👍 Kettle Botnet
Mudge testifies | Cyber resilience act to destroy your kettle | Facebook’s antitrust lawsuit acrobatics
Hiyerrrr. Just incase you are unaware of what British life is like right now, citizens are forming The Queue of the Century to go look at a dead old woman in a box with fancy drapes over it (can’t even prove that she’s actually in there!). Meanwhile, with every single voter either in the queue or looking at the queue, the prime minister no one asked for has unbanned fracking. It’s just great here.
Anyway, enough of the real world. Let’s hop into the matrix instead. This week was good! Finally 👍. Because:
The UK’s cyber resilience act seeks to delete all IoT devices from the face of the Earth (it’s about time)
That there Twitter whistleblower went in front of what the US refers to as their ‘congress’ (room full of wrinkly white people), and explained just how broken Twitter really is
Facebook are leveraging an antitrust lawsuit to engage in some antitrustworthy behaviour. Good for them for finally being innovative!
🧑‍⚖️ New act dropped
It’s time to learn about the cyber resilience act, because this week some new TOUGH rules were announced. This regulation is an attempt by the UK government to appear to be cracking down on cybercrime.
🧊 Cool facts:
The regulation says that makers of IoT devices will have to inform the authorities, and their consumers, about any attacks on their devices
Failure to comply with this will result in the usual consequence: fines
Oh but wait, there’s one more juicy consequence: the regulator will have the power to take devices off the market if they are not deemed secure enough. Apparently, right now, that would account for around half the IoT devices out there.
This legislation caught my eye because, as you may know by now, I am all for anything that weakens the distribution of IoT devices into the world. This news prompted me to do a little digging — including consulting my good friend Clement Briens, who runs Misinfosec UK. Below is a mixture of stuff he told me and stuff I told myself, with my own brain.
🧠 Literally the last thing we need is more IoT devices, so I believe this legislation is probably Good Vibes™️. Makers of these devices generally don’t build them with security in mind; they are simply built to perform a function, and assume that the people handling the software side of things will also do the security stuff. It’s a lot of passing the buck, basically.
🧠 We are entering the 5G age. IoT devices are always on, and probably always talking to each other. 5G is low-latency and high-bandwidth, which is exactly what connected devices need to function well — in other words: prepare yourself for the oncoming torrent of IoT devices. Nothing will be safe. Your toaster; your sofa cushions; bus stops; pumpkin spiced lattes; NOTHING.
🧠 Bad actors + an extremely hackable grid of connected devices = chaos. Maybe it will be the kind of chaos we like but… we really can’t predict that, can we? IoT devices can be — and have been — used to form botnets (a collection of machines that someone has hacked and is controlling all at once), which can perform DDoS attacks and even conduct misinformation campaigns.
So what I’m saying is, don’t you DARE buy that smart kettle. If you do, you’re just part of the problem.
📢 Something something Twitter is broken
You may remember that less than a month ago, the ex-security chief at Twitter did some whistleblowing, and changed things forever made the headlines for a bit. This week he testified in front of some old dusty law-makers in the US. I feel like so many of the questions that got thrown at him were about national security, and how likely it was that a government agent from a foreign country was on Twitter’s payroll — too much paranoia and not enough scrutinising of actual internal negligence, IMO.
As fascinating and non-racist as it is, let’s put ‘national security’ to one side for a sec and examine the more interesting stand-out points:
No one working at Twitter knows where any of the data is or what it’s doing. This means, when new engineers are on-boarded, it’s easier just to give them access to everything — so, hundreds of engineers around the world have access to too much data, and the only thing that’s stopping them from fucking with it is how much of Twitter’s kool-aid they may or may not have had.
Apparently, they do not use a staging environment. All changes are pushed straight to the live site. Maybe I’m naive but I find this one very hard to believe. Even the stupidest engineers running the smallest, most inconsequential service have an environment set up where they can test stuff. Right? Right????
They do not fear US regulators. Now this one makes perfect sense to me. Of course they don’t — paying the meagre FTC fines is just the cost of doing business. They aren’t afraid of the regulators in the US, because the regulators haven’t actually done any regulating yet; Twitter have no incentive to stop doing whatever they’re getting fined for, because they can afford the fines very easily.
✨ Ultimate thing to take away from this: I literally have no idea. The world seems to be saturated in hearings full of senators asking the wrong questions, and whistleblowers with unconvincing arguments. It’s getting harder and harder to care — it’s what I call scandal fatigue.
⚖️ Facebook’s lawyers literally don’t give a FUCK
In 2020 the FTC turned around to Facebook and said: ‘you know what?? I’ve had it with you!’ and slapped them with a gigantic lawsuit, the main complaint being that Facebook are simply too big. That’s actually quite an unoriginal complaint. I’d rather stand out and complain about the fact that there are ‘left’ and ‘right’ shoes when they could just be designed to fit BOTH feet. Think about it.
Anyway… a lot has happened since 2020. Let’s review:
In July 2021 the federal courts came back to the FTC saying that they failed to demonstrate that Facebook has a monopoly over social media. Pretty impressive to fail at something like that.
Then in August 2021, the FTC refiled the lawsuit, saying that Facebook actually was indeed a monopoly, because — via some obscure parameters — they argued that TikTok (probably the hugest direct competitor to Facebook) does not count as social media.
This week, Facebook are using this lawsuit as an excuse to take the absolute piss…
As part of forming their defence, Facebook have, for some reason, subpoenaed 132 companies (such as Snap, TikTok, and Clubhouse) to get some vital information. Things like how they get users, how they make money, their marketing strategies, etc. So basically, everything they need to utterly destroy their competitors. They’re literally using this antitrust lawsuit to perform anticompetitive behaviour right out in the open — ironic!
Thank you for reading. I dedicate this issue of Horrific/Terrific to my queen, Sallie, my girlfriend, who I love.