Weekly Axis Of Easy #205
Last Week’s Quote was “People would rather be wrong than alone.” …was slightly tricky. I figured it was obscure, but it was from Luke Burgis, the guy I cited in the piece about Mimetic desire. Nobody got it.
This Week’s Quote: “Rhetoric is no substitute for reality.” … by???
THE RULES: No searching up the answer, must be posted to the blog – the place to post the answer is at the bottom of the post, in the comments section.
The Prize: First person to post the correct answer gets their next domain or hosting renewal is on us.
In this issue:
- Cloudflare CDN.js bug introduced critical vulnerability into 12% of websites online
- WooCommerce patches security flaw in WordPress plugin
- D-Link fixes routers with hard-coded admin password
- Uber agrees to reduced fine over sexual assault data
- The US government flags COVID misinfo stories for Facebook to delete
- Trading Big Tech shares while regulating them has made the Pelosis $70,000,000 USD
- Israeli firms help governments target journalists with 0-days
- Canadian heritage minister says tweets are undermining democracy
- Surprise! UK COVID pass ready to redeploy as a national ID card as France set to jail unvaxxed diners
- This just in: Brian Stelter is not, in fact, a Reliable Source of anything
Cloudflare CDN.js bug introduced critical vulnerability into 12% of websites online
A sharp-eyed security researcher who was looking at various types of supply chain attack vectors came across a bug in Cloudflare’s open source CDN.js package which could lead to remote code execution. The bug would have potentially put all websites using Cloudflare’s CDN package at risk, estimated to be nearly 12% of sites hosted on the Internet.
The researcher, who goes by the Twitter handle RyotaK, figured out a way to introduce hostile code into the Cloudflare GitHub repository. Once his code was executed he was able to obtain sensitive information like the GitHub repo private key and an API token, which would have given him the ability to modify any library file in the repository.
Cloudflare has patched the issue and it looks like this was discovered and fixed before any exploits came out in the wild.
WooCommerce patches security flaw in WordPress plugin
Also in the last week, a critical vulnerability was found in the popular WooCommerce plugin for WordPress. WooCommerce adds e-commerce and online shopping functionality to a WordPress site; think Shopify for WordPress. It integrates with everything, is very popular and is used widely.
On July 14, WooCommerce released an emergency patch to fix an SQL injection bug that enabled attackers to access data within a WooCommerce store.
As per the Wordfence advisory (Wordfence was able to develop proof-of-concept attacks for it):
“The vulnerability affects versions 3.3 to 5.5 of the WooCommerce plugin and WooCommerce Blocks 2.5 to 5.5 plugin.”
If you’re an easyPress client, this has already been done for you. If not, get cracking.
D-Link fixes routers with hard-coded admin password
If you’re running a DIR-3040 AC3000-based wireless router, you should make sure your firmware is upgraded to version 1.13B03. This comes after Dave McDaniel, a Cisco Talos researcher, discovered multiple issues, including command injection, information disclosure… and a hard-coded password, DIRrqtq*@twsz (at least it wasn’t “abc123”).
The vulnerabilities have been assigned CVE numbers (see within) and D-Link has issued a hot fix which can be downloaded here.
Uber agrees to reduced fine over sexual assault data
In December 2020, Uber was fined $59M USD by the California Public Utilities Commission for failing to answer questions about sexual assaults that occurred during the use of their service, which had surfaced in an internal safety report published in early 2020.
Uber refused to answer questions because they said it would violate the privacy and safety of the victims in the report.
They have now entered into an agreement with the CPUC to pay a reduced fine ($150,000), pay a further $9M to the CPUC, of which $5M will be transferred to the California Victim Compensation Fund. Part of that settlement is that they will report anonymized data on victims who are sexually assaulted in the course of using an Uber.
The US government flags COVID misinfo stories for Facebook to delete
A truly stunning revelation was delivered in a rather matter-of-fact tone this week, as US Presidential Press Secretary Jen Psaki talked about how the Biden Administration is flagging “problematic” posts on Facebook because they spread COVID misinformation.
“We are in regular touch with the social media platforms and those engagements typically happen through members of our senior staff and also members of our COVID-19 team — given as Dr. Murthy conveyed, this is a big issue, of misinformation, specifically on the pandemic,…
We’ve increased disinformation research and tracking within the Surgeon General’s Office. We are flagging problematic posts for Facebook that spread disinformation…it’s important to take faster action against harmful posts … and Facebook needs to move more quickly to remove harmful violative posts.”
Joe Biden looked into a camera and said Facebook’s misinformation was killing people. Senator Amy Klobuchar made a reference to the “#DirtyDozen of COVID Misinformation,” a list put out by the CCDH – the Center for Countering Digital Hate (misinformation = hate speech?). Who is the CCDH that they seem to have the purview to dictate who gets a voice and who doesn’t? I’m glad you asked.
