh to remain the second largest shifter of PCs in the world, behind Lenovo, but HP has been hit hard by the growth of cloned or remanufactured print supplies, and by the general downturn in printing.”

Facebook has had yet another user data leak to third parties. The Verge reports that “Facebook says that even after it locked down its Groups system last year, some app developers retained improper access to information about members. A company blog post reports that roughly 100 developers might have accessed user information since Facebook changed its rules in April of 2018, and at least 11 accessed member data in the last 60 days. It says it’s now cut all partners off from that data.” They keep messing this shit up.

Somebody is trying to make another desktop-focused BSD version: “Joe Maloney of iXsystems has lifted the wraps on FuryBSD, a new desktop BSD focused on tight integration with FreeBSD.” Apparently the guy used to work on TrueOS, formerly PC-BSD.

NPM now has a funding command. From NPM 6.13.0 onwards, “developers creating packages for the JavaScript runtime environment Node.js can declare metadata that describes where would-be donors can go to offer financial support. Doing so involves adding a funding field to package.json, a file that lists various module settings and dependencies. The funding field should be a URL that points to an online funding service, like Patreon, or payment-accepting website. Thereafter, application programmers using these modules can run npm fund <package name></code>, and that will open the designated funding service link in the user’s default browser for credit card input and so on.”

The Truth: Security Updates for Nvidia’s Drivers, NSA Flounders in Judiciary Committee Hearings, Microsoft’s HoloLens 2 is Shipping

Thursday, 7 November 2019

Hello everyone! Seems like there isn’t much happening in the tech world at the moment. Still, can’t leave you completely hanging on this fine Thursday, so here’s some IT news.

Nvidia has fixed nine vulnerabilities in its graphics drivers (CVE‑2019‑5690 thru CVE‑2019‑5698). These can lead to “denial of service, escalation of privileges or information disclosure”, Nvidia says. The highest CVSS Score among these is 7.8 for two of the software flaws. To fix these, get driver version 441.12 – which is also optimised for Red Dead Redemption 2.

Oh yeah, Red Dead Redemption 2 was released for the PC, by the way. In case you hadn’t heard.

So far, the NSA’s attempts to get its controversial phone surveillance programme (part of the 2015 USA Freedom Act) reauthorised, isn’t going so well, The Register reports. “The repeated refusal by NSA senior official Susan Morgan to provide any detail whatsoever about how the program – which the NSA and FBI are formally asking Congress to permanently authorize – has proved useful, left senators on the Judiciary Committee shaking their heads in disbelief. Among those expressing their frustration were the two senators, Patrick Leahy (D-VT) and Mike Lee (R-UT), who co-sponsored the USA Freedom Act that the intelligence services are asking be reauthorized before it expires on December 15.” It seems the NSA doesn’t want to say in a public hearing what exactly it’s doing to spy on American citizens. Or why that would even be necessary. “As for why spying programs that have never been used, have failed to work properly, or remain highly controversial should be reauthorized at all, the representatives of the NSA, DoJ and FBI all had the same answer: they are valuable ‘tools in our toolbox’ and both the nature of terrorist organizations and technology continues to change over time, meaning that the intelligence agencies need the ‘agility’ to evolve with them. Based on events today in the Senate Judiciary Committee’s hearing room, that argument is not going to cut it. But then, as the NSA knows only too well, what senators say in public and what they end up doing when confronted with a decision are often not entirely consistent.” Time will tell, I guess.

Do you want to “look like RoboCop, play with holograms”? Microsoft is now shipping its augmented reality (AR) headset HoloLens 2. With its $3,500 price tag, it’s mostyl aimed at businesses, though. “Unlike traditional idiot goggles, the HoloLens projects images, or holograms, over the user’s view. These can range from models a user can manipulate, to good old-fashioned windows-style dialogs. Although HoloLens 2 has increased the field of view from its predecessor and also improved finger tracking, customers we spoke to were more excited about iris scanning (meaning poking at a virtual keyboard was no longer required for logging in) and the improved weight distribution.” Well, the guys at El Reg seem to be fans.

