Major PHP Vulnerability Can Allow Remote Code Execution


Weekly Axis Of Easy #39


Seems like all kinds of fit hit the shan last week, in this issue:
  • Major PHP vulnerability can allow remote code execution
  • EU wants ISPs to delete “terrorist content” within 1 hour
  • China bans Orwell’s “Animal Farm” and… the letter “N”
  • Surprise! Tor project was funded by the US Government
  • Freaking Yuge DDoS attacks are back: 1.3TB/sec reported
  • YouTube and Facebook algos start inflicting casualties
  • Canadians protest plan by Bell, Rogers et al to control web content
  • BoE’s Mark Carney calls for crypto regulation to end “anarchy”

Major PHP vulnerability can allow remote code execution

As per CISecurity.org: “Multiple vulnerabilities have been discovered in PHP, the most severe of which could allow an attacker to execute arbitrary code”. This affects versions < 7.2.3, < 7.0.28 and < 5.6.34. While no exploits have been spotted in the wild yet, now would be a good time to upgrade.

Read: https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-php-could-allow-for-arbitrary-code-execution_2018-023/

EU wants ISPs to delete “terrorist content” within 1 hour

The European Union has issued new guidelines to social media platforms such as Facebook, Twitter and Google advising them to remove “terrorist” content within 1 hour of being flagged by Europol. Don’t ask me how anybody can cram even a semblance of due process or oversight into that. So far adding outside help to curate content such as “trusted flaggers” has been a debacle for both Facebook and Google, while Twitter will probably do just fine since they ban you for pretty well anything anyway.

These recommendations are in conjunction with wider EU directives to “get rid of terrorist content” within three months – and tucked into that, copyright violations within six. “Make it so”.

(It may also be worth noting here that former French presidential candidate Marine Le Pen has been charged for some anti-ISIS tweets she made and faces a maximum of 3 years in prison. More on that here)

Read: https://www.buzzfeed.com/pranavdixit/terror-content-must-be-cut-from-social-media-within-an-hour
And: https://futurism.com/eu-internet-companies-you-have-three-months-get-rid-extremist-content/

China bans Orwell’s “Animal Farm” and… the letter “N”

Continuing on a theme (that theme being The State Knows What’s Best for the rest of us to think, say or blog), the People’s Utopia of China has issued a new list of banned words and themes which henceforth shall not be posted or discussed online in the wake of that country eliminating term limits, clearing the road for Xi Jinping to rule for life.

A California-based China watchdog has posted the new list of banned terms, which includes George Orwell’s “Animal Farm”, “Brave New World”, of course “1984” and inexplicably, the letter “N” (although it seems they’ve allowed that letter to be used agaiN).

Read: https://chinadigitaltimes.net/2018/02/sensitive-words-emperor-xi-jinping-ascend-throne/
And: http://www.independent.co.uk/news/world/asia/china-animal-farm-ban-censorship-george-orwell-xi-jinping-power-letter-n-a8235071.html

Surprise! Tor project was funded by the US Government

Yasha Levine, the author of “Surveillance Valley: The Secret Military History of the Internet”, which I mentioned in the reading list last week, wrote about his findings from combing through over 2500 pages of FOIA requests: that the Tor project, which uses onion routing to provide ostensibly untraceable anonymity for web surfers, is nearly 100% funded by the US Government.

Read: https://surveillancevalley.com/blog/fact-checking-the-tor-projects-government-ties

Freaking Yuge DDoS attacks are back: 1.3TB/sec reported

We’ve been saying this for years: DDoS attacks will only get bigger over time. Yesterday it was NTP reflection attacks which clocked in at 400GB to 800GB/sec (ironically the Mirai IoT botnet, such as the one that knocked Dynect completely offline in that big DNS outage of 2016, was much smaller than NTP reflection). As Akamai reported last week, a new DDoS vector of “memcache reflection” is now being used to launch DDoS attacks over the 1TB/sec threshold. Something that Prolexic (now Akamai) predicted would happen in 2020 is here a couple years early.

Read: https://blogs.akamai.com/2018/02/memcached-udp-reflection-attacks.html

Moral of the story? These things are only getting bigger – if you need to guarantee 100% DNS uptime you need to be able to get out of the way of DDoS attacks by using name server failover.

YouTube and Facebook algos start inflicting casualties

As Bloomberg reports, YouTube fumbled its first big test of using “trusted flaggers” to root out “fake news” and killed a wide swath of Conservative accounts instead.

Meanwhile, Facebook’s changes to its news feed algorithm (something we reported in AoE some time ago) have claimed at least one casualty. “Little Things” COO Gretchen Tibbits says that change wiped out 75% of their traffic and they’ve shut down the business. Very sad given that they were self-funded and had opted not to go the VC route.

Read: https://digiday.com/media/littlethings-shuts-casualty-facebook-news-feed-change/
And: https://www.bloomberg.com/news/articles/2018-02-28/youtube-s-new-moderators-mistakenly-pull-right-wing-channels

Canadians protest plan by Bell, Rogers et al to control web content

Also as previously covered here, Bell Canada, along with some of the other incumbent big media companies here in Canada like Rogers and Maple Leaf Media, is promoting initiatives which would result in website blocking without court orders and content filtering under the rubric of fighting copyright infringement.

Note that the so-called “Fair Play” scheme promoted by the Bell coalition here is very different from the also so-called “Net Neutrality” provisions in the US – which we said may not be such a bad thing when it was overturned. It is important to note why.

The US framework dealt primarily with raw access to the internet, of which the hot-button issue was potential “throttling” or controlling the speeds at which consumers access the internet via various connectivity providers.

Here in Canada, the Bell proposals address content and due process, two things we here at easyDNS have always held sacrosanct.

(We said then, and continue to warn now that those who are concerned about freedom of speech, content shaping, manipulation of the narrative and censorship should be more worried about Google, and Facebook, and Twitter than the cable and telcos.)

The Open Media Foundation is organizing a grassroots movement to protest the Bell plan; the deadline for CRTC public comment is March 29. (I should probably get off my ass and submit something myself.)

Read: http://www.michaelgeist.ca/2018/02/case-bell-coalitions-website-blocking-plan-canadians-take-stand-site-blocking/
And: https://www.blogto.com/tech/2018/02/canadians-rally-against-bells-plan-censor-internet/

And get involved via: https://www.fairplaycanada.com/

BoE’s Mark Carney calls for crypto regulation to end “anarchy”

Bank of England governor and Canadian dude Mark Carney called for co-ordinated global regulation for crypto-currencies, which is unsurprising given that they pose an existential threat to the centrally controlled cartel of money issuance. People always say “anarchy” like it’s a “bad thing”. In case you missed it, I’ve written an in-depth series about the historic and geo-economic ramifications of the Bitcoin phenomenon at Guerrilla-Capitalism.

See: https://www.bloomberg.com/news/articles/2018-03-02/boe-s-carney-calls-for-regulation-to-end-cryptocurrency-anarchy

If you’re not following us on Twitter you’re missing out on our witty repartee (and updates on the system) – better do it now.
