#AxisOfEasy 169: Stop What You’re doing: Chrome 0-Day Edition


Weekly Axis Of Easy #169


Last Week’s Quote was  “Minimal exposure to the media should be a guiding principle for someone involved in decision making under uncertainty” was Nassim Taleb, nobody got it.

This Week’s Quote: “Birds born in a cage think flying is an illness” by ….???

THE RULES:  No searching up the answer, must be posted to the blog.  The place to post the answer is at the bottom of the post, in the comments section.

The Prize:  First person to post the correct answer gets their next domain or hosting renewal on us.


Don’t forget to check out “A Hacker’s Teleology: Sharing the Wealth of Our Shrinking Planet” … the newest book by AxisOfEasy’s Charles Hugh Smith. 
 
In this issue:
 
  • New Chrome 0-day, upgrade now
  • Beyond the pale! Ransomware could target coffee machines 
  • GitHub suspends multiple Youtube-DL repositories after RIAA DMCA notice
  • Police can hack into your phone
  • DOJ files anti-trust against Google
  • Paypal to support Bitcoin in 2021
  • Report: Governments use COVID to crackdown on online dissent
  • Facebook’s China-based hate speech censors
  • Senate panel subpoenas Zuckerberg and @jack after they decline invitation
  • Update on the easyDNS Fold@Home team
  • This Week on the AxisOfEasy 

 

New Chrome 0-day, upgrade now

It’s been awhile since we had to put out a “drop what you’re doing” alert, but we’re putting one out now:  Stop reading this and go check your Chrome browser version: Click on “Chrome” -> “About Google Chrome” and it should be 86.0.4240.111

If it isn’t it should then automagically start an update and then you probably have to restart Chrome for the new version to take effect.

This is to mitigate several high level security issues found in Chrome under CVE-2020-15999 having to do with memory corruption and heap buffer overflows that are actively being exploited in the wild. 

It also affects any other software packages using FreeType, a popular font-rendering open source package.  Any other software using FreeType should be ensuring they have upgraded that to FreeType 2.10.4.

The flaws can be exploited to execute arbitrary code on the victim’s machine.


Beyond the pale!  Ransomware could target coffee machines 

With the Internet of Things (IoT) increasingly connecting everything to the global network, it opens us up to security risks via the most innocuous vectors.  Yet, some of those could have outsized impacts or be just plain over the line in terms of civility.
 
Martin Hron, a security researcher with Avast recently blogged about a proof of concept firmware attack he successfully carried out… against his coffee maker.

Hron details in his post how he 0wned his coffee maker to settle a debate he was challenged with.  The “myth” as he called it, claimed that hacking an IoT device required hacking the router or network that the device is on. 

He disproved the myth by attacking and successfully compromising the firmware of his coffee machine by hijacking the Over-the-Air firmware update, and then reinserting his own modified firmware to the device.  From there he had complete control and could make the device do anything he wanted that was within its technical or physical capabilities.

The ramifications are chilling, given that practically everything uses OTA firmware updates these days (even Tesla’s).

Read: https://blog.malwarebytes.com/ransomware/2020/10/smart-coffee-maker-ransomware/



GitHub suspends multiple Youtube-DL repositories after RIAA DMCA notice

GitHub has suspended access to numerous code Youtube-dl repositories after receiving an RIAA takedown notice advising them that the code was being used to violate copyright. 

YouTube-dl and its myriad forks are programs and libraries used by Youtube downloaders, software that can download videos from YouTube and store a copy locally.  I make frequent use of one whenever I see a video I feel is in danger of being deplatformed.  This is what I use to grab a copy so that I can re-post them to AxisOfEasy or elsewhere.

GitHub has posted the DMCA request, but opens the obvious question.  If a software package can be used in a way RIAA finds objectionable, why stop there?  Operating systems, computers even electrical power can be used to violate copyright – maybe the RIAA needs to be in charge of all that to make sure everybody is living in compliance with the DMCA. 

The other obvious question is would GitHub have complied with such a request prior to its acquisition by Microsoft.

In a stunning turn of events nobody could have predicted, the internet has responded by spreading lists of alternative Youtube-dl repositories and mirrors all over the place.



Police can hack into your phone

According to a report via the New York Times, at least 2,000 police forces across the USA have the tools and technical know-how to break into encrypted smartphones, and they are utilizing these capabilities more often then previously suspected. 

The NYTimes is citing a report by Upturn, a Washington DC based non-profit that monitors how police use technology.  They found that 49 of the 50 largest police departments had such tools and the ones that don’t, smaller or rural departments, routinely farm out the work to crack into phones to a larger department that does.

These types of tools have been known for some time, while not mentioned specifically in either piece, NSO Group, for example, has been mentioned within these pages on numerous occasions as selling their services to do just that to government and police forces worldwide.

While police decry device maker’s efforts to make their phones harder to crack, phones still remain a veritable treasure trove of data for LEA who seem unimpeded in their ability to access it.

(Hat Tip: Steve P)

The report: https://www.upturn.org/reports/2020/mass-extraction/


DOJ files anti-trust against Google 

The long anticipated news finally hit last week with the US DoJ filing an anti-trust case against Google and as many as 37 states expected to follow.  The suit alleges that Google abused its dominant position in search to maintain a monopoly and stifle competition. 

There may be more damage than Google, as one of the accusations is that its deals with mobile device manufactures, like Apple, to make Google the default search engine in Safari is anti-competitive.

As a result of these various practices, Google is able to maintain search dominance, currently estimated to capture 80% of total search traffic in America. 

The action marks the first major antitrust action against a tech giant since the case against Microsoft, nearly 20 years ago.


