The Truth is my newsletter on tech news and policy. This is an archive of the issues of week 46 of 2019.

The Truth: Apple Paying for Teacher Trips, Ring Doorbell Insecurity, OpenSUSE Sticks with Its Name

Monday, 11 November 2019

New week, more truth from yours truly. The weekend was relatively quiet, but we had some stuff happening today. Here’s a roundup of the news since Friday.

As if Amazon’s Ring doorbell wasn’t already creepy enough, AV vendor Bitdefender has now disclosed a security vulnerability in the company’s Video Doorbell Pro that allowed attackers to gain access to the WiFi network the doorbell is using. This was possible during the initial configuration of the device. The attacker could also force the doorbell to reconfigure itself and exploit that as soon as the user re-entered the WiFi credentials. Amazon has fixed the vulnerability with an OTA software update.

The first exploits for the Windows remote desktop vulnerability BlueKeep (CVE-2019-0708) are starting to appear. Patch your Windows systems! Side note: I wasn’t aware that Marcus Hutchins, famous for halting the WannaCry attack and later getting arrested in Vegas, was involved in finding BlueKeep – neat!

If someone is telling you they can decrypt your backupless data that has been made inaccessible by the Dharma ransomware, they probably can’t. Looks like they’re just paying the malware author for you and are taking a cut of the money for the trouble. Backups, people! Backups!

The OpenSUSE project has voted on a name change. It wasn’t at all clear what the new name would have been, but that’s off the table now anyway as 225 project members voted against the proposal, with only 42 voting for it.

SpaceX has cluttered our orbit with 60 more Starlink satellites, meant to provide internet access across the globe. The Register was on the scene: “Since the launch of the first batch of the broadband birds, back in May, SpaceX engineers have upgraded things to maximise the use of both the Ka and Ku bands. The enhancements have meant that the satellites have bloated out a little, and SpaceX declared that the payload of 60 was the heaviest to date.” As seems to have become the norm for SpaceX, not everything went according to plan, however: “Worryingly, those upgrades do not seem to have done much for their reliability as SpaceX also admitted that one of the Starlink satellites on the launch was looking a little iffy before the rocket had even left the pad. That will worry scientists wringing hands about the impact constellations like those planned by SpaceX will have on the sky and neighbouring spacecraft. ESA has already had to dodge one Starlink satellite after Musk’s rocketeers failed to pick up the phone. If only they had some sort of communications network.”

Remember when Blizzard shut down community servers offering a vanilla World of Warcraft experience? Heavy criticism eventually forced them to promise to provide their own vanilla version of WoW. I bet they are glad they did that right now. Because according to their most recent earnings report, World of Warcraft Classic brought WoW the biggest increase in subscribers in a quarter ever. This gave their financials a big push; revenue is up to $1.28 billion.

The kids aren’t just striking on Fridays now. Apparently, they’re also DDoS-ing their schools. And World of Warcraft Classic.

Speaking of schools… Ever wondered why all these schools are buying expensive iPads with tax dollars or are forcing parents to shell out for them? Apple is sending teachers on expensive trips and is paying for expenses. Who needs conspiracy theories when shit like this is actually happening?

The Register has a fun prehistoric computing story from the ‘70s when a single misplaced hyphen could cause a lot of trouble.

The Truth: Google is Hoarding Health Data, BlueKeep Patching is Lacking, Labour Under “Cyber-Attack”

Tuesday, 12 November 2019

Welcome to Tuesday’s tech news here at The Truth. Things still seem a bit slow, but here are some stories nonetheless.

The “sophisticated and large-scale cyber-attack” that the UK Labour party said took place against its campaign site was probably just a mundane DDoS. Labour says they fixed it, but in reality it was probably just Cloudflare dealing with it.