10 of the 12 names in The Dirty Dozen I had never heard of until the list came out.
The only real problem with all this, as COVID has shown, is that it’s very difficult to figure out what is fact and what is wrong, and the general consensus of “what is true” has been a moving target from the get-go. COVID fatalities, especially with the Delta variant, don’t seem to be tracking with the narrative that only unvaxxed people die from it. Some recent data out of Public Health England actually showed a higher fatality rate among the fully vaxxed for the over-50 cohort (but single-shot vaxxed is lower, begging the question: how can anybody claim to have a monopoly on truth when this is all very fluid and in some cases counter-intuitive?)
It’s important to note: I’m not saying “don’t get vaxxed” and I’m not saying “COVID is a scam.” I’m saying if you look at some data, or a study, and you find yourself thinking “this doesn’t fit with the narrative,” you are assuredly not committing an act of hate. Nor are you spreading misinformation if you share your thoughts about that. However, anybody who deigns to censor or abridge your ability to freely communicate or listen to other opinions on this matter is committing human rights violations against you.
(Guess what does seem to be driving down fatality rate of COVID in India? Looks like Ivermectin is doing the trick.)
In last week’s edition we mentioned how hard it is to beat the market averages in stocks, even if you’re an investment professional, unless you’re in Congress. Then you outperform the markets handily and seemingly with ease.
Glenn Greenwald put out a more in-depth look at the Pelosis’ trades over the years. Nancy and her husband Paul (who runs a real estate investment firm) have increased their net worth by over $70,000,000 USD since 2004, thanks at least in part to some pretty dynamite options trades.
“House Speaker Nancy Pelosi (D-CA) is the sixth-richest member of Congress, according to the most recent financial disclosure statements filed in 2019. As the California Democrat has risen through party ranks and obtained more and more political power, her personal wealth has risen right along with it. Pelosi “has seen her wealth increase to nearly $115 million from $41 million in 2004,” reports the transparency non-profit group Open Secrets. Even by the standards of wealth that define that legislative body — “more than half of those in Congress are millionaires” — the wealth and lifestyle of the long-time liberal politician and most powerful lawmaker in Washington are lavish.”
People consider me fairly well versed in terms of markets and finance. I’m no pro but I’ve done ok over the years. In that time I’ve lost money on nearly every single one of my options trades, including some where I was right about the overall move in the underlying assets or markets and still lost money or barely got out with my skin intact. With options you have time decay. You have premiums above or discounts below the underlying asset. You have volatility. It’s hard, so hard that for the most part I’ve bowed out and relegated it to the professionals. Most clueful participants who understand this stuff would recommend non-professionals give options a pass. Something like 99% of all options expire worthless and out of the money (yes, some of that is intentional, as in the case of hedges). But here we have a politician and a bureaucrat, married to a real estate guy, absolutely slamming it out of the ballpark. Consistently, repeatedly. Over and over again. Crushing it. Making Buffett look like a pussy.
It begs the question: if this power couple is so good at investing in the markets, what are they doing wasting their time in Congress or running a lower-yielding real estate fund? Especially in Paul Pelosi’s case, where the higher use and return on his investments would simply be to sell out the real estate fund and put the capital to work in the options markets.
“The sector in which the Pelosis most frequently buy and sell stocks is, by far, the Silicon Valley tech industry. Close to 75% of the Pelosis’ stock trading over the last two years has been in Big Tech: more than $33 million worth of trading.”
Unless, of course, his edge relies entirely on being married to a very well placed political operator who has the very power to regulate the companies and the sectors they’re trading.
“That has happened as major legislation is pending before the House, controlled by the Committees Pelosi oversees, which could radically reshape the industry and laws that govern the very companies in which she and her husband most aggressively trade.”
As I said last week, “nice work, if you can get it.”
Israeli firms help governments target journalists with 0-days
Over the weekend two separate stories emerged around the same theme: governments hiring tech companies (in both cases, based in Israel) to hack the mobile devices of journalists and spy on them. One of these companies is the NSO Group which we’ve covered many times in these pages. This is who Edward Snowden tweeted about this weekend when he said that this story would be “the leak of the year.”
A group of 17 media organizations undertook an extensive study of NSO’s work with their Pegasus spyware, which governments used to hack the mobile devices of at least 37 journalists. Toronto’s own CitizenLab, which has been tracking NSO for years, was asked to verify the findings of the study and did so. They released their report over the weekend concurring that the analysis method was sound and that they could independently verify many of the findings. CitizenLab’s own work on NSO is available here.
