|In this issue:
- Widely used Node.js package has code injection vulnerability
- Merkel: Everyone agreed that we need a digital vaccination certificate
- Gab has been hacked
- Oops! Youtube nukes Coindesk’s entire channel. By mistake.
- Digital Ocean and Coinbase file S1’s to go public
- Myanmar junta enforcing nightly internet shutdowns
- LastPass mobile clients have multiple embedded trackers
- Confessions of a censorship machine developer
- China’s APT31 cloned NSA hacking tools
- No harm no foul: US says MBS approved Khashoggi hit.
- Why Amazon is lobbying hard for higher minimum wages
- EVENT: What do Canadians want from their Digital Government Platforms?
- Canada’s Bill C-10 is unconstitutional according to former-Justice dept senior counsel
- Trigger Alert: I went on Steve Bannon’s show to talk Transhumanism (yes, really)
- AxisOfEasy Salon 38: Should Social Media networks be open source public utilities?
Widely used Node.js package has code injection vulnerability
If you’re using Node.js, check that you are on version 5.3.1 or later of the “systeminformation” package. The package is used to gather information about the local system such as CPU speed, RAM and system clock, and versions before 5.3.1 were found to be vulnerable to command injection through parameters passed to several of its functions, tracked as CVE-2021-21315.
If you can’t upgrade for any reason, there is a workaround, quoted in the BleepingComputer piece from the npm security advisory:
“As a workaround instead of upgrading, be sure to check or sanitize service parameters that are passed to si.inetLatency(), si.inetChecksite(), si.services(), si.processLoad() … do only allow strings, reject any arrays. String sanitation works as expected.”
The systeminformation package reportedly receives 800K downloads per week and has been downloaded around 34 million times in total.
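Here is what that workaround looks like in practice, as an added example that is not code from the systeminformation package or from the npm advisory. It shows why the “reject any arrays” clause matters: a sanitizer that only acts on values whose typeof is string lets an array through untouched, and the array then coerces back into a string (with its metacharacters intact) when it is concatenated into a command line. The buildCommand() stand-in and the naiveSanitize() anti-pattern are illustrative constructions, not the library’s own logic, and the real si.services() call is injected as a function argument so the snippet runs without the package installed.

```javascript
// Added example, not code from the systeminformation package or the npm
// advisory. Implements the advisory's workaround in front of calls such as
// si.services(), si.processLoad(), si.inetLatency() and si.inetChecksite():
// accept only a single string, reject arrays, refuse shell metacharacters.

// Characters that change the meaning of a command line handed to a shell.
const SHELL_META = /[;&|`$(){}<>\\\r\n'"]/;

// Illustrative anti-pattern (not the library's code): a sanitizer keyed on
// typeof === 'string' skips arrays and objects entirely.
function naiveSanitize(param) {
  if (typeof param === 'string') {
    return param.replace(/[;&|`$(){}<>\\]/g, '');
  }
  return param; // arrays pass through unsanitized
}

// Stand-in for any library call that concatenates its argument into a shell
// string. String concatenation coerces ['a; b'] to 'a; b', so an array that
// slipped past naiveSanitize() contributes its metacharacters intact.
function buildCommand(param) {
  return 'ps -C ' + param;
}

// Hardened check: type, length and character allowlist. It throws instead of
// silently stripping characters, so the caller sees the bad input.
function assertSafeServiceParam(param) {
  if (Array.isArray(param) || typeof param !== 'string') {
    throw new TypeError('service parameter must be a single string');
  }
  if (param.length === 0 || param.length > 128) {
    throw new RangeError('service parameter length out of range');
  }
  if (SHELL_META.test(param)) {
    throw new Error('service parameter contains shell metacharacters');
  }
  return param;
}

// Wrapper to put in front of the real call, e.g.
// safeServiceQuery(si.services, name). The library function is injected so
// this example runs offline without the package.
function safeServiceQuery(siFunction, param) {
  return siFunction(assertSafeServiceParam(param));
}

// Constructed inputs: an injection attempt as a plain string and wrapped in
// an array, plus a benign service name through the hardened path.
function demo() {
  const hostile = 'nginx; id';
  return {
    stringThroughNaive: buildCommand(naiveSanitize(hostile)),   // 'ps -C nginx id'
    arrayThroughNaive: buildCommand(naiveSanitize([hostile])),  // 'ps -C nginx; id'
    hardenedOk: safeServiceQuery((p) => 'ps -C ' + p, 'nginx'), // 'ps -C nginx'
  };
}
```

The string case is neutered by the naive sanitizer, but the array case reaches the command line with the semicolon still in place, which is exactly the gap the advisory's “reject any arrays” guidance closes; the hardened check refuses both the array and the metacharacters before anything is executed.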
Merkel: Everyone agreed that we need a digital vaccination certificate
Last week, a virtual meeting among EU leaders was held about so-called “vaccination passports.”
The outcome was that the majority of them agreed that some kind of “vaccine certificates” will be required to travel even within the EU member states (remember, citizens within the Schengen Zone of the EU could, at least until now, travel from country to country as freely as crossing provincial or state lines here in North America).
“Commission President Ursula von der Leyen warned that unless they hurry Apple Inc. and Google will step into the vacuum.”
The concern here is that if a digital passport is implemented, EU leaders want it to be an EU-designed solution in order to protect the data privacy of the citizenry. So far the WHO says it is pursuing a “software neutral” approach and that neither company is involved in the process thus far (although, as reported in AoE 144, Google and Apple came out of the gate fast with hooks for COVID tracking apps, so I imagine they’ll be at the forefront of immunity passports too).
Meanwhile, Oxford sociologist Melinda Mills wrote an op-ed via The Financial Times on how vaccination passports will be a “technical and ethical minefield.” It’s behind a paywall but Zerohedge covered it here.
Welcome to The New Normal.
Gab has been hacked
It appears as though the controversial “free speech” platform Gab, which was, until Parler came along, the place where everybody who got kicked off Twitter went to vent, has been hacked (Parler’s posts were also scraped en masse around the time it was kicked off Amazon’s AWS).
A data dump of 70GB of platform data, including “70 GB of Gab public posts, private posts, user profiles, hashed passwords for users, DMs, and plaintext passwords for groups in SQL format, along with over 70,000 messages in more than 19,000 chats with over 15,000 users in plaintext format,” has been released via Distributed Denial of Secrets (DDoSecrets), a Wikileaks-type platform that specializes in data dumps.
DDoSecrets says that because of the inflammatory nature of Gab and the personal details contained in the dump, it is only making the data available to researchers and journalists.
Oops! Youtube nukes Coindesk’s entire channel. By mistake.
Coindesk is among the most well respected, venerable commentators on Bitcoin and the crypto-asset economy in the world. I personally listen to their Breakdown podcast featuring NLW every day (it’s produced by Let’s Talk Bitcoin alumnus Adam B Levine).
So it was a bit jarring when I got word that their entire YouTube channel had been deleted for the ole “repeated violations of community standards,” whatever The Fsck that means these days. The channel was deleted in the midst of their daily Coindesk TV livestream “All About Bitcoin.”
The Coindesk staff received no elaboration other than the notice and Youtube did not respond to inquiries until finally taking a second look after a backlash ensued.
“We’re pleased to let you know that we’ve recently reviewed your YouTube account, and after taking another look, we can confirm that it is not in violation of our Terms of Service,” the platform said in an email.
Coindesk is pleased not to offend YouTube.
Recall, as we reported in AoE 146, Youtube deplatformed CoinTelegraph’s live-streaming coverage of the 2020 Bitcoin halving event in mid-transmission.
Myanmar junta enforcing nightly internet shutdowns
Since the military coup in Myanmar on Feb 1st, the ruling junta has been resorting to regular internet shutdowns to stem the flow of communications among the populace. Netblocks first reported on the outage on the night of January 31st, hinting that something was in the offing even before news of the overthrow became widely known the next day.
This Wired article cites reports via Netblocks of internet outages “like clockwork” for the last 12 nights running, between 1am and 9am local time. Civil rights groups monitoring the situation fear that the outages occur during times of overnight mass arrests.
Netblocks is also reporting internet outages in Chad, Iran, and Armenia, the last during an attempted coup there.
LastPass mobile clients have multiple embedded trackers
We used to use LastPass as our password manager, but we wanted to move away from it. Not because of any particular failing on their part (there was a security breach a few years ago which I thought they handled decently), but because we generally dislike solutions where our data lives inside somebody else’s system.
So for the same reason we moved from Slack to Mattermost, where we use our own backend data storage, some time ago we moved from LastPass to Bitwarden, same deal.
In this piece, security researcher Mike Kuketz, using the app-analysis tooling of the non-profit Exodus Privacy, details how he found no less than seven tracking beacons embedded within the LastPass app for Android. (By contrast, 1Password and KeePass have none.)
This may not reflect nefarious intent in itself, but may merely be another instance of a pattern we’ve outlined before: application developers use third-party SDKs to fast-track their development cycles, with the tradeoff that those SDKs carry embedded trackers because their vendors’ business model is to broker the data.
Confessions of a censorship machine developer
A pretty riveting story of censorship and coding from a former developer at ByteDance, the parent company of TikTok. Allow me to quote at length:
“It was the night Dr. Li Wenliang struggled for his last breath in the emergency room of Wuhan Central Hospital. I, like many Chinese web users, had stayed awake to refresh my Weibo feed constantly for updates on his condition. Dr. Li was an ophthalmologist who sounded the alarm early in the COVID-19 outbreak. He soon faced government intimidation and then contracted the virus. When he passed away in the early hours of Friday, Feb. 7, 2020, I was among many Chinese netizens who expressed grief and outrage at the events on Weibo, only to have my account deleted.
I felt guilt more than anger. At the time, I was a tech worker at ByteDance, where I helped develop tools and platforms for content moderation. In other words, I had helped build the system that censored accounts like mine. I was helping to bury myself in China’s ever-expanding cyber grave.
I hadn’t received explicit directives about Li Wenliang, but Weibo was certainly not the only Chinese tech company relentlessly deleting posts and accounts that night. I knew ByteDance’s army of content moderators were using the tools and algorithms that I helped develop to delete content, change the narrative and alter memories of the suffering and trauma inflicted on Chinese people during the COVID-19 outbreak. I couldn’t help but feel every day like I was a tiny cog in a vast, evil machine.”
The biggest fear among tech platforms in China, especially those aggregating user-generated content, is failing to delete, fast enough, material that is critical of the Chinese authorities or casts them in an unfavourable light.
China’s APT31 cloned NSA hacking tools
Fascinating account over on Dark Reading on how security researchers are tracking and analyzing a hacking tool that originated with the US NSA and is now also being used by an Advanced Persistent Threat (APT) actor associated with China.
When I first saw the article, I thought it could be part of, or another example of, a previously leaked NSA toolset being appropriated by foreign threat actors, like DoublePulsar, which we reported on back in AoE…. #2? Wow.
But this one is different. Security researchers theorize that the tool was originally crafted and used by the threat actor dubbed the Equation Group (first documented by Kaspersky researchers in 2015), and that the Chinese version is not the product of a leak. The Equation Group tool is referred to as “EpMe” by researchers, while the suspected Chinese clone is dubbed “Jian”. The Chinese actor is not believed to have had access to the source code; it may instead have captured the tool and reverse engineered it after encountering it on a target compromised by both parties.
It reads like a real Spy vs Spy narrative.