Weekly Axis Of Easy #94
Last Week’s Quote was “The great danger is that the excess of speculation may bring its usual punishment” by W. Stanley Jevons (1835 – 1882). This one was tricky, I lifted it from the latest issue of Marc Faber’s GloomBoomDoom report.
This Week’s Quote: “Every decent man is ashamed of the government he lives under.” by…. ??
THE RULES: No searching up the answer; it must be posted in the comments below.
The Prize: First person to post, gets their next domain or hosting renewal on us.
We’re transmitting on Wednesday this week on account of the Easter Monday sorta holiday.
- Production companies to sue Canadian BitTorrent users, even if unknown
- Privacy Commissioner considering horrible, unworkable changes to cross border data transfers
- F-Book uploaded 1.5 million users’ email contacts without their consent
- Domain name hijackings are worse than experts originally thought
- Nevermind Y2K, here comes “768K day”
- DoD ethics scandal hits Amazon, putting big fat slab of pork at risk
- Japanese taxis using facial recognition to target ads at passengers
- Microsoft discovers possible backdoor in Huawei driver affecting laptops
Production companies to sue Canadian BitTorrent users, even if unknown
This CBC piece puts Canadians on notice that they better not be using BitTorrent to download copyright material because producers will now be able to sue those associated with an IP address even if the identity of that person is unknown. I’m on the board of the Internet Society Canada Chapter and we discussed this at our last policy meeting. We find the assertions made in the article tenuous. Suing an IP address user on a “John Doe” basis is somewhat pushing it. It reminds me of those “Notices of Criminality” the London PIPCU was emailing out to domain registrars a few years ago.
At any rate, with my ISCC hat on, we’re keeping an eye on this.
Read: https://www.cbc.ca/news/canada/nova-scotia/movie-studios-bittorrent-users-lawsuits-norwich-order-1.5100700
Privacy Commissioner considering horrible, unworkable changes to cross border data transfers
The Privacy Commissioner has deemed that Canada’s decades-old privacy laws are not up to the task of protecting citizens in the digital age, especially with respect to cross border data transfers. The Commissioner is now proposing that “a company that is disclosing personal information across a border, including for processing, must obtain consent.”
We don’t really know what this looks like yet. This was another thing the ISCC discussed in our last policy meeting and we’re on our guard with this one. Consider: if I send a text message to my kid telling her it’s time for bed, there’s a decent chance that message, and the personal metadata attached to it, will cross an international border before it reaches her, and she’s downstairs right now. You get the idea.
Read: http://www.michaelgeist.ca/2019/04/rewriting-canadian-privacy-law-commissioner-signals-major-change-on-cross-border-data-transfers/
F-Book uploaded 1.5 million users’ email contacts without their consent
Have I ever mentioned that it gets really tiring to document F-book’s incessant and unceasing failures to respect users’ privacy? Can I stop? No, I can’t. Especially when this item was forwarded to me by numerous readers, and with good reason. F-Book “unintentionally” harvested the email contact lists of approximately 1.5 million users and pulled those contacts into the F-book platform without their knowledge or consent.
Read: https://www.businessinsider.com/facebook-uploaded-1-5-million-users-email-contacts-without-permission-2019-4
Domain name hijackings are worse than experts originally thought
ArsTechnica has been following a spate of domain name hijackings targeting key infrastructure suppliers for several months now. When I was at CaribNOG last week I caught a talk from Steve Feldman at Packet Clearing House, who was on the receiving end of one of these attacks, and I was impressed with PCH’s transparency on the matter, as well as by the sophistication of the attack.
These attacks are ongoing and purportedly being executed by a state-sponsored entity, targeting the infrastructure vendors of myriad political targets within the Middle East. It’s a whole new ballgame now.
We are in the era of cyberwar. For this reason, you should:
- Enable 2FA (two-factor authentication) on your account
- Use Access Control Lists (ACLs)
- Enable the Enhanced Security Module (ESM), which is the new default and deprecates “Secret Questions / Answers” recovery
- Enable all Event Notifications for your account
- Consider DNSSEC signing your zones (this defeats forged answers and changes made at a DNS provider that isn’t also your registrar, but it does not help against an attacker who can log into your registrar account and alter the DS record)
All of these are in your Account Security Settings.
Read: https://arstechnica.com/information-technology/2019/04/state-sponsored-domain-hijacking-op-targets-40-organizations-in-13-countries/
And https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/ (I thought I ran this one in an earlier issue of #AoE but I can’t find it)
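The hijacks above were made by changing delegations and records through compromised registrar and DNS-provider accounts, and the first sign from the outside is that your domain’s NS or A answers no longer match what you set. As an added example (this is not easyDNS code and not a feature of the easyDNS control panel), here is a small Python check a domain owner could run from cron: it pulls NS, A and MX answers from several public resolvers via `dig`, diffs them against a known-good baseline, and flags drift or disagreement between resolvers (a fresh hijack typically shows up at one resolver before the others as caches expire). It also parses the AD flag from a `dig +dnssec` header to confirm your resolver is actually validating. The baseline, the resolver list and the hijacked answers are constructed for the demonstration; `dig` on PATH is assumed for live use.

```python
"""Added example, not easyDNS code: detect DNS delegation/record drift."""
import subprocess
from dataclasses import dataclass

# Public resolvers to cross-check (assumed choice; any validating resolvers will do).
RESOLVERS = ("1.1.1.1", "8.8.8.8", "9.9.9.9")


def normalize(rdata):
    """Canonicalise one rdata string so baseline and answers compare equal."""
    return " ".join(rdata.split()).lower().rstrip(".")


def dig_short(name, rtype, resolver):
    """Live lookup through the dig CLI (assumed on PATH; not used offline)."""
    proc = subprocess.run(["dig", "+short", "+time=5", f"@{resolver}", name, rtype],
                          capture_output=True, text=True, timeout=15, check=True)
    return frozenset(normalize(l) for l in proc.stdout.splitlines() if l.strip())


@dataclass(frozen=True)
class Finding:
    resolver: str
    rtype: str
    unexpected: frozenset  # rdata in the answer but not in the baseline
    missing: frozenset     # baseline rdata absent from the answer


def diff_against_baseline(resolver, baseline, observed):
    """Compare one resolver's answers (rtype -> set of rdata) with the baseline."""
    findings = []
    for rtype, expected in baseline.items():
        seen = observed.get(rtype, frozenset())
        unexpected, missing = seen - expected, expected - seen
        if unexpected or missing:
            findings.append(Finding(resolver, rtype, unexpected, missing))
    return findings


def resolver_disagreements(answers):
    """answers: resolver -> (rtype -> set). Return the rtypes the resolvers disagree on."""
    rtypes = {t for a in answers.values() for t in a}
    return {t: {r: a.get(t, frozenset()) for r, a in answers.items()}
            for t in rtypes
            if len({a.get(t, frozenset()) for a in answers.values()}) > 1}


def dnssec_validated(dig_output):
    """True if a `dig +dnssec` header carries the AD (authenticated data) flag.
    AD only says the resolver validated; an unsigned zone never gets it."""
    for line in dig_output.splitlines():
        if line.startswith(";; flags:"):
            flags = line.split(":", 1)[1].split(";", 1)[0].split()
            return "ad" in flags
    return False


def check_domain(name, baseline, lookup=dig_short, resolvers=RESOLVERS):
    """Full check. `lookup(name, rtype, resolver)` is injectable so the logic
    can be exercised on canned answers without touching the network."""
    answers = {r: {t: frozenset(normalize(x) for x in lookup(name, t, r)) for t in baseline}
               for r in resolvers}
    findings = [f for r, a in answers.items() for f in diff_against_baseline(r, baseline, a)]
    return findings, resolver_disagreements(answers)


# --- constructed demonstration data (not real measurements) ---
BASELINE = {
    "NS": frozenset({"ns1.example.net", "ns2.example.net"}),
    "A": frozenset({"192.0.2.10"}),
    "MX": frozenset({"10 mail.example.com"}),
}
# One resolver already serves the hijacked delegation and A record; the other
# still returns cached, good data. Both cases must be caught.
CANNED = {
    "1.1.1.1": {"NS": {"ns1.attacker.example.", "ns2.attacker.example."},
                "A": {"198.51.100.7"}, "MX": {"10 mail.example.com."}},
    "8.8.8.8": {"NS": {"ns1.example.net.", "ns2.example.net."},
                "A": {"192.0.2.10"}, "MX": {"10 mail.example.com."}},
}


def canned_lookup(name, rtype, resolver):
    return CANNED[resolver].get(rtype, set())


def demo():
    return check_domain("example.com", BASELINE, canned_lookup, tuple(CANNED))


if __name__ == "__main__":
    findings, disagreements = demo()
    for f in findings:
        print(f"ALERT {f.resolver} {f.rtype}: unexpected={sorted(f.unexpected)} "
              f"missing={sorted(f.missing)}")
    print("resolvers disagree on:", sorted(disagreements))
```

For live use, call `check_domain("yourdomain.example", BASELINE)` with your own baseline and treat any finding as a page-someone event; the baseline should be taken from your registrar and zone configuration, not from a DNS query, since a query made after the hijack would only enshrine the attacker’s records.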
Nevermind Y2K, here comes “768K day”
Sometime within the next few weeks the global internet BGP routing table is expected to hit 768,480 entries, crossing the 768K mark that many operators raised their routers’ route-table (TCAM) allocation to after the last scare, which means some older routers and gateways may again run out of space to hold the full table. That last scare was “512K day”, August 12, 2014, when Verizon suddenly announced about 15,000 new BGP routes and any equipment that couldn’t hold more than 512K routes fell over. The likes of AT&T, BT, Comcast, Sprint and Verizon all went down and it apparently punched quite a hole through the internet. (I actually don’t even remember that day. I think I spent the entire month in flip flops and a snorkel mask in Barbados that year. Sorry I missed it.)
Anyway, the entire world should have learned and will be better prepared for it when 768K day hits… right? …Right?
Read: https://www.zdnet.com/article/some-internet-outages-predicted-for-the-coming-month-as-768k-day-approaches/
DoD ethics scandal hits Amazon, putting big fat slab of pork at risk
Grant’s Interest Rate Observer submitted this piece to Zerohedge about the US Department of Defense’s procurement of cloud services for its Joint Enterprise Defense Infrastructure (JEDI). It’s a 10 billion dollar contract and there have been some rumblings of wrongdoing with respect to the awarding of it. Amazon Web Services has been the presumed winner. AWS is responsible for about 60% of Amazon’s operating profits. (The rest of the company mostly loses money.)
The DoD conducted an internal investigation and cleared itself (literally: “DoD investigates self, finds no wrongdoing”), but it did find potential wrongdoing on the part of DoD civilian personnel or in its procurement procedures, and that is now under investigation. The contract is down to Amazon vs Microsoft, so if things go very badly for the former, the latter could wind up with the deal.
Read: https://www.zerohedge.com/news/2019-04-19/unexpected-scandal-threatens-cripple-amazon
(Also, Jim Grant is great. All of his books are great. And he has a free podcast as well. Macro finance groupies only, but it’s worth it)
Japanese taxis using facial recognition to target ads at passengers
I’m pretty sure I’ve made this reference here before: remember that scene in ‘Minority Report’ when the protagonist is running through the mall and the hologram ads and robotic mannequins are calling out his name, trying to get him to look at ads targeted at his identity? And then I usually say something like “we’re sort of headed for that”.
Well, in Japan they now have taxis that, when you get into the back, run facial recognition software to estimate your age and gender so they can better target ads at you while the cab takes you where you want to go. I don’t see any reference to them cross-referencing your actual identity, but hey, if the technology enables it, it’ll happen eventually.
Read: https://futurism.com/japanese-taxis-facial-recognition-target-ads-riders/
Microsoft discovers possible backdoor in Huawei driver affecting laptops
This one is a tad old-news-ish, because it’s from March, but I found it interesting given that Huawei is under the gun for allegedly using its market dominance to act as an extension of Chinese state-sponsored espionage.
Turns out Microsoft found that certain Huawei MateBook systems “included a driver that would let unprivileged users create processes with superuser privileges”. The driver shipped with Huawei’s PC Manager utility, and Huawei has since released a fix. Of interest was how Microsoft found the problem: Microsoft Defender ATP’s kernel sensors flagged the driver’s behaviour with a detection built for NSA-style “DOUBLEPULSAR” backdoors, which inject code from kernel mode into user-mode processes, and the investigation from there turned up the privilege escalation. If you run one of these laptops, make sure PC Manager is updated; OEM “convenience” drivers like this run in the kernel and are a standing attack surface whether or not anyone intended a backdoor.
As we went to press we also found a piece on how Huawei P30 Pro phones in Thailand were found to be phoning home (no pun intended) to government servers within China.
Read: https://arstechnica.com/gadgets/2019/03/how-microsoft-found-a-huawei-driver-that-opened-systems-up-to-attack/
And: https://www.microsoft.com/security/blog/2019/03/25/from-alert-to-driver-vulnerability-microsoft-defender-atp-investigation-unearths-privilege-escalation-flaw/
Andrew says
I think you should stop preaching MFA for easydns until you can actually make it work. Right now the only way to share admin access to an easydns domain is by sharing the credentials, and shared credentials are pretty much the opposite end of the spectrum from MFA.
Mark E. Jeftovic says
Hi Andrew, I do realize 2FA makes it harder to have multiple parties work on an account. At the moment you could use separate accounts and share management via domain portfolios. However, we are also working now on a full sub-account capability which will be ready soon(ish).