The other story involves another Israeli company called Candiru, which had reportedly been hired to actively exploit the recently revealed supply chain attacks, such as those against Microsoft, “to hack more than 100 journalists, academics, activists, and political dissidents globally.”
Candiru was recently identified as a commercial surveillance company by Google’s Threat Analysis Group (TAG), which was also corroborated by CitizenLab, who said:
“This case demonstrates, yet again, that in the absence of any international safeguards or strong government export controls, spyware vendors will sell to government clients who will routinely abuse their services.”
“As we went to press, word came out that Amazon AWS has cancelled infrastructure used by the NSO Group.”
Canadian heritage minister says tweets are undermining democracy
The Canadian federal heritage minister Steven Guilbeault is at it again. Bill C-11 already seeks to ban internet content that taunts politicians and implement an internet kill switch to do that (whatever the hell that even means); now an internal report ruminates on how social media is undermining democracy.
“Social media platforms can also be used to threaten, intimidate, bully and harass people or used to promote racist, anti-Semitic, Islamophobic, misogynist and homophobic views that target communities, put people’s safety at risk and undermine Canada’s social cohesion or democracy…. This content steals and damages lives. It intimidates and obscures valuable voices, preventing a truly democratic debate.”
The internal briefing contained no examples of such damaging language but called for greater transparency and accountability from social media platforms…
“The mandate of the Department of Canadian Heritage includes the promotion of a greater understanding of human rights.”
(Except the one about freedom of speech, I guess.)
For their troubles, #TrudeauDictatorship began trending on Twitter once news of the report surfaced.
Surprise! UK COVID pass ready to redeploy as a national ID card as France set to jail unvaxxed diners
In an astonishing turn nobody could have seen coming, one of the companies involved in the creation of the UK’s vaccine passport said that all the components are there to pivot the system into a national ID card.
Plans for a digital national ID card in England were tabled in 2011 and promptly scratched on privacy concerns. Things change.
The product manager for Entrust, the company awarded the contract for vaccine passports, blogged:
“Vaccine credentials can become part of the infrastructure of the new normal… With the infrastructure and investment necessary to ensure a viable vaccine passport, why not redeploy this effort into a national citizen ID program that can be used for multiple purposes, including the secure delivery of government services, secure cross-border travel, and documentation of vaccination.”
Meanwhile in France, as many as 20,000 citizens flooded the streets of Paris in protest on Bastille Day over proposed legislation that would levy fines of 10,000 francs and up to six months in prison for anybody who enters a restaurant or bar without a valid COVID pass. Business owners who fail to check their patrons for said COVID passes face fines of 45,000 francs and 1 year in prison.
French President Macron was quick to point out that vaccines are not going to be mandatory in France, but the health pass will be pushed “to the fullest extent.”
“You’ve understood – vaccination is not immediately obligatory for everyone, but we’re going to extend the health pass to the maximum, in order to push a maximum of you to go and get vaccinated.”
President Macron is also not vaccinated, btw, because in this video he is saying (loose translation by our editor Tracy):
“He’s saying he caught the virus, and still has antibodies, and so he will follow the prescription of the faculty and he will get vaccinated when it’s the important time to get vaccinated, between 3 to 6 months … ‘better to wait until 6 because I still have antibodies … I think I’ll do a test to see if I still have the antibodies.’”
So if you’ve already had COVID you don’t need the vaccine? Unless you want to eat out in a restaurant I guess. Something tells me Macron gets a pass on that one when he goes out to dinner.
A lot of this continued hysteria revolves around the Delta variant, which, as Chris Martenson points out, is more contagious but, according to recent data out of the UK, about 10% as lethal as the Alpha variant. Where Alpha (the original strain) of COVID has a CFR of 1.9%, Delta’s comes in at 0.2% – exactly the same as the traditional flu. Also – by “case” in this context we mean the traditional medical definition of a case, which is presenting symptoms and requiring medical treatment. This doesn’t include the vast majority of reported cases of positive PCR tests on asymptomatic people (especially when the Cycle Thresholds are higher than 30).
This just in: Brian Stelter is not, in fact, a Reliable Source of anything
I didn’t really come across anything particularly uplifting this week, aside from this segment where author Michael Wolff went on CNN and told Brian Stelter the media has done a terrible job on everything, and that Stelter himself was “full of sanctimony” and that the media’s belief that they “have a monopoly on truth” is a big part of the problem.
“You are the flip side of Donald Trump… most people don’t want to turn to Brian Stelter to tell us what’s real.”
It was a truly awe-inspiring clip and I’m amazed CNN didn’t cut to commercials in the midst of it. Stelter, to his credit, took it in stride and even asked “what should I do differently?”