Linguistic Lumberjack & cloud vulnerabilities | FOSS tools when there is no net neutrality
CyberInsights #140 - Vulnerability in a log parser used by most major cloud service providers || It's not really FOSS when it costs more to access it
A ubiquitous log parser has a critical bug
Most cloud service providers use ‘Fluent Bit’ (the log parser). There is a possibility that your cloud environment could be hacked.
For an application that claims to have been deployed over 10 billion times (yeah, you heard that right - 10 billion), Fluent Bit is not well known outside its core circle.
I hadn’t heard of it until I read this article about a critical bug in Fluent Bit that allows DoS & RCE. And then, I researched Fluent Bit. See this 9-minute video for an overview of Fluent Bit.
Fluent Bit is a lightweight, high-performance log parser. Most major cloud platforms use it.
A vulnerability called “Linguistic Lumberjack” in Fluent Bit allows its built-in HTTP server to be subjected to DoS attacks. Read the technical details and the PoC here. [LINK].
Take Action:
If you are deploying Fluent Bit in your own environment, update to the latest version where this has been fixed.
If you are using a cloud service and you do not know if you have the Fluent Bit vulnerability, reach out to your service provider for a confirmation that this has been fixed.
If you are a cyber insurer, you know that this is a case of accumulation risk. You do know whether your book has exposure to cloud platforms, right?
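If you run Fluent Bit yourself, the first thing to know before (and after) upgrading is whether the built-in HTTP server that Linguistic Lumberjack targets is even enabled and reachable from outside the host. The check below is an added example, not code from the newsletter or from the Fluent Bit project: it parses a Fluent Bit classic-format config and classifies the server as disabled, local-only or exposed. It assumes the real [SERVICE] keys http_server, http_listen and http_port and their defaults (Off, 0.0.0.0, 2020); the sample config is constructed.

```python
"""Exposure check for Fluent Bit's built-in HTTP server (added example)."""
from __future__ import annotations

# Constructed sample config in Fluent Bit's classic "[SECTION] / key value" format.
SAMPLE_CONFIG = """\
[SERVICE]
    flush        1
    http_server  On
    http_listen  0.0.0.0
    http_port    2020

[INPUT]
    name tail
    path /var/log/app/*.log
"""


def parse_service_section(text: str) -> dict[str, str]:
    """Return the key/value pairs of the [SERVICE] section, keys lower-cased."""
    settings: dict[str, str] = {}
    in_service = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            # Section header: only [SERVICE] holds the HTTP server settings.
            in_service = line[1:-1].strip().upper() == "SERVICE"
            continue
        parts = line.split(None, 1)  # "key   value", any whitespace between
        if in_service and len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip()
    return settings


def http_server_exposure(text: str) -> dict[str, object]:
    """Classify the built-in HTTP server as disabled, local-only, or exposed."""
    svc = parse_service_section(text)
    enabled = svc.get("http_server", "off").lower() in ("on", "true")
    listen = svc.get("http_listen", "0.0.0.0")  # Fluent Bit default: all interfaces
    port = int(svc.get("http_port", "2020"))    # Fluent Bit default port
    if not enabled:
        status = "disabled"
    elif listen in ("127.0.0.1", "localhost", "::1"):
        status = "local-only"
    else:
        status = "exposed"
    return {"enabled": enabled, "listen": listen, "port": port, "status": status}


if __name__ == "__main__":
    print(http_server_exposure(SAMPLE_CONFIG))
```

An "exposed" result means the endpoint is reachable on every interface, so network policy or a loopback bind is worth tightening alongside the version upgrade.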
Activists find it expensive to access FOSS privacy tools in Myanmar
Net Neutrality is a big deal. Every country should strive for it.
Facebook has a service called Free Basics. This is what they say about it on their official page:
“Free Basics makes the internet accessible to more people by providing them access to a range of free basic services like news, maternal health, travel, local jobs, sports, communication, and local government information.”
Read more about it here. [LINK].
It’s a plan to save the world. Like Thanos.
Free Basics is a program that makes Facebook the face of the internet. Facebook partners with telecom companies and offers some data services for free. You pay for the rest. On the face of it, it is a service that will help the poor have more access to the internet. This is not so. It divides the internet into two parts. It makes Facebook very powerful. Facebook (and the telcos or the government) can decide what internet the people see. For the rest of the internet, you have to pay more.
It was implemented in Myanmar. Read this article to see how it makes life more difficult. [LINK]
With an internet for the poor and a different internet for the rich, activists who are protesting in Myanmar do not have access to the free and open source software (FOSS) tools that protect their privacy. The Signal messenger is available, but not on Free Basics, so many people are left out. Activists have to resort to less secure and less private messengers.
In 2016, Facebook tried to set up its Free Basics program in India. India protested. [LINK]. They even made videos about Net Neutrality:
And won. Free Basics was never implemented in India. It is illegal for telcos to levy “Discriminatory charges for data services”, meaning that all data has to be charged at the same rate.
India won. Myanmar was not so lucky.
I’ve rambled on about Net Neutrality more than I wanted to, but it is something I strongly believe in.
Take Action:
There is no direct action here.
If you have not heard of the word “Net Neutrality”, then read up on it. Big tech can play foul when it has the possibility to make huge profits.
Hey thank you for this one