Kettle Botnet
Mudge testifies | Cyber resilience act to destroy your kettle | Facebook's antitrust lawsuit acrobatics
Hiyerrrr. Just in case you are unaware of what British life is like right now, citizens are forming The Queue of the Century to go look at a dead old woman in a box with fancy drapes over it (can't even prove that she's actually in there!). Meanwhile, with every single voter either in the queue or looking at the queue, the prime minister no one asked for has unbanned fracking. It's just great here.
Anyway, enough of the real world. Let's hop into the matrix instead. This week was good! Finally. Because:
The UK's cyber resilience act seeks to delete all IoT devices from the face of the Earth (it's about time)
That there Twitter whistleblower went in front of what the US refers to as their 'congress' (room full of wrinkly white people), and explained just how broken Twitter really is
Facebook are leveraging an antitrust lawsuit to engage in some antitrustworthy behaviour. Good for them for finally being innovative!
New act dropped
It's time to learn about the cyber resilience act, because this week some new TOUGH rules were announced. This regulation is an attempt by the UK government to appear to be cracking down on cybercrime.
Cool facts:
The regulation says that makers of IoT devices will have to inform the authorities, and their consumers, about any attacks on their devices
Failure to comply with this will result in the usual consequence: fines
Oh but wait, there's one more juicy consequence: the regulator will have the power to take devices off the market if they are not deemed secure enough. Apparently, right now, that would account for around half the IoT devices out there.
This legislation caught my eye because, as you may know by now, I am all for anything that weakens the distribution of IoT devices into the world. This news prompted me to do a little digging, including consulting my good friend Clement Briens, who runs Misinfosec UK. Below is a mixture of stuff he told me and stuff I told myself, with my own brain.
Literally the last thing we need is more IoT devices, so I believe this legislation is probably Good Vibes™. Makers of these devices generally don't build them with security in mind; they are simply built to perform a function, and assume that the people handling the software side of things will also do the security stuff. It's a lot of passing the buck, basically
We are entering the 5g age. IoT devices are always on, and probably always talking to each other. 5g is low-latency and high-bandwidth, which is exactly what connected devices need to function well. In other words: prepare yourself for the oncoming torrent of IoT devices. Nothing will be safe. Your toaster; your sofa cushions; bus stops; pumpkin spiced lattes; NOTHING.
Bad actors + an extremely hackable grid of connected devices = chaos. Maybe it will be the kind of chaos we like but… we really can't predict that, can we? IoT devices can be, and have been, used to form botnets (a collection of machines that someone has hacked and is controlling all at once), which can perform DDoS attacks and even conduct misinformation campaigns.
So what I'm saying is, don't you DARE buy that smart kettle. If you do, you're just part of the problem.
Something something Twitter is broken
You may remember that less than a month ago, the ex-security chief at Twitter did some whistleblowing, and ~~changed things forever~~ made the headlines for a bit. This week he testified in front of some old dusty law-makers in the US. I feel like so many of the questions that got thrown at him were about national security, and how likely it was that a government agent from a foreign country was on Twitter's payroll; too much paranoia and not enough scrutinising of actual internal negligence, IMO.
As fascinating and non-racist as it is, let's put 'national security' to one side for a sec and examine the more interesting stand-out points:
No one working at Twitter knows where any of the data is or what it's doing. This means, when new engineers are on-boarded, it's easier just to give them access to everything, so hundreds of engineers around the world have access to too much data, and the only thing that's stopping them from fucking with it is how much of Twitter's kool-aid they may or may not have had.
Apparently, they do not use a staging environment. All changes are pushed straight to the live site. Maybe I'm naive but I find this one very hard to believe. Even the stupidest engineers running the smallest, most inconsequential service have an environment set up where they can test stuff. Right? Right????
They do not fear US regulators. Now this one makes perfect sense to me. Of course they don't: paying the meagre FTC fines is just the cost of doing business. They aren't afraid of the regulators in the US, because the regulators haven't actually done any regulating yet; Twitter have no incentive to stop doing whatever they're getting fined for, because they can afford the fines very easily.
Ultimate thing to take away from this: I literally have no idea. The world seems to be saturated in hearings full of senators asking the wrong questions, and whistleblowers with unconvincing arguments. It's getting harder and harder to care; it's what I call scandal fatigue.
Facebook's lawyers literally don't give a FUCK
In 2020 the FTC turned around to Facebook and said: "you know what?? I've had it with you!" and slapped them with a gigantic lawsuit, the main complaint being that Facebook are simply too big. That's actually quite an unoriginal complaint. I'd rather stand out and complain about the fact that there are 'left' and 'right' shoes when they could just be designed to fit BOTH feet. Think about it.
Anyway… a lot has happened since 2020. Let's review:
In July 2021 the federal courts came back to the FTC saying that they failed to demonstrate that Facebook has a monopoly over social media. Pretty impressive to fail at something like that.
Then in August 2021, the FTC refiled the lawsuit, saying that Facebook actually was indeed a monopoly, because, via some obscure parameters, they argued that TikTok (probably the hugest direct competitor to Facebook) does not count as social media.
This week, Facebook are using this lawsuit as an excuse to take the absolute piss…
As part of forming their defence, Facebook have, for some reason, subpoenaed 132 companies (such as Snap, TikTok, and Clubhouse) to get some vital information. Things like how they get users, how they make money, their marketing strategies, etc. So basically, everything they need to utterly destroy their competitors. They're literally using this antitrust lawsuit to perform anticompetitive behaviour right out in the open. Ironic!
Thank you for reading. I dedicate this issue of Horrific/Terrific to my queen, Sallie, my girlfriend, who I love.