Weekly Axis Of Easy #96
Last Week’s Quote was “The Cosmos is about the smallest hole that a man can hide his head in” by…. G.K. Chesterton. Nobody got it, again.
This Week’s Quote: “Don’t retaliate. Just get stronger” by….??
THE RULES: No searching up the answer, must be posted in the comments below:
The Prize: First person to post, gets their next domain or hosting renewal on us.
- Backdoor found in Cisco switches
- San Francisco and Oakland may ban facial recognition
- Cloudflare ordered to reveal infringing users to RIAA
- Guess which Nobel economist is calling for a ban on crypto
- Microsoft hoses own DNS causing global Azure outage
- Netsol’s fugly sign-up scams and what to do with malicious files
- Reverse engineering China’s surveillance app
- Has Slack hit the point of diminishing returns?
Looks like Cisco shipped its Nexus 9000 Series Fabric Switches (running in ACI mode) with a default SSH key pair present on every device. An unauthenticated remote attacker who can reach the switch over IPv6 can use that key to log in as root; the flaw is not exploitable over IPv4. Cisco has issued a patch for the vulnerability, CVE-2019-1804, along with fixes for some 40 other vulnerabilities ranging from privilege escalation to Denial-of-Service.
Impending proposals in San Francisco and then Oakland later this month could make these two cities the first in the USA to ban the use of facial recognition software in all city departments:
In San Francisco it’s called the “Stop Secret Surveillance Ordinance”, which would make it illegal for any department to “obtain, retain, access or use” any face-recognition technology or information obtained from such technology. Other provisions of the proposal would require that city supervisors sign off before any agency purchases any surveillance technology, including license plate readers, closed-circuit cameras, body cams, biometric tech and “any software for forecasting criminal activity”.
Oakland has a similar proposal pending shortly after San Francisco’s.
The Recording Industry Association of America (RIAA) has obtained a subpoena from a federal court in the District of Columbia ordering the CDN provider Cloudflare, which sits in front of websites as a reverse proxy, to turn over the IP addresses and email contacts of select websites behind it. The order targets the file hosting sites DBREE and AyeFiles, and the music downloading sites RapGodFathers and Plus Premieres, which make unlicensed copies of tracks from artists such as Pink, Drake, T-Swift and others available for download.
I don’t really sympathize with these sites. Yes, there are some here on the system, and we make them abide by Section 21 of our Plain English Terms of Service which state that they have to action copyright removal requests or face termination.
But the bigger picture is covered by our Open Letter to BitTorrent and File Sharing sites which we wrote in 2015, and if you are running one of these sites, you should read it.
Trick question perhaps? Paul Krugman once opined that he cannot think of a single problem crypto-currencies such as Bitcoin actually solves. I ended up writing this “Memo to Krugman” outlining seven issues crypto solves. It ended up running on Zerohedge and a few other places.
Today it’s Joseph Stiglitz, who won a Nobel in economics for devising the optimal queuing theory for toilet-paper line-ups. Or maybe that was Lenin, it’s so hard not to confuse the contemporary economic Nobel laureates with the most extreme Marxists these days. Next thing we know they’ll be giving a Nobel to Piketty.
Anyhoo – Stiglitz goes beyond Krugman. He thinks crypto-currencies should be banned. He says it like it’s within anybody’s power to actually do that. He says it as if crypto-currencies are not a wholesale rejection of a fraudulent Ponzi scheme that is rigged to systematically leech the wealth from everybody who is not intimately connected to a microscopically small cadre of global oligarchs. (Look specifically at “Problem #3” that crypto solves in that article)
To that point, Stiglitz thinks there is value in a digital currency, if it’s a government run one.
“I’ve been a great advocate of moving to an electronic payments mechanism. There are a lot of efficiencies. I think we can actually have a better regulated economy if we had all the data in real time, knowing what people are spending”
Translation: If the Government could use the currency to spy on you, everything would be awesome.
Last week several Microsoft services experienced an outage after the company made a configuration error while migrating some legacy core domains to its own Azure DNS platform. The mistake had second-order effects within the Azure ecosystem itself, impacting Azure Compute, Storage, App Service, Azure Identity and SQL storage.
Believe me when I tell you I am not adding this piece out of schadenfreude that a competitor blew up its own DNS for a few hours last week. It happens. And that is exactly my point here. To paraphrase Dr. Johnny Fever when he said “look, we all ruin our lives”. At some point, everybody has a DNS outage and it doesn’t even matter what the reason is. Like Thanos said, “It’s inevitable”.
The moral of the story is that if you’re running what we call “an infrastructure domain”, meaning one that is holding up a piece of the internet, then you rilly rilly need to have a stand-by DNS solution queued up and ready to go, always: a second, independent provider already serving a current copy of the zone, not a plan to set one up once the outage has started. As per http://HighAvailabilityDNS.com
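A stand-by provider is only a stand-by if its copy of the zone actually matches what you serve today, and a delegation change (which is what Microsoft’s migration was) is exactly the moment to check that. The following pre-flight check is an added example written for this issue; it is not easyDNS, Microsoft or Azure code. It compares two “zone views” (the records as answered by the current nameservers and by the stand-by), flags anything missing or different, checks that the nameserver set you intend to publish at the parent spans more than one operator, and checks that every nameserver in that delegation is also listed in the apex NS set the stand-by serves. The zone `example.net.`, the operators `primary-dns.example` and `standby-dns.example`, and all record data are constructed for the example; in practice you would populate the views from `dig` answers against each provider.

```python
# Added example (not from the newsletter or any DNS provider): pre-flight
# comparison of a zone across two providers before flipping delegation.
from typing import Dict, FrozenSet, List, Optional, Tuple

RRKey = Tuple[str, str]                 # (owner name, record type)
ZoneView = Dict[RRKey, FrozenSet[str]]  # what one set of nameservers answers

# Constructed data: the view served by the current (primary) nameservers.
PRIMARY_VIEW: ZoneView = {
    ("example.net.", "SOA"): frozenset({"ns1.primary-dns.example. hostmaster.example.net. 2019050301 7200 900 1209600 300"}),
    ("example.net.", "NS"): frozenset({"ns1.primary-dns.example.", "ns2.primary-dns.example."}),
    ("example.net.", "A"): frozenset({"203.0.113.10"}),
    ("example.net.", "MX"): frozenset({"10 mail.example.net."}),
    ("mail.example.net.", "A"): frozenset({"203.0.113.25"}),
    ("www.example.net.", "CNAME"): frozenset({"example.net."}),
}

# Constructed data: the stand-by provider's copy. The MX record was never
# copied across and the apex A record carries a typo, yet the SOA serial is
# identical, so "same serial" alone would not have caught either problem.
STANDBY_VIEW: ZoneView = {
    ("example.net.", "SOA"): frozenset({"ns1.standby-dns.example. hostmaster.example.net. 2019050301 7200 900 1209600 300"}),
    ("example.net.", "NS"): frozenset({"ns1.standby-dns.example.", "ns2.standby-dns.example."}),
    ("example.net.", "A"): frozenset({"203.0.113.100"}),
    ("mail.example.net.", "A"): frozenset({"203.0.113.25"}),
    ("www.example.net.", "CNAME"): frozenset({"example.net."}),
}


def provider_of(nameserver: str) -> str:
    """Crude 'who operates this nameserver' key: the last two labels of its hostname."""
    labels = nameserver.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def serial_of(view: ZoneView, zone: str) -> Optional[int]:
    """Pull the serial (third field) out of the zone's SOA rdata, if present."""
    soa = view.get((zone, "SOA"))
    if not soa:
        return None
    return int(next(iter(soa)).split()[2])


def diff_views(reference: ZoneView, candidate: ZoneView) -> Tuple[List[RRKey], List[RRKey], List[RRKey]]:
    """Records the candidate is missing, answers differently, or adds.
    SOA and apex NS legitimately differ between providers, so they are skipped."""
    skip = {"SOA", "NS"}
    missing = [k for k in reference if k[1] not in skip and k not in candidate]
    changed = [k for k in reference if k[1] not in skip and k in candidate and candidate[k] != reference[k]]
    extra = [k for k in candidate if k[1] not in skip and k not in reference]
    return missing, changed, extra


def preflight(reference: ZoneView, candidate: ZoneView, zone: str, delegation: List[str]) -> List[str]:
    """Return human-readable problems; an empty list means the flip is safe.
    `delegation` is the NS set you intend to publish at the parent."""
    problems: List[str] = []
    missing, changed, extra = diff_views(reference, candidate)
    problems += [f"missing on stand-by: {t} {n}" for n, t in missing]
    problems += [f"differs on stand-by: {t} {n} {sorted(reference[(n, t)])} vs {sorted(candidate[(n, t)])}"
                 for n, t in changed]
    problems += [f"unexpected on stand-by: {t} {n}" for n, t in extra]

    # A stale serial is a warning sign, but (as the sample data shows) an equal
    # serial proves nothing; the record-level diff above is the real check.
    ref_serial, cand_serial = serial_of(reference, zone), serial_of(candidate, zone)
    if ref_serial is not None and cand_serial is not None and cand_serial < ref_serial:
        problems.append(f"stand-by serial {cand_serial} is behind {ref_serial}")

    # Provider diversity: one operator in the delegation means one outage takes
    # the whole zone down, which is the situation this newsletter is warning about.
    providers = {provider_of(ns) for ns in delegation}
    if len(providers) < 2:
        problems.append(f"single provider in delegation: {sorted(providers)[0]}")

    # Parent/child consistency: every NS you publish at the parent should also
    # appear in the apex NS set the child zone serves, or resolvers see a mismatch.
    apex_ns = candidate.get((zone, "NS"), frozenset())
    for ns in delegation:
        if ns not in apex_ns:
            problems.append(f"{ns} is in the delegation but not in the apex NS set served by stand-by")
    return problems


if __name__ == "__main__":
    planned = ["ns1.standby-dns.example.", "ns2.standby-dns.example."]
    for problem in preflight(PRIMARY_VIEW, STANDBY_VIEW, "example.net.", planned):
        print("PROBLEM:", problem)
```

Run against the constructed data it reports the missing MX, the mismatched apex A record, and the fact that the planned delegation lives entirely with one operator. Publishing both providers’ nameservers instead clears the diversity warning but then surfaces the parent/child mismatch, because the stand-by’s apex NS set only lists its own servers; both copies of the zone need the full four-nameserver NS set before the delegation goes live.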
However, in this piece, wherein I reference a competitor, I am admittedly being a bit more dick-ish about it because I found the tactic so egregious and deceptive I got a little triggered and went on a rant about it.
It all happened when I went to buy an aftermarket domain from Network Solutions….
Another quick blog post last week was in response to a reader who asked me what one can do, on discovering a potentially malicious file, that helps the security community in general:
In #AxisOfEasy 93 we covered a story in the NYTimes about how China is using technology to turn an entire city, inhabited almost entirely by Uighur Muslims, into a virtual prison.
Now Human Rights Watch has managed to obtain and reverse engineer the mobile app that police and other officials use to communicate with the Integrated Joint Operations Platform (IJOP):
“[T]he policing program aggregates data about people and flags to officials those it deems potentially threatening; some of those targeted are detained and sent to political education camps and other facilities.”
Now that HRW has reverse-engineered the app, they know what kinds of behaviours this mass surveillance system targets.
I only hope HRW is still around in the West when whatever we end up calling our own Sesame Credit system becomes mandatory here. (Who am I kidding, it’ll still be called Facebook)
This article takes a look at Slack and poses the question: is it diminishing productivity in the workplace instead of enhancing it? Part of the problem is that when average users send 200 messages per week, and power users exceed 1,000 messages per day, keeping up with Slack can become a full-time job unto itself.
My other issue, not covered in the article, is that Slack is centralized: potentially sensitive internal company communications being stored, and who knows what else, on somebody else’s servers. That’s why we use Mattermost here. It’s like Slack, but you can use your own backend storage. (We also have it rigged so that it administers a small electrical shock to anybody who exceeds their daily quota of messages.)