Researcher Drops Third Windows Zero-Day Exploit in Four Months Security Boulevard
A security researcher named SandboxEscaper has published proof-of-concept exploit code for an unpatched vulnerability in Windows.
On Thursday morning, I started seeing a bunch of tweets pop up in my feed from people of Iranian backgrounds, who no longer lived in Iran, who were having their entire Slack groups shut down, with the company blaming US laws regarding sanctions on Iran.
Slack closed my account today!
I’m a PhD student in Canada with no teammates from Iran!
Is Slack shutting down accounts of those ethnically associated with Iran?!
And what’s their source of info on my ethnicity?#slack #UsSanctions pic.twitter.com/mY8Ltczq8v
— Amir (@a_h_a) December 19, 2018
So @SlackHQ decided to send me this email. No way to appeal this decision. No way to prove that I'm not living in Iran and not working with Iranians on slack. Nope. Just hello we're banning your account. pic.twitter.com/giqYQcMJYz
— Amir Omidi (@aaomidi) December 20, 2018
Yesterday, @SlackHQ sent me an email. My accounts on various Slack teams had been immediately deactivated, with no prior warning. The reason? I've visited family in Iran and used Slack when there. Only my work's paid-for Enterprise account works still. pic.twitter.com/0GFO3E0oqW
— Sareh (@Sareh88) December 20, 2018
Dear #Slack, instead of kicking out Iranians from your platform you could follow other disgusting solutions like what #Oracle and #Google do; return an error for every request with an Iranian IP. I'm NOT even in Iran!!!
This is literally #Racism pic.twitter.com/sbfjKDd9Jv— Reza Bigdeli (@rezabigdeli6) December 20, 2018
@SlackHQ closed my account linked to my @TU_Muenchen email with workspaces related to university and research in Germany! This is both sad and stupid…#slack pic.twitter.com/DlUoKmjM7U
— Mahdi Saleh (@mahdi_slh) December 19, 2018
Hey @SlackHQ – my account was just deactivated "in order to comply with economic sanctions, etc"…is this because I took a HOLIDAY to Iran?!
— James Lambie (@jimlambie) December 20, 2018
There are a lot more reports like this, but that was just the first batch I found with a quick search. Slack’s explanation to the press seems… lacking:
“We updated our system for applying geolocation information, which relies on IP addresses, and that led to the deactivations for accounts tied to embargoed countries,” the representative said. “We only utilize IP addresses to take these actions. We do not possess information about nationality or the ethnicity of our users. If users think we’ve made a mistake in blocking their access, please reach out to [email protected] and we’ll review as soon as possible.”
All of the blocked people talking about it on Twitter note that they don’t live in any sanctioned country — though many admit to having visited those countries in the past (often years ago) and probably checking in on Slack while they were there. That… is not how the sanctions system is supposed to work. In another press statement Slack tries to pin the blame on the US government:
“Slack complies with the U.S. regulations related to embargoed countries and regions. As such, we prohibit unauthorized Slack use in Cuba, Iran, North Korea, Syria and the Crimea region of Ukraine. For more information, please see the US Department of Commerce Sanctioned Destinations , The U.S. Department of Treasury website, and the Bureau of Industry and Security website.”
But that’s bullshit. The sanctions rules don’t say you have to cut off completely anyone who ever connected from a sanctioned country. The Verge (linked above) spoke to an Oxford researcher with knowledge in this area:
“They are either incompetent at OFAC interpretation or racist,” said Oxford researcher Mahsa Alimardani, who specializes in communication tools in Iran.
[….]
“Detecting an Iranian IP address on a paid account (which is presumed to be for business) login as a violation of sanctions is a wrong interpretation of these regulations,” Alimardani says. “At best it’s over-regulation to prevent any sort of misunderstanding or possible future hassle with OFAC.”
Of course, as former Facebook Chief Security Officer Alex Stamos notes in his own tweet on this topic, this is exactly what happens when you have vague rules with strong punishment, and expect internet platforms to magically police the web:
This is a warning of what you get with regulation that:
1) Puts enforcement responsibility on a tech platform
2) Without real guidelines/safe harbor of how to interpret
3) Over-penalizes false positives
4) Has no appeals process in the actual legal systemGet ready for more! https://t.co/vBUar6Nnap
— Alex Stamos (@alexstamos) December 20, 2018
And of course, we’re seeing more and more and more of that. FOSTA does that in the US. The GDPR is doing that around the globe. The EU Copyright Directive will do that. The EU Terrorist Content Regulation will do it. And a bunch of other regulations targeting the internet as well. That’s why some of us keep warning that these laws are going to lead to widespread censorship and suppression of free speech. Because that’s how it always works out. If you threaten internet platforms with huge penalties for failing to block content, but leave the details pretty vague, they’re going to make decisions like that and simply kick people off their services entirely, rather than face liability. It’s a recipe for disaster — and one that seems to be favored by tons of clueless regulators, politicians, and plenty of people who just don’t realize how much harm they will cause.
Permalink | Comments | Email This Story
Techdirt.