[AxisOfEasy] Stop What You're Doing and Update Chrome. Do It Now.

Weekly Axis Of Easy #88

This week’s quote: “Love your country, but never trust its government” by ?????

Last Week’s Quote was   “Congress truly is America’s only native criminal Class” by Mark Twain. Winner was Roger Loeb.

THE RULES: No searching up the answer, must be posted in the comments below:

The Prize: First person to post, gets their next domain or hosting renewal on us.

In this Issue:
  • Stop what you’re doing and update Chrome. Do it now.
  • Fake Google Recaptcha injects banking malware
  • Google and Facebook are “antithetical to democracy” …and they don’t care
  • Venezuelan biometric ID worse than Sesame Credit
  • Thunderclap: beware of attacks via peripheral devices
  • Bill Gates to curate MIT Tech Review “10 Breakthrough Technologies” series
  • MIT: Why non-conformists always end up looking like clones of each other
  • Coinhive javascript crypto miner to shut down
  • Wal-Mart to automate away night shift, and greeters
  • Is Google still working on Chinese censorship engine, after saying they stopped?

Stop what you’re doing and update Chrome. Do it now.

Just as we were going to send, a days late this week and perhaps fortunately so, news broke of a Chrome 0-day vulnerability that allows remote attackers to execute arbitrary code on the victim’s computers and take control of the device. This vulnerability has been assigned CVE-2019-5786 and is being actively exploited in the wild right now:

“Without revealing technical details of the vulnerability, the Chrome security team only says the issue is a use-after-free vulnerability in the FileReader component of the Chrome browser, which leads to remote code execution attacks.”
If you haven’t done this before, just open Chrome, click on the “Chrome” pulldown and select “About Chrome”, at the top of that box it will show you your version and whether there is an update available. While you’re in there you could enable automatic updates.

Read: https://thehackernews.com/2019/03/update-google-chrome-hack.html
And: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5786

Fake Google Recaptcha injects banking malware

Watch out for this one: Sucuri researchers found cases of a phishing attack where users are prompted via a fake email to authorize an unknown banking transaction, but instead of taking the user a fake banking login page, they instead are presented with a counterfeit Google Recaptcha page. After the victim “solves” the impersonating puzzle, they are directed to download a piece of malware, and whammo. Yer infected.

Read: https://blog.sucuri.net/2019/02/hackers-use-fake-google-recaptcha-to-cloak-banking-malware.html

Google and Facebook are “antithetical to democracy” …and they don’t care

In a podcast with Recode’s Kara Swisher, “The Age of Surveillance Capitalism” author Shoshana Zuboff talked about the massive asymmetries of information and visibility that the Big Tech behemoths like Google and Facebook possess over the end-user individual. Since people don’t actually like being surveilled, let alone monetized for it, money companies take the data in one way or another, while trying to obscure this reality from the end users.

Around the same time Zuboff also penned an op-ed for FastCompany where she elaborates that even when Facebook, for example, does something that bothers you immensely, if you act on that in a way they can track (i.e. posting an rage filled meme, i.e “TEOTWAWKI”) then you are just handing them more data that they can monetize. So they really don’t care if they piss you off, so long as they can track what you do with your angst.

Read / Listen: https://www.recode.net/2019/2/20/18232469/shoshana-zuboff-age-surveillance-capitalism-book-google-facebook-privacy-data-kara-swisher
And: https://www.fastcompany.com/90303274/why-facebook-and-google-wont-change

(In my mind it comes down to one question – is the counter-party to my transaction’s business model to derive value from their exchange with me? Or is it to aggregate the data generated from my transaction in bulk, and derive their value from leveraging that to third parties? The former is good ole fashioned free market capitalism. The latter is surveillance crapitalism).

Thunderclap: beware of attacks via peripheral devices

This one isn’t news as much as something I hadn’t really thought about until I came across the “Thunderclap” page, which describes the risk and attack vectors one is vulnerable to via peripheral devices connected to your computer via the Thunderbolt port. Anybody who has physical access to a machine can use a thunderclap style attack to execute arbitrary code on the device at the highest privileged level: potentially accessing passwords, logins, …you get the idea.

