My Weekly RoundUp #117
Sure, the main event of this week was the launch of Tesla Cybertruck, but I've also other interesting topics, for example Wordpress sites under attack, Roboto Linux botnets, Mac malware related to Lazarus and Nextcry, a ransonware that targets Nextcloud instances.
Then some privacy relevant news related to GPS and DuckDuckGo, programming topics on Python and GitHub and finally some news about Doctor Who, The Mandalorian and Star Trek.
The Tesla Cybertruck
Elon, what's this?
Tesla wants to reinvent the pickup with the $39,900 Cybertruck
On Thursday night, Tesla CEO Elon Musk revealed his company's take on that most quintessentially American of automobiles, the pickup truck. "Trucks have been basically the same for 100 years. We want to do something different," Musk told a rapturous audience. He wasn't underselling things. It's called the Cybertruck, and it looks like a cross between the Aston Martin Bulldog, a wedge-shaped concept from the early 1980s, and that cool APC you remember from Aliens.
"We moved the mass to the outside," Musk said, referring to the fact that the Cybertruck has a stainless steel monocoque construction, like the Model 3. Criticizing the body-on-frame construction technique used for almost heavy trucks on sale, Musk told attendees that "the body and the bed don't do anything useful," before launching into a lengthy demonstration of people hitting or shooting body panels and glass from the Cybertruck to prove the toughness of the exterior.
Tesla unveils the wildly futuristic Cybertruck, starting at $39,900
It’s finally here – after years of teasing, Tesla has unveiled the Cybertruck. Yes, that’s the official name, and it’s like no truck you’ve seen before. No real truck, anyway.
With an angular design that would make Christopher Nolan’s Batmobile jealous, the Cybertruck is built to be tough, with “ultra-hard” cold-rolled steel and extra-tough armor glass. Tesla made a point of the toughness, and demonstrated hitting the truck with a sledgehammer and shooting it with a gun (the latter, thankfully not on stage).
Elon Musk's Cybertruck ain't got no alibi: It's ugly
On Thursday night, weird billionaire and Twitter enthusiast Elon Musk revealed the Cybertruck: Tesla's first pickup truck. It was a long-awaited moment for electric vehicle fans, who had been waiting six years for this.
However, it looks like none of those years were spent honing the trucks aesthetics, because the Cybertruck is one powerfully ugly vehicle. That's what Twitter says, and that's the truth.
Seating six, the Cybertruck can supposedly tow 7,500 pounds, accelerate from 0 to 60 mph in less than 6.5 seconds, and travel up to 500 miles on a single charge. This all sounds fairly impressive, and moving away from reliance on fossil fuels should always be encouraged.
But all of this is a moot point if people are embarrassed to be seen driving the thing. Which they will be if they have any affinity for design.
WordPress is by far the most popular content management system (CMS) and, because of its wide usage, it is also popular among cybercriminals. Most of the WordPress sites that have been compromised are the result of attackers exploiting vulnerable versions of the plugins used.
Roboto, a new P2P botnet targets Linux Webmin servers
Researchers at 360Netlab discovered a new P2P botnet, tracked as Roboto, that is targeting Linux servers running unpatched installations of Webmin installs.
The experts first spotted the Roboto botnet in August when they detected a suspicious ELF file. In October one of the honeypots of the company captured the bot, its downloader, and some bot modules.
“Fast forwarded to October 11, 2019, our Anglerfish honeypot captured another suspicious ELF sample, and it turned out to be the Downloader of the previous suspicious ELF sample.” reads the analysis published by 360 Netlab. “The Downloader sample downloads the above Bot program from two hard-coded HTTP URLs. One of the addresses disguised the Bot sample as a Google font library “roboto.ttc“, so we named the Botnet Roboto.”
Mac Backdoor Linked to Lazarus Targets Korean Users
Criminal interest in MacOS continues to grow, with malware authors churning out more threats that target users of the popular OS. Case in point: A new variant of a Mac backdoor (detected by Trend Micro as Backdoor.MacOS.NUKESPED.A) attributed to the cybercriminal group Lazarus, which was observed targeting Korean users with a macro-embedded Microsoft Excel spreadsheet.
New NextCry ransomware targets NextCloud sync and share solution
Attackers are reportedly targeting an NGINX/php-fpm vulnerability to infect users of the NextCloud file sync and share service with a recently discovered ransomware called NextCry.
Infecting a NextCloud instance is doubly damaging to victims because the affected service begins replacing files stored on their synced-up machines with the newly encrypted versions.
In a Nov. 15 report, BleepingComputer describes the NextCry as a “Python script compiled in a Linux ELF binary using pyInstaller.” It encrypts files with an AES algorithm, and has an RSA2048 public key embedded in the malware code. Researcher Michael Gillespie also noted that the file names are encoded with Base 64, as are affected files after they are initially encrypted.
For now, there is no known way to decrypt this malware and, as of at least Nov. 15, NextCry had zero detections on VirusTotal.
