Weekly Axis Of Easy #122
Last Week’s Quote was “Image is reality, and reality is nothing more than one long propaganda film” by Peter Levenda, winner was Marco Maske
This Week’s Quote: “The liberties of none are safe unless the liberties of all are protected.” by….???
THE RULES: No searching up the answer, must be posted to the blog
The Prize: First person to post the correct answer gets their next domain or hosting renewal is on us.
Listen to the podcast edition of #AxisOfEasy here: https://vimeo.com/374180968
In this issue:
Amazon doorbells exposed home WiFi passwords to hackers
Suspicionless search of mobile devices ruled unconstitutional
Facebook app secretly accesses your photos
Micro-ISPs and the future of broadband
Bank Wires 800K to fraudsters based on fake email address
Update on Unassailable book
Intel Chips still vulnerable after discovery a year ago
Researchers at Bitdefender have reported that Amazon Ring doorbells send the password for the WiFi network they are connecting to in the clear, which means hackers can intercept it. Armed with your WiFi password, one then has access to the entire network within the home. The lapse occurs during initial setup: when your smartphone app sends the credentials to configure the device, it does so over an unsecured connection.
Amazon reportedly fixed the vulnerability in September; however, they did not disclose it until a couple of weeks ago.
In a rare bit of good news, a US federal judge has ruled that searches of phones or mobile devices by border agents without grounds for suspicion are unconstitutional. The decision was the culmination of a suit brought by the ACLU and the Electronic Frontier Foundation (EFF) on behalf of 11 travellers who had their cellphones searched without a warrant at the US border.
US Border agents conducted approximately 30,000 warrantless searches of devices in 2017, the year the suit was filed.
Web designer Joshua Maddux stumbled on an issue affecting multiple versions of the iOS Facebook app (Android does not seem to have the same issue). While scrolling through his photos on his device, he noticed his camera had activated in the background. If you’ve previously given the app access to your camera (in order to take pictures with it, for example), then the camera feed is active while you do this.
The current thinking is that this is a bug (not a feature), and not yet another creepy privacy invasion by Big Tech. It’s more of a privacy #fail. The remedy for now is to go into your iOS Settings -> Privacy -> Camera -> Facebook and Settings -> Privacy -> Microphone -> Facebook (wow) and revoke perms for the app from both your camera and microphone. Or, you can do what I do, and refuse to put that crap on your phone. The only place I use Facefail is in a browser tab, which I close when I’m done.
Eminent technology commentator and futurist Jesse Hirsh recently launched a new premium newsletter, Metaviews. I subscribed to it immediately; he transmits every weekday, and it’s one of the few newsletters I make a point of reading regularly.
And now, you people will also be able to access two key segments of Metaviews right here: Future Fibre and Future Tools. In the first installment Jesse looks at the state of broadband in rural Canada and the rise of the micro-ISP movement to fill a void that the big tech incumbents and policy makers are not addressing.
A Calgary man is suing his bank after he was tricked into wiring 800K to the wrong bank account when fraudsters inserted themselves into a real estate deal (I’m still trying to figure out if the condo he bought was real, or if that was all part of the con). At any rate, the cybercrooks sent him an email with “revised wire instructions”, and the email purported to come from the law firm he was dealing with. Except the email was a forgery, sent from a fake domain with two letters of the law firm’s real name reversed.
It’s a tough case. All I can say is that companies like the law firm, brokers, escrow agents, etc., who transact business over the internet should be using a system like our new Domainsure platform, which detects these fraudulent variations of your domain names in near real time. The easyDNS customer who brought this to our attention over Twitter notes that the fraudsters behind the fake domain have at least 100 other domains registered, similar variants of other financial firms.
Some of you have noticed that the pre-order links on the blog post about my forthcoming book, Unassailable: Protect yourself from Deplatform Attacks and Cancel-Culture, stopped working. Do not fret, my book on cancel-culture didn’t get canceled (I’m intentionally self-publishing this one). But something weird did happen in that after I moved the publication date back, Amazon delivered the preorders on the original date anyway, and to make matters worse, I hadn’t uploaded the new version yet. So an old, incomplete version of “Unassailable” went out, and I pulled it from all the stores as a result until I can get the final version finished and a release date set.
In the meantime, if you’re not already on the #AxisOfEasy list you can sign up to be notified when this happens.
I literally finished writing this edition, went into the other room to grab some coffee, and before I got back to my desk was alerted to the situation with Intel, where two hardware flaws reported to them by researchers over a year ago have turned out not to be fixed. The new revelations surfaced last week, but I just happened to glance at my email and saw a notice from Digital Ocean outlining what they’re doing about it (one of the two vulnerabilities affects them, the other doesn’t).
The flaws are variations of issues called Zombieload and Rogue In-Flight Data Load (RIDL), and basically mean that if an attacker can get some specialized code to run on affected devices, they can get the CPU to reveal sensitive information such as browser history or authentication credentials.