Still wondering why Google bought Fitbit? Well, wonder no more. They are building an enormous health database. Reporting on a Wall Street Journal report, The Register says: “Following a controversial data-sharing project within the National Health Service (NHS) in the UK, the search engine giant has partnered with the second-largest health system in the United States, St Louis-based Ascension, to collect and analyze the health records of millions of patients. According to a report in the Wall Street Journal, which claims to have seen confidential internal documents confirming the move, Google already has the personal health information of millions of Americans across 21 states in a database. The project is codenamed Project Nightingale and according to the WSJ, over 150 Google employees have access to the records of tens of millions of patients. Neither patients nor doctors have been told about the project and have not given their consent to Google being given access to their health data. But Google is relying on a legal justification that says hospitals (under the Health Insurance Portability and Accountability Act of 1996) are allowed to share data without telling patients if that data is used to ‘only to help the covered entity carry out its health care functions.’” Project Nightingale? More like Project Nightmare!

Even though many security experts, all kinds of publications – and also this humble newsletter – have been warning Windows admins to get their systems patched so as to not fall prey to the BlueKeep RDP vulnerability (CVE-2019-0708) that’s now being exploited in the wild, people have not been doing that, it seems. The SANS Institute is saying that a survey they ran of publicly accessible systems shows that the rate at which admins are patching this vulnerability hasn’t increased lately: “The percentage of vulnerable systems seems to be falling more or less steadily for the last couple of months and it appears that media coverage of the recent campaign didn’t do much to help it. And since there still appear to be hundreds of thousands of vulnerable systems out there, we have to hope that the worm everyone expects doesn’t arrive any time soon.”

That parachute on Boeing’s CST-100 Starliner that failed during a recent test had “a lack of a secure connection between pilot and main parachute on the third parachute”, says Boeing. That’s a bit like saying that MCAS can lead to a lack of a secure landing on the 737 MAX.

The Register has some interesting tales from the Chrome Dev Summit. Apparently Google tried very hard to suggest Chrome is just one of many, many equal players in the browser field. And then promptly pointed attendees to a web app that didn’t work in Firefox or Safari. FACEPALM

The Truth: Patch Day, Facebook’s iOS App is Looking at You, US Border Searches of Electronics Need Probable Cause

Wednesday, 13 November 2019

Hello, hello hump day! If you’re wondering why your computer was so slow to wake up this morning, it’s probably because of Patch Day. You also might want to uninstall the Facebook app on your iPhone. Just saying…

Yesterday was Patch Tuesday once again. On this occasion, Microsoft has fixed 74 security vulnerabilities (13 of them critical) in Internet Explorer, Edge, Office and Windows itself. One vulnerability in Internet Explorer’s scripting engine (CVE-2019-1429) allows remote code execution and is a zero-day, meaning it was discovered when attacks on the flaw in the wild were noticed. Meanwhile, Adobe has released patches for security vulnerabilities in their Adobe Media Encoder and some of its Creative Cloud apps. SAP has also released 12 security updates.

In other security news, Intel has disclosed a new variant of the CPU hardware vulnerability ZombieLoad. The Register reports that “the same group of university boffins who helped uncover the infamous Spectre and Meltdown flaws say that a third issue, reported back in May under the name ZombieLoad, extends even further into Chipzilla’s processor line than previously thought. The ZombieLoad hole can be exploited by malware running on a vulnerable machine, or a rogue logged-in user, to snoop on processor cores and extract sensitive information from memory that should be out of bounds. In practice, this would potentially allow an attacker already on the system to lift passwords, keys, and the like from other running software.” Apparently the security researchers have discovered that this vulnerability also extends to Intel’s newest processors (8th and 9th generation), which Intel had denied earlier this year. “The researchers say the only way to fully resolve the flaw is to turn off speculative execution, a move that will effectively cripple CPU performance.” Intel is trying to patch it with microcode updates as well as they can and they have released software updates to do this. But, says The Register, “Chipzilla acknowledges this release does not fully remedy the problem.”

Facebook’s iOS app has been spying on people. It uses the phone’s camera app in the background without telling the user. “A number of users have noticed the unusual behavior and posted videos demonstrating it. In each, the rear camera is clearly turned on and can be seen behind the main app screen: something that is unnecessary and the user is not informed about.” Facebook says it’s a bug and they are looking into it. I’m not buying it and I think The Register’s advice is reasonable: “The best solution is to delete the Facebook app from your phone and, if you must, access Facebook through a browser, preferably a separate browser to the one you normally use. Facebook has a long history of abusing trust, and downloading an app grants it far more access to your data than accessing its service through a browser.”