Ghost ships, crop circles, and soft gold: A GPS mystery in Shanghai
Ship's captains and outside monitoring firms have reported waves of GPS jamming around Shanghai's ports, on a scale and of a severity never seen before: the jamming causes ships' locations to be incorrectly displayed and to jump around; the observations were confirmed via an anonymized (sic) data-set from a short-hire bike firm, whose bikes are also mysteriously appearing and disappearing at locations all through the region. The spoofing has created a massive local shipping hazard and has led to spectacular shipwrecks.
The most likely culprit in the mystery is sand smugglers, who are part of a global network of sand-thieves who have literally cratered whole cities and islands in their drive to obtain sand for concrete.
Sand for Shanghai's building boom was largely dredged from the Yangtze river, so prolifically that bridges, buildings, riverbanks and ecosystems on the river collapsed. The Chinese state has banned dredging from the Yangtze, but the practice continues, and it's theorized that "soft gold" smugglers are using GPS jammers to prevent Chinese law-enforcement from detecting and interdicting their vessels
DuckDuckGo Will Automatically Encrypt More Sites You Visit
It's increasingly common for the data that passes between your browser and a website's server to be encrypted with HTTPS, which makes it impossible for outside snoops to read. But you don't get that protection if the URL drops that crucial "S" after HTTP. And while some mechanisms do redirect you to an encrypted version of a site, they often do so only after exposing that initial request. The makers of the privacy-focused search engine DuckDuckGo think there's a better way.
Today DuckDuckGo is releasing a feature called Smarter Encryption that combines its existing private search capabilities and tracker blocking service with a new tool to upgrade encryption for more of the sites you visit. It's available on DuckDuckGo's mobile browser for Android and iOS, and through the company's desktop browser extension for Firefox and Chrome. DuckDuckGo is also open sourcing the code behind the feature so other sites and platforms can adopt it as well. First up? Pinterest.
Announcing GitHub Security Lab: securing the world’s code, together
Today at GitHub Universe, we announced GitHub Security Lab to bring together security researchers, maintainers, and companies across the industry who share our belief that the security of open source is important for everyone.
We’re excited to have an initial set of partners that have all committed to achieving this goal. Together, we’re contributing tools, resources, bounties, and thousands of hours of security research to help secure the open source ecosystem.
As part of today’s announcement, GitHub Security Lab is making CodeQL freely available for anyone to find vulnerabilities in open source code. CodeQL is a tool many security research teams around the world use to perform semantic analysis of code, and we’ve used it ourselves to find over 100 reported CVEs in some of the most popular open source projects.
The Incredible Disaster of Python 3
I have long noted issues with Python 3’s bytes/str separation, which is designed to have a type “bytes” that is a simple list of 8-bit characters, and “str” which is a Unicode string. After apps started using Python 3, I started noticing issues: they couldn’t open filenames that were in ISO-8859-1, gpodder couldn’t download podcasts with 8-bit characters in their title, etc. I have files on my system dating back to well before widespread Unicode support in Linux.
Due to both upstream and Debian deprecation of Python 2, I have been working to port pygopherd to Python 3. I was not looking forward to this task. It turns out that the string/byte types in Python 3 are even more of a disaster than I had at first realized.
Postwoman 👽 - An open sourced, free, fast & beautiful alternative to Postman
The very first task I was assigned is an API integration of an old project. That's when I came across Postman API testing. Postman has separate builds targeted to each operating systems made with Electron. I use a low-end PC and can't possibly afford to run another Electron app. From that moment onwards, I wanted to make an API testing platform which is:
- Open Sourced 💚
- Runs online
- Have multi-platform support
- Have multi-device support
- Accessible from anywhere
That's how Postwoman was born (this is a free, fast and beautiful alternative to Postman, it does the job very beautifully and minimally.
Doctor Who: Series 12 Trailer
Coming early 2020
Love Baby Yoda, You Must
No matter how frequently it happens, when people online love something obsessively, when they simply must stan, it always brings out the cynics. Their cynicism, in turn, will be understood as intellectual seriousness. As maturity. To wit: This week the internet pledged its fealty to Baby Yoda—the tiny alien from Disney+’s The Mandalorian—and was immediately met with the rationale of Adult Nerds eager to pronounce each fan a nerf-herding sap who doesn’t really understand the object of their affection. It’s a reality created by clicks as much as crotchetiness. Baby Yoda hype has produced beatific meme-collection posts showcasing how many adherents would die for the li'l green cherub, speculations about what role Baby Yoda will play in The Mandalorian, and beyond. Naysaying is the obvious next step.
Man Turns Old Minivan Into Star Trek TNG Shuttlecraft
Cory Mervis-Bocskor wanted to go to Burning Man in style, and he had an old Ford Aerostar minivan laying around, so he decided to turn it into the Goddard shuttlecraft from Star Trek: The Next Generation. Unfortunately, the vehicle was not street legal, even though the man tried to make it so, so he had to use a trailer to bring it there.
Mayim Bialik Settles The Difference Between ‘Nerd’ and ‘Geek’
Watch as Neuroscientist and Actress Mayim Bialik (Amy Farrah Fowler in The Big Bang Theory) settles the difference between ‘nerd’ and ‘geek’ once and for all.
The video is kind of old, but if you haven’t seen it, it’s definitely worth the watch.