A reminder why Open Source is so important: Someone audited Kubernetes

The Cloud Native Computing Foundation (CNCF) today released a security audit of Kubernetes, the widely used container orchestration software, and the findings are about what you’d expect for a project with about two million lines of code: there are plenty of flaws that need to be addressed.

The CNCF engaged two security firms, Trail of Bits and Atredis Partners, to poke around Kubernetes code over the course of four months. The companies looked at Kubernetes components involved in networking, cryptography, authentication, authorization, secrets management, and multi-tenancy.

Having identified 34 vulnerabilities – 4 high severity, 15 medium severity, 8 low severity and 7 informational severity – the Trail of Bits report advises project developers to rely more on standard libraries, to avoid custom parsers and specialized configuration systems, to choose “sane defaults,” and to ensure correct filesystem and kernel interactions prior to performing operations.

“The assessment team found configuration and deployment of Kubernetes to be non-trivial, with certain components having confusing default settings, missing operational controls, and implicitly designed security controls,” the Trail of Bits report revealed. “Also, the state of the Kubernetes codebase has significant room for improvement.”

Underscoring these findings, Kubernetes 1.13.9, 1.14.5, and 1.15.2 were released on Monday to fix two security issues in the software, CVE-2019-11247 and CVE-2019-11249. The former could allow a user in one namespace to access a resource scoped to a cluster. The latter could allow a malicious container to create or replace a file on the client computer when the client employs the kubectl cp command.

As noted by the CNCF, the security auditors found: policy application inconsistencies, which prompt a false sense of security; insecure TLS used by default; environmental variables and command-line arguments that reveal credentials; secrets leaked in logs; no support for certificate revocation, and seccomp (a system-call filtering mechanism in the Linux kernel) not activated by default.

The findings include advice to cluster admins, such as not using both Role-Based Access Controls and Attribute-Based Access Controls because of the potential for inadvertent permission grants if one of these fails.

They also include various recommendations and best practices for developers to follow as they continue making contributions to Kubernetes.

For example, one recommendation is to avoid hardcoding file paths to dependencies. The report points to Kubernetes’ kubelet process, “where a dependency on hardcoded paths for PID files led to a race condition which could allow an attacker to escalate privileges.”

The report also advises enforcing minimum file permissions, monitoring processes on Linux, and various other steps to make Kubernetes more secure.
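Several of the findings summarised above (seccomp not applied by default, credentials exposed through environment variables and command-line arguments, file permissions on mounted secrets) are visible in a Pod manifest before it is ever admitted to a cluster. The following is an added example, not code from the audit report or from the Kubernetes project: a small manifest audit in Python that flags those three conditions and shows the same workload with them addressed. The manifest, image name and credential-looking name patterns are constructed assumptions; the Secret volume default mode of 0644 when `defaultMode` is omitted is Kubernetes’ documented behaviour.

```python
import re
from typing import Any, Dict, List

# Constructed Pod manifest for illustration (not taken from the audit report).
SAMPLE_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "billing-worker"},
    "spec": {
        "containers": [{
            "name": "worker",
            "image": "registry.example.invalid/billing:1.0",   # placeholder image
            "args": ["--db-host=db", "--db-password=hunter2"],  # credential on the command line
            "env": [
                {"name": "API_TOKEN", "value": "tok_constructed_123"},  # literal credential
                {"name": "DB_USER", "value": "app"},
                {"name": "DB_PASSWORD",
                 "valueFrom": {"secretKeyRef": {"name": "db", "key": "password"}}},
            ],
        }],
        "volumes": [{"name": "creds", "secret": {"secretName": "db"}}],  # defaultMode omitted
    },
}

# The same workload with the findings addressed (also constructed).
HARDENED_POD: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "billing-worker"},
    "spec": {
        "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "worker",
            "image": "registry.example.invalid/billing:1.0",
            "args": ["--db-host=db"],
            "env": [
                {"name": "DB_USER", "value": "app"},
                {"name": "API_TOKEN",
                 "valueFrom": {"secretKeyRef": {"name": "api", "key": "token"}}},
                {"name": "DB_PASSWORD",
                 "valueFrom": {"secretKeyRef": {"name": "db", "key": "password"}}},
            ],
        }],
        "volumes": [{"name": "creds", "secret": {"secretName": "db", "defaultMode": 0o400}}],
    },
}

# Assumed heuristics for names and flags that usually carry credentials.
CRED_NAME = re.compile(r"passw(or)?d|secret|token|api[_-]?key|private[_-]?key", re.I)
CRED_FLAG = re.compile(r"^--?[\w-]*(passw(or)?d|secret|token|key)[\w-]*=", re.I)
LEGACY_SECCOMP_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"  # pre-1.19 annotation form


def seccomp_findings(pod: Dict[str, Any]) -> List[str]:
    """Flag containers that end up with no seccomp profile (pod-level, container-level or legacy annotation)."""
    spec = pod.get("spec", {})
    pod_type = spec.get("securityContext", {}).get("seccompProfile", {}).get("type")
    legacy = pod.get("metadata", {}).get("annotations", {}).get(LEGACY_SECCOMP_ANNOTATION)
    out = []
    for c in spec.get("containers", []):
        effective = c.get("securityContext", {}).get("seccompProfile", {}).get("type") or pod_type or legacy
        if effective is None or effective.lower() == "unconfined":
            out.append(f"container '{c['name']}': no seccomp profile, syscall filtering is off")
    return out


def credential_findings(pod: Dict[str, Any]) -> List[str]:
    """Flag credential-looking env vars given as literals and credential flags in command/args."""
    out = []
    for c in pod.get("spec", {}).get("containers", []):
        for e in c.get("env", []):
            if "value" in e and CRED_NAME.search(e["name"]):
                out.append(f"container '{c['name']}': env {e['name']} is a literal value, not a Secret reference")
        for word in c.get("command", []) + c.get("args", []):
            if CRED_FLAG.match(word):
                out.append(f"container '{c['name']}': credential on the command line: {word.split('=')[0]}=...")
    return out


def secret_volume_findings(pod: Dict[str, Any]) -> List[str]:
    """Flag Secret volumes whose files are readable by group/other (Kubernetes default is 0644)."""
    out = []
    for v in pod.get("spec", {}).get("volumes", []):
        if "secret" in v:
            mode = v["secret"].get("defaultMode", 0o644)
            if mode & 0o077:
                out.append(f"volume '{v['name']}': Secret files mounted with mode {mode:04o}, readable beyond the owner")
    return out


def audit_pod(pod: Dict[str, Any]) -> List[str]:
    return seccomp_findings(pod) + credential_findings(pod) + secret_volume_findings(pod)


if __name__ == "__main__":
    for name, pod in (("sample", SAMPLE_POD), ("hardened", HARDENED_POD)):
        print(name, audit_pod(pod) or "no findings")
```

The check is deliberately conservative: a literal value in an env var named `DB_USER` is not flagged, while anything that looks like a token, key or password is expected to come from a `secretKeyRef` and to be mounted with owner-only permissions.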

In an email to The Register, Chris Aniszczyk, CTO and COO of CNCF, expressed satisfaction with the audit process. “We view it positively that the whole process of doing a security audit was handled transparently by the members of the Kubernetes Security Audit WG, from selecting a vendor to working with the upstream project,” he said. “I don’t know of any other open source organization that has shared and open sourced the whole process around a security audit and the results. Transparency builds trust in open source communities, especially around security.”

Asked how he’d characterize the risks present in Kubernetes at the moment, Aniszczyk said, “The Kubernetes developers responded quickly and created appropriate CVEs for critical issues. In the end, we would rather have the report speak for itself in terms of the findings and recommendations.”

Source: Captain, we’ve detected a disturbance in space-time. It’s coming from Earth. Someone audited the Kubernetes source • The Register

Why is this good? Because these holes will be fixed instead of exploited.

Amazon’s Ring Is Teaching Cops How to Persuade Customers to Hand Over Surveillance Footage

According to a new report, Ring is also instructing cops on how to persuade customers to hand over surveillance footage even when they aren’t responsive to police requests.

According to a police memo obtained by Gizmodo and reported last week, Ring has partnerships with “over 225 law enforcement agencies,” and Ring is actively involved in scripting and approving how police communicate those partnerships. As part of these relationships, Ring helps police obtain surveillance footage both by alerting customers in a given area that footage is needed and by asking to “share videos” with police. In a disclaimer included with the alerts, Ring claims that sharing the footage “is absolutely your choice.”

But according to documents and emails obtained by Motherboard, Ring also instructed police from two departments in New Jersey on how best to coax the footage out of Ring customers through its “neighborhood watch” app Neighbors in situations where police requests for video were not being met, including by providing police with templates for requests and by encouraging them to post often on the Neighbors app as well as on social media.

In one such email obtained by Motherboard, a Bloomfield Police Department detective requested advice from a Ring associate on how best to obtain videos after his requests were not being answered and further asked whether there was “anything that we can blast out to encourage Ring owners to share the videos when requested.”

In this email correspondence, the Ring associate informed the detective that a significant part of customer “opt in for video requests is based on the interaction law enforcement has with the community,” adding that the detective had done a “great job interacting with [community members] and this will be critical in regard to increased opt in rate.”

“The more users you have the more useful information you can collect,” the associate wrote.

Ring did not immediately return our request for comment about the practice of instructing police how to better obtain surveillance footage from its own customers. However, a spokesperson told Motherboard in a statement that the company “offers Neighbors app trainings and best practices for posting and engaging with app users for all law enforcement agencies utilizing the portal tool,” including by providing “templates and educational materials for police departments to utilize at their discretion.”

In addition to Gizmodo’s recent report that Ring is carefully controlling the messaging and implementation of its products with its police departments, a report from GovTech on Friday claimed that Amazon is also helping police work around denied requests by customers to supply their Ring footage. In such instances, according to the report, police can approach Ring’s parent company Amazon, which can provide the footage that police deem vital to an investigation.

“If we ask within 60 days of the recording and as long as it’s been uploaded to the cloud, then Ring can take it out of the cloud and send it to us legally so that we can use it as part of our investigation,” Tony Botti, public information officer for the Fresno County Sheriff’s Office, told GovTech. When contacted by Gizmodo, however, a Ring spokesperson denied this.

Source: Amazon’s Ring Is Teaching Cops How to Persuade Customers to Hand Over Surveillance Footage

Must. Surveill. The. People.

Democratic Senate campaign group exposed 6.2 million Americans’ emails

Data breach researchers at security firm UpGuard found the data in late July, and traced the storage bucket back to a former staffer at the Democratic Senatorial Campaign Committee, an organization that seeks grassroots donations and contributions to help elect Democratic candidates to the U.S. Senate.

Following the discovery, UpGuard researchers reached out to the DSCC and the storage bucket was secured within a few hours. The researchers shared their findings exclusively with TechCrunch and published their findings.

The spreadsheet was titled “EmailExcludeClinton.csv” and was found in a similarly named unprotected Amazon S3 bucket without a password. The file was uploaded in 2010 — a year after former Democratic senator and presidential candidate Hillary Clinton, whom the data is believed to be named after, became secretary of state.

UpGuard said the data may be people “who had opted out or should otherwise be excluded” from the committee’s marketing.


A redacted portion of the email spreadsheet (Image: UpGuard/supplied)

Stewart Boss, a spokesperson for the DSCC, denied the data came from Sen. Hillary Clinton’s campaign and claimed the data had been created using the committee’s own information.

“A spreadsheet from nearly a decade ago that was created for fundraising purposes was removed in compliance with the stringent protocols we now have in place,” he told TechCrunch in an email.

Despite several follow-ups, the spokesperson declined to say how the email addresses were collected, where the information came from, what the email addresses were used for, how long the bucket was exposed, or if the committee knew if anyone else accessed or obtained the data.

We also contacted the former DSCC staffer who owned the storage bucket and allegedly created the database, but did not hear back.

Most of the email addresses were from consumer providers, like AOL, Yahoo, Hotmail and Gmail, but the researchers found more than 7,700 U.S. government email addresses and 3,400 U.S. military email addresses, said the UpGuard researchers.

The DSCC security lapse is the latest in a string of data exposures in recent years — some of which were also discovered by UpGuard. Two incidents in 2015 and 2017 exposed 191 million and 198 million Americans’ voter data, respectively, including voter profiles and political persuasions. Last year, 14 million voter records on Texas residents were also found on an exposed server.

Source: Democratic Senate campaign group exposed 6.2 million Americans’ emails | TechCrunch

And Amazon is still not putting these buckets up secured by default.
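Whether a bucket like the one described above is reachable by anyone comes down to three settings: the bucket policy, the bucket ACL, and the account or bucket level Block Public Access flags, which can override the first two. The following is an added example and not part of the TechCrunch or UpGuard material: a Python routine that evaluates those three inputs offline and reports which of them exposes the bucket. The policy, ACL and flag documents are constructed samples in the shape the S3 API returns, with placeholder bucket and VPC endpoint names.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed bucket policy: one statement open to everyone, one restricted by Condition.
SAMPLE_POLICY: Dict[str, Any] = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-exports/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-exports/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-placeholder"}}}
  ]
}
""")

# Constructed bucket ACL with a grant to the AllUsers group (i.e. the whole internet).
SAMPLE_ACL: Dict[str, Any] = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}

# Block Public Access configuration: every flag off, then every flag on.
PAB_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
PAB_ON = {k: True for k in PAB_OFF}

PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account, still public
}


def _as_list(v: Any) -> List[Any]:
    return v if isinstance(v, list) else [v]


def _principal_is_wildcard(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"} (a "*" inside a list counts too)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_public_sids(policy: Dict[str, Any]) -> Tuple[List[str], List[str]]:
    """Return (unconditional public Allow Sids, public Allow Sids that carry a Condition)."""
    open_sids, conditional_sids = [], []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _principal_is_wildcard(st.get("Principal")):
            continue
        (conditional_sids if st.get("Condition") else open_sids).append(st.get("Sid", "<no Sid>"))
    return open_sids, conditional_sids


def acl_public_grants(acl: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (group name, permission) for every grant to a public group."""
    out = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            out.append((grantee["URI"].rsplit("/", 1)[-1], g.get("Permission", "")))
    return out


def assess_bucket(policy: Dict[str, Any], acl: Dict[str, Any], pab: Dict[str, bool]) -> Dict[str, Any]:
    """Combine policy, ACL and Block Public Access flags into an exposure verdict."""
    open_sids, conditional_sids = policy_public_sids(policy)
    grants = acl_public_grants(acl)
    # RestrictPublicBuckets neutralises a public policy; IgnorePublicAcls neutralises public ACL grants.
    policy_exposed = bool(open_sids) and not pab.get("RestrictPublicBuckets", False)
    acl_exposed = bool(grants) and not pab.get("IgnorePublicAcls", False)
    return {
        "public": policy_exposed or acl_exposed,
        "policy_public_sids": open_sids,
        "policy_conditional_sids": conditional_sids,  # need manual review, not flagged as open here
        "acl_public_grants": grants,
        "block_public_access_complete": all(pab.get(k, False) for k in PAB_OFF),
    }


if __name__ == "__main__":
    print(json.dumps(assess_bucket(SAMPLE_POLICY, SAMPLE_ACL, PAB_OFF), indent=2))
    print(json.dumps(assess_bucket(SAMPLE_POLICY, SAMPLE_ACL, PAB_ON), indent=2))
```

Statements with a `Condition` are reported separately rather than counted as open, because a wildcard principal limited to a VPC endpoint or source IP is not world-readable; the point of the Block Public Access flags is that they close the bucket even when someone later adds a policy or ACL like the ones above.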

Epic Store Rage Has Gotten Out Of Hand

The developers of cutesy Animal Crossing/Pokémon mashup Ooblets just had a weekend from hell. After trying to preempt a tidal wave of rage over their newly announced Epic Games Store exclusivity, they got hit with a swirling tsunami of foaming-at-the-mouth anger, up to and including death threats and anti-Semitic hoaxes. This is the worst overreaction to an Epic deal that’s yet been publicized. It’s also part of a larger trend that the video game industry has let run rampant for far too long.

Today, Ooblets designer Ben Wasser published a lengthy Medium post about the harassment that he and his sole teammate at development studio Glumberland, programmer/artist Rebecca Cordingley, have been subjected to. In it, he discussed in detail what he’s only alluded to before, showing numerous screenshots of threatening, often racist and sexist abuse and pointing to coordinated efforts to storm the Ooblets Discord and propagate fabricated messages that made it look like Wasser said anti-Semitic things about gamers. In part, he blamed the tone of his tongue-in-cheek announcement post for this, saying that while it’s the tone the Ooblets team has been using to communicate with fans since day one, it was a “stupid miscalculation on my part.”

It is, on no uncertain terms, insane to expect that anyone might have to deal with a reaction like this because of some slight snark in a post about what is to them very good news. Actually, let’s just sit with that last point for a second: If you’re a fan of Ooblets, the Epic Store announcement is fantastic news; no, you don’t get to play it on Steam, and yes, the Epic Store is a weird, janky ghost town of a thing that’s improving at an alarmingly slow rate, but thanks to Epic’s funding, Ooblets and the studio making it are now guaranteed to survive. Thrive, even, thanks to additional staff and resources. You’ve got to download another (free) client to play it, but you get the best possible version of the game you were looking forward to, and its creators get to keep eating, which is something that I’ve heard keeps people alive.

And yet, in reaction to this, people went ballistic, just like they have so many times before. This is our default now. Every tiny pinprick slight is a powder keg. Developers may as well have lit matches taped to their fingers, because any perceived “wrong” move is enough to set off an explosive consumer revolt. And make no mistake, the people going after Ooblets were not fans, as evidenced by the fact that, according to Wasser, they didn’t even know how the game’s Patreon worked. Instead, they were self-described “consumers” and “potential customers” who felt like the game’s mere existence granted them some impossibly huge stake in its future. Wasser talked about this in his post:

“We’ve been told nonstop throughout this about how we must treat ‘consumers’ or ‘potential customers’ a certain way,” he said. “I understand the relationship people think they might be owed when they exchange money for goods or services, but the people using the terms consumers and potential customers here are doing so specifically because we’ve never actually sold them anything and don’t owe them anything at all… Whenever I’ve mentioned that we, as random people happening to be making a game, don’t owe these other random people anything, they become absolutely enraged. Some of the most apparently incendiary screenshots of things I’ve said are all along these lines.”

We need to face facts: This kind of mentality is a major force in video game culture. This is what a large number of people believe, and they use it as a justification to carry out sustained abuse and harassment. “When presented with the reality of the damage inflicted, we’ve seen countless people effectively say ‘you were asking for it,’” said Wasser. “According to that logic, anything anyone says that could rub someone the wrong way is cause for the internet to try to ruin their life. Either that, or our role as two people who had the nerve to make a video game made us valid targets in their minds.”

Things reached this deranged fever pitch, in part, because companies kowtowed to an increasingly caustic and abusive consumer culture, frequently chalking explosive overreactions up to “passion” and other ostensibly virtuous qualities. This culture, to be fair, is not always out of line (see: loot boxes, exploitative pricing from big publishers, and big companies generally behaving in questionable ways), but it frequently takes aim at individuals who have no actual power and contains people who are not opposed to using reprehensible mob tactics to achieve their goals—or just straight up deploying consumer-related concerns as an excuse to heap abuse on people and groups they hate. While the concerns, targets, and participants are not always the same, it’s hard to ignore that many of these mob tactics were pioneered and refined on places like 4chan and 8chan, and by movements like Gamergate—other pernicious elements that the gaming industry has widely failed to condemn (and has even engaged with, in some cases).

In the world of PC gaming, Valve is the biggest example of a company that utterly failed to keep its audience in check. Valve spent years lingering in the shadows, resolutely remaining hands-off until everything caught on fire and even the metaphorical “This is fine” dog could no longer ignore the writing on the wall. Or the company got sued. In this environment, PC gamers developed an oppositional relationship with game makers. Groups sprung up to police what they perceived as sketchy games—but, inevitably, they ended up going after perfectly legitimate developers, too. Users flooded forums when they were upset about changes to games or political stances or whatever else, with Valve leaving moderation to often-understaffed development teams instead of putting its foot down against abuse. Review bombs became a viable tactic to tank games’ sales, and for a time, any game that ran afoul of the larger PC gaming consumer culture saw its score reduced to oblivion, with users dropping bombs over everything from pricing decisions to women and trans people in games.

Smaller developers, utterly lacking in systemic or institutional support, were forced to respond to these attacks, granting them credibility. The tactics worked, so people kept using them, their cause justified by the overarching idea that many developers are “lazy” and disingenuous—when, in reality, game development is mind-bogglingly difficult and takes time. Recently, Valve has begun to take aim at some of these issues, but the damage is already done.

Whether unknowingly or out of malice, Valve went on to fire the starting gun for this same audience to start giving Epic Store developers trouble. When publisher Deep Silver announced that Metro Exodus would be an Epic Store exclusive, Valve published a note on the game’s Steam store page calling the move “unfair.” Inevitably, Steam review bombs of previous games in the series followed, as did harassment of individual developers and even the author of the books on which the Metro video game series is based. Soon, this became a pattern when any relatively high-profile game headed toward Epic’s (at least temporarily) greener pastures.

That brings us to Ooblets. The game’s developers are facing astounding abuse over what is—in the grand scheme of life, or even just media platforms—a minor change of scenery. But they’re not backing down.

“I recognize that none of this post equates to an apology in any way that a lot of the mob is trying to obtain, and that’s by design,” Wasser wrote in his Medium post. “While some of what I’ve said was definitely bad for PR, I stand behind it. A portion of the gaming community is indeed horrendously toxic, entitled, immature, irrationally-angry, and prone to joining hate mobs over any inconsequential issue they can cook up. That was proven again through this entire experience. It was never my intention to alienate or antagonize anyone in our community who does not fit that description, and I hope that you can see my tone and pointed comments were not directed at you.”

And while Epic is, at the end of the day, an industry titan deserving of some of the scrutiny that gets hurled its way, it’s at least taking a stand instead of washing its hands of the situation like Valve and other big companies have for so long.

“The announcement of Ooblets highlighted a disturbing trend which is growing and undermining healthy public discourse, and that’s the coordinated and deliberate creation and promotion of false information, including fake screenshots, videos, and technical analysis, accompanied by harassment of partners, promotion of hateful themes, and intimidation of those with opposing views,” Epic said in a statement yesterday, concluding that it plans to “steadfastly support our partners throughout these challenges.”

So far, it seems like the company has been true to its word. “A lot of companies would’ve left us to deal with all of this on our own, but Epic has been by our side as our world has gone sideways,” said Wasser. “The fact that they care so much about a team and game as small as us proves to us that we made the right call in working with them, and we couldn’t be more thankful.”

That’s a step in the right direction, and hopefully one that other companies will follow. But the gaming industry has allowed this problem to grow and grow and grow over the course of many years, and it’s hard to see a future in which blowups like this don’t remain a regular occurrence. In his post, Wasser faced this sad reality.

“I hope that laying all this out helps in some way to lessen what pain is brought against whoever the next targets are, because we sadly know there will be many,” he said. “You should have opinions, disagree with things, make arguments, but don’t try to ruin people’s lives or jump on the bandwagon when it’s happening. What happened to us is the result of people forgetting their humanity for the sake of participating in video game drama. Please have a little perspective before letting your mild annoyance lead to deeply hurting a fellow human being.”

Source: Epic Store Rage Has Gotten Out Of Hand

This is insane