Weekly Axis Of Easy #125
Last Week’s Quote was “The most successful people are those who are good at Plan B” by James Yorke; the winner was Shayne.
This Week’s Quote: “The only thing useful banks have invented in 20 years is the ATM.” by….???
THE RULES: No searching up the answer, must be posted to the comments below.
The Prize: First person to post the correct answer gets their next domain or hosting renewal on us.
Please forward this to friends and colleagues you think would benefit from it. Feedback welcome. Reply to this email or @easydns on Twitter.
In this issue:
- DHS wants mandatory facial scans at US airports
- Google fires four labour organizers for reasons unrelated to organizing labour
- How DNS-over-HTTPS would affect net neutrality
- Ring: America’s scariest surveillance company
- Detailed analysis into China’s gene edited babies
- 29leaks: Biggest data dump since Panama Papers on elites’ shady deals
- Why ISOC sold the .ORG TLD to a private equity firm
DHS wants mandatory facial scans at US airports
Last week we reported how Chinese authorities have made it mandatory for new cell phone users to have their faces scanned when they get a new phone. This week we’re bringing to your attention an initiative by the US Department of Homeland Security, which wants to introduce mandatory facial scans for all travellers passing through US airports.
At the moment, mandatory facial pictures apply only to foreign travellers passing through US airports. In a recent filing via the US government regulatory affairs portal, the agency introduced a proposed amendment to make the requirement apply to American citizens as well.
Google fires four labour organizers for reasons unrelated to organizing labour
Four Google employees who were active within the company in raising questions about numerous contentious issues have been terminated. The group were vocal about Google’s handling of sexual harassment cases (there have been multiple exposés in the mainstream press about the problematic workplace culture, including: paying large severance packages to senior executives who were forced out over sexual misconduct allegations, systemically paying women less and an overall air of “bro culture” that makes harassment the norm and garnered a class action lawsuit).
Other grievances the “Gang-of-four” were outspoken about were Google’s extensive contracts with the military-industrial complex, US border agencies and the Chinese government.
A Google spokesperson maintained that the four were fired “for clear and repeated violations of our data security policies”, but declined to comment further.
How DNS-over-HTTPS would affect net neutrality
The new battlefront for your privacy seems to be your DNS lookups, as behemoths like Cloudflare and Google are pushing to the hoop to convince users, the government and browsers that centralizing DNS lookups via DNS-over-HTTPS is a good thing that protects user privacy against those evil connectivity providers and ISPs who usually fulfill that role now. (To be clear, we are talking DNS resolution or lookups here, that’s the other side of the lookup from what companies like easyDNS do. We are in the answering queries business).
PowerDNS founder Bert Hubert does a great job explaining why DNS-over-HTTPS doesn’t really protect user privacy and how centralizing DNS lookups toward a few central repositories like Google, Cloudflare or anybody else who wants to cash in on the new trend isn’t necessarily good for net neutrality or user privacy.
Ring: America’s scariest surveillance company
We’ve been reporting on Ring doorbells a lot here in #AxisOfEasy. They seem to have become a type of privatized surveillance mesh network that Ring’s parent, Amazon, seems all too willing to harness and aggregate for the benefit of law enforcement agencies while bypassing pesky details like warrants and court orders.
In this article, Vice kicks off a three part series looking into the dynamics and outcomes of Ring. From the opening, where we meet a downtrodden neighbourhood in Baltimore who turns to the system to get things under control where the police won’t, the piece quickly segues into the reality of Ring.
Despite its stated aim “to reduce crime in neighbourhoods”, there’s no hard evidence that it actually does that. But there are myriad taxpayer funded programs to purchase their cameras, over 600 police partnerships, in which Ring must approve anything said police forces say about the company. Ring has been involved in police stings and a program to give people free cameras for testifying against their neighbours.
“At its core, Ring is a marketing company that realized it could make money by selling fear.”
Detailed analysis of China’s gene edited babies
We reported back in #AxisOfEasy 76 on a pair of gene-edited babies who were born in China. Dubbed “CRISPR babies”, the two girls had their genomes edited intending to make them immune to HIV.
Numerous repercussions followed; I think for a time the lead scientist actually disappeared.
Now MIT Technology Review assembled a team of four experts: a legal scholar, an IVF expert, an embryologist and a gene-editing specialist and had them review the as-yet unpublished scientific paper He Jiankui wrote about the process. Significant concerns have been raised in this review, including whether or not they were actually successful in making these two human beings HIV resistant at all.
The paper has not been accepted for publication so far.
29leaks: Biggest data dump since Panama Papers on elites’ shady deals
This one has been brewing for a while: British company Formations House experienced a data breach over 100 GB in size, including emails, SQL dumps and other details of how super-rich elites hide their money. Boing Boing described Formations House as “a shell company factory”; think Panama Papers all over again. Various reporting agencies have been sifting through the data for a while and will commence reporting their findings imminently.
The data was leaked to the Distributed Denial of Secrets activist group and is visible here and here.
Read: https://boingboing.net/2019/07/25/formations-house.html
Why ISOC sold the .ORG TLD to a private equity firm
Since our coverage of the .ORG sale to a private equity firm in #AxisOfEasy 123 and again in AoE 124, including the disclosure that I sit on the board of the Internet Society Canadian Chapter, I’ve since had the opportunity to discuss the transaction with the chairman of the Canadian chapter. Further, I did some more research and found more details on the transaction.
From there I wrote a much longer analysis of it on the blog, which also incited a vigorous discussion thread on Hacker News.
HN thread: https://news.ycombinator.com/item?id=21723682
Customer looking for upstream ISP in Los Angeles, CA
In the spirit of our coverage of Micro-ISPs, we have a client in Los Angeles who is fed up with his upstream after it underwent a string of serial acquisitions (it got eaten by a bigger fish, who got eaten by an ever bigger fish, etc).
If there are any indie micro-ISPs left in LA our guy is looking for SDSL or comparable connectivity with a /28 of IP space.
Hit me up if you can help and we’ll put you in touch.
Milton Friedman?
Re: How DNS-over-HTTPS would affect net neutrality
On DNS-over-HTTPS, we need to dig deeper.
Everything here is right on the mark, but from what I have read, there are deep technical and environmental concerns that suggest DNS-over-HTTPS has seriously problematic side effects compared to DNS-over-TLS. I get the impression that there is a large chunk of the discussion that goes in the direction of “if those ISPs want to block this DoH thing, it must be good”. The prevalence of “bad objections” does not automatically make the target of those objections “good”. Or an alternate cliche – the enemy of my enemy is not automatically my friend.
Bert’s blog entry heads in that direction, although he doesn’t really touch on the side effects of DoH being widely implemented. And the last current comment there (Dec 5, 8:06) falls straight into the pit, suggesting that if too much centralization is the problem, widespread DoH would deal with it. The comment even treats DNS-over-HTTPS and DNS-over-TLS as equivalent, when a careful and wider reading suggests that the two are anything but equivalent either as individual solutions or widespread solutions.
Try looking up what Paul Vixie has written, and follow some of those threads. Look up the use of DNS-over-HTTPS for exfiltration. A lot of it relates to enterprise concerns, which although valid, might seem to be out of scope for small scale users. Think through what those same concerns mean on a home network of a few computers, a few phones, a few smart TVs, and a half dozen IoT devices.
A notable part of the problem is that the one thing DNS-over-HTTPS does do – prevent on the wire interception – causes significant small-network problems down the road. As an example, on my home network, I use a subscribed DNS service – and any attempts to use port 53 to go around the router’s DNS server are blocked. This means I can review logs and see what requests are being made. With DNS-over-HTTPS, DNS is now on port 443, so DNS is indistinguishable from browser traffic. This might be good for your browser – but it is also good for any malware on your system or small network, and also good for any unsavoury IoT devices that someone has hooked up.
Remember that it is possible to use recursive DNS to exfiltrate data, not just to contact a C&C server. Now the malicious stuff doesn’t even need a matching website – they can just exfiltrate using Google or CloudFlare.
In my view, the worst part is that at least I can deal with the centralization issues on my end by making specific choices in my browser, in my system, and in my network, both with DNS destination and protocol choices, and maybe even with a VPN. But if DNS-over-HTTPS becomes widespread, I can do almost nothing to deal with the negative side effects that follow relating to malicious use of the protective features. Even a VPN would still basically tunnel any malicious DNS-over-HTTPS traffic out to an endpoint, where it can continue on its way, while remaining invisible to me the entire time.
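The home-network monitoring described in the comment above, sketched as an added example (not part of the comment or the newsletter): it flags LAN clients that bypass the router's resolver and shows which DoH flow still slips through. The log format, the router address 192.168.1.1 and all sample lines are constructed assumptions; port 853 is the standard DNS-over-TLS port.

```python
import ipaddress

# Assumption: the router is the only resolver LAN clients are allowed to use.
LOCAL_RESOLVER = ipaddress.ip_address("192.168.1.1")

# Public resolver addresses of Cloudflare and Google, the two operators the
# comment names; both also answer DoH on 443. No such list is ever complete.
KNOWN_DOH_IPS = {ipaddress.ip_address(a)
                 for a in ("1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4")}

# Constructed sample log, hypothetical format: "time src dst proto dport"
SAMPLE_LOG = """\
10:00:01 192.168.1.20 192.168.1.1 udp 53
10:00:02 192.168.1.31 8.8.8.8 udp 53
10:00:03 192.168.1.20 93.184.216.34 tcp 443
10:00:04 192.168.1.45 1.1.1.1 tcp 443
10:00:05 192.168.1.45 1.1.1.1 tcp 853
10:00:06 192.168.1.52 203.0.113.7 tcp 443
"""

def classify(line):
    """Return (src, reason) if the flow bypasses the local resolver, else None."""
    _time, src, dst, proto, dport = line.split()
    dst_ip, port = ipaddress.ip_address(dst), int(dport)
    if port == 53 and dst_ip != LOCAL_RESOLVER:
        return src, "plain DNS to outside resolver"
    if port == 853 and proto == "tcp":
        return src, "DNS-over-TLS"  # own port, so still easy to see or block
    if port == 443 and dst_ip in KNOWN_DOH_IPS:
        return src, "possible DoH to known resolver"
    # DoH to any resolver not on the list looks like ordinary HTTPS here.
    return None

def find_bypasses(log_text):
    """Classify every non-empty log line and collect the flagged flows."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            hit = classify(line)
            if hit:
                hits.append(hit)
    return hits

if __name__ == "__main__":
    for src, reason in find_bypasses(SAMPLE_LOG):
        print(src, reason)
```

The last sample flow (192.168.1.52 to 203.0.113.7 on 443) stands in for DoH to an unlisted resolver and is not flagged, which is the visibility loss the comment describes.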