Weekly Axis Of Easy #115
Last Week’s Quote was: “We’ll know our disinformation program is complete when everything the American public believes is false”…was by former CIA chief William Casey. Winner was Gilles Durot.
This Week’s Quote: “It isn’t the rebels who cause the troubles of the world; it’s the troubles that cause the rebels.” ….by ????
THE RULES: No searching up the answer, must be posted below.
The Prize: First person to post the correct answer gets their next domain or hosting renewal is on us.
We’ve added a podcast version of #AxisOfEasy! You can listen to this week’s edition:
- US tech companies will have to share encrypted messages with UK police
- Data Breach of the Week: Doordash. 4.9 million records. Boom.
- Tibetan activists targeted by Chinese authorities via their cellphones
- Who is at-fault when self-driving cars kill people?
- Belarus becomes first country to make IPv6 mandatory
- Kazakhstan blocks over 90K sites to target one domain
- Massive Youtube hack targets content creators
- Google’s DNS-over-HTTPS draws anti-trust scrutiny
A new treaty between the UK and the US will mean that US-based social media platforms like Facebook and WhatsApp will be legally compelled to share users’ encrypted messages with UK police. The agreement is expected to be signed in October and will require that tech companies in the US whose users are being investigated for “serious” crimes give access to law enforcement or intelligence agencies in the UK.
Parameters of the deal include that the respective governments may not investigate each other’s citizens while the US is prohibited against using information obtained from UK companies in cases that carry the death penalty.
When a company blog post starts out with “We take our customers’ security very seriously”, you know it’s bad news. Thus begins Doordash’s blog about a security breach that affects “some” users. 4.9 million to put a number to it.
Basically anybody who joined the service prior to April 15, 2018 has had the following data exposed: name, email address, delivery addresses, order history, phone numbers, hashed and salted passwords, and in “some” cases, the last 4 digits of the credit card.
While Doordash states that these last 4 digits of your credit card cannot be used to facilitate fraudulent charges to your card, what they don’t say is that they can frequently be used in account recovery operations with other services.
The cyber-espionage watchdog CitizenLab has issued another report detailing efforts to infect Tibetan advocacy groups via their mobile devices. The report dubs the actor behind the attacks “POISON CARP”, who used maliciously crafted links within WhatsApp texts to exploit malware which installed spyware on their iOS and Android devices. The attack vector differs from previous, and long-running efforts to compromise Tibetan civil society groups that the report dubs it “a game changer”.
Who is POISON CARP? Nobody comes out and says it, but the forensics seem to find commonality between campaigns targeting the Tibetans and the Uyghur Moslems who are currently actively surveilled and persecuted in China.
This article in Forbes delves into “the complex web of liabilities” that must be disentangled whenever a self-driving car kills somebody. I find the entire question egregious. Most companies working on this, like Uber (who killed a pedestrian whilst testing an autonomous vehicle in March of ’18) at least have supervisors in the car. It’s still inexcusable when some company testing something kills a member of the public who never signed up to be a guinea pig.
But then there are Tesla owners, who buy into Elon’s bullshit about “full self-driving” and take their Model S out on the road and sleep behind the wheel. These drivers think their cars are fully autonomous, they’re not, and they get themselves and others killed (see https://tesladeaths.com as documented by the TSLAQ collective).
Tesla’s newly unveiled “Smart Summons” is a joke, but it will cease being funny after somebody’s M3 rolls over some kid in a parking lot. The facts to date are that AI has already proven itself not up to the task of self-driving and nobody should be trying to run AVs in real world conditions until the debugging process is long over. That’s the part that gets me, autonomous vehicles are nowhere close to being considered stable or foolproof, so why am I being forced to share the road with somebody else’s buggy, self-driving beta test or some out-of-his-mind crazy Tesla owner who thinks he’s living in the future?
The former Soviet republic of Belarus is setting itself up to become a tech Mecca. It has passed numerous wide ranging decrees (it is also called “Europe’s Last Dictatorship”) favourable to the tech sector. It seems like they’re going for a kind of Singaporean approach: benevolent authoritarian, exceedingly pragmatic. 36 types of technology activities have been decreed to incur zero taxes until 2049. Crypto-currencies have been embraced. Smart contracts have legal validity. Initial coin offerings are permitted and incur no taxation until 2023.
As part of the infrastructure to maintain all of this, the Belarus government has also decreed that all ISPs in the nation must provide IPv6 transit to their customers starting January 1st, 2020.
Another former Soviet republic, Kazakhstan, seems to be taking a more ham-handed approach. As we reported earlier, they recently imposed a government root CA that in effect allows them to wiretap TLS traffic to all citizens. In their latest adventure they took aim at what the government is calling an illegal prostitution ring by taking down a massage parlour’s website. They ordered ISPs to blackhole 2 IP addresses associated with the “Rainbow Spa”, however those two IP addresses belonged to a German DDoS mitigation firm, and thus, over 90,000 other websites were also effectively disappeared from internet users in the country.
A reader sent me this a week ago but it never got in for last issue. Seems like a boatload of prominent Youtubers had their channels taken over after their Google accounts were hacked. The attack vector was a simple email phish, directing the victims to a fake Google account login page. What I found interesting here was that the Youtubers who had 2-factor authentication enabled were still hacked, because the phishing attack used a tool called Modlishka (which I never knew existed) which facilitates man-in-the-middle attacks complete with fake 2FA token input screens, which it then uses to log into the real site.
(h/t David Clark)
DNS for the most part happens in the clear, your ISP or anybody else with visibility into your resolver can see exactly what lookups your computer is making, and from that infer a lot about your activity… or proclivities. DNS-over-TLS is a recent development, which encrypts the connection between your client (like you’re laptop) and your DNS resolver. Google intends to implement DNS-over-TLS in its Chrome browser.
The problem, according to House Judiciary Committee antitrust investigators, is that using their prominence in search and browsers, and DNS resolution (with their 220.127.116.11 public resolver), Google is abusing its market position.
This folks, by the way, is the end game of all these new free DNS services you’re seeing. Cloudflare’s Warp and 18.104.22.168 will implement similar mechanisms. Yes, DNS-over-TLS protects your lookups from other people like ISPs, but they do not protect your lookups from Google or Cloudflare.
What’s the solution? Personally I run my own PowerDNS resolver on my laptop and I’ve always thought there should be a concerted push toward decentralizing DNS resolvers.