Attention, slackers — if you do remote work for a financial institution, using a mouse jiggler might not be the best career move. That’s what a dozen people learned this week as they became former employees of Wells Fargo after allegedly being caught “simulating keyboard activity” while working remotely. Having now spent more than twice as many years working either hybrid or fully remote, we get it; sometimes, you’ve just got to step away from the keyboard for a bit. But we’ve never once felt the need to create the “impression of active work” during those absences. Perhaps that’s because we’ve never worked in a regulated environment like financial services.
For our part, we’re curious as to how the bank detected the use of a jiggler. The linked article mentions that regulators recently tightened rules that require employers to treat an employee’s home as a “non-branch location” subject to periodic inspection. More than enough reason to quit, in our opinion, but perhaps they sent someone snooping? More likely, the activity simulators were discovered by technical means. The article contains a helpful tip to avoid powering a jiggler from the computer’s USB port, which implies that whatever gets plugged into the port is being enumerated and logged by the endpoint management software. Our guess is that Wells also tracks mouse and keyboard activity and compares it against a machine-learning model to look for signs of slacking: input that arrives at metronome-regular intervals with the same tiny movement every time doesn’t look much like a human.
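As an added illustration of the kind of timing analysis such a detector could do (example code written for this page, not anything Wells Fargo is known to run), the toy below scores a trace of mouse events by how regular the gaps between them are and how many distinct movements it contains. The traces and the thresholds are constructed for the example.

```python
"""Toy detector for scripted mouse input (added example, not Wells Fargo's method).

A hardware jiggler or a script tends to emit the same small displacement at a
fixed period, so two cheap features separate it from a person: the regularity of
the gaps between events and the number of distinct movements observed.
"""
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class MouseEvent:
    t: float   # seconds since the session started
    dx: int    # horizontal displacement in pixels
    dy: int    # vertical displacement in pixels


def interval_cv(events):
    """Coefficient of variation of the inter-event gaps; 0.0 means perfectly periodic.

    Returns None when there are too few events to say anything.
    """
    if len(events) < 3:
        return None
    gaps = [later.t - earlier.t for earlier, later in zip(events, events[1:])]
    mean = statistics.fmean(gaps)
    if mean <= 0:
        return 0.0
    return statistics.pstdev(gaps) / mean


def distinct_moves(events):
    """How many different (dx, dy) displacements appear; jigglers repeat a handful."""
    return len({(e.dx, e.dy) for e in events})


def classify(events, cv_threshold=0.1, move_threshold=4):
    """Label a trace. The thresholds are assumptions chosen for this toy, not tuned values."""
    cv = interval_cv(events)
    if cv is None:
        return "insufficient-data"
    if cv < cv_threshold and distinct_moves(events) <= move_threshold:
        return "likely-simulated"
    return "plausibly-human"


# Constructed traces (not captured data).
# A jiggler nudging the cursor left and right every ~30 s, with a little jitter.
_JITTER = [0.10, -0.20, 0.15, -0.05, 0.00]


def jiggler_trace(n=20, period=30.0):
    t, events = 0.0, []
    for i in range(n):
        events.append(MouseEvent(t, 2 if i % 2 else -2, 0))
        t += period + _JITTER[i % len(_JITTER)]
    return events


# A person: bursts of varied movement separated by irregular pauses.
HUMAN_TRACE = [
    MouseEvent(0.00, 14, -3), MouseEvent(0.40, 97, 22), MouseEvent(0.55, 5, 1),
    MouseEvent(1.90, -310, 45), MouseEvent(12.30, 8, -60), MouseEvent(12.35, 2, -9),
    MouseEvent(12.50, 0, -1), MouseEvent(40.20, 122, 130), MouseEvent(41.00, -7, 3),
    MouseEvent(95.70, 640, -210),
]

if __name__ == "__main__":
    for label, trace in (("jiggler", jiggler_trace()), ("human", HUMAN_TRACE)):
        print(f"{label}: cv={interval_cv(trace):.3f} "
              f"moves={distinct_moves(trace)} -> {classify(trace)}")
```

A real product would add keyboard cadence, correlate with the USB device inventory, and tune the thresholds on labelled data; the point here is only that perfectly periodic, low-entropy input is easy to spot once someone is logging it.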
Can you believe that Facebook turns 18 this year? One of the troubled teenager’s biggest problems is that not only are the young people still leaving in droves, many of the remaining denizens are 50 or over and susceptible to the various predators and sources of misinformation that plague the site.
Senior Planet Community is a new social network aimed squarely at that 50-and-over crowd. It was developed by Older Adults Technology Services (OATS), an AARP affiliate. OATS was leading computer classes for seniors, moved them online during the pandemic, and the idea grew from there.
The main difference from Facebook is that Senior Planet Community is absolutely free (for now, at least), including a complete lack of advertisements. If Grandma’s gonna unwittingly spend hundreds on micro-transactions, it won’t be taking place here, and not just because there’s no mobile app or games just yet. As for moderation, there’s a long list of house rules that involve courtesy and encourage the citing of sources. Posts can be reported should they violate the rules.
We’ll see how it goes. There are plenty of bad actors who could pretend to be 50+, or who don’t even have to lie about it. We also wonder how long they’ll be able to go without advertisers.
We’re all getting older, including Zuckerberg. Don’t believe it? Here’s video proof.
History is full of stories about technology that makes sense to the designer but doesn’t really fit the needs of the users. Take cake mixes. In 1929, a man named Duff realized that he could capitalize on surplus flour and molasses and created a cake mix. You simply added water to the dry mix and baked it to create a delicious cake. After World War II, General Mills and Pillsbury also wanted to sell more flour, so they started making cake mixes too. But sales leveled out. A psychologist who was a pioneer in focus groups, named Dichter, had the answer: bakers didn’t feel like they were contributing to the creation of the cake. To get more emotional investment, the cake mixes would need to have real eggs added in. Actually, Duff had noticed the same thing in his 1933 patent.
It is easy to imagine a bunch of food… scientists? Engineers? Designers?… whatever a person inventing flour mixes in the 1930s was called… sitting around thinking that making a mix that only requires water is a great thing. But the bakers didn’t like it. How often do we fail to account for users?
From Cake Mix to Tech
Apple has made a business of this. Most of us don’t mind things like arcane commands and control key combinations, but the wider pool of global computer users doesn’t like those things. As the world continues to virtually shrink, we often find our users are people from different lands and cultures who speak different languages. It is, after all, the world wide web. This requires us to think even harder about our users and their particular likes, dislikes, and customs.
Here at Hackaday we love the good kinds of hacks, but now and then we need to bring up a less good kind. Today it was learned that the npm package ua-parser-js was compromised, and any software using it as a library may have been the victim of a supply chain attack. What is ua-parser-js and why does any of this matter?
In the early days of computing, programmers would write every bit of code they used themselves. Larger teams would work together to develop larger code bases, but it was all done in-house. These days software developers don’t write every piece of code. Instead they use libraries of code supplied by others.
For better or worse, repositories of code are now available for even the smallest of functions, so that a developer doesn’t have to write them from scratch. One such registry is npm (Node Package Manager), which hosts a huge collection of contributed libraries written in JavaScript. A developer need only install a package with npm to have all of its functions available in their own code. One such package is ua-parser-js, a User-Agent parser written in JavaScript. This library makes it easy for developers to find out the type of device and software being used to access a web page.
On October 22, 2021, the developer of ua-parser-js found that attackers had published versions of his package that contained malware for both Linux and Windows computers. The malicious versions were found to steal data (including passwords and Chrome cookies, perhaps much more) from infected machines or to run a cryptocurrency miner. This prompted GitHub to issue a critical-severity security advisory.
What makes this compromise so dangerous is that ua-parser-js sits deep in countless software supply chains, often pulled in as a transitive dependency of some other package rather than installed directly, and it has been adopted even by Facebook for use in some of its customer-facing software. The developer has already regained control of his npm account and published new, clean versions of the package. If you have any software that uses this library, make sure you’ve updated to a clean version, and check your lockfile for nested copies brought in by other packages, not just the one you installed yourself.
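An added example of what that lockfile check looks like (written for this page, not a tool from the ua-parser-js project or the advisory): the script below walks a package-lock.json in either the old nested layout or the newer flat one, reports any copy of a package whose exact version is on a blocklist, and lists entries that lack an integrity hash. The sample lockfiles and their hashes are constructed; the blocklisted versions are the ones the GitHub advisory names for this incident.

```python
"""Scan an npm lockfile for known-compromised package versions (added example).

Illustration code written for this page, not part of the ua-parser-js project.
It understands both lockfile layouts: lockfileVersion 1 nests dependencies
inside each other, while lockfileVersion 2 and 3 carry a flat "packages" map
keyed by install path, which is what npm itself reads.
"""
import json
import sys

# Exact versions the GitHub advisory for this incident lists as containing malware.
MALICIOUS = {"ua-parser-js": {"0.7.29", "0.8.0", "1.0.0"}}


def lock_entries(lock):
    """Yield (name, version, integrity) for every installed package in the lockfile."""
    packages = lock.get("packages")
    if packages is not None:
        for path, meta in packages.items():
            if not path:                      # "" is the root project itself
                continue
            # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield name, meta.get("version") or "", meta.get("integrity")
        return

    def walk(deps):
        for name, meta in deps.items():
            yield name, meta.get("version") or "", meta.get("integrity")
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def scan_lockfile(lock_text, blocklist=MALICIOUS):
    """Return compromised (name, version) pairs and entries lacking an integrity hash."""
    lock = json.loads(lock_text)
    compromised, no_integrity = set(), set()
    for name, version, integrity in lock_entries(lock):
        if version in blocklist.get(name, ()):
            compromised.add((name, version))
        if not integrity:
            no_integrity.add((name, version))
    return {"compromised": sorted(compromised), "no_integrity": sorted(no_integrity)}


# Constructed lockfiles with placeholder hashes. The nested copy under some-widget
# is the kind a quick look at your own direct dependencies would miss.
SAMPLE_LOCK_V2 = json.dumps({
    "name": "demo-app", "lockfileVersion": 2, "requires": True,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0",
             "dependencies": {"some-widget": "^3.1.0", "ua-parser-js": "^1.0.1"}},
        "node_modules/some-widget": {
            "version": "3.1.4", "integrity": "sha512-CONSTRUCTED-A",
            "dependencies": {"ua-parser-js": "^0.7.20"}},
        "node_modules/some-widget/node_modules/ua-parser-js": {
            "version": "0.7.29", "integrity": "sha512-CONSTRUCTED-B"},
        "node_modules/ua-parser-js": {"version": "1.0.1"},   # no integrity: worth a look
    },
})

SAMPLE_LOCK_V1 = json.dumps({
    "name": "demo-app", "version": "1.0.0", "lockfileVersion": 1,
    "dependencies": {
        "some-widget": {
            "version": "3.1.4", "integrity": "sha512-CONSTRUCTED-A",
            "requires": {"ua-parser-js": "^0.7.20"},
            "dependencies": {
                "ua-parser-js": {"version": "0.7.29", "integrity": "sha512-CONSTRUCTED-B"}}},
        "ua-parser-js": {"version": "1.0.1", "integrity": "sha512-CONSTRUCTED-C"},
    },
})

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(scan_lockfile(fh.read()))
    else:
        print("v2:", scan_lockfile(SAMPLE_LOCK_V2))
        print("v1:", scan_lockfile(SAMPLE_LOCK_V1))
```

Run it against a real project with `python scan_lock.py path/to/package-lock.json`. Reading the lockfile rather than package.json is the point: the version ranges in package.json say nothing about which exact build was actually installed, and a nested copy pinned by a dependency never appears there at all.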
Of course this is by no means a unique occurrence. Last month Maya Posch dug into growing issues that come from some flaws of trust in package management systems. The art for that article is a house of cards, an apt metaphor for a system that is only as stable as the security of each and every package being built upon.
It’s not a jailbreak, but [basti564]’s Oculess software nevertheless allows one the option to remove telemetry and account dependencies from Facebook’s Oculus Quest VR headsets. It is not normally possible to use these devices without a valid Facebook account (or a legacy Oculus account in the case of the original Quest), so the ability to flip any kind of disconnect switch without bricking the hardware is a step forward, even if there are a few caveats to the process.
To be clear, the Quest devices still require normal activation and setup via a Facebook account. But once that initial activation is complete, Oculess gives one the option of disabling telemetry or completely disconnecting the headset from its Facebook account. Removing telemetry means that details about what apps are launched, how the device is used, and all other usage-related data are no longer sent to Facebook. Disconnecting will log the headset out of its account, but doing so means apps purchased from the store will no longer work, and neither will factory-installed apps like Oculus TV or the Oculus web browser.
What will still work is the ability to sideload unsigned software, meaning applications that are neither controlled nor distributed by Facebook. Sideloading isn’t on by default; it’s enabled by putting the headset into Developer Mode (a necessary step for installing Oculess in the first place, by the way). There’s a fairly active scene around unsigned software for the Quest headsets, as evidenced by the existence of the alternate app store SideQuest.
We have to admit, it was hard not to be insufferably smug this week when Facebook temporarily went dark around the globe. Sick of being stalked by crazy aunts and cousins, I opted out of that little slice of cyber-hell at least a decade ago, so Monday’s outage was no skin off my teeth. But it was nice to see that the world didn’t stop turning. More interesting are the technical postmortems on the outage, particularly this great analysis by the good folks at the University of Nottingham. Dr. Steve Bagley does a great job explaining how Facebook likely pushed a configuration change that withdrew its Border Gateway Protocol (BGP) route announcements; as the withdrawal propagated through the Internet, other networks lost every path to Facebook’s address space, including the servers that answer DNS queries for its domains, which is why name lookups failed as well. He also uses a graphical map of routes to show Facebook’s BGP peering sessions dropping one at a time, until its machines were totally isolated. And he offers speculation on why Facebook engineers were denied internal access, sometimes physically, to their own systems.
It may be a couple of decades overdue, but the US Federal Communications Commission finally decided to allow FM voice transmissions on Citizen’s Band radios. It seems odd to be messing around with a radio service whose heyday was in the 1970s, but Cobra, the CB radio manufacturer, petitioned for a rule change to allow frequency modulation in addition to the standard amplitude modulation that’s currently mandatory. It’s hard to say how this will improve the CB user experience, which last time we checked is a horrifying mix of shouting, screaming voices often with a weird echo effect, all put through powerful — and illegal — linear amps that distort the signal beyond intelligibility. We can’t see how a little less static is going to improve that.
Can you steal a car with a Game Boy? Probably not, but car thieves in the UK are using some sort of device hidden in a Game Boy case to boost expensive cars. A group of three men in Yorkshire used the device, which supposedly cost £20,000 ($27,000), to wirelessly defeat the security systems on cars in seconds. They stole cars from garages and driveways to the tune of £180,000, not a bad return on their investment. It’s not clear how the device works, but we’d love to find out, for science, of course.
There have been tons of stories lately about all the things AI is good for, and all the magical promises it will deliver on given enough time. And it may well, but we’re still early enough in the AI hype curve to take everything we see with a grain of salt. However, one area that bears watching is the ability of AI to help fill in the gaps left when an artist is struck down before completing their work. And perhaps no artist left so much on the table as Ludwig van Beethoven, with his famous unfinished 10th Symphony. When the German composer died, he had left only a few notes on what he wanted to do with the four-movement symphony. But those notes, along with a rich body of other works and deep knowledge of the composer’s creative process, have allowed a team of musicologists and AI experts to complete the 10th Symphony. The article contains a lot of technical detail, both on the musical and the informatics sides. How will it sound? Here’s a preview:
And finally, Captain Kirk is getting to space. William Shatner, who played Captain, and later Admiral, James Tiberius Kirk from the 1960s to the 1990s, will head to space aboard Blue Origin’s New Shepard rocket on Tuesday. At 90 years old, Shatner will edge out Wally Funk, who recently set the record after her Blue Origin flight at the age of 82. It’s interesting that Shatner agreed to go, since he is said to have previously refused the offer of a ride upstairs with Virgin Galactic. Whatever the reason for the change of heart, here’s hoping the flight goes well.
The Apache HTTP Server version 2.4.49 has a blistering vulnerability, and it’s already being leveraged in attacks. CVE-2021-41773 is a simple path traversal flaw in that release’s rewritten path normalization: writing the dots of a .. segment as %2e gets the traversal past the filter, so a crafted URL can be mapped to files outside the document root. Thankfully the bug was introduced in 2.4.49, the latest release, so earlier versions are unaffected, and a fix has already been released as 2.4.50. (That fix was subsequently found to be incomplete, tracked as CVE-2021-42013 and closed in 2.4.51, so that is the version to end up on.)
If such a request returns anything other than a 403 error, your server may be vulnerable. It’s worth pointing out that Apache’s default configuration ships with a block that mitigates this vulnerability: access to the whole filesystem is denied unless a directory is explicitly opened up further down, so a traversal that escapes the document root still gets a 403.
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# blocks below.
#
<Directory />
AllowOverride none
Require all denied
</Directory>
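As an added worked example (written for this page, not Apache’s code or the article’s own test), here is a toy model of why the encoding defeats the check in 2.4.49, with the effect of the default-deny directory block modelled alongside the corrected ordering, plus a probe() that sends the widely published test request to a server you name and reports whether it gets the 403 you want. The web root and the treatment of /cgi-bin/ as an ordinary directory beneath it are assumptions made to keep the model small.

```python
"""Toy model of CVE-2021-41773 plus a live probe (added example; not Apache's code).

The 2.4.49 normalizer let percent-encoded dots through its traversal check, so
"%2e%2e" (or ".%2e") was only turned into ".." after the check had passed. The
two mappers below contrast that ordering with a corrected one, and serve() adds
the effect of the shipped <Directory /> Require all denied block. The web root
and the treatment of /cgi-bin/ as a plain directory under it are simplifications.
"""
import sys
import urllib.error
import urllib.parse
import urllib.request
from pathlib import PurePosixPath

WEB_ROOT = PurePosixPath("/var/www/html")   # hypothetical DocumentRoot

# The widely published test request for this bug: four encoded ".." segments.
PROBE_PATH = "/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"


def _resolve(root, segments):
    """Apply '.' and '..' segments to root the way a filesystem would, never above '/'."""
    parts = list(root.parts)
    for seg in segments:
        if seg == ".":
            continue
        if seg == "..":
            if len(parts) > 1:
                parts.pop()
        else:
            parts.append(seg)
    return PurePosixPath(*parts)


def _inside_root(target):
    return target == WEB_ROOT or WEB_ROOT in target.parents


def vulnerable_map(url_path):
    """Reject '..' while the segments are still encoded, then decode: the flawed order."""
    segments = [s for s in url_path.split("/") if s]
    if any(s == ".." for s in segments):
        raise PermissionError("traversal rejected")
    decoded = [urllib.parse.unquote(s) for s in segments]   # '%2e%2e' -> '..' too late
    return _resolve(WEB_ROOT, decoded)


def fixed_map(url_path):
    """Decode first, normalize, then refuse anything that ended up outside the root."""
    decoded = [urllib.parse.unquote(s) for s in url_path.split("/") if s]
    target = _resolve(WEB_ROOT, decoded)
    if not _inside_root(target):
        raise PermissionError("traversal rejected")
    return target


def serve(mapper, url_path, filesystem_denied=True):
    """Return (status, filesystem path). filesystem_denied=True models the shipped
    <Directory /> Require all denied block with only the web root granted."""
    try:
        target = mapper(url_path)
    except PermissionError:
        return 403, None
    if filesystem_denied and not _inside_root(target):
        return 403, None
    return 200, str(target)


def probe(base_url, timeout=5.0):
    """Send PROBE_PATH to a live server and return the HTTP status; 403 is the safe answer."""
    req = urllib.request.Request(base_url.rstrip("/") + PROBE_PATH)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    if len(sys.argv) > 1:
        status = probe(sys.argv[1])
        verdict = "looks mitigated" if status == 403 else "investigate"
        print(f"{sys.argv[1]} -> HTTP {status}: {verdict}")
    else:
        for mapper in (vulnerable_map, fixed_map):
            for denied in (False, True):
                print(mapper.__name__, "denied" if denied else "open",
                      serve(mapper, PROBE_PATH, denied))
```

Run without arguments to see the four combinations: only the flawed mapper with the filesystem left open hands back /etc/passwd, which is exactly the case the advisory describes. Run with a base URL, say `python probe.py http://host:8080`, and anything but a 403 on a 2.4.49 box means the deny block is not in effect and you should be upgrading. Probe only servers you are authorized to test.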
The Day The Internet Stood Still
You might have noticed a bit of a kerfuffle on the Internet on Monday. Facebook dropped out for nearly six hours. While the break was nice for some, it was a major problem for others. What exactly happened? The most apparent cause was that the facebook.com domain was returning NXDOMAIN to DNS lookups. This led to some fun tweets, with screen caps showing facebook.com for sale.