Weekly Axis Of Easy #132
Last Week’s Quote was: “The only mistake in life is the lesson not learned”…was Albert Einstein; the winner was Chuck Wong.
This Week’s Quote: “The media’s so central to our lives that we believe what we see onscreen is real” …by ????
THE RULES: No searching up the answer, must be posted to the blog
The Prize: First person to post the correct answer gets their next domain or hosting renewal on us.
Listen to the podcast edition of #AxisOfEasy here:
- Election app completely hoses Iowa caucus
- DNS DoS against a voter registration site
- China government tries to tighten control over Coronavirus reporting
- Wacom drawing tablets track every app you open
- Apple’s “CarKey” to enable iPhone to unlock your car
- Beware of those free mobile phone charging stations
- Dutch court rules welfare surveillance violates privacy rights
- Petition introduced to kill Canada’s BTLR proposal (by me)
As they say, “To err is human, but to really screw things up requires a computer.” Which seems to be the case in the opening salvo of the US elections, the Iowa Democratic caucus.
The Iowa Democratic Party (IDP) tried to use a smartphone app called “IowaReporterApp”, built by a company called Shadow Inc. Delegates were to use the app to report their results, ostensibly to speed things up. Usability issues hampered the process, which was then compounded by a “data formatting error” when the results were uploaded to Shadow Inc’s servers.
The fallback method of phoning it in overloaded the lines (some outlets blaming the latter on “Pro-Trump trolls”).
In any case, as I write this, the final results are being recounted via paper ballots and have still not been posted but are expected to be released before the New Hampshire primary, on the 11th.
The Vice article that looks at the Shadow Inc app had it decompiled and reverse engineered, and Vice is inviting security researchers to download the Android .APK file from its website.
The US election hijinks continue as the FBI issued a Private Industry Notification (PIN) warning of an attack that targeted a state-level voter registration website. The attack vector was a Pseudo-Random Subdomain attack (PRSD), which is when your nameservers are hit with huge volumes of DNS lookups for non-existent, randomly generated hostnames within your domain. Because every label is new, no resolver has it cached, so each query lands on your authoritative servers and has to be answered (with an NXDOMAIN) there.
The targeted site was unaffected since they had rate limiting set up on their name servers. The attack itself was no big deal (200,000 queries at times when 15,000 were expected), and my guess – launched by a script kiddie. But the FBI issued a PIN to alert industry to the possibility of this type of targeting in this election year.
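As an added example (not part of the FBI notification or of this newsletter), here is how a PRSD flood shows up in an authoritative server’s query log and how to flag it: many distinct, high-entropy leftmost labels under one zone in a short window. The log lines are constructed in BIND querylog style, the zone names and the thresholds are assumptions to be tuned against your own baseline, and the random labels come from a seeded generator so the sample is reproducible.

```python
"""Flag a pseudo-random subdomain (PRSD) flood in BIND-style query logs.

Added example for this newsletter; not the FBI's or easyDNS's own tooling.
The sample log lines are constructed; thresholds are assumptions.
"""
import math
import random
import re
from collections import Counter, defaultdict

# BIND querylog line shape (constructed, not a real capture):
# "client 203.0.113.7#4242: query: www.benign.example IN A + (192.0.2.53)"
LINE_RE = re.compile(
    r"client (?P<src>[0-9a-f.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def zone_and_label(qname, zone_depth=2):
    """Split 'a.b.victim.example' into ('victim.example', 'a.b').
    Assumption: hosted zones are two labels deep (adjust zone_depth otherwise)."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= zone_depth:
        return ".".join(labels), ""
    return ".".join(labels[-zone_depth:]), ".".join(labels[:-zone_depth])

def shannon_entropy(s):
    """Bits per character. Random alphanumeric labels score ~3;
    ordinary hostnames like www, mail, ns1 score well under 2.5."""
    if not s:
        return 0.0
    counts, n = Counter(s), len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def analyze(lines, unique_threshold=50, entropy_threshold=2.5):
    """Return {zone: stats} for zones that look like PRSD targets.
    Signal: many distinct leftmost labels (each one uncacheable, so every
    query reaches the authoritative server) with high mean entropy."""
    labels_by_zone = defaultdict(set)
    sources_by_zone = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query line; ignore
        zone, label = zone_and_label(m.group("qname"))
        if label:  # queries for the zone apex carry no subdomain label
            labels_by_zone[zone].add(label)
            sources_by_zone[zone].add(m.group("src"))
    flagged = {}
    for zone, labels in labels_by_zone.items():
        mean_ent = sum(shannon_entropy(l.split(".")[0]) for l in labels) / len(labels)
        if len(labels) >= unique_threshold and mean_ent >= entropy_threshold:
            flagged[zone] = {
                "unique_labels": len(labels),
                "mean_entropy": round(mean_ent, 2),
                "sources": len(sources_by_zone[zone]),
            }
    return flagged

# --- constructed sample: 200 random labels against victim.example from 50
# spoofed-looking sources, plus a handful of ordinary queries for benign.example
_rng = random.Random(2020)  # seeded so the sample is reproducible
_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"

def _flood_line(i):
    label = "".join(_rng.choices(_ALPHABET, k=10))
    return (f"client 198.51.100.{i % 50 + 1}#{40000 + i}: query: "
            f"{label}.victim.example IN A + (192.0.2.53)")

SAMPLE_LINES = [_flood_line(i) for i in range(200)] + [
    "client 203.0.113.7#4242: query: www.benign.example IN A + (192.0.2.53)",
    "client 203.0.113.7#4243: query: mail.benign.example IN MX + (192.0.2.53)",
    "client 203.0.113.9#5001: query: ns1.benign.example IN A + (192.0.2.53)",
    "client 203.0.113.9#5002: query: benign.example IN SOA + (192.0.2.53)",
    "client 203.0.113.9#5003: query: intranet.benign.example IN A + (192.0.2.53)",
]

if __name__ == "__main__":
    for zone, stats in analyze(SAMPLE_LINES).items():
        print(f"PRSD suspect: {zone} {stats}")
```

Detection is the complement of the mitigation the targeted site already had: BIND’s `rate-limit` block (with `responses-per-second` and `nxdomains-per-second`) caps how many identical or NXDOMAIN answers go back to a given client netblock, which blunts the reflection value of a PRSD flood while the script above tells you which zone is being hit and from how many sources.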
Meanwhile in China, which operates as a police state anyway, the government is tightening its control over social media even further. The Cyberspace Administration of China (CAC) announced additional supervision of that country’s microblogging services and of its video and news app aggregators.
There’s another problem: with everybody now donning face masks (in two provinces it’s even mandatory), facial recognition systems are hampered. In China many systems already require a face scan for access, including some phones, entrance doors to apartment and office buildings, and even bank accounts.
I hadn’t heard of these before now; suffice to say that these drawing tablets are, for all practical purposes, a mouse. So why would your mouse need to track and log every single app you open on your computer, and then phone all the details back to the mothership?
Why indeed. An absolutely wonderfully written account by Robert Heaton, a software engineer at Stripe, takes the reader through the hows and whats of reverse engineering a peripheral device’s driver and then MITM-ing the traffic it reports back to corporate HQ about you.
Apple’s iOS 13.4 seems to contain references to an as yet unannounced “CarKey” API, portending the eventual release of an app which would enable one to lock, unlock, or start a car. What could possibly go wrong? Although I will admit, I do use a remote starter app from the car company on my car. This is winter in Canada. Gotta do it.
(I won’t use any network connected house locks, however. That’s a bridge too far.)
Beware of those free mobile phone charging stations
Numerous local authorities are issuing warnings to the public about the dangers of the public charging stations people use to power up their mobile devices for free. Turns out hackers can implant malware on these kiosks that rifles through your device and exfiltrates files while your phone is charging. The attack rides on the USB data lines, so a charge-only cable or a USB “data blocker” adapter, which passes power and nothing else, takes it off the table.
A Dutch court has ordered the government of the Netherlands to immediately halt its use of AI to detect welfare fraud. Those challenging the government’s position say that these programs were developed and deployed without oversight or public consultation, and that they unfairly target the poor.
This decision is being viewed elsewhere in the EU and UK as precedent setting and it is expected to have far ranging consequences.
Last week we gave a preliminary rundown on Canada’s Broadband Telecom Legislative Review (aka BTLR), which is a comprehensive study and set of recommendations toward overhauling Canada’s broadband and telecom laws.
I’ve since had a chance to do a deeper dive on it, and it appears to be a comprehensive framework for regulating content on the internet and for making it harder to see independent news. Its recommendations include extending the regulatory powers of the Broadcasting Act and the CRTC to cover the internet; requiring content creators to obtain a license from the government; requiring social media platforms and websites with user-generated material to actively police content; and adding GST/HST to all streaming services.
There’s more, and I wrote a longer piece on the blog. I’ve also introduced a petition into the House of Commons, sponsored by MP Michael Chong, that the government reject the BTLR entirely.