Weekly Axis Of Easy #172
Last Week’s Quote was “We are experiencing how history is being made and politics carried on with words that have no content. What is depressing is that there is little inclination to realize this very thing.” Nobody got it. It was Rudolf Steiner, in a series of lectures delivered in 1917, about the spiritual deficit, media distortions and propaganda that gave rise to World War 1.
This Week’s Quote: “The smallest bookstore still contains more ideas of worth than have been presented in the entire history of television.”
THE RULES: No searching up the answer, must be posted to the blog. The place to post the answer is at the bottom of the post, in the comments section.
The Prize: First person to post the correct answer gets their next domain or hosting renewal on us.
- Ticketmaster to require immunity passports for event attendance
- DNS cache poisoning attacks are back
- EC charges Amazon with anti-trust violations
- EU wants to outlaw end-to-end encryption
- Ethereum unexpectedly hard forks, hilarity ensues
- Ransomware group using Facebook ads to pressure victims
- Google sued for unauthorized data transfers from Android devices
- Mac OSX 11 removes your ability to avoid Apple’s surveillance
- AxisOfEasy Salon #30: The one, the only Doc Searls
Ticketmaster to require immunity passports for event attendance
Last week Billboard reported on how Ticketmaster plans to navigate the reopening of the economy by requiring event-goers to either provide proof of vaccination or a negative COVID test taken within 48 hours of the event.
It signals the looming reality of vaccinations becoming mandatory, if not legally, then in practice. If you can’t go anywhere or do anything without being vaccinated then it’s de facto compulsory.
The system would work by tying the Ticketmaster app into various “health pass companies” (read: immunity passports), like IBM’s Digital Health Pass, CLEAR Health Pass, or the trans-national CommonPass which are now a thing.
Ticketmaster, like most multi-sided platforms that achieve primacy in their space, has a quasi-monopoly on event ticketing. That means for anybody objecting to the likes of Ticketmaster dictating their healthcare decisions or having access to their health records, falling back to “so I’ll just never buy my tickets through Ticketmaster” doesn’t mean you’ll simply buy tickets from a competitor that decides to position differently. It means, in effect, “so I’ll never go to another event.”
That opens an entirely different can of worms, including, but not limited to: this would be the first mRNA vaccine ever produced, and where most vaccines take a decade or more to develop, this one was rushed out within a year (although, as one person pointed out to me, there was an industry head start in this direction since SARS, and some pharma companies were already working on this). Charles Hugh Smith did an excellent piece on mRNA vaccines here.
DNS cache poisoning attacks are back
In a DNS cache poisoning attack, victims can be sent to a fake website by, in effect, “overtaking” the real DNS responses sent by a nameserver and substituting forged responses that connect the victim to a fake resource, such as a dummy website for your bank or crypto wallet.
They were discovered by Dan Kaminsky in 2008 and spawned one of the most frantic episodes of mass-patching across the internet (prior to, say, Heartbleed). Nameserver developers responded by adding things like source port randomization, which dramatically raised the bar on cache poisoning, and DNSSEC, which cryptographically signs DNS responses, is the ultimate solution to it.
But DNSSEC is still not widely deployed across the internet, and now cache poisoning is back, at least theoretically. Researchers from Tsinghua University and the University of California presented a paper on a side-channel attack that makes obtaining the source port of a DNS query possible. The side channel itself is simple but brilliant: the researchers figure out which source port is in use by flooding the name server with fake queries very quickly across all ports until they find the port that sends back no response, instead of a port-unreachable error, once the anti-flooding threshold is met. After that there is still the matter of enumerating the transaction ID, but knowing the source port removes one of the elements that raised the bar on cache poisoning in the past.
Remember that we have our Set-And-Forget DNSSEC(tm) solution, easyDNSSEC(tm) (what else?). It’s one click, and then you’re done (you have to be using easyDNS as your domain registrar in order to enable it). Also note that this cache poisoning attack is run against resolvers like OpenDNS, Google Public DNS (8.8.8.8), Quad9 (9.9.9.9) or Cloudflare’s 1.1.1.1, and not against authoritative nameservers such as the type easyDNS runs on behalf of your domains.
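As an added, defender-side illustration (example code written for this newsletter page, not from the article or the Tsinghua/UC paper), the Python detector below flags a source that probes hundreds of distinct UDP ports on a resolver within a second, which is the traffic shape a port-inference side channel like the one above produces. The log format, addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque

# Simplified iptables-style log line (constructed format, assumed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dport>\d+)$"
)

def parse_line(line):
    """Return (ts, src, dst, proto, dport), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (float(m["ts"]), m["src"], m["dst"], m["proto"], int(m["dport"]))

def find_port_sweeps(lines, resolver_ip, window=1.0, min_ports=200):
    """Return {src: peak} for sources hitting >= min_ports distinct UDP ports on the
    resolver within any `window` seconds. A normal client only talks to port 53;
    a source touching hundreds of ports per second is probing the resolver's
    ephemeral ports, which is what the side channel needs to do."""
    events = [e for e in map(parse_line, lines)
              if e and e[2] == resolver_ip and e[3] == "UDP"]
    events.sort()
    recent = defaultdict(deque)                    # src -> (ts, dport) inside window
    live = defaultdict(lambda: defaultdict(int))   # src -> dport -> hits inside window
    peak = defaultdict(int)
    for ts, src, _dst, _proto, dport in events:
        recent[src].append((ts, dport))
        live[src][dport] += 1
        while ts - recent[src][0][0] > window:     # slide the window forward
            _, old_port = recent[src].popleft()
            live[src][old_port] -= 1
            if live[src][old_port] == 0:
                del live[src][old_port]
        peak[src] = max(peak[src], len(live[src]))
    return {s: n for s, n in peak.items() if n >= min_ports}

def build_sample_log():
    """Constructed traffic: a normal stub client, a slow scanner that stays under
    the threshold, and one source sweeping 1000 ports in half a second."""
    base, lines = 1605100000.0, []
    lines += [f"{base + i * 0.1:.4f} SRC=198.51.100.10 DST=192.0.2.53 PROTO=UDP DPT=53"
              for i in range(20)]
    lines += [f"{base + i * 2.0:.4f} SRC=198.51.100.20 DST=192.0.2.53 PROTO=UDP DPT={40000 + i}"
              for i in range(50)]
    lines += [f"{base + i * 0.0005:.4f} SRC=203.0.113.7 DST=192.0.2.53 PROTO=UDP DPT={30000 + i}"
              for i in range(1000)]
    lines.append(f"{base:.4f} SRC=203.0.113.7 DST=192.0.2.53 PROTO=TCP DPT=443")  # ignored
    return lines

if __name__ == "__main__":
    print(find_port_sweeps(build_sample_log(), "192.0.2.53"))  # {'203.0.113.7': 1000}
```

Thresholds are illustrative; a detector like this supplements source-port randomization and DNSSEC rather than replacing them.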
EC charges Amazon with anti-trust violations
The latest tech giant to be hit with an anti-trust suit is Amazon, after the executive branch of the EU (the European Commission) charged them with abusing their market dominance to “box out” aspiring competitors. Once again, it’s Amazon’s practice of acting as both the e-commerce storefront from which third parties sell products and as a competitor, using the data they glean from running the platform to create knock-off versions of successful products and undercut them.
This process will play out over months, if not years, with the next step giving Amazon the opportunity to respond. The EC has initiated a parallel investigation into whether Amazon’s “buy box,” which features prominently on the website and drives billions in revenues, gives preferential treatment to Amazon’s own products.
We reported on this in AoE 144 and in AoE 156 we looked at how sometimes Amazon would go even further: meeting with founders to “better understand their model” and then knocking them off instead of investing.
And yes, in case you were wondering if the Libertarian in me is pained to see a privately owned company taken to task by a big government regulator, the answer is “cognitive dissonance intensifies.” I find myself pulling for the regulators on this one. I can’t believe I just typed that, but as an indie audiobook publisher, I witness and suffer first-hand at the mercy of Amazon’s monopoly and predatory practices in the audiobook space every day. At some point I’ll write that one up.
EU wants to outlaw end-to-end encryption
And now to where I get to revert to my Pavlovian disdain for all things governmental: the EU wants to regulate lawful access into encrypted communications, in a Draft Council Resolution on Encryption entitled “Security through encryption and security despite encryption.”
The document attempts to pay lip service to the legitimate need for privacy and the ability to protect personal and proprietary communications:
“The principle of security through encryption and security despite encryption must be upheld in its entirety. The European Union continues to support strong encryption. Encryption is an anchor of confidence in digitisation and in protection of fundamental rights and should be promoted and developed.
Protecting the privacy and security of communications through encryption and at the same time upholding the possibility for competent authorities in the area of security and criminal justice to lawfully access relevant data for legitimate, clearly defined purposes in fighting serious and/or organised crimes and terrorism, including in the digital world, are extremely important. Any actions taken have to balance these interests carefully.”
It still calls for some ability for law enforcement to be able to access encrypted communications “in a lawful and targeted manner, in full respect of fundamental rights and the data protection regime, while upholding cybersecurity.”
One of our lawyers has an expression: “You can’t suck and blow at the same time.” If there is a way for any encrypted data to be accessed, “lawfully” or via any methodology other than the intended recipient decrypting it with a private key, then it isn’t strong encryption.
Which means, if regulators actually move forward and mandate back doors for lawful access into encryption, it will instantly criminalize everybody who then moves to unsanctioned, end-to-end encryption out of the same exigencies the EU has already recognized as being legitimate. Thus, our quote contest from AxisOfEasy #147 will become a reality:
“If privacy is outlawed, only outlaws will have privacy.” (Phil Zimmermann)
The Resolution: https://files.orf.at/vietnam2/files/fm4/202045/783284_fh_st12143-re01en20_783284.pdf
Ethereum unexpectedly hard forks, hilarity ensues
They’re calling it the most significant failure in Ethereum since The DAO hack of 2016, which saw the blockchain permanently fork into Ethereum Classic and the current chain. On November 11 this year, large chunks of the Ethereum ecosystem came unglued and began malfunctioning: Infura, MetaMask and MyCrypto, to name a few, stopped working, and thus so did any of the smart contracts or dapps that relied on them. Major exchanges hastily halted Ethereum trading.
It turned out that Geth, an Ethereum client written in Go that is estimated to underpin upwards of 80% of all Ethereum applications, had a bug that split the blockchain in two, causing an unannounced hard fork. The Ethereum team lead released the post-mortem here, indicating that the event was traced to a bug introduced in a fix several months ago which lay dormant until a transaction finally hit the blockchain on the 11th and triggered a rupture in the matrix, resulting in the two blockchains.
Post mortem: https://gist.github.com/karalabe/e1891c8a99fdc16c4e60d9713c35401f
Ransomware group using Facebook ads to pressure victims
When I saw this headline for the article on Krebs on Security, I was expecting to see an article about ransomware gangs using Facebook ads to direct users to some poison URLs that would deliver an infected payload to their computers. Wrong.
What it described instead was how hackers are using compromised Facebook advertising accounts to create and then run advertising campaigns designed to shame victim companies into complying with the extortion demands. In this specific example it was the Italian corporation Campari Group, which was attempting to downplay the extent of the compromise and the level to which customer / consumer data was breached.
Ads started running across the platform, using the hacked business account of a Chicago-based DJ, countering, “This is ridiculous and looks like a big fat lie. We can confirm that confidential data was stolen and we’re talking about huge volume of data.”
What I find weird about all this is how the ads even ran in the first place. I get Facebook ads denied all the time. In fact, we put the piece we wrote about last week, in regard to how Ledger customers were targeted via a homoglyph attack, into a separate post on the Domainsure blog, and when we went to boost it on Facebook they denied it as “circumventing security.” We had to appeal it before they finally let it run.
Google sued for unauthorized data transfers from Android devices
A lawsuit filed by four separate plaintiffs across the USA seeks to be certified as a class action against Google over its use of customers’ data allowances for unauthorized and undisclosed data transfers. It’s a unique take on confronting the search giant over its surveillance capitalism model. While there are numerous privacy cases dealing with how various Big Tech incumbents harvest data from their users, often without their knowledge or acquiescence, this one goes straight to the unauthorized use of the customers’ data allowances with their carriers.
Mac OSX 11 removes your ability to avoid Apple’s surveillance
On that note, I came across this essay by Jeffrey Paul called “Your Computer isn’t yours anymore,” talking about additions in Mac OSX 11 Big Sur which remove your ability to avoid Apple’s surveillance. To wit:
“On modern versions of macOS, you simply can’t power on your computer, launch a text editor or eBook reader, and write or read, without a log of your activity being transmitted and stored.”
Further, these thousands of updates your computer emits about you all the time, for every single app you use and from whatever IP address you’re using it, traverse the network in the clear (unencrypted), so everybody in the network path can see them: ISPs, people on the same network segments as you, etc.
These requests hit a third-party provider, Akamai, the CDN Apple has partnered with to distribute its network layer.
Oh, and Apple is a partner in the PRISM program, a US military intelligence surveillance program first disclosed by Edward Snowden.
The ramifications are that:
“This data amounts to a tremendous trove of data about your life and habits, and allows someone possessing all of it to identify your movement and activity patterns. For some people, this can even pose a physical danger to them.”
Now, it is possible to block these updates on Mac OSX using a program called Little Snitch, which is a small firewall you can install on your system that gives you control over all of the outbound network traffic, so you can block these requests going out to Apple. I have this installed, and it is a bit of a chore to constantly monitor and manually allow what you want, but at least the capability is there.
At least it was.
With the new OSX 11, Big Sur, Apple has added new API calls that prevent Little Snitch from being able to block their traffic at the operating system level. But wait, there’s still more:
OSX 11 has new rules installed so that Apple apps will also bypass VPNs.
That’s what Paul means when he says “your computer is no longer your own.” It also means I have to shop for a new laptop because quite frankly, this is bullshit.
AxisOfEasy Salon #30: The one, the only Doc Searls
Salon #30 had us welcome the one, the only Doc Searls. Co-author of The Cluetrain Manifesto and The Intention Economy, alumni fellow at Harvard University’s Berkman Klein Center for Internet & Society, Project VRM leader and open source champion.