There is also a Github repository for the open source tool used to research these vulnerabilities.

Read: http://thunderclap.io/

Bill Gates to curate MIT Tech Review “10 Breakthrough Technologies” series

Say what you will about Microsoft, Windows, and all that, but you have to concede that Bill Gates is no dummy. So it will be interesting to get his take on “How We Will Invent the Future” as he curates the MIT Technology Review’s series on 10 Breakthrough Technologies.

Read: https://www.technologyreview.com/lists/technologies/2019/

MIT: Why non-conformists always end up looking like clones of each other

Also MIT Technology Review: “The Hipster Effect: Why non-conformists always end up looking the same”. Reminds of a Mad Magazine I had when I was a kid, a guy standing away from a crowd holding up an “I’m a non-conformist” placard. In each panel more people break away from the crowd and run over to stand under the non-conformity sign, until finally everybody is standing around under the “I’m a non-conformist” banner.

Read: https://www.technologyreview.com/s/613034/the-hipster-effect-why-anti-conformists-always-end-up-looking-the-same/

(Which is why I recently picked up the Ken L. Fischer’s “Beat the Crowd”which is not only his opus specifically about contrarian investing, but also about why most contrarians are also positioned wrong themselves. Quick analogy: If the mainstream clock says “12″, the knee-jerk contrarian says “6” but there are also 10 other positions that are “not 12”.)

Coinhive javascript crypto miner to shut down

Coinhive, the javascript monero miner that was a favourite among hackers and malware bots for monetizing every CPU cycle they could get in proximity to, is closing down. The malware underground economy is probably in a panic now there they will have no way to monetize all those infected blogs, IoT devices et al, they’ll have to reinfect them all over again with something else.

Don’t get me wrong, Coinhive came out of a legitimate idea and there are many legitimate users. We even experimented with it on junk redirects on easyUrl, but arguably most of the uptake was from the underground.

Read: https://coinhive.com/blog/en/discontinuation-of-coinhive

Wal-Mart to automate away night shift, and greeters

In an effort to remain competitive with the likes of online retailers like Amazon, Wal-mart is looking to AI and automation to make it’s operations more efficient. They’d be crazy not to. However the human toll starts to add up: the company will use robots to eliminate the overnight shift that does shelf restocking, and in part of the same initiative the venerable “Wal-Mart Greeter” position, a mainstay of the working-retired, will be phased out and those employees (hopefully) transitioned to other positions.

However, those positions will have “broader” responsibilities (i.e. “Cleanup in aisle 17”) and there are concerns that elderly or disabled greeters won’t be able to handle the expanded roles.

This is all part of the larger trend toward automation, which many optimists posit will create as many jobs as it displaces. I am not one of them. As Reuters reports, a record number of robots were deployed in US businesses last year and the trend is just getting underway.

Read: https://www.zerohedge.com/news/2019-03-01/walmart-replacing-overnight-shifts-labor-saving-machines-eliminates-store-greeters
And: https://www.reuters.com/article/us-usa-economy-robots/u-s-companies-put-record-number-of-robots-to-work-in-2018-idUSKCN1QH0K0

Is Google still working on a Chinese censorship engine, after saying they stopped?

(Late breaking) Remember Dragonfly? That was the Chinese version of Google that censored certain search terms (like “freedom” and “democracy”) as well as reported directly to State authorities whenever some miscreant dared search for forbidden terms. Google staffers revolted, so Alphabet pulled the plug on the entire deal. Or did they? I was skeptical at the time and I should have gone on record then I guess. Glenn Greenwald (of Edward Snowden, NSA surveillance fame) wrote a blog on a group of Google employees who have been monitoring internal company communications, looking for signs that Dragonfly might not actually be dead. For some reason, the code repositories associated with the project are still being updated,

Read: https://theintercept.com/2019/03/04/google-ongoing-project-dragonfly/

3 thoughts on “[AxisOfEasy] Stop What You're Doing and Update Chrome. Do It Now.

Leave a Reply

Your email address will not be published. Required fields are marked *