In the world of the traditional idiot goggles, things aren’t going as well, though. Now Google has lost interest in its VR platform Google Cardboard. And it’s doing to it what Google does when it loses interest in things: it’s open sourcing it. Seems like it’s taken Google some time, but they have now finally also realised that VR is dead. Or never was alive, to be more precise. Good riddance. I can’t wait for people to stop talking about this silly fad.

The Truth: Cisco Router Vulnerabilities, DNA Database Startup Hacked, Wikipedia Article of Disgraced Spiegel Journalist Doctored

Friday, 8 November 2019

It’s the last day of the work week and here are some tech news for you to take into the weekend.

Several small business router models made by Cisco use hardcoded password hashes and duplicate certificates which makes it easy for attackers to break into these devices. If you are running an RV320 or RV325 router, you should update to firmware version 1.5.1.05 or later. If you are using any of the following router models, you should update to firmware version 4.2.3.10 or later: RV016, RV042, RV042G and RV082.

Heads-up: “It has been revealed that Adobe’s Experience Platform mobile SDKs, used to create apps that interact with the company’s cloud services, until recently contained sample configuration files that created insecure default settings. Developers creating apps that utilize those files as templates or examples could find that their apps have been sending data over the network without SSL protection, making it vulnerable to interception and alteration.” Doesn’t sound like Adobe wants to fix this any time soon.

Anti-virus manufacturer Trend Micro has disclosed that one of their employees has sold customer support data to phone scammers. “In early August 2019, Trend Micro became aware that some of our consumer customers running our home security solution had been receiving scam calls by criminals impersonating Trend Micro support personnel. The information that the criminals reportedly possessed in these scam calls led us to suspect a coordinated attack. Although we immediately launched a thorough investigation, it was not until the end of October 2019 that we were able to definitively conclude that it was an insider threat. A Trend Micro employee used fraudulent means to gain access to a customer support database that contained names, email addresses, Trend Micro support ticket numbers, and in some instances telephone numbers. There are no indications that any other information such as financial or credit payment information was involved, or that any data from our business or government customers was improperly accessed. Our investigation revealed that this employee sold the stolen information to a currently unknown third-party malicious actor.” Wow, pretty embarrassing, that one.

People keep asking me if I would want my DNA sequenced by a company. Hey, it’s pretty cheap and so cool! Why not do it? Here’s why: “DNA-testing firm Veritas Genetics experienced a security breach that included customer information”, Bloomberg reports. “Veritas, which sells whole-genome sequencing for $599, said it became aware that a customer-facing portal had been recently”accessed by an unauthorized user. The company said that the portal didn’t contain genetic data, DNA-test results or health records.” Uh-huh. I’m sure those were on systems that are actually secure. What are the chances… The problem with having your DNA out there is that you can’t change it after a breach like you can change a passwort. If it’s ever used for authentication, or someone invents a way to easily replicate it from this kind of data, you’re fucked.

Dart 2.6 has been released. According to The Register, the new version of Google’s JavaScript competitor includes “the ability to create self-contained, native executables for the major desktop operating systems.”

In the US, employees for surveillance equipment manufacturer Aventura Technologies have been arrested because the company is accused of rebranding Chinese-made surveillance gear as US-made products. “It is alleged Aventura imported cheap cameras and network-enabled security gear from vendors in China, then rebranded the equipment as being made by Aventura at its factory in Long Island, NY. In addition to lying about the products being made in America, it is alleged Aventura owner Jack Cabasso falsely represented his wife Frances as being the owner and CEO of the company in order to get government contracts earmarked for women-owned small businesses.” Wow. What a shitshow.

In Germany, someone has been messing with the Wikipedia article of disgraced Spiegel journalist and fraudster Claas Relotius (here’s his English Wikipedia page). Apparently coordinated attempts were made to make his article shine a more positive light on him. As Heise reports (German), one IP address in particular had registered a whole number of accounts that were making some of these edits. This IP was, Heise says, localised in the municipality of Seevetal in Lower Saxony. Relotius’ hometown of Tötensen is part of this municipality. There is already talk of this being “one of the biggest manipulations in the German language version of Wikipedia ever.”

Anyway, I’ll take a cue from Mark Knopfler. And I’m picking my way out of here, one song at a time. See you on Monday!


Header image credit: Marcus P.