After a series of tragic missteps by the White House, which led to tens of thousands of Kurds being killed and hundreds of thousands of refugees, American officials tried to claim they had created a cease-fire.

On the face of it their claim doesn’t make any sense, as America turned tail and abruptly left its allies. A cease-fire would be with whom? Can’t say the Kurds or that would mean Turkey is formally acknowledging a Kurdish authority.

The U.S. departure from its position was so sudden, it had to fly in jets to bomb its own supply depots and structures instead of following normal exit procedures. Russians were said to be within hours inhabiting military structures built by Americans.

Russians have fun exploring the hastily abandoned American military base in Syria: “Yesterday it was them and today it is us here. Let’s see how they lived and what they ate.”

The American story-line attempted to say in this context of running away that a cease-fire was negotiated. It gives the impression of Turkey recognizing an authority.

However Turkey officially has said the opposite, as The Economist correspondent in Turkey tweeted:

Turkish FM Çavuşoğlu just now: “We will suspend the Peace Spring operation for 120 hours for the PKK/YPG to withdraw. This is not a ceasefire.”

The joint Turkish-US statement confirms this, calling it a unilateral pause for a Turkish operation.

Cisco announced that it’s wireless access points have an authentication bypass.

The most crucial one is CVE-2019-15260, which could be exploited by attackers by requesting specific URLs from an affected AP and allow them to gain access to the device with elevated privileges.

Kubernetes announced that anyone can be admin by tampering with headers.

…attackers could exploit the bug to authenticate as any user by crafting an invalid header that would go through to the server.

Palo Alto provided an example: “An attacker may send the following request to the proxy: ‘X-Remote-User : admin.’ If the proxy is designed to filter X-Remote-User headers but doesn’t recognize the header because it’s invalid and forwards it to the Kubernetes API server [anyway], the attacker would successfully pass the API request with the roles of the ‘admin’ user.”

Google announced its phones have a facial recognition bypass (you don’t have to be awake).

Google has confirmed the Pixel 4 smartphone’s Face Unlock system can allow access to a person’s device even if they have their eyes closed.

Samsung announced that its phones have a fingerprint reader bypass.

The issue was spotted by a British woman whose husband was able to unlock her phone with his thumbprint just by adding a cheap screen protector.

When the S10 was launched, in March, Samsung described the fingerprint authentication system as “revolutionary”.

…and if anyone remembers 2002 security mailing lists, biometric failure such as Samsung’s was framed as having an important moral.

Matsumoto tried these attacks against eleven commercially available fingerprint biometric systems, and was able to reliably fool all of them. The results are enough to scrap the systems completely, and to send the various fingerprint biometric companies packing. Impressive is an understatement.

There’s both a specific and a general moral to take away from this result. Matsumoto is not a professional fake-finger scientist; he’s a mathematician. He didn’t use expensive equipment or a specialized laboratory. He used $10 of ingredients you could buy, and whipped up his gummy fingers in the equivalent of a home kitchen. And he defeated eleven different commercial fingerprint readers, with both optical and capacitive sensors, and some with “live finger detection” features. (Moistening the gummy finger helps defeat sensors that measure moisture or electrical resistance; it takes some practice to get it right.) If he could do this, then any semi-professional can almost certainly do much much more.

Look at how far we’ve come in 17 years.

Headlines report “Wells Fargo takes $1.6 billion hit linked to fake-account scandal” and their CEOs are being punished for lack of ethics.

For the second time in 2½ years, a chief executive of Wells Fargo & Co. resigned abruptly on Thursday as the scandal-ridden bank took another stab at putting its problems behind it.

Tim Sloan became chief executive in October 2016, succeeding John Stumpf after the company was hit with the first of what would become billions of dollars in penalties for having opened millions of bank accounts without customers’ authorization.

That’s a far cry from Facebook, though, where a CEO continues to run the company despite ethics demonstrably worse than Wells Fargo.

CNN compared them like this:

One company said goodbye to its CEO and other top executives, clawed back tens of millions of dollars in pay, installed a new chair and hired a law firm to find out what went wrong.

The other company hired thousands of new security workers, conducted opposition research on George Soros and insisted senior executives are here to stay.

In recent polling Wells Fargo and Facebook rank near each other near the bottom of consumer perceptions, barely ahead of the bottom-dwelling Trump Organization.