Weekly Axis Of Easy #155
This Week’s Quote: “The truth never caresses, it always stings” …by ???
The Prize: First person to post the correct answer gets their next domain or hosting renewal on us.
This week seemed a little crazier than usual. Let’s get into it:
In this issue:
- Cloudflare outage takes out huge chunk of internet (but not easyDNS)
- Twitter hacked, blue checks iced, secret moderation tools exposed
- New Hong Kong law makes it illegal to dissent for anybody anywhere in the world
- Credential dump security firm hacked, dumping millions of credentials on the net
- “Zero logging” VPN turns out to be logging, exposing millions of records
- Google faces lawsuit after in-app tracking even after users opted-out
- Spanish government is client of secretive cellphone hacking company
- British Government bans Huawei gear from UK 5G network
- Canadian Supreme Court upholds genetic non-discrimination law
- Ex-ICANN CEO is now co-CEO of the VC that tried to buy .ORG
- AxisOfEasy Salon #13: The “Phase shift” everybody is bracing for has already happened
On Friday afternoon large swaths of the Internet went down as Cloudflare fat-fingered a router update and blew up their internal network. The exact nature of the outage remains nebulous as various tech outlets are either regurgitating Cloudflare tweets, or else fundamentally misunderstanding the difference between Cloudflare’s 1.1.1.1 resolver service and their authoritative DNS. They are one of the largest authoritative DNS providers on the Internet, and perhaps their 1.1.1.1 service was also impacted, but it was the absence of their authoritative DNS that would have caused most of the damage.
For one thing, Cloudflare sells DDoS mitigation services to other DNS providers, including easyDNS. This works by situating the DNS providers’ nameservers behind a transparent DNS proxy using BGP advertisements, where Cloudflare filters out all the bad traffic, leaving the DNS provider to answer the legit queries. At least one of these client DNS providers went off the air entirely. easyDNS didn’t. Because we have an intense aversion to single points of failure, we don’t put all of our nameservers behind CF. We did see proxy outages to our affected servers for the duration of the outage, but there was no customer-facing impact because we had plenty of other nameservers up and running.
I wrote a longer piece about it, and how easyDNS uses our Proactive Nameservers system to keep our customers online even when our nameservers get hit with a DDoS or other misadventure.
Also note, we’ve dropped pricing on proactive nameservers: check out the new pricing here!
And Cloudflare’s statement: https://blog.cloudflare.com/cloudflare-outage-on-july-17-2020/
On Wednesday afternoon Twitter was rattled by a thorough penetration of their system when parties unknown cracked into staff access tools and used them to issue a sort of “advance fee” fraud soliciting Bitcoin from multiple, extremely high-profile accounts including Elon Musk, Bill Gates, Barack Obama and Jeff Bezos, among others.
Their accounts were used to tweet a Bitcoin address, to which anybody who sent BTC would ostensibly receive double that amount back. It took mere minutes for enough people to fall for it that the BTC addresses amassed over 12 BTC (approximately $120,000 USD), which, if you look at a block explorer, was quickly shuttled away through various laundering tools and is probably already sitting in a Monero wallet somewhere.
Twitter scrambled to bring the situation under control and briefly locked down the ability for all Twitter verified accounts to tweet at all.
The day after the hack, the alleged perpetrators began leaking screenshots of the tools they gained control of, giving a rare inside glimpse into the workings of the platform. There seem to be controls and parameters around “blacklisted trends”, and “blacklisted” and “protected” accounts.
China has implemented a new law, which was kept secret until the moment it took effect, that criminalizes political dissent about Hong Kong no matter where in the world it takes place and even applies to non-Chinese citizens.
Said differently, everybody in the world is presumably subject to a new law in China which would potentially criminalize those who,
“write favourably about Hong Kong independence, politicians who support sanctions against Hong Kong or even groups of Canadian students who provide financial support to the city’s protesters.”
The maximum penalty for those convicted is life imprisonment.
In case you were thinking that the Globe and Mail is being overly bombastic in their interpretation of the new law, Axios decided to get a legal opinion on it themselves and came to the same conclusion.
