Bleeding clouds, sad AWS, and more news

An exciting/terrifying new robot and the security corner round out the news. Read on...

Share this using the hashtag #SWE.

Opinions on Internet regulation. I was recently at CTO World Congress in San Francisco speaking with technical leaders in our industry, and we recorded video interviews with many people. Our first video is live, featuring Nelson Petracek and Amit Zavery discussing their take on internet regulation. Check it out:

The sad bleeding cloud. The “Cloudbleed” security failure hit mainstream news coverage this week. The issue, discovered by Google Project Zero researcher Tavis Ormandy, was a bug in Cloudflare’s HTML parser: an end-of-buffer check tested for equality (==) where it needed “greater than or equal” (>=), so a page containing a certain kind of malformed HTML could push the parser one byte past the end of its input buffer, after which the check never fired and the parser kept reading from other parts of the edge server’s memory. That memory was then emitted into responses for unrelated customers, including session cookies, POST bodies and other request data, and some of those responses were cached by search engines before they could be cleaned up. Check out the (technical) postmortem from Cloudflare to learn what happened and how it was mitigated, or their follow-up post where they attempt to quantify how much data was leaked. If you run a site behind Cloudflare, the practical response is to rotate session cookies and any API keys or other secrets that could have passed through the proxy.
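To make the bug class concrete, here is a small added example written for this rundown; it is not Cloudflare’s parser or anything from their postmortem. It is a toy attribute scanner in C that advances with ++p and then checks for end-of-input the way Ragel-generated code does. The page text, the neighbouring “SESSION=COOKIE” bytes and the hard_end guard are all constructed for the demonstration, and the guard exists only so the buggy variant cannot walk off allocated memory in a demo. With an == check, an unterminated attribute value makes the scanner overshoot pe and copy the neighbouring data into its output; with >= it stops where it should.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed illustration of the Cloudbleed bug class. This is not
 * Cloudflare's parser; it is a toy scanner written for this article.
 *
 * Ragel-generated scanners step with `++p` and then test whether p has
 * reached the end pointer `pe`. If any action can leave p sitting exactly
 * at pe, the following `++p` overshoots, an `==` test never fires, and the
 * scanner keeps consuming whatever memory happens to follow the buffer.
 */

static const char PAGE[]   = "<a b=\"x";        /* unterminated attribute value */
static const char SECRET[] = "SESSION=COOKIE";  /* constructed neighbouring data */

/* Scan [p, pe) for name="value" attributes, recording every byte visited in
 * `seen`. `hard_end` marks the end of the allocation and exists only so the
 * buggy variant cannot trigger real undefined behaviour in this demo; a
 * production parser has no such guard. Returns the number of bytes visited. */
static size_t scan_attrs(const char *p, const char *pe, const char *hard_end,
                         int strict_bound, char *seen, size_t seen_cap)
{
    size_t n = 0;
    if (p >= pe)
        return 0;
    while (p < hard_end) {
        if (n < seen_cap)
            seen[n] = *p;
        n++;
        if (*p == '"') {
            /* Skip a quoted value. The inner loop is bounded, so an
             * unterminated value leaves p == pe instead of at a quote. */
            p++;
            while (p < pe && *p != '"')
                p++;
        }
        ++p;                                  /* advance, then test for end */
        if (strict_bound ? (p >= pe) : (p == pe))
            break;                            /* `==` misses when p == pe + 1 */
    }
    return n;
}

/* Lay the page out with unrelated data directly after it, as another
 * request's buffer might sit next to it in a long-lived process, then scan
 * only the page. Returns bytes visited; `seen` receives what was read. */
size_t scan_demo(int strict_bound, char *seen, size_t seen_cap)
{
    char region[sizeof PAGE - 1 + sizeof SECRET];
    memcpy(region, PAGE, sizeof PAGE - 1);
    memcpy(region + sizeof PAGE - 1, SECRET, sizeof SECRET);  /* includes NUL */
    return scan_attrs(region, region + sizeof PAGE - 1, region + sizeof region,
                      strict_bound, seen, seen_cap);
}

/* Number of bytes the scanner touched for the given bound check. */
size_t bytes_visited(int strict_bound)
{
    char seen[64] = {0};
    return scan_demo(strict_bound, seen, sizeof seen - 1);
}

/* 1 if bytes of SECRET ended up in the scanner's output, else 0. */
int leaks_neighbour(int strict_bound)
{
    char seen[64] = {0};
    scan_demo(strict_bound, seen, sizeof seen - 1);
    return strstr(seen, "COOKIE") != NULL;
}

int main(void)
{
    char seen[64] = {0};
    size_t n = scan_demo(0, seen, sizeof seen - 1);
    printf("== bound: visited %zu bytes, output \"%s\"\n", n, seen);
    memset(seen, 0, sizeof seen);
    n = scan_demo(1, seen, sizeof seen - 1);
    printf(">= bound: visited %zu bytes, output \"%s\"\n", n, seen);
    return 0;
}
```

The fix is a one-character change to the comparison, which is exactly why this class of bug survives review: the == check is correct for every input in which no action moves p more than one byte, and only the malformed case exposes it.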

The sad us-east-1 region. Amazon Web Services suffered another serious outage, this time with the index subsystem of S3 in the us-east-1 region going down. That subsystem manages the metadata and location information for every object in the region, so essentially every S3 request there failed, and because so many other AWS services (new EC2 instance launches and EBS snapshots among them) and a large slice of the Internet depend on S3, the blast radius was enormous. The root cause was a fat-fingered command: an engineer following a runbook to remove a small number of servers from the S3 billing system mistyped an input and removed a much larger set, including servers backing the index subsystem. Oops. (Hilariously, Amazon’s notoriously optimistic status page stayed all green for the first hour or so of the outage, because updating it depended on S3 too.) Moral of the story? If you’re deploying something to AWS that needs to stay up, it needs to be in more than one region, and whatever you rely on to detect and announce an outage (your status page, your alerting, the deploy pipeline you would use to fail over) must not depend on the region that just went away.

The bears have ears. Another day, another “internet-connected toy so poorly engineered that the database storing all the data is wide open to the public on the internet” story, this one detailed by Troy Hunt. In this case the exposed database was a MongoDB instance with no authentication, and the children’s voice recordings it referenced sat in an Amazon S3 bucket that needed no credentials to read. It is worse than usual, because someone had already defaced the database with a ransom note demanding 1 BTC to have the attacker’s copy of the data deleted. The toy manufacturer responded with a somewhat dodgy statement insisting that everything is fine. There is a lot more detail on how the toy itself (not just the web service) is poorly secured in this post.

A primer on reverse engineering. Exactly what it says on the tin: learn how to reverse engineer in this great tutorial on reverse-engineering a router, which I learned about from Hackaday.

The Department of Justice is sitting on a Tor Browser vulnerability. It must be really useful to them, because they are letting someone they were prosecuting for child pornography go free rather than reveal the source code of the exploit they used to gather evidence against him, a man who allegedly accessed the Playpen site that the FBI had seized and was running as a honeypot. The defendant isn’t off the hook forever, though: the case was dismissed without prejudice, which leaves the government free to refile if it later decides it is willing to give up the source code.

They should have called it the T-1000, not Handle. A new robot from Boston Dynamics was announced through a stunning YouTube video that shows it zipping around landscapes and performing other pretty amazing feats, for a robot, including a 9 mph travel speed and a four foot vertical leap. If your name is Sarah Connor, you’d better work on your endurance – Handle has a 15 mile range on one charge. Check it out:

In the security corner: botnet attacks will get worse, Slack had a token-disclosure vulnerability, and an overview of how traffic resellers evade detection:

  • In news I’m certain surprised absolutely nobody, botnet attacks will only get worse over time. This piece from Bruce Schneier gives a primer on what botnets are and explains why the attacks they have carried out are likely to continue and grow in strength.
  • Slack had a bug that could give away a user’s access to third parties. The bug was fixed within a few hours of disclosure and required that the user be logged in to Slack through the web client rather than the standalone application. The post disclosing the bug provides an awesome level of detail on how the exploit was developed and tested.
  • Ad traffic resellers have crafty techniques for getting around fraud detection, reports Digiday in this post. Discussions on the internet suggest that fraudsters can bypass detection systems by combining multiple methods and that they’re always on the lookout for ways around new fraud analysis systems.

I’m excited to announce that we’ll add original video to the rundown next week. Stay tuned! As always, if you have feedback, or think there’s something I should cover next time, leave a comment – and don't forget to use #SWE anytime you write on LinkedIn.

Cover photo: Not everything in the cloud is great. Credit: erhui1979 / Getty Images – Edited by LinkedIn

Xavier Honablue, M.Ed.

Managing Partner at Maxad Associates, LP

8 years ago

so the lesson here is... Google Cloud is the way to go? clingey.com is ok with that.

Nitin Vig

Engineer, Investor, Entrepreneur, Inventor

8 years ago

Thanks for compiling these important developments under a post Greg Leffler. I missed the "Handle" update this week - great to see. That is a pretty amazing video!

Phoenix Gonzalez

Co-Founder | Public Speaker | Moderator | Host

8 years ago

Greg, thank you for writing this. I have one question based on this comment: “If you’re deploying something to AWS that needs to stay up, it needs to be in more than one region.” What other options are there for startups, especially those who are ramping up and may not have the additional funds to be in more than one region? Best, Phoenix Gonzalez
