Office Privacy Threatens Swiss Data Security.
Also Telecoms Leak GPS and Printers Are Still Evil

The Internal Memo on Mandatory Data Sharing

Encrypted email and VPN provider Proton is threatening to pack up its monitors and leave its home office in Switzerland over a new government proposal. The proposed amendment to the surveillance law would require private communication services, like VPNs and messaging apps, to essentially become data custodians, identifying and retaining user data upon request. This level of administrative overhead is usually reserved for the larger, more established departments like mobile networks and internet service providers.

Proton CEO Andy Yen stated that the potential regulation would make the company "less confidential than Google" which, from a business perspective, is probably the worst possible performance review one could receive. Mr. Yen has indicated that relocating the entire operation would be necessary if the company is to maintain its core promise of not collecting metadata that could identify a user. This dramatic exit is essentially the equivalent of the one privacy-conscious developer on the team deciding to move to a cabin in the mountains because the IT department installed keystroke logging software on their office desktop. For an organization built on being the secure alternative, the mere discussion of the new policy sets a concerning precedent, even if the legislation appears to be already dead in the water due to political opposition.

The Phone Call That Broadcasted Your Cubicle Coordinates

UK telecom giant O2, which is owned by Virgin Media O2, appears to have accidentally turned its modern phone service into an incredibly granular tracking device. Researcher Daniel Williams discovered that O2's 4G Calling, or VoLTE, service was leaking a surprising amount of recipient information directly back to the caller's phone. Specifically, the IMS signaling messages meant for network maintenance were providing the calling party with the recipient's IMSI, IMEI, and crucial cell location data.

This technical oopsie meant that anyone could essentially geolocate an O2 customer simply by initiating a phone call and checking the SIP headers that came back. In high-density urban areas, the flaw was so detailed it could pinpoint a user's location to an area as small as 100 square meters. It is the digital equivalent of a person answering the phone and their desk chair automatically rolling one block closer to the caller. Virgin Media O2 has since resolved the issue, but only after the vulnerability had been reportedly present for at least two years.

The Printer Justifies the SysAdmin’s Trauma

In a plot twist no one in IT could possibly find surprising, the official driver software for Procolored printers was found to contain full-blown malware for roughly six months. The infected downloads, which were hosted on a third-party file sharing site, contained not one, but two different malware families, including a backdoor known as XRedRAT and a Bitcoin clipboard-replacing tool called SnipVex.

When initial reports came in from tech reviewer Cameron Coward, the China-based company reportedly dismissed the alerts as "false positives" before a deeper investigation by security researcher Karsten Hahn of G Data exposed the severity of the problem. The official explanation from Procolored for how a literal Windows backdoor got into their production files was that the virus was "possibly introduced during this process" when transferring the file from a USB drive. It is the gold standard of "we used the same thumb drive we found in the breakroom" corporate negligence, and confirms every paranoid belief about the one device you cannot trust in the office.

Briefs

• Code Refactoring Advice: A highly-rated article details the structural best practice of having developers push 'ifs' up and 'fors' down. The entire exercise is basically organizing the company's inbox to save five milliseconds of mental processing time.
• CSS Auto-Contrast: Webkit engineers are attempting to implement a new CSS function that would allow the browser to automatically select a contrasting color, solving the perennial problem of developers choosing a text color that is somehow both black and invisible on a dark gray background.
• JavaScript's Explicit Resource Management: The V8 engine has rolled out a new 'superpower' for JavaScript that is essentially a finally standardized way to clean up after yourself, like a developer being taught how to use a finally block to actually release the lock on the shared office spreadsheet. The new feature uses using declarations, which is at least clearer than a sticky note.