I’ll just put this fire over here with the rest of the fire…

In an effort to write more, I’m going to try to post this each week: Friday Fire Blogging, where I’ll link to and comment on some of the past week’s most “on-fire” stories. This will include things I find highly interesting, and also (or more likely) disturbing, because privacy and information security continue to be one gigantic tire fire. So here we go, and since this is the first go, I am pulling back a bit further than one week.

Cory Doctorow on how anyone can receive / send text messages for your phone

The whole industry is a trash-fire. It is built on badly conceived, badly overseen institutions like the Override Services Registry, maintained by Netnumber. The OSR is a powerful, industry-wide database that allows text messages to be redirected from one phone to another.

Your text messages were never secure. If you are forced to use SMS authentication for anything actually important, I suggest using an app like MySudo and a dedicated number that isn’t easily discoverable. If the authentication messages come from a short code number, you might be out of luck aside from a burner. In addition to the authentication issues, you should not assume any privacy with SMS messages. Get Signal; avoid SMS whenever possible.

OVH Data Center Fire

As curious as I am about how the fire suppression must have failed here, I’m also not terribly surprised that a UPS appears to have started it, having personally seen two smaller UPS units try to self-combust. How many people have moved workloads to cloud providers thinking it was safer than their single on-premise data center, without off-site backups or geographic redundancy? Yeah. Don’t keep your important data in one place, ever. Just don’t.

The United Kingdom secretly testing mass surveillance tools to store all citizens’ web and phone histories for a year

Not really surprising that after passing laws in 2016 giving the government broader domestic surveillance powers, the UK is turning into more of a police state than it already was. Of course, here in the States we don’t need the government to collect that data because private companies already do, and the government need only ask them nicely for it most of the time.

And finally, the biggest dumpster fire this week: Netgate pushing buggy, vulnerable WireGuard code and trying to defend their bad practices.

It’s hard to even summarize this one because it is just that bad on so many levels. Not only did Netgate hire a convicted felon to write a half-assed port of WireGuard for FreeBSD, they pushed that beta code to their own customers before pushing it to the FreeBSD 13 beta, where the lead WireGuard developer rightly identified a litany of issues. Then Netgate accused them of “attacking” Netgate while trying to defend their own terrible practices, and said there were no vulnerabilities in that code, just something “problematic”, which is actually a denial-of-service vulnerability. Nope! Nope nope nope. Get rid of your pfSense boxes; replace them with OPNsense. Do it now. There is no way that pfSense doesn’t continue to implode after this.