The Truth is my newsletter on tech news and policy. This is an archive of the issues of week 50 of 2019.



The Truth: Elon Musk Legally Allowed to Call People Paedophiles, Lots of Cheap VPS Providers Shutting Down, CVN-79 Named USS John F. Kennedy

Welcome to The Truth for Monday, 9 December 2019. A new week brings fresh tech news. Among the things we learned over the weekend was that you can apparently wantonly call people paedophiles if you’re a rich, eccentric asshole.

Nvidia has published a security bulletin for its Tegra-powered Jetson computing boards. Six security vulnerabilities have CVSS scores ranging from 7.6 to 8.4 – mostly threatening denial of service and privilege escalation.

OpenBSD has released patches for four authentication vulnerabilities (CVE-2019-19519 through CVE-2019-19522). These were discovered by Qualys.

Microsoft’s latest security patch for Access is apparently causing SQL queries to fail.

Twenty cheap VPS providers in the US have suddenly shut down, giving customers only two days to save their data. ZDNet reports that customers “suspect an exit scam.”

All clues point to the fact that all 20 websites are part of an affiliate scheme or a multi-brand business run by the same entity. A source in the web hosting industry who wanted to remain anonymous told ZDNet that what happened this weekend is often referred to as “deadpooling” – namely, the practice of setting up a small web hosting company, providing ultra-cheap VPS servers for a few dollars a month, and then shutting down a few months later, without refunding customers.

After the infamous keyboard problems, Apple seems to be having more hardware issues with its new MacBook Pro.

When using Final Cut Pro X, Logic Pro X, QuickTime Player, Music, Movies, or other applications to play audio, users may hear a pop come from the speakers after playback has ended. According to an internal memo, Apple is investigating a fix to the software-related problem. As such, repair personnel are advised to refrain from setting up service appointments or replacing affected MacBook Pros.

The US Navy has christened its second Gerald R. Ford-class nuclear aircraft carrier (CVN-79) as USS John F. Kennedy. CVN-79 is thus the second aircraft carrier to bear the name, the first one being CV-67 (decommissioned in 2007). The ceremony was held on Saturday at Newport News Shipbuilding. The ship’s sponsor is former ambassador Caroline Kennedy, daughter of JFK. CVN-79 is planned to enter service in 2022.

Elon Musk has won his defamation lawsuit against a British cave diving expert he labelled “pedo guy” and “child rapist”. The hero, who helped rescue a football team of 12 boys in a cave diving expedition in Thailand, had dared to dismiss the billionaire’s idiotic mini-sub PR stunt in a TV interview, for which Musk labelled him a paedophile, based on a short Google search that told him the diver lived in Thailand, it seems. Musk’s successful defence was apparently based on claiming that in South Africa, where he comes from, “pedo guy” is shorthand for “creepy old man”. As TechCrunch reports, the court decided Musk’s tweets were not meant as a statement of fact and are thus not punishable as defamation.

CNBC notes in a separate report that the verdict could “set a precedent where free speech online, libel and slander are concerned” as among the first court cases brought by a private individual over a tweet.

My personal opinion is that the court would have done well to slap that Musk asshole* down hard. Meanwhile, he’s celebrating and driving around in his idiotic new car.

* Not a statement of fact. Where I was born, “that asshole” just means “that guy over there”.

China is continuing to play hardball in the trade war:

China has ordered all government offices to start ripping out non-Chinese computers and software in order to bolster domestic manufacturers and suppliers. The ban needs to be fully implemented within three years.

As The Register points out, their stipulation that stuff be “Chinese-made” leaves a lot of questions unanswered. Does Lenovo count? What software are they going to use? Their state-sponsored Linux distro?

René Auberjonois, best known for his role as Odo on Star Trek: Deep Space Nine, has died. This fills me with sadness. We’ve been losing way too many DS9 actors recently.

The Truth: Wunderlist Woes, ESA’s Space Trash Salvage Mission, Mechwarrior 5

Welcome to The Truth for Tuesday, 10 December 2019. Here’s a quick tech news update for you, before I’m off to the pub…

Yahoo is shutting down Yahoo Groups and Verizon, which bought Yahoo in 2016, is apparently actively preventing a group of volunteers from backing up the huge amounts of data that will be deleted along with it.

Well, as of sometime on December 5th, a huge number of the archivists who were scrambling to rescue archives from Yahoo Groups had their email addresses apparently banned, so they can no longer rescue the archives of the groups they had set up operations to do so.

Apple is suing the former chief architect of its iPhone and iPad processors, because he dared to quit and start his own chip design business.

Apple’s lawsuit alleged Williams hid the fact he was preparing to leave Apple to start his own business while still working at Apple, and drew on his work in steering iPhone processor design to create his new company. Crucially, Tim Cook & Co’s lawyers claimed he tried to lure away staff from his former employer. All of this was, allegedly, in breach of his contract.

The Register on the Wunderlist migration to Microsoft To Do:

In other words, we have done our utmost to slowly kill this thing off but you still keep using it so we’re bringing the axe down this time. Now get with the Microsoft-branded future or fuck off.

He he. I like it when they tell it how it is over at El Reg.

ESA is heading up the first mission into orbit to clean up space junk.

The plan will see the capture of a Vega Secondary Payload Adaptor (VESPA) upper stage left in an 800km by 660km orbit by the second flight of ESA’s Vega launcher in 2013. The derelict object weighs in at 100kg, so is roughly representative of a small satellite. The ClearSpace-1 spacecraft, equipped with four robotic arms to grapple debris, will be launched to a 500km orbit for commissioning before heading to VESPA for rendezvous and a destructive de-orbit.

If all goes well with the relatively simple VESPA, then more complex captures will be attempted.

Makes me immediately think of that scene in Firefly. “Let’s moon ‘em!”

Not a good weekend for Tesla drivers, going by this report on The Register:

A man driving a Tesla Model 3 on autopilot mode rammed into the back of two police cars and another vehicle parked on the side of a highway in Connecticut, USA, on Saturday.

Another Tesla bad boy driver got caught up in another minor accident, too. In Los Angeles, California, the company’s CEO Elon Musk hit a traffic bollard after he left the Japanese sushi restaurant Nobu in a Cybertruck, the silver, daft-looking, low-poly jalopy unveiled last month. Musk was out celebrating with his kooky popstar girlfriend Grimes after he won his defamation case last week, and the excitement probably got to his head.

Nineteen years after its predecessor, Mechwarrior 5 is now out. Epic Games Store exclusive, though.

If you’re interested in the whole Boeing 737 MAX story, might I shamelessly plug a podcast episode on this I just released? I did a lot of research and go very in-depth on the topic.

The Truth: Patch Tuesday, Linux Packages from Microsoft, Chrome Now Checking Your Credentials on All Websites

Welcome to The Truth for Wednesday, 11 December 2019. Lots of things happening in the run-up to the end of the year, it seems. I’ll have to skip tomorrow’s newsletter, since I’ll be on the road all day, but I’ll be back on Friday. Anyway, here’s the selection for today.

Yesterday was Patch Tuesday, which means security updates from Microsoft, Adobe, Intel and SAP.

This month is a relatively small patch bundle from Microsoft, with fixes kicked out for just 36 CVE-listed bugs, only seven of which are considered to be critical risks by Redmond standards. Not among those seven is CVE-2019-1458, a flaw believed to be under active attack in the wild. The bug, an elevation of privilege error caused by the handling of objects in memory, is said to have been chained with a Chrome flaw to let attackers remotely attack PCs, and is just rated as important. “While it’s not confirmed this patch is connected to those Chrome attacks, this is the type of bug one would use to perform a sandbox escape.”

For Adobe, there are updates for Acrobat, Photoshop, Brackets, and ColdFusion.

On Tuesday morning, word broke about Plundervolt, the latest side-channel flaw for Intel processors. That advisory was one of 11 from Chipzilla this month.

More on Plundervolt

For those using SAP software, there are a total of seven security notes this month, including fixes for bugs in Adaptive Server Enterprise (CVE-2019-0402), SAP BusinessObjects (CVE-2019-0395) and SAP Enable Now (CVE-2019-0405).

It’s probably not a good idea to buy a smart toy this Christmas.

Working with security researchers NCC Group, Which? found a karaoke machine that could transmit audio from anyone passing within Bluetooth range because of its unsecured connection. It found walkie-talkies from VTech which anyone with their own set of similar equipment could connect to over a 200-metre range. It also found a Mattel-backed games portal which appeared to be unmoderated, allowing users to upload their own games with content inappropriate for children.

Meanwhile, Sphero, maker of the Sphero Mini interactive toy also implicated in the Which? study, said that the feature highlighted related to the Sphero Edu app, which was meant to be used in classrooms or in the home with teacher or parent supervision.

As usual, the word “smart” can be substituted with the word “insecure”.

Google’s Chrome browser will now check your username and password against a database of known leaks every time you sign in somewhere. According to reporting on The Register they are not sending this data to Google, though:

The idea is that your credentials are never sent to Google in a form it can read, and that details of other people’s breached credentials are never sent to you in a form you can read. The procedure, we are told, “reflects the work of a large group of Google engineers and research scientists”.

Even though users may still feel uncomfortable enabling this kind of check, the risks are likely lower than that of being unaware that your credentials have been stolen. The bigger snag, perhaps, is that you have to sign into Chrome with all that implies in terms of giving the data-grabbing giant more information about your digital life.

This seems to be similar to how Troy Hunt’s HIBP works.
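As an added illustration (not code from the newsletter, from Google or from HIBP), here is the k-anonymity range query that HIBP’s Pwned Passwords API uses and that the author compares this to: the client hashes the password locally, sends only the first five hex characters of the SHA-1 digest, receives every breached hash suffix sharing that prefix, and does the comparison itself. Google’s own Password Checkup is a different construction; the breach corpus below is constructed sample data standing in for a server-side database.

```python
"""HIBP-style k-anonymity password range check (added example, not HIBP's code)."""
import hashlib
from collections import Counter

# Constructed sample "breach corpus" standing in for the server-side database.
# A real service stores hashes and counts, never plaintext; this is illustrative.
CONSTRUCTED_BREACH_CORPUS = ["password", "123456", "letmein", "password", "qwerty"]

HEX_DIGITS = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the digest form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_server_index(corpus):
    """Index breached hashes by their 5-hex-char prefix -> {35-char suffix: count}."""
    index = {}
    for password, count in Counter(corpus).items():
        digest = sha1_hex(password)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index


def range_query(index, prefix: str) -> str:
    """Server side: return every suffix sharing the prefix, as 'SUFFIX:COUNT' lines.

    The server only ever sees the 5-char prefix, so it cannot tell which of the
    returned suffixes (if any) the client was actually looking for.
    """
    if len(prefix) != 5 or not set(prefix) <= HEX_DIGITS:
        raise ValueError("prefix must be exactly 5 upper-case hex characters")
    suffixes = index.get(prefix, {})
    return "\n".join(f"{suffix}:{count}" for suffix, count in sorted(suffixes.items()))


def check_password(password: str, query) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally.

    `query` is the transport to the server (here a function, assumed for the
    example). Returns the breach count, or 0 if the password was not found.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in query(prefix).splitlines():
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    server_index = build_server_index(CONSTRUCTED_BREACH_CORPUS)
    transport = lambda prefix: range_query(server_index, prefix)
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {check_password(pw, transport)} times in the sample corpus")
```

A leaked password is still reported as breached even though the server never received its full hash; a password absent from the corpus yields 0.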

Tim Cook thinks having a monopoly isn’t bad if you don’t misuse it. No, seriously. He said that.

“A monopoly by itself isn’t bad if it’s not abused,” Cook said, while insisting that Apple does not have a monopoly in any sector.

Apple sounds more and more like Microsoft in the ‘90s these days.

Microsoft has released a public preview of Microsoft Teams for Linux. They have .deb and RPM packages. What a crazy world we live in these days!

After users who were trying to backup data from Yahoo Groups had complained, Yahoo (now a subsidiary of Verizon) has now extended the deadline to do so until 31 January 2020. Volunteers are helping the Internet Archive to back up information from the message board system.

Struth! Some guy in Queensland has downloaded 26.8 TB in June of this year alone. That’s a lot of porn, mate!

Early adopters got shafted in two bankruptcies recently: E-scooter startup Unicorn has packed it in due to buying too many Facebook ads, which means orders will neither be shipped nor refunded. And the Kickstarter project Coolest Cooler, some kind of drinks cooler with built-in blender, is also history, allegedly due to the trade war between the US and China. It leaves 20,000 orders unfulfilled.

The Truth: A New Xbox, NHS Patient Data for Sale, Siemens Power Plant Control System Vulnerabilities

Welcome to The Truth for Friday, 13 December 2019. Sorry again for leaving you hanging yesterday. Here’s a tech news update:

Researchers from Qualys have disclosed a local privilege escalation in OpenBSD (CVE-2019-19726): “The vulnerability could allow local users or malicious software to gain full root privileges.”

Are you a state-sponsored (probably Russian) hacker looking for vulnerabilities to exploit in industrial control systems from Siemens? If you are, you’re in luck today as researchers have published a report of 54 security flaws in the SPPA-T3000 system, which is designed to control power plants.

According to Siemens this week, the control system is “mostly used in fossil and large scale renewable power plants.” The vulnerable components are usually protected by a firewall, meaning a hacker would most likely have to be positioned appropriately on the local network to exploit the bugs. Crucially, the miscreant would need access to a so-called highway component behind the firewall before they could attack the app server.

Among the more serious flaws are CVE-2019-18283 and CVE-2019-18284, flaws that do not require any authentication to exploit. “The AdminService is available without authentication on the Application Server,” Siemens said of these flaws. “An attacker can gain remote code execution by sending specifically crafted objects to one of its functions.”

Ouch. That’s cyberwar in the making, that is.

If you use NPM, you should probably update to version 6.13.4 of the packaging software’s command-line tool. Vulnerabilities in previous versions of the tool enable “proof-of-concept exploits that write or overwrite arbitrary files and allow unauthorized file access.” At least there don’t seem to be any packages currently in the registry that exploit this problem.

Adobe’s numbers for the fourth quarter should make some folks over there happy.

Total revenue for the three months ended 29 November came in at $2.992bn, up 21.4 per cent year-on-year. Subscription sales rocketed to $2.686bn from $2.184bn; product was 11 per cent to $167m; and services edged up by a little less than $8m to $138m.

Looks like constantly milking your customers with subscriptions is a great idea. If you’re the one on the receiving end of the money, that is.

Meanwhile, Oracle ain’t doing that hot – at least that’s what the market thinks. “Oracle stock falls as earnings show continuing struggle for revenue growth” is the headline over at MarketWatch.

Revenue for the November quarter rose to $9.61 billion from $9.57 billion, coming in a bit below the FactSet consensus of $9.65 billion. The company disclosed that it generated cloud-services and license-support revenue of $6.8 billion. Revenue from cloud licenses and on-premise licenses totaled $1.1 billion.

I’d be happy. But then, I don’t have shareholders.

Microsoft has finally made its new console official: The Xbox Series X. Good to see they’re continuing to take the piss with their naming scheme. It also looks funny. It probably won’t fit in that shelf under your TV, because, as The Register puts it, it looks like “a Gateway tower PC from the 1990s.” Otherwise, it’s gonna be faster, better and have more Ks on the display …all that shit.

The Register seems to have gotten hold of some documents that show that NHS medical records are being peddled to the highest bidder.

Discussions are already in progress over the future use of patients’ personal records and related information, said to be valued at roughly £10bn a year. NHS England’s top brass met big tech and pharma executives at an invite-only event in October this year to discuss collecting patient data to improve healthcare services, fund this whole data-management project, and potentially even profit from it. This record-organizing programme includes the creation of a “single, standardised, event-based, longitudinal patient record” repository for as many as 65 million Brits. Basically, everything you can imagine collected, cleaned up, curated, and searchable, in one place.

Private sector involvement in the data-collection project, which our sources say looks like a private finance initiative, was represented by Amazon UK boss Doug Gurr, Microsoft UK CEO Cindy Rose, and Dr Jim Weatherall, veep for data science and AI at drug giant AstraZeneca.

The proposed medical record repository will pull together information from GPs and hospitals, mental health professionals, death and demographics registers, information from the private healthcare sector, prescription records, and environmental and social statistics, as well as data flows from embedded medical devices and patient-supplied and entered details.

WHAT COULD POSSIBLY GO WRONG? Jesus…

Police in Moscow have raided an office of web server maker Nginx because a company the head programmer worked for years ago has claimed they own the server’s source code.

We understand the cops showed up after Russian company Rambler Group formally complained it owned the code, and that Nginx was thus infringing its rights, highlighting the country’s rather interesting approach to intellectual property. Nginx, which is today headquartered in San Francisco, USA, and operates as a subsidiary of American tech giant F5 Networks, did not return a request for comment.

In the cross-hairs of the source code copyright claim is Nginx creator Igor Sysoev, who was an employee of Rambler in the 2000s, and at the time wrote the code for what would become the open-source Nginx web server and proxy platform. He claims he wrote the software in his spare time, and thus it belongs to him, though Rambler appears to disagree and has claimed ownership of the blueprints.

Nginx is licensed under the 2-clause BSD license, by the way.

In astronomy news, there are objects in the night sky that disappear or blink in a way that we don’t understand.

A hundred red objects blinking in and out of existence across Earth’s skies over the past 70 years have left scientists giddy: they believe this could be evidence of previously unseen astronomical phenomena or – and hold tight, now – alien civilizations.

I don’t know about you, but I’m quite worried by this current tendency of astronomers to attribute everything we can’t understand to aliens immediately. Just because we don’t understand how something works doesn’t mean it’s caused by mysterious forces. How is just assuming that immediately without any further indicators good scientific work? Have these people never heard of Occam’s razor?

Anyway, speaking of aliens: Season 4 of The Expanse just launched on Amazon Prime today. Which is what I’m gonna go binge watch right now. See you next week!


Header image credit: Marcus P.