The Sizzle - Issue 877

Wednesday 15th May, 2019

In This Issue

  • San Francisco bans government use of facial recognition tech

  • Human rights activists spied on via WhatsApp

  • Old version of Windows vulnerable to a new WannaCry style worm

  • New Intel CPU hardware vulnerabilities to watch out for

  • Adobe tells people using older versions of apps to stop it or potentially get sued

  • Demystify your computer's networking stack with Wireshark

  • Yep, your boss legally monitor what you do on your computer at work

  • Stuff I found on AliExpress - Part 1


News

San Francisco bans government use of facial recognition tech

San Francisco's city council has voted to ban the use of facial recognition technology by police and all other municipal agencies. Their argument is that mass surveillance of a city does not lead to a healthy democracy and doesn't work properly with minority groups. Other cities in America are working on similar laws, but having San Francisco (i.e: where most of this shit comes from) be first to say "nah, we don't want this in our city" sends a strong signal that facial recognition tech just isn't ready yet, or maybe ever, for use by the government. I guess they saw what goes down in China (i.e: the social credit system) and don't want that happening in San Francisco.

Human rights activists spied on via WhatsApp

WhatsApp has confirmed reports by the Financial Times of a major security breach that seems to have been targeted at human rights groups using WhatsApp to communicate. The hack took advantage of a buffer overflow in the VOIP stack in WhatsApp to load up spyware and monitor communications on a device. WhatsApp said it reckons the malware was developed by Israeli cyber surveillance company NSO Group and was used to spy on a "London lawyer who has been involved in lawsuits that accuse NSO Group of providing tools to hack the phones of Omar Abdulaziz, a Saudi dissident in Canada; a Qatari citizen; and a group of Mexican journalists and activists". Not cool.

Old version of Windows vulnerable to a new WannaCry style worm

Microsoft's released patches for old versions of Windows (XP, 7, Server versions prior to 2008) that fixes a flaw in Remote Desktop Services/Terminal Services (yeah, Terminal Services, that's how far this goes back) that could be an absolute shitshow if not applied. If you've got RDP open, someone just needs to send specific packets to it and boom, you can install and run any code you like. There's nothing in the wild yet, but now that there's a patch it's inevitable the specific packets will be reverse engineered and people will go on Shodan safaris to see what they can exploit. Because Microsoft are ahead of the curve with this one, it shouldn't end up at WannaCry levels of damage, but it's still not good.

New Intel CPU hardware vulnerabilities to watch out for

Intel's also having a shit day, with three new hardware CPU exploits centred around "Microarchitectural Data Sampling" (similar to Spectre and Meltdown) - Zombieload, RIDL and Fallout. They're complicated hacks, but boiled down to almost useless simplicity, any old app running on your computer could view all the internal comings and goings of data that are supposed to be kept private to the specific app that ran it. Here's a demo of Zombieload spying on a user's web traffic despite the use of Tails & TOR. All Intel CPUs made after 2008 are impacted, but unlike Spectre and Meltdown, there are microcode and operating patches ready to go.

Adobe tells people using older versions of apps to stop it or potentially get sued

Adobe has sent out emails to users of older versions of Creative Cloud apps like Photoshop, Premiere and After Effects that they "are no longer licensed to use certain older versions of the applications or deploy packages containing these older versions" and that if they keep using "these unauthorized versions, you may be at risk of potential claims of infringement by third parties". It looks that Dolby and Adobe are having a shitfight over some tech licensing and people that paid for their software are caught up in the mess. I doubt end users would be sued - smells like Adobe scaring people to upgrade.

Not News, But Still Cool

Demystify your computer's networking stack with Wireshark

Wireshark, if you're not already familiar, is a program that runs on a computer and shows you the raw packets flowing across the network interfaces on that computer. It's one of those apps that once you get the basics of how to use it, computers suddenly become less mysterious. It's also a massive beast of an app that seems to powerful it's scary. Julia Evans has put up a nice post explaining how she uses it and gives a basic intro to what is a key part of any computer nerd's toolkit.

Yep, your boss legally monitor what you do on your computer at work

My mate Raj over at Reckoner was told his employer was wanted install some "security" software on his computer that logs his activity. Naturally, he wasn't keen on it (I wouldn't be either) and opted out at the time, but knows it's inevitable the logging software becomes mandatory and wanted to know if his employer can legally do this. The answer is pretty much yes, if the computer you're using is supplied by them and they tell you it's being done. They can't do it on a computer you own and can't do it without telling ya.

Stuff I found on AliExpress - Part 1

I fell into a deep AliExpress hole yesterday and found some amazing stuff (mostly via Thieve). So much stuff I had to split it up into three parts. Here’s part 1:


Aussie Broadband is the best ISP I've used since Internode's glory days. Their CEO gives talks at AUSNOG about their network and they even have network utilisation charts for every NBN POI. Their pricing isn't the cheapest, but if you want an ISP that's fast & reliable, give them a shot. Use my affiliate link or my referral code (1001031) and we both get $50 credit on our next bill.

The Sizzle is curated by Anthony "@decryption" Agius and emailed every weekday afternoon. Join us on Slack and chat with other Sizzle subscribers.

The Sizzle acknowledges the traditional owners of country throughout Australia and recognises their continuing connection to land, water and community. I pay my respect to them and their cultures, and to elders both past and present.​