Windows 10 version 1909, the November 2019 Update, is now available. According to The Verge, it’s more like a Service Pack than the previous, more feature-packed updates: “Most of the changes are minor, and you won’t see a lot of them as they’re behind-the-scenes improvements focused on stability, performance, and more.” Microsoft has started to push this version on people now. If you want it right away, go to Settings / Update & Security / Windows Update and click the button to check for updates.

Microsoft is moving Visual Studio to the web – and a rental model – with Visual Studio Online. It has some fancy features. But no doubt the idea is, as has been the case with software sales models everywhere for quite a while now, to get people away from buying software once and towards paying continuously.

WebAssembly, a kind of bytecode-language for the web, is being tendered as a solution for software that runs outside of browsers. Mozilla, Intel, Red Hat and Fastly have now created the so-called Bytecode Alliance for the purpose. As The Register explains: “Wasm, as WebAssembly is known to its friends, is faster than JavaScript – about 20x by one measure – and has other advantages in terms of security, portability, size, and load-time efficiency. It’s been implemented in at least four major browsers – Chrome, Edge, Firefox, and Safari – and now Bytecode Alliance members aim to help it move beyond the browser. Many of the use-cases for wasm involve in-browser applications, such as running games or other performance-sensitive tasks. But wasm also has potential outside the browser, for content distribution, server-side handling of untrusted code, hybrid native apps on mobile devices, and multi-node computation.”

A Massachusetts district court has decided that US border agents seizing your electronics and searching them without demonstrating reasonable suspicion of a crime is unconstitutional. As such, “the CBP (Customs and Border Protection) and ICE (Immigration and Customs Enforcement) policies for basic and advanced searches, as presently defined, violate the Fourth Amendment to the extent that the policies do not require reasonable suspicion that the devices contain contraband for both such classes of non-cursory searches and/or seizure of electronic devices.” This sounds like good news for many techies travelling to the US who currently use burner devices because of these policies. But… “despite ruling that such searches are unconstitutional, the judge declined to issue an injunction that would require border agents to get a warrant before probing such devices or to have probable cause before searching a device. That means border agents will continue to be able to search devices at the border, though will have to justify doing so.” And: “It appears clear that the judge was determined to allow the fundamental decision that searches of electronic devices at the border break the Fourth Amendment stand until the case reaches the Supreme Court – something that it is almost certainly destined to do.” A win for privacy, albeit a small one.

The Truth: Docker Sells its Enterprise Business, New MacBook Pro, Chrome Ad-Blocker Changes

Thursday, 14 November 2019

Good evening and welcome to another edition of The Truth! Well, there certainly is a lot of stuff happening in the tech world today. It’s late, so let’s get right into it…

VMware has fixed a number of vulnerabilities (CVE-2018-12207, CVE-2019-11135, CVE-2019-5540, CVE-2019-5541, CVE-2019-5542) in VMware Workstation, Fusion and ESXi. For one of these, remote code execution is in the cards.

Heise is reporting “massive disruptions” of several online services like Google, Amazon, YouTube, Netflix and Twitter in Germany. Mobile traffic, mostly in Vodafone’s network, was also affected. Apparently routing issues were at fault (German).

Mexico’s national oil company Pemex is being extorted by hackers. They have demanded around $5 million in Bitcoins and the company has had to shut down several computer systems across its country-wide operations, but production is apparently not affected. Reuters is reporting that the company does not intend to pay a ransom. The company is saying (Spanish) that it was hit by ransomware on Sunday but that it has neutralised the attack.

Panic in Docker land. The Register is on the scene: “Docker has handed the Enterprise portion of its containerization business to Kubernetes cloud outfit Mirantis in a surprise sell-off. The move will see Mirantis take on all of the products, intellectual property, and customer contracts, and at least some of the employees, of the Docker Enterprise container management service. Mirantis also says it will run Docker Enterprise’s alliances and partner programs. Terms of the deal were not disclosed. Mirantis, known for being an early backer of both Kubernetes and OpenStack, says it will fold Docker Enterprise into its existing container service, offering the two products side-by-side to businesses. While Mirantis said it will continue to offer support in the near-term for Docker’s products, it was less committal in the longer term, with key products such as orchestration tool Docker Swarm only getting two years of planned support.” Many commentators are already saying Docker has given up on the enterprise with this deal. They are saying they want to become a “developer platform”, focusing on developer desktop tools and the Docker Hub package registry. Oh yeah, and their CEO is also out. “Docker says it has secured a $35m VC funding round and has named chief product officer Scott Johnston as the new CEO of the company when Bearden steps down.” Sounds to me like the investors stepped in and forced a change. I guess Red Hat saw this development coming in 2015 when they pivoted big to Kubernetes and became the go-to people for enterprise Docker environments.

