US Retailers Pull Surveillance Company Products Linked to Genocide

Some argue a national security concern was the greater driver for pulling product off retail shelves.

Either way the result is Dahua products such as Lorex are gone from Lowe’s and Best Buy, which should tell you something about where might be safest to shop in America.

Best Buy, Home Depot, and Lowe’s dropped Lorex (Dahua) products after IPVM and TechCrunch reached out to the retailers about them selling products from a manufacturer deemed a threat to US national security as well as being sanctioned for human rights abuses.

Alibaba “Most-Privilege” Cloud Access Model Compromised

Everyone and their dog knows that Unix systems come with a “least-privilege” default, which for some reason was flipped on its head when Alibaba created a service model.

Trend Micro reports:

…the default Alibaba ECS instance provides root access…all users have the option to give a password straight to the root user inside the virtual machine (VM)… In this situation, the threat actor has the highest possible privilege upon compromise, including vulnerability exploitation, any misconfiguration issue, weak credentials or data leakage. Thus, advanced payloads such as kernel module rootkits and achieving persistence via running system services can be deployed.

Ouch. It’s a burning question who setup Alibaba’s security to be the exact opposite of basic practices.

The rest of the Trend Micro report describes how security detection software easily was disabled since the attacker had total system control.

AllTrails is Centrally-Planned Centrally-Managed System Dangerous to Hikers

An interesting Bay Area article has taken AllTrails to task for being a heavily funded attempt to centralize and plan an economy, without investing in data integrity required to keep people safe.

I get a call from Meaghan Praznik, AllTrails’ head of communications. I ask her why my email led to an immediate change when the National Park Service’s previous outreach did not. She mostly doesn’t answer the question and instead talks about a new feature they’ll be debuting soon, which will apparently let park employees monitor and edit illegal shortcuts added to their 300,000 trails. (This does not seem like something park employees will have time to do.) “What I can say is we really do pride ourselves on offering the safest routes possible,” she says, after I ask her why they gave explicit directions to this incredibly dangerous shortcut. […] I ask her how big a “large team” is, and she says the San Francisco-based company employs more than 100 people, but most of them work on engineering and data integrity. “So you only have a fraction of 100 people trying to keep up with more than 300,000 trails?” I ask. “It is wild,” she replies. Not exactly the reply I was expecting, but it does lead to more questions: To what degree is the largest hiking app in the world responsible for the safety of hikers?

This of course begs why AllTrails exists when they could have just funded improvements to the National Park Service.

There is NO park-sanctioned “Alamere Falls Trail”
Please take note! Many social media posts, websites, and older (and some newer) guide books reference an “Alamere Falls Trail” (also sometimes referred to as a “shortcut to the falls”). The “Alamere Falls Trail” is NOT a maintained trail, and poses many hazards to off-trail hikers—crumbling and eroding cliffs, massive poison oak, ticks, and no cell phone service. Visitors who use this unmaintained trail may endanger themselves and rescuers, and inadvertently cause resource damage, such as trampling plants, which may lead to the death of the trampled plants. On an almost weekly basis, visitors get hurt scrambling down the heavily rutted route leading to the top of the falls or sliding down the crumbly cliff-face to get to the beach, sometimes requiring search and rescue teams to be mobilized. The National Park Service strongly advises visitors against using this unmaintained route. Please use the recommended routes described below to visit the falls.

While a public service like NPS is regulated as an official resource using distributed personnel dedicated to local expertise, AllTrails seems to bank on very low cost of centrally acquiring information from others yet avoiding accountability for being out of touch or lacking knowledge.

Danish Navy Intercepts Pirates, Kills Four

The US Naval Institute reports that ladders in a speedboat were one indicator that led to interception near Malaysia:

The ship was responding to reports of pirate activity and heading to the scene while sending it’s embarked Royal Danish Air Force MH-60R helicopter in advance to observe the area, according to a Thursday news release from the Danish Armed Forces. The helicopter sighted a speedboat that afternoon with eight men on board in the vicinity of merchant ships in the area and observed that the boat was carrying a number of piracy-associated tools, including ladders.

By the evening, Esbern Snare was close enough to launch rigid-hulled inflatable boats (RHIBs) carrying Danish naval special forces personnel and called on the boat to halt and permit boarding, the news release said. When the boat refused to respond to the call, warning shots were fired, with the pirates responding by firing directly at the personnel in the RHIBs. A brief firefight then ensued, in which no Danish personnel were hit but five pirates were shot, with four of them killed and one wounded. The motorboat sank after the firefight and the surviving four pirates and the bodies of the dead pirates were taken aboard the frigate, where the wounded pirate was given medical treatment. The release said that Denmark’s inter-ministerial working group will handle what will happen next to the pirates.

Unregulated seas and collapse of safe markets generally is the root cause of piracy in the modern age. Someone financed a speedboat and ladders, let alone weapons.

Language Pattern Analysis to Detect Social Network Attacks

I have updated our 2006 paper on language pattern analysis to detect social network attacks. Some minor formatting changes were needed, given the last time I generated the PDF was 2011. The original post is here.

Attacks by scammers appear to make sophisticated use of language ideology to abuse trust relationships. Language that indexes a social group allows perceived “authenticity” to be constructed in a way that breaks down a victims’ defenses — a variety of linguistic devices are used as attack tools.

the poetry of information security