Author: Brian Carnell

Death By Snake Bite

The Guardian has an interesting story about snake bite deaths in the Democratic Republic of the Congo. The story documents about how the effects of snakebites are compounded by the DRC’s lack of infrastructure and poverty.

One of the fascinating statistics in the story is how many people die worldwide from snakebites,

Globally, about 5m snake bites occur worldwide each year, according to the World Health Organization, resulting in between 81,000 and 138,000 deaths. A bite from a viper, cobra or mamba can kill in a matter of hours or leave a victim suffering life-changing injury.

I would not have thought the total deaths would be so high, so decided to track down the WHO statistics that The Guardian cites,

The World Health Organization (WHO) estimates that about 5 million snakebites occur each year, resulting in up to 2.7 million envenomings. Published reports suggest that between 81,000 and 138,000 deaths occur each year. Snakebite envenoming causes as many as 400,000 amputations and other permanent disabilities. Many snakebites go unreported, often because victims seek treatment from non-medical sources or do not have access to health care. As a result it is believed that many cases of snakebite go unreported.

That underreporting means the actual total of snake bites and deaths may be significantly higher,

One of the consequences of inadequate efforts to control snakebite envenoming in the past is that the available epidemiological data are fragmented and lack both resolution and completeness. Accuracy is further reduced by the fact that many victims do not attend health centres or hospitals, and instead rely on traditional treatments. As a result, in some countries the degree of under-reporting is greater than 70% especially in rural areas with poor infrastructure.

CNN–Clickbait Network News

Twitter user Peter Hague recently noticed a fairly typical example of how CNN has become little more than a clickbait site at times, with almost no quality control in the articles it publishes.

The article in question concerns a tweet that Elon Musk sent about an asteroid that will make a near-Earth approach in 2029.

The CNN headline blasts Musk for hyping a non-existent threat,

Despite Elon Musk’s alarmist tweet about an asteroid hitting Earth, NASA says there is no known threat

Ugh. Elon’s at it again talking crazy. So what did Musk say? According to the first three paragraphs, Musk apparently tweeted that an asteroid is going to hit the Earth even though NASA disagrees,

Elon Musk, CEO of SpaceX and Tesla, tweeted that a “big rock” is going to hit Earth, and that we “currently have no defense.”

But NASA, seems to disagree.

Musk’s tweet was a response to another by comedian and podcaster Joe Rogan, who shared an article reporting that NASA has begun preparations for the 1,100-foot-wide asteroid Apophis, which is scheduled to pass by Earth on April 13, 2029. Apophis named after an Egyptian god of death.

Jesus, Elon, stop scaring people into thinking Apophis is going to hit the planet. Lets go to Twitter and reply to his tweet to that effect.

Oh.

So Joe Rogan made a tweet about Apophis, and Elon Musk retweeted him in order to add that this particular asteroid poses little threat to the Earth but that “a big rock will hit Earth eventually & we currently have no defense.”

Don’t worry, though, CNN’s Leah Asmelash isn’t going to let the facts get in her way.

Musk didn’t elaborate on what he meant by “big rock,” so it’s hard to know what he was actually referring to.

NASA’s website, though, clearly says, “No known asteroid poses a significant risk of impact with Earth over the next 100 years.”

Apparently Asmelash’s editors are fine with her rewriting “eventually” into “within the next 100 years by a currently known asteroid.” As the NASA website that she links to notes (but she omits), there are known asteroids that do have a significant risk of hitting the earth in the next 200 years (and by significant, we’re talking about less than .2 percent). And, of course, there are asteroids that we do not know about.

Large objects have hit the planet during the time that homo sapiens have existed, including the Arizona Meteor Crater which was created 50,000 years ago by a meteor estimated to be 60 meters in diameter. According to NASA estimates, that impact released the equivalent of 15 million tons of TNT–equivalent to a small hydrogen bomb (most US nuclear weapons, in contrast, have only about 500 kiloton yields).

Similarly, Asmelash hits out at Musk’s claim that we have no defenses, but the best she can muster is,

“While no known asteroid larger than 140 meters in size has a significant chance of hitting Earth for the next 100 years, NASA and its partners are studying several different methodologies for deflecting a hazardous asteroid,” he said.

Basically, even if an asteroid were hurtling toward Earth, scientists believe they will have the technology to deflect it off course and prevent collision.

Rather than try to illuminate or educate about the potential risks from asteroids and the costs/difficulties in actually doing anything about it, Asmelah apparently saw a chance to write a clickbait story about an “alarmist tweet” that exists entirely in her own story’s mischaracterization of it.

Shame on CNN for this sort of nonsense.

ID Ransomware

ID Ransomware is a service where you upload a ransom note and/or sample file encrypted by ransomware, and the ID Ransomware service tries to pinpoint exactly which ransomware you’ve been hit with.

This service is strictly for identifying what ransomware may have encrypted your files. It will attempt to point you in the right direction, and let you know if there is a known way of decrypting your files. 

Currently ID Ransomware can identify 750 known strains of ransomware.

ArsTechnica’s Analysis of Windows Text Services Security Vunerability

ArsTechnica has a through explanation of Microsoft’s Text Services vulnerability that Google’s Tavis Ormandy recently discovered, leading to security updates in Windows 10 this past week.

[Google’s Tavis] Ormandy didn’t start out looking for problems in the Text Services Framework—all he was really looking for was confirmation that he couldn’t send inter-process messages from an unprivileged process to a privileged process. But when he wrote a test case to send all possible messages to a Notepad.exe instance running as Administrator, he discovered that wasn’t the case: some of his inter-process messages unexpectedly went through.

Once Ormandy identified the culprit as MSCTF.DLL, the next step was figuring out what could be done with it. As he discovered, the answer was “pretty much anything you’d like.” The CTF protocol is a legacy system dating back to 2001’s Office XP, which even included support for Windows 98; it was available with the base system beginning with Windows XP itself. There was no access control at all implemented in the protocol—even sandboxed processes could connect to a CTF session outside their sandbox. Clients report their thread ID, process ID, and window handle—but there was no verification and nothing stopping such a client from lying through its teeth to get what it wants.

. . .

This vulnerability lurked unacknowledged in the Windows stack for 20 years, and the consequences were even farther reaching than the proof-of-concept exploit—CTF can even be used on unpatched systems to bypass AppContainer Isolation used in the newest and supposedly most securely designed applications, such as Microsoft Edge.

An Analysis of 350 Million SSL Connections

Lee Butterman created a dataset of 350 million SSL connections and then mined that for information on the state of SSL/TLS.

On the one hand, Let’s Encrypt was by far the largest registrar, accounting for almost 30 percent of the certs in Butterman’s dataset.

On the other hand, Butterman found that 3 million domains allowed RC4 or 3DES connections, and more than 4 million relied on outdated TLS including TLS 1.0 and 1.2.