The first official build of Microsoft’s new Edge browser, now based on Chromium, has arrived. This first version is targeted at ARM and meant for the new ARM-based Surface Pro X tablet/laptop/convertible/whatever device.

It seems Icahn is getting involved in the Xerox-wants-to-buy-HP story. He’s pushing for a takeover. The notorious investor owns 10.6% of Xerox and 4.24% of HP stock. This stuff is getting serious now.

Meanwhile, Cisco has reported their quarterly numbers and is warning that its business is slowing down.

Apple has finally updated its MacBook Pro, something power users had long been clamouring for. As expected, these things are expensive: “The $2,799 portable has a Retina display and some beefy but by no means unique specs, starting with a 2.3GHz eight-core ninth-generation Intel Core i9 processor, 16GB of RAM, an AMD Radeon Pro 5500M GPU with 4GB of GDDR6 memory, and 1TB of SSD storage. The $2,399 version has a six-core Core i7 processor, 512GB of storage, and a Radeon Pro 5300M.” Apparently they have also finally fixed the damn keyboards.

Google is starting to get serious about breaking most ad-blockers in the upcoming Chrome 80. “In spite of the overwhelmingly negative feedback on the Manifest V3 extension system, Google is standing firm on Chrome’s ad-blocking changes. Manifest v3 has become a bone of contention for many ad-block companies. This is because Google developers have introduced an alternative to the webRequest API (earlier used for ad-blocking) named the declarativeNetRequest API, which limits the blocking version of the webRequest API. Many ad blocker maintainers and developers felt that the introduction of the declarativeNetRequest API can lead to the crippling of many already existing ad blockers.”

Five GitHub employees have actually resigned over the company’s business relations with the US government agency Immigration and Customs Enforcement (ICE). GitHub currently has more than 800 employees.

The non-profit organisation that sells .org domains has been bought by a for-profit company. As The Verge points out, it’s pretty obvious that these domains will now get more expensive: “On June 30th, ICANN, the non-profit that oversees all domain names on the internet, agreed to remove price caps on rates for .org domain names – which were previously pretty cheap. Seems like something a for-profit company might want.”

Catching up with many everyday people, Doom creator John Carmack has also realised that VR is doomed, so to speak. He’s stepping down as CTO of Oculus, apparently to move on to the next buzzword: AI. “I have sometimes wondered how I would fare with a problem where the solution really isn’t in sight. I decided that I should give it a try before I get too old”, he said. I dunno. He could’ve stayed with VR to solve the problem of what it’s good for. That solution really isn’t in sight either.

50 years ago today, NASA found out what happens when you launch a big-ass rocket into some big-ass clouds: It turns out you don’t need a thunderstorm for a lightning strike. The rocket will generate the lightning itself. So much for Rule 1-404.

The Truth: The White Screen of Death, The UK’s Brexit App is Crap, Apple Bans Vaping Apps

Friday, 15 November 2019

Hello and TGIF! Here’s some final tech news for the week.

Two vulnerabilities (CVE-2019-11090 and CVE-2019-16863) in the Trusted Platform Module (TPM) of modern CPUs could allow attackers to exfiltrate the crypto keys stored within. The researchers who have discovered these vulnerabilities have named them TPM-Fail. ZDNet explains: “An external observer can record the time differences when the TPM is performing repetitive operations and infer the data being processed inside the secure chip – all based on the amount of time the TPM takes to do the same thing over and over again. The research team says the timing leakage they discovered can be used to extract 256-bit private keys that are being stored inside the TPM. More specifically, 256-bit private keys used by certain digital signature schemes based on elliptic curves algorithms such as ECDSA and ECSchnorr. While this sounds like a very narrow attack surface, these two are common digital signature schemes used in many of today’s cryptographically-secured operations, such as establishing TLS connections, signing digital certificates, and authorizing logins.” It seems like these attacks are feasible in real world scenarios, too. Intel has released firmware updates for its chips that are affected. STMicroelectronics actually has to fix its chips in hardware. Other chip manufacturers seem to be in the clear for now.

