Weekly Axis Of Easy #194
Last Week’s Quote was “Most of the greatest evils that man has inflicted upon man have come through people feeling quite certain about something which, in fact, was false” … by Bertrand Russell. I don’t think anybody got it.
This Week’s Quote: “Most of the energy of political work is devoted to correcting the effects of mismanagement of government”… by???
THE RULES: No searching up the answer, must be posted to the blog – the place to post the answer is at the bottom of the post, in the comments section.
The Prize: First person to post the correct answer gets their next domain or hosting renewal on us.
New BIND vulnerabilities
A set of three vulnerabilities has been found in the BIND nameserver, which is one of the most widely used nameserver packages across the internet.
The first is within the “GSSAPI security policy negotiation mechanism for the GSS-TSIG protocol” and can be triggered remotely to crash the server. The good news is that the default configuration of BIND doesn’t expose the exploit path; you have to have set the “tkey-gssapi-keytab” or “tkey-gssapi-credential” option for that to happen. This apparently happens most often in environments where BIND is integrated with Samba or used with Active Directory domain controllers.
This one is CVE-2021-25216.
The second one, CVE-2021-25215, has to do with how DNAMEs are processed and can lead to a crash in the server.
The last one, CVE-2021-25214, is that a malformed IXFR request (incremental zone transfer) can also crash the server.
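A configuration audit for the condition described for CVE-2021-25216, as an added example that is not part of the original newsletter or of BIND itself: it scans named.conf text for active (uncommented) tkey-gssapi-keytab or tkey-gssapi-credential statements. The sample configurations, keytab path and principal are constructed placeholders.

```python
import re

# The two options named above; per the article, BIND's default config sets neither.
GSS_OPTIONS = ("tkey-gssapi-keytab", "tkey-gssapi-credential")

def strip_comments(text):
    """Drop named.conf comments (//, #, /* */) but keep quoted strings and newlines."""
    out, i, n = [], 0, len(text)
    while i < n:
        if text[i] == '"':                          # quoted string: copy verbatim
            j = text.find('"', i + 1)
            end = n if j == -1 else j + 1
            out.append(text[i:end])
            i = end
        elif text.startswith("/*", i):              # block comment, may span lines
            j = text.find("*/", i + 2)
            end = n if j == -1 else j + 2
            out.append("\n" * text.count("\n", i, end))  # preserve line numbering
            i = end
        elif text.startswith("//", i) or text[i] == "#":  # comment to end of line
            j = text.find("\n", i)
            i = n if j == -1 else j
        else:
            out.append(text[i])
            i += 1
    return "".join(out)

def find_gss_tsig_settings(conf_text):
    """Return (line_number, option, value) for every active GSS-TSIG statement."""
    clean = strip_comments(conf_text)
    pattern = re.compile(r'(?<![\w-])(%s)\s+("[^"]*"|[^\s;]+)\s*;' % "|".join(GSS_OPTIONS))
    return [(clean.count("\n", 0, m.start()) + 1, m.group(1), m.group(2).strip('"'))
            for m in pattern.finditer(clean)]

# Constructed sample configs (paths and principal are placeholders).
DEFAULT_STYLE = '''options {
    directory "/var/named";
    // tkey-gssapi-keytab "/etc/named/dns.keytab";
    /* tkey-gssapi-credential "DNS/ns1.example.test"; */
};
'''
AD_INTEGRATED = '''options {
    directory "/var/named";   # constructed example
    tkey-gssapi-keytab "/etc/named/dns.keytab";
};
'''

if __name__ == "__main__":
    for name, conf in (("default-style", DEFAULT_STYLE), ("AD-integrated", AD_INTEGRATED)):
        print(name, "->", find_gss_tsig_settings(conf) or "no GSS-TSIG options set")
```

An empty result means neither option is active in the text scanned; files pulled in through `include` statements have to be checked separately.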
iOS 14.5 comes with new privacy alert pop-ups
Apple’s latest iOS 14.5 comes with a new set of privacy alert pop-ups that let you know when the various apps you have installed want to share or access your data. It’s called App Tracking Transparency.
“The privacy feature requires any app that wants to track your activity and share it with other apps or websites to ask for permission.”
I think some apps may actually do this before 14.5, my Uber Eats prompted me about this the other night and I realize now that I was still on 14.4.5, I’m downloading 14.5 right now.
Google’s contact tracing app has privacy flaws
Over on the other side of the mobile device duopoly, things aren’t going as well.
The Markup reports that Google’s contact tracing app, despite promising to be secure and private, had a flaw. Turns out hundreds of preinstalled apps are able to access a log file created by the contact tracing app which contains sensitive information.
Worse, when researchers from a privacy watchdog called AppCensus discovered the flaw, they notified Google in February, which has so far failed to fix it. AppCensus discovered the issue in the course of work they were doing under contract with the Department of Homeland Security.
Apparently Google is moving to correct this now that The Markup has broken this story.
Digital Ocean has data breach while DC police suffer ransomware attack
TechCrunch has obtained a copy of an email Digital Ocean has sent to affected customers advising them of a data breach affecting their customer billing data. The breach occurred over a two-week stretch between April 9 and April 22, and attackers were able to access names, billing addresses, phone numbers, and the last four digits and issuing bank of customer credit cards.
DO stressed in the email that the breach did not expose customer logins or passwords, or give access to client droplets.
We have not received such a notice so we’re guessing only impacted users have been notified.
Meanwhile the Washington DC police force was forced to admit it had been hit with the Babuk ransomware strain after some of the data was leaked on the web. In a statement to BleepingComputer a DC spokesperson wrote:
“We are aware of unauthorized access on our server. While we determine the full impact and continue to review activity, we have engaged the FBI to fully investigate this matter.” – Metropolitan Police Department
The gang says they have obtained 205GB of unencrypted files.
MS researchers find Remote Code Execution in MS IoT Devices
Security researchers from Microsoft have found over 25 vulnerabilities in Internet of Things (IoT) devices, stemming from memory allocation or integer overflow bugs in widely used libraries. They can lead to denial of service by crashing the devices or even Remote Code Execution.
The entire set of flaws has been called BadAlloc. The US CISA has issued advisory ICSA-21-119-04 on this, and a list of impacted devices follows:
France to use algos in detection of extremism
In France, certain temporary measures which were enacted in the wake of the 2015 terror attacks there are about to be made permanent by the Macron government. Citing a new wave of lone actor terror attacks, the French government says this is necessary because these lone wolves are increasingly self-radicalizing, without being in contact with known terror groups or operatives.
This means they have to be detected algorithmically, by monitoring communications flows via non-telecom channels (social media networks, chat forums) as well as web searches. A recent knife attack was cited in which an attacker searched and viewed videos of Islamic terror attacks in the hours before the act.
Canada’s Bill C-10 lets CRTC regulate user-generated content
Canada’s forthcoming Bill C-10 will designate the internet as a “broadcast undertaking” and put it under the purview of the CRTC for regulation and content moderation purposes. Heritage Minister Steven Guilbeault is driving this process; he’s already said he wants to create a new entity to actively censor political speech and is willing to create a so-called “internet killswitch” to remove content that insults or denigrates politicians.
The text of Bill C-10 did include an amendment that would specifically exempt user-generated content uploaded to social media platforms from being under the purview of the incoming regulatory framework. Then, in a subsequent revision to the proposed bill, that amendment was removed. That implies that user-generated content will be subject to this new framework, although Guilbeault, when asked about this by CBC’s David Common in a video interview, stammered and jabbered like a blithering idiot for a few minutes before muttering something resembling “it doesn’t matter.”
But it probably does matter, as University of Ottawa law professor Michael Geist outlines here, and former CRTC chairman Tim Denton lays out here.
Breaking update: The NDP has announced that they will be supporting a motion to wait for a Department of Justice review of C10 for compliance with the Charter of Rights. Given the Liberals have a minority government, this looks to put Bill C10 on ice for now (unless the CPC votes with the Libs, which these days, wouldn’t surprise me at all). https://www.ndp.ca/news/ndp-statement-bill-c-10
Trudeau says vaccination passports will likely be required to travel
There is an old political maxim attributed to Otto von Bismarck (apparently a distant relation, by marriage, according to family lore) that advises “never believe anything until it has been officially denied.” Today’s equivalent would be former Eurozone head Jean-Claude Juncker: “When it gets serious, you have to lie.”
In January Canada’s Trudeau the 2nd said that there were “no plans for vaccine passports,” citing them as “divisive.” As recently as March he warned that they would raise questions of “fairness.”
Now, it appears, Trudeau has gotten the memo: Canadians should expect vaccine passports as a requirement to travel. Having said that, he declined to clarify what that meant exactly, whether vaccinated travellers can enter Canada, or whether returning Canadians who are vaccinated would still have to be incarcerated at these accursed internment hotels.
Speaking of the latter, the Justice Centre for Constitutional Freedoms went to bat on that very issue, seeking an injunction to stop the federal government from forcing their applicants to quarantine at designated hotels, instead of at home, as travellers entering via land are permitted to do.
While the injunction was denied, the judge did acknowledge that serious Section 7 and 9 issues exist (in the Charter of Rights and Freedoms), the constitutionality of which will be assessed at a hearing June 1 – 3. I’m glad somebody is putting many of these measures to the legal test, and that’s why I am personally donating monthly to the JCCF.
Sharyl Attkisson on the possibilities of COVID lab origin
It’s not really permissible to talk about the possibility that COVID-19 originated in a lab. Zerohedge was deplatformed for being the first to connect a few dots about it, but after about a year, and at least one Nobel Laureate for Medicine and a former CDC head going on record as saying this came from a lab in Wuhan, a few intrepid news outlets and journalists are finally touching this third-rail of civil discourse.
I’ve read Sharyl Attkisson’s previous books on media bias and read some of her material on big pharma and overall find her to be credible. She’s done a deep dive into this story and put out a comprehensive exposé, meticulously documented and easily checkable, which is accompanied by a 10-minute mini-documentary. The bullet points are:
What she’s detailing here is in line with previous data points we’ve covered before here in AxisOfEasy, specifically former Nobel Laureate Luc Montagnier’s belief that COVID-19 had to have been modified in a lab (western media diligently ignoring him).
While the origin of the COVID-19 virus might appear out of our wheelhouse, I mention it here as an example of a narrative that seems to be marginalized by the incumbent press, not to mention a frequent target of institutional and coordinated deplatforming campaigns.
This week on the Axis
There was no AxisOfEasy Salon last week; we should be on for this Thursday. In the meantime I was a guest on Brian Jackson’s Tech Insights show to discuss the mystery move of that YUGE block of IP addresses from the US DoD to a shadowy Pentagon contractor.
Also an interview I did several weeks ago with Dr. Bradley Werrell just came out yesterday. Fascinating guy and an interesting talk.