September 08, 2021
Daily Tech News 8 September 2021
Top Story
- WhatsApp - the secure end-to-end encrypted messaging app - isn't quite. (Gizmodo)
Says WhatsApp: "We can't read or listen to your personal conversations, as they are end-to-end encrypted. This will never change."
On the other hand, if someone reports you for misconduct, WhatsApp's moderation team can see your messages.
You need to read past the scary headline and get into the details before you find out what's going on: Someone pressing that report button sends the decrypted messages from you straight back to WhatsApp. It has to work that way, or you'd have no way of handling complaints. But it means - and this should be obvious anyway - that no matter how secure the channel, if the person at the other end can't be trusted, you have no security at all.
Think of WhatsApp as a room full of classified documents and the report button as Bradley Manning.
Tech News
- Or think of WhatsApp as a McDonald's Monopoly contest and the report button as a database connection error. (Bleeping Computer)
One thing I learned long ago is if you're lazy and hard-code database connection parameters in some pre-production code, make sure they're assigned to variables well outside any potential stack trace. Because if you put them right in the connection call, and you forget that debug mode is enabled on the application server, and the pre-production code gets rushed into production - all events with a 95% or better probability - then the first time you have a connection error every single user will see your database password.
Of course your database should be locked to your internal network and firewalled both locally and at the network boundary, right? And you wouldn't also leak the login credentials for the server itself. Nobody would be that silly.
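The leak described above, as an added example that is not code from the original post or from the incident: a password literal written directly in the connection call is quoted in the traceback a debug-mode error page renders, while a value looked up at run time is not. `fake_connect`, the host name, the `APP_DB_PASSWORD` variable and the sample password are all constructed for illustration.

```python
import os
import traceback

# Constructed sample secret; not a real credential.
SAMPLE_PASSWORD = "s3cr3t-constructed-example"


class ConnectionFailed(Exception):
    """Stands in for a database driver's connection error."""


def fake_connect(host, user, password):
    # Hypothetical stand-in for a driver's connect(); always fails,
    # as a real call would when the database is unreachable.
    raise ConnectionFailed(f"could not connect to {host} as {user}")


def connect_inline():
    # Weak: the literal sits on the source line the traceback will quote.
    return fake_connect("db.internal.example", "app", "s3cr3t-constructed-example")


def connect_from_env():
    # Better: the secret is read from the environment at run time, so the
    # quoted source line names a variable, not the value.
    password = os.environ["APP_DB_PASSWORD"]
    return fake_connect("db.internal.example", "app", password)


def rendered_error(func):
    """Return the traceback text a debug-mode error page would display."""
    try:
        func()
    except ConnectionFailed:
        return traceback.format_exc()
    return ""


def leaks_secret(func, secret=SAMPLE_PASSWORD):
    """True if the rendered traceback contains the secret value."""
    return secret in rendered_error(func)


if __name__ == "__main__":
    os.environ.setdefault("APP_DB_PASSWORD", SAMPLE_PASSWORD)
    print("inline literal leaks:", leaks_secret(connect_inline))
    print("env lookup leaks:   ", leaks_secret(connect_from_env))
```

Debug pages that also dump local variables would expose the value in both cases, so disabling debug output in production remains the real fix.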
- IBM's Power 10 CPUs are on their way. (AnandTech)
15 cores with 8 threads per core on each chip, and two chips per socket. 30MB L2 and 128MB L3 cache. 1TB memory bandwidth per socket, 1TB of inter-socket interconnect, and 512GB of PCIe 5.0 for I/O.
Just don't ask how much it costs.
- The SEC is suing Coinbase over its Lend program which doesn't even exist yet. (Coinbase)
The SEC asked the crypto industry to provide information on upcoming projects so that the SEC could provide regulatory guidance. Coinbase - the fools - took them at their word. And now the SEC has filed notice of intent to sue Coinbase, over a product that doesn't exist, without at any point before or since saying what the substance of the complaint is.
- GitHub creates useless garbage merges. (Kernel.org)
It's just Linus Torvalds spouting off again. It's not like he invented Git or anything.
...
Oh.
- Hacking hackers hacked the Jenkins project's Confluence server... And used it to mine Monero. (Bleeping Computer)
This could have been a crippling supply-chain attack, because Jenkins is widely used to automate software testing.
Fortunately for us all, the hackers were idiots.
- Intel is spending $80 billion on two new chip plants in Europe. (Thurrott.com)
You might well ask why not in the US, and the answer is they are already expanding all their facilities in the US and building a huge new facility in Arizona as well.
They're betting that demand for semiconductors isn't going to decline any time soon - and hedging against the possibility of disruption in the Far East. Even short of a war, China could cause significant mischief.
- Almost forgot this one. We've used two monitoring services at my day job - Datadog and StatusCake. (I also use StatusCake for my own servers.)
The monitoring agent for Datadog is a 750MB install that includes its own version of Python. I have no idea what is going on in there; it's completely unauditable and I consider it a supply chain attack waiting to happen.
The monitoring agent for StatusCake fits on one page. I read through it, passed it on to our new sysadmin, he read through it, and we shrugged and are going to install it on all our servers.
Not everything needs to be an avalanche of crap.
Disclaimer: This is fine.
posted by Pixy Misa at 05:00 AM