Category Archives: Security

Alibaba “Most-Privilege” Cloud Access Model Compromised

Everyone and their dog knows that Unix systems come with a “least-privilege” default, which for some reason was flipped on its head when Alibaba created a service model.

Trend Micro reports:

…the default Alibaba ECS instance provides root access…all users have the option to give a password straight to the root user inside the virtual machine (VM)… In this situation, the threat actor has the highest possible privilege upon compromise, including vulnerability exploitation, any misconfiguration issue, weak credentials or data leakage. Thus, advanced payloads such as kernel module rootkits and achieving persistence via running system services can be deployed.

Ouch. It’s a burning question who set up Alibaba’s security to be the exact opposite of basic practices.

The rest of the Trend Micro report describes how security detection software was easily disabled since the attacker had total system control.
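A defender can check an instance for the root-password exposure described above. The following is an added example, not code from this post or from the Trend Micro report: it assumes the VM runs OpenSSH and uses the standard `sshd_config` and `shadow` file formats, and the function names and sample inputs are constructed for illustration.

```python
# OpenSSH built-in defaults for the two keywords that matter here.
SSHD_DEFAULTS = {"permitrootlogin": "prohibit-password",
                 "passwordauthentication": "yes"}

def effective_sshd(config_text):
    """Global settings only; sshd keeps the first value it reads per keyword."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":  # simplification: conditional blocks are not evaluated
            break
        if len(parts) == 2:
            seen.setdefault(key, parts[1].strip().lower())
    return {**SSHD_DEFAULTS, **seen}

def root_password_state(shadow_text):
    """Classify root's password field in shadow(5) format."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if fields[0] == "root" and len(fields) > 1:
            pw = fields[1]
            if pw == "":
                return "empty"
            return "locked" if pw[0] in "!*" else "set"
    return "absent"

def audit_root_access(sshd_config_text, shadow_text):
    cfg = effective_sshd(sshd_config_text)
    state = root_password_state(shadow_text)
    root_pw_ssh = (cfg["permitrootlogin"] == "yes"
                   and cfg["passwordauthentication"] == "yes")
    findings = []
    if state == "empty":
        findings.append("root has an empty password field")
    if root_pw_ssh and state == "set":
        findings.append("root can log in over SSH with a password")
    elif root_pw_ssh:
        findings.append("sshd would accept a root password if one is set")
    return findings

# Constructed inputs: a weak instance and a hardened one.
WEAK_SSHD = "PermitRootLogin yes\n#PasswordAuthentication no\nPermitRootLogin no\n"
WEAK_SHADOW = "root:$6$constructedsalt$constructedhash:19000:0:99999:7:::\n"
HARD_SSHD = "PermitRootLogin prohibit-password\nPasswordAuthentication no\n"
HARD_SHADOW = "root:!:19000:0:99999:7:::\n"
```

On a live host, feed the parser the output of `sshd -T` rather than the raw file, since that reflects included drop-in files as well.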

AllTrails is Centrally-Planned Centrally-Managed System Dangerous to Hikers

An interesting Bay Area article has taken AllTrails to task for being a heavily funded attempt to centralize and plan an economy, without investing in the data integrity required to keep people safe.

I get a call from Meaghan Praznik, AllTrails’ head of communications. I ask her why my email led to an immediate change when the National Park Service’s previous outreach did not. She mostly doesn’t answer the question and instead talks about a new feature they’ll be debuting soon, which will apparently let park employees monitor and edit illegal shortcuts added to their 300,000 trails. (This does not seem like something park employees will have time to do.) “What I can say is we really do pride ourselves on offering the safest routes possible,” she says, after I ask her why they gave explicit directions to this incredibly dangerous shortcut. […] I ask her how big a “large team” is, and she says the San Francisco-based company employs more than 100 people, but most of them work on engineering and data integrity. “So you only have a fraction of 100 people trying to keep up with more than 300,000 trails?” I ask. “It is wild,” she replies. Not exactly the reply I was expecting, but it does lead to more questions: To what degree is the largest hiking app in the world responsible for the safety of hikers?

This of course raises the question of why AllTrails exists when they could have just funded improvements to the National Park Service.

There is NO park-sanctioned “Alamere Falls Trail”
Please take note! Many social media posts, websites, and older (and some newer) guide books reference an “Alamere Falls Trail” (also sometimes referred to as a “shortcut to the falls”). The “Alamere Falls Trail” is NOT a maintained trail, and poses many hazards to off-trail hikers—crumbling and eroding cliffs, massive poison oak, ticks, and no cell phone service. Visitors who use this unmaintained trail may endanger themselves and rescuers, and inadvertently cause resource damage, such as trampling plants, which may lead to the death of the trampled plants. On an almost weekly basis, visitors get hurt scrambling down the heavily rutted route leading to the top of the falls or sliding down the crumbly cliff-face to get to the beach, sometimes requiring search and rescue teams to be mobilized. The National Park Service strongly advises visitors against using this unmaintained route. Please use the recommended routes described below to visit the falls.

While a public service like NPS is regulated as an official resource using distributed personnel dedicated to local expertise, AllTrails seems to bank on the very low cost of centrally acquiring information from others while avoiding accountability for being out of touch or lacking knowledge.

Danish Navy Intercepts Pirates, Kills Four

The US Naval Institute reports that ladders in a speedboat were one indicator that led to interception near Malaysia:

The ship was responding to reports of pirate activity and heading to the scene while sending its embarked Royal Danish Air Force MH-60R helicopter in advance to observe the area, according to a Thursday news release from the Danish Armed Forces. The helicopter sighted a speedboat that afternoon with eight men on board in the vicinity of merchant ships in the area and observed that the boat was carrying a number of piracy-associated tools, including ladders.

By the evening, Esbern Snare was close enough to launch rigid-hulled inflatable boats (RHIBs) carrying Danish naval special forces personnel and called on the boat to halt and permit boarding, the news release said. When the boat refused to respond to the call, warning shots were fired, with the pirates responding by firing directly at the personnel in the RHIBs. A brief firefight then ensued, in which no Danish personnel were hit but five pirates were shot, with four of them killed and one wounded. The motorboat sank after the firefight and the surviving four pirates and the bodies of the dead pirates were taken aboard the frigate, where the wounded pirate was given medical treatment. The release said that Denmark’s inter-ministerial working group will handle what will happen next to the pirates.

Unregulated seas and the collapse of safe markets are generally the root cause of piracy in the modern age. Someone financed a speedboat and ladders, not to mention weapons.

Language Pattern Analysis to Detect Social Network Attacks

I have updated our 2006 paper on language pattern analysis to detect social network attacks. Some minor formatting changes were needed, given the last time I generated the PDF was 2011. The original post is here.

Attacks by scammers appear to make sophisticated use of language ideology to abuse trust relationships. Language that indexes a social group allows perceived “authenticity” to be constructed in a way that breaks down a victim’s defenses — a variety of linguistic devices are used as attack tools.