Paypal to support Bitcoin in 2021

The big news in crypto-land last week was PayPal’s announcement that in 2021 they will be adding support for Bitcoin, enabling users to buy, sell or pay any transaction using BTC.

Bitcoin surged to a 2020 price high after the news broke, putting it within site of an eventual resurgence to new all-time highs previously hit in the December 2017 blow-off top.

Recently Square and MicroStrategy, both publicly traded companies with market caps of 74B and 1.75B respectively, announced they were putting some of their cash reserves into holding Bitcoin. Square allocated 1% of its assets, with a 50M purchase BTC, while the comparatively smaller MicroStrategy (a business intelligence company) made a much bigger bet, sinking $250M of their cash into Bitcoin.


Report: Governments use COVID to crackdown on online dissent

Last week the Washington DC based Freedom House, a non-profit watchdog that monitors government powers released a report finding that:

“Governments around the world are using the pandemic as a justification to expand surveillance and crack down on dissent online, resulting in a 10th consecutive annual decline in internet freedom…authorities in dozens of countries have cited the Covid-19 outbreak “to justify expanded surveillance powers and the deployment of new technologies that were once seen as too intrusive.”

The group’s president, Michael Abramowitz added  “The pandemic is accelerating society’s reliance on digital technologies at a time when the internet is becoming less and less free, without adequate safeguards for privacy and the rule of law, these technologies can be easily repurposed for political repression”

Freedom House uses a 100 point scale to rate internet freedom and found that across 65 countries, the score has dropped for the tenth year running.  On that 100-point scale with 100 being the most free, 0 being the least, some choice countries are as follows (interactive map here)


Canada: 98
Australia: 97
UK: 94
Germany: 94
USA: 86, down from 94
Russia: 20
China: 10

The Report: https://freedomhouse.org/report/freedom-world/2020/leaderless-struggle-democracy

The only thing I would take issue with among Freedom House’s findings is the future tense used in “can be repurposed for political expression,”  because they already have been.   And it’s not just governments, because as we tirelessly document here in AxisOfEasy, the mainstream media and Big Tech platforms are up to their eyeballs in wholesale repression as well.


Facebook’s China-based hate speech censors

To my point about how Big Tech is as vigorous in their suppression as any nation state can be, the NY Post took a look at Facebook’s “anti hate speech” unit which is staffed with personnel based largely out of… China. Yes, the country that rated at the very bottom of Freedom House internet freedom report above, is the same country that supplies social media censors to Facebook.

The unit is called the Hate Speech Engineering and is based mostly in Seattle, with the Chinese nationals there sponsored by the company under H-1B visas:

‘Many have Ph.D.s, and their work is extremely complex, involving machine learning — teaching “computers how to learn and act without being explicitly programmed,…When it comes to censorship on social media, that means “teaching” the Facebook code so certain content ends up at the top of your newsfeed, a feat that earns the firm’s software wizards discretionary bonuses, per the ex-insider.  It also means making sure other content “shows up dead-last.”’

NY Post is no stranger to this, having had their exposé on Hunter Biden’s laptop deep-sized by Facebook and Twitter, leading the suppression effort to become a bigger story than the original event.


Senate panel subpoenas Zuckerberg and @jack after they decline invitation

Recall last week when we did report on how Facebook and Twitter unsuccessfully attempted to suppress the Hunter Biden laptop story, a Senate panel “invited” the heads of Facebook, Twitter and Google to appear before them and answer some questions about the overwhelming apparent bias and selectivity in what the platforms will suppress vs what they will amplify. (Recall also how Google delisted the petition site sponsored by anti-lockdown medical professionals’ Great Barrington Declaration until the public backlash ostensibly had them quietly restore it to the index). 

All three declined the invitation, which now looks to earn them subpoenas from the same Senate panel after all.  The Senate Judiciary Committee voted Thursday to authorize subpoenas to compel their testimony around how their respective companies suppressed the NY Post story from being circulated by readers.


Update on the easyDNS Fold@Home team

The last time we checked in on the easyDNS Fold@Home team, which is participating in the global computing project to carry out molecular folding calculations in the hunt for a COVID-19 vaccine, we were at an impressive 1,338th place out of over 255,000 teams.

We are now in 307th place!

Team easyDNS is in the top 500 with a serious shot at cracking the top 100.  easyDNS and AxisOfEasy readers have pooled their resources for the cause and we now have 58 active CPUs contributing over 46,000 work units. 

Our top contributors are putting in over 1 million credits each are:

brujack
Jonathan_Jusczyk
gdf
TIMF
jbmartin6
HenriAlaPeijari
Bill Pye
0derivative
actazenJohn
BlitherMan
DL/LD
opn
Mike905
Philus.Allardus

Special thanks to you all and thanks to everybody working on this via Team easyDNS and the Fold@Home initiative.  If you want to join the effort, head to https://foldingathome.org/home/ and then join Team easyDNS which is team id: 248458

Details: https://stats.foldingathome.org/team/248458


This week on the AxisOfEasy

Last week on the AxisOfEasy, Jesse weighed in with a look at the Antitrust case against Google while Charles looked at the false narratives we buy into with Everything is Staged while noting that Everything We Assume is Permanent is Fragile.

For my part I felt compelled to dispel a couple of Canadian themed conspiracy theories around COVID that people kept sending me.

On our Salon we wondered if The Network State will be Capable of Acting in the Public Good.


Plug into the AxisOfEasy

When things like the Chrome 0-day hit, we put out an alert in realtime.  To keep on top of the AxisOfEasy, you can:

Follow us on Mastodon or Twitter
Join our Telegram
Join  /r/AxisOfEasy on Reddit