Weekly Axis Of Easy #190
Last Week’s Quote was “Historically, the claim of consensus has been the first refuge of scoundrels; it is a way to avoid debate by claiming the matter is already settled… There is no such thing as consensus science. If it’s consensus, it isn’t science. If it’s science, it isn’t consensus. Period” .. was Michael Crichton. Winner was Phillip Freeman.
This Week’s Quote: “The people will believe what the media tell them they believe”… by???
THE RULES: No searching up the answer, must be posted to the blog – the place to post the answer is at the bottom of the post, in the comments section.
The Prize: First person to post the correct answer gets their next domain or hosting renewal is on us.
In 2019 the news broke that there was a rather large Facebook data leak / breach. We covered it briefly in AoE 71, linking to a Wired article outlining the identity theft vectors it exposed.
Heading into the Easter Weekend, Business Insider broke the news that a trove of over 500 million facebook user data from that breach has been leaked online in a hacker forum – and distributed for free.
“The exposed data includes personal information of over 533 million Facebook users from 106 countries, including over 32 million records on users in the US, 11 million on users in the UK, and 6 million on users in India. It includes their phone numbers, Facebook IDs, full names, locations, birth dates, bios, and — in some cases — email addresses.”
Facebook reps say that the data was scraped from the site exploiting a weakness that was fixed in 2019.
As I’ve mused previously, it’ll be bad enough under any governments that force immunity passports upon their subjects. But for some reason, it just feels worse when it gets decided by the likes of Ticketmaster.
In a similar vein, if immunity passports are to become a reality, whose role should it be to implement it and store the data? As skeptical as I am of governments in general, Canada’s contact tracing app was done fairly well in terms transparency and in safeguarding citizen’s data.
According to the acting director of the Centers for Medicare and Medicaid Services in the US, immunity passport implementation and data storage will be handled in the private sector:
“…unlike other parts of the world, the government here is not viewing its role as the place to create a passport, nor a place to hold the data of — of citizens. We view this as something that the private sector is doing and will do. What’s important to us, and we’re leading an interagency process right now to go through these details, are that some important criteria be met with these credentials.”
While some US states, most notably The Free State of Florida, have already enacted legislation to ban immunity passports, it looks like for the most part, these will be part of The New Normal.
Heading into the Easter weekend Microsoft Azure cloud and Team services went down globally. It started slightly after close of business on the east coast (5:21 EST) heading into a long weekend so hopefully that would have minimized disruption.
It affected many services from Xbox, Microsoft Office, Sharepoint, Skype, many more, too many to mention, but included Microsoft’s own status page.
The company ascribed the outage to a software bug in their DNS service which overloaded their nameservers which all went down hard (and that, as we always will chime in with when a DNS outage wreaks havoc, is why we created proactive nameservers.)
Hate it when that happens, like on Sunday night, when it happened to us (see below).
We had an outage Sunday night ourselves, and embarrassingly, we also lost our status page in that outage. See below….
In January, the IoT device maker Ubiquiti disclosed a data breach that they framed as an attack on a third-party cloud supplier in where they were part of the collateral damage (we covered that in AoE 179). They went so far as to claim that there was no evidence that Ubiquiti had been specifically targeted.
Now an unnamed whistleblower who was part of the incident response team for Ubiquiti has come forward via Krebs on Security and casts a very different light on matters. According to “Adam,” Ubiquiti was the target and knew there was a penetration somewhere as far back as November 2020, when staff began realizing that VPS machines were being spun up on their AWS account that were not part of anybody’s projects (that third-party cloud vendor was AWS).
According to “Adam,” they realized they had a breach, a back door was discovered into their system that gave attackers access to everything, private keys, super user access, the entire database – all of it. They were then contacted by the hackers who demanded a 50 Bitcoin (roughly 2.8M) in exchange for them revealing where they had installed another back door.
Ubiquiti did not engage with the hackers and eventually found the second back door.
The upshot of all this being: If you own any Ubiquiti devices and did not upgrade them and change your passwords after the January disclosure, stop what you’re doing and take care of that right now.
This one was supposed to be a late addition into last week’s edition but didn’t make it in time, sorry about that.