A computer security start-up called “Data Viper” whose offering is to catalog previous data breach credentials and detect client exposure to hacks, has itself been hacked. It appears as though their entire inventory of leaked credentials, 15 billion of them from across 8,000 website breaches, has been posted online along with their own internal database.
I guess if they download that and add it to their catalog they’ll have cred dumps from 8,001 website compromises.
One of these days I’m just going to whip up a keyboard macro that spits out the string “Bob Diachenko strikes again”. He’s the security researcher with the uncanny ability to uncover vast troves of data that various companies leave exposed in the wilds of the internet.
This time he found log files and a database belonging to UFO VPN, a Hong Kong-based company that bills itself as a “zero logging” VPN provider.
The data contains access and API request logs of potentially all 20 million UFO VPN users. The company responded to Diachenko’s security exposure via email claiming that the data was anonymized, but the security company is skeptical of that.
A new lawsuit against Google is seeking class action status, the second in as many months filed by the law firm Boies Schiller Flexner on behalf of consumers. This one alleges that the company is violating US federal wiretap and California state privacy laws by continuing to
“record what people are doing on hundreds of thousands of mobile apps even when they follow the company’s recommended settings for stopping such monitoring.”
In this case it means that Google snoops on various apps like ride hailing and news even when the end user has disabled monitoring of “Web and App Activity” in the device settings.
The secretive Israeli firm NSO Group has graced these pages numerous times. They’re the tech firm that helps governments of the world hack into and eavesdrop on the mobile phones of journalists and political dissidents.
They also emerged as a player in the emerging COVID-19 contact-tracing industry when one of their databases was found wide open and exposed on the internet.
Add Spain to the list of governments employing NSO’s service where the company’s hacking tools were used against “prominent politicians” in that country, namely people at the forefront of Catalonia’s push for independence from Spain.
The UK government has barred Chinese telecom giant Huawei from participating in the build-out of that nation’s 5G network, mirroring similar moves in Canada and the US.
The decision is a reversal from an earlier one in January which would have permitted a limited role in the network infrastructure.
UK carriers that have already used Huawei equipment on their 5G build-out, including Vodafone and BT, have until 2027 to remove such gear from their networks.
The Canadian Supreme Court has upheld the Genetic Non-Discrimination Act, which bars third-parties from requiring an individual to supply genetic data.
In an atypical move, the Federal government itself challenged the legislation as being unconstitutional. The 2017 Act was introduced by the Canadian Senate and passed overwhelmingly by parliament, over the objections of the entire Federal Cabinet, which voted against it.
“The bill made it illegal to require anyone to undergo genetic testing, or to be required to disclose the result, if having the test and disclosing it is a condition for obtaining goods or services, such as an insurance policy, or to qualify for a job or other contract.” (iPolitics)
While it bars employers and insurance companies from requiring genetic data, it contains exceptions for medical, scientific and pharmaceutical purposes.
The story of this legislation is quite complex and I encourage interested parties to follow the entire thread through the CBC piece.
Full text of bill: https://openparliament.ca/bills/42-1/S-201/
Just in case there was any reason to believe there was some kind of “inside baseball” going on with the, for now, abortive attempt on the part of the Internet Society to sell the .ORG top-level domain off to a VC firm called “Ethos Capital”, Fadi Chehadé has emerged as the co-CEO of Ethos.
Chehadé is, of course, the former CEO of ICANN itself, and was rumoured to be mixed up in the transaction when his name was found on a whois record for a domain registered by Ethos Capital.
Recall, the Internet Society entered into an agreement to sell the .ORG TLD to Ethos for $1.135 billion dollars, but the deal was scuttled when ICANN began looking into it and surmised the entire thing smelled funny.
I wrote about the mechanics of the deal here, and we’ve been following it over the course of these AxisOfEasy updates. This latest chapter was uncovered by Andrew Allemann over at DomainNameWire.
In last week’s AxisOfEasy Salon, Charles, Jesse and I surmised that the often posited societal restructuring or “phase shift”, characterized by a transition from linear to non-linear, is not something coming at us from an uncertain future: the phase shift has already occurred.