Google has broken Chrome for hundreds of thousands of enterprise customers who use the world’s most popular browser via Citrix terminal servers. It’s been termed the “White Screen of Death”, because instead of content, the browser just renders white pages: “We have confirmed and replicated; when any user on a shared session Citrix box locks their screen, all Chrome windows stop rendering until ANYONE unlocks their screen, upon which, all Chrome windows resume rendering. This looks like random behaviour to the user but we have confirmed lock/unlock is the culprit.” That’s just hilarious! Unless you are affected, of course. Or if you’re the poor admin who has to find out what the actual problem is. Apparently Google pushed an experimental flag to the stable version of Chrome at which point it got turned on by default. And the users aren’t happy: “I am stunned by your response. Do you see the impact you created for thousands of us without any warning or explanation? We are not your test subjects. We are running professional services for multi million dollar programs. Do you understand how many hours of resources were wasted by your experiment? Not acceptable…” The Register has more details on this story.

Amazon is suing the US government for giving the hugely lucrative Department of Defense JEDI contract to Microsoft. And The Register is trolling with a Star Trek splash image again. He, he, he…

The UK Home Office’s Brexit app has significant security issues. The Norwegian security company Promon, which has analysed the app, summarises: “From our research, we found that the Brexit app on Android lacks crucial security measures, which is hugely concerning when you consider the sensitive nature of the information that users input into it. At this time of political uncertainty, the last thing that people who are applying to remain in the United Kingdom need, or expect, are concerns around whether their passport information and photo IDs are being stolen by hackers.” Actually, seeing how much of an omnishambles the rest of Brexit is, I had precisely expected something like this from a Brexit app.

Apple is getting in on the war on vaping and will throw all vaping apps out of its App Store. Makes sense. I mean, 42 people have died in the US from vaping. That’s huge when compared with only 480,000 tobacco-related deaths in the US every year. Vaping clearly needs to be banned everywhere. Sure. Makes complete sense.

This story on The Register is so amazingly, unbelievably, stupidly funny, I’ll just have to quote from it verbatim.

The High Court of Justice in London yesterday dismissed another attempt by an unnamed man, who refuses to identify himself to the UK courts, to take his Right To Be Forgotten legal action to the Court of Appeal. The individual, a litigant in person who is only known to court staff and judges as ABC, had asked that a post on be removed from Google search results because it allegedly refers to a spent criminal conviction he had picked up in the past. ABC describes himself as an entrepreneur currently involved in business, investment and civil society ventures in the UK and overseas. He alleges that the continued publication by Google of the materials complained about has prevented him from pursuing his ventures, causing him and his businesses to suffer substantial loss of earnings. He has already had two attempts to take it to the Court of Appeal in London denied by a senior British judge. Mr Justice Saini said in today’s judgment that the procedural history of this claim shows “in my judgment, that the claimant’s approach to the court’s orders and directions might fairly be described as abusive”. “It is obvious that basic common law fair trial requirements require a defendant to know who it is being sued by,” he said. “The material before me also shows that a number of judges have explained to the claimant that these basic requirements are necessary for the proper conduct of the claimant’s claims, which include claims for libel and alleged breaches of data protection legislation. “Regrettably, the claimant simply refuses to accept this. He has adopted an approach which means that, to date, the claim has not progressed at all. Instead, through unwise and misconceived applications, the Claimant has wasted substantial amounts of court time (involving over, I understand, 10 Judges or Masters). 
He has also clearly caused significant costs to be incurred by the defendant.” In conclusion, Justice Saini said: “I agree with the defendant that not only should the application be dismissed, but I will also certify it as totally without merit.”

You can’t make this shit up.

Microsoft is finally showing some gameplay of Age of Empires IV:

Well, that’s it from me for this week. I hope you have a great weekend! Here’s some Van Morrison to tide you over till Monday. I think everyone can use some healing on the weekends.

Header image credit: Marcus P.