The open source “netmask” npm package, which is used by over 250K other packages has been found to contain a vulnerability that can be exploited for
“Server side request forgery, remote file inclusion, local file inclusion, and more”
As I read through the finding, I found myself thinking “what’s the big deal?” (Netmask wouldn’t trim a leading “0” from an octet before evaluating if it was a private or public address, so 127.0.0.1 we all know and love as “local host.”
Netmask’s is PrivateIP() function would return true for “0127.0.0.1,” which actually, isn’t the case when evaluated….
“The problem is, private-ip thinks 0127 is 127 because it is not evaluating the first octet, which is in octal format, as the true decimal value 87.
This is catastrophic.
private-ip thinks 0127.0.0.1 is localhost, but it’s really 184.108.40.206.”
Because what can happen in certain web applications, is that IP addresses may be considered private by the application executing the code, but are really remote, public IPs, they may be tricked into either loading remote files into their application thinking they are private, or exposing private files to an external address, thinking the external address is private, when it isn’t.
The vulnerability has been assigned CVS-2021-28918.
People who figure this sort of stuff out never fail to amaze me.
The military junta who seized power in a March coup have stopped messing around and have ordered a complete internet shutdown until further notice. This comes after drastic curtailment of internet access over the previous three weeks, including nightly internet shutdowns.
The new shutdown order affects wireless broadband services, although at the time of the reports coming in, fibre connections were still operational.
The likes of Facebook and Google spend a lot of money
“All in all, we found 25 companies whose combined spending on federal lobbying totaled $29 million in 2020. Many of the top spenders were not pure data brokers but companies that nonetheless have massive data operations. Oracle, which has spent the past decade acquiring companies that collect data, spent the most by far, with disclosure documents showing $9,570,000 spent on federal lobbying.
For comparison, of the Big Tech firms with heavy lobbying presences, Facebook spent $19,680,000, Amazon $18,725,000, and Google $8,850,000 in the same period, according to the Center for Responsive Politics. Public Citizen, a consumer advocacy group, found that Big Tech spent $108 million collectively on lobbying in 2020. “
When I look at those numbers, in this day and age, they don’t seem that large, until you realize what “lobbying” actually entails which is contributing money directly to the election and re-election campaigns of the legislators.
While ruling on a lawsuit against former president Trump over his blocking users on Twitter, Supreme Court Justice Clarence Thomas signalled that he thinks it may be time to regulate Twitter, Facebook and Google as public utilities.
“Today’s digital platforms provide avenues for historically unprecedented amounts of speech, including speech by government actors. Also unprecedented, however, is control of so much speech in the hands of a few private parties,” Thomas wrote Monday (pdf). “We will soon have no choice but to address how our legal doctrines apply to highly concentrated, privately owned information infrastructure such as digital platforms.”
He goes on to note that digital platforms are similar enough to common carriers to be regulated in this manner.
This continues on a theme, initiated by Trump and continued under the new Biden regime, of calling into question Section 230 protections for Big Tech under the Communications Decency Act.
This was a theme we explored in a recent AxisOfEasy Salon #38: Should social media platforms be open source public utilities?
An unlikely string of circumstances led to an outage Sunday night. It took out the control panel, webmail, URL forwarding and email in general was severely impaired. Oh, and our blog with the status page, also gone for most interested parties. We’re going to be setting up an out-of-band status site and we are making changes in the data centre to avoid a repeat (some have already been implemented).
We’ve posted the RFO to the blog, and, I apologize for the outage.
Charles Hugh Smith, Jesse Hirsh and myself convened on April Fool’s Day and talked about the new Adam Curtis documentary series “Can’t Get You Out of My Head.”
Also, on Easter Saturday I was back on Steve Bannon’s Warroom for his special on Transhumanism, where we once again spoke of AI, Transhumanism, technocracy, etc.
View (Segment 1): https://rumble.com/vfbyed-google-executives-dream-of-super-ai-to-rule-the-world.html
And (Segment 2): https://rumble.com/vfbygb-technocracy-how-big-tech-transhumanism-the-tower-of-babel-and-french-revolu.html