HackerTrans
TopNewTrendsCommentsPastAskShowJobs

kogepathic

no profile record

comments

kogepathic
·il y a 2 mois·discuss
> Did they ever fix PCIe over thunderbolt security?

It seems to depend on whether you're on a desktop or mobile device. [1]

> macOS 13 Ventura was released in 2022 and for portable Macs with Apple CPUs Apple introduced a feature known as ‘Accessory Security’ (also known as ‘Restricted Mode’)

> By default, portable Macs (i.e. laptops) with an Apple CPU running macOS 13 Ventura or newer version of macOS will require the end user to authenticate and approve a Thunderbolt device when initially connected.

> Stationary Macs (i.e. desktops) with an Apple CPU running macOS 13 Ventura or newer version of macOS do NOT implement the ‘Accessory Security’ feature. As a result, Thunderbolt devices will be automatically approved and authenticated when initially connected.

Anecdotally, I have had Dell and Lenovo laptops with Thunderbolt and in Linux I had to manually approve each new device before it would function. [2]

[1] https://kb.plugable.com/docking-stations-and-video/do-i-need...

[2] https://wiki.archlinux.org/title/Thunderbolt#User_device_aut...
kogepathic
·il y a 4 mois·discuss
> That sounds like what Software Freedom Conservancy would call a GPL violation

Sure, it is. So what? Have you got 200k for lawyers and years of your life to spend in court fighting over it?

I have personally contacted the SFC with ample evidence of deliberate and wilful GPL violations, such as providing a written offer for source code and then ignoring or flat out refusing requests for the source code. The SFC has acknowledged the vendors are violating the spirit and letter of the GPL.

Nothing happens. The SFC is one organisation with limited resources, FOSS developers don't want to spend their time in court, they'd rather develop software. Vendors know 9 times out of 10 they will get away with the GPL violation scot-free.

It's fine to put on your rose colored glasses and pretend GPL forces companies to release source code. Reality is, the vendors have a larger marketing budget than the entire SFC endowment and the vendor's legal team is happy to tar-pit requests ad infinitum.
kogepathic
·il y a 4 mois·discuss
> AFAIK you could, today, with no legal changes, have a vendor release 100% of the code under eg. a MIT license while also making the device refuse to run firmware not signed with their keys.

This is already the case today with many embedded devices. They have secure boot enabled so even if the vendor releases the GPL source code (big if), you can't do anything because the device will only boot the vendor's signed firmware.

> at a minimum I think there should be a wifi card that does refuse modifications and a main application processor that is 100% user controlled so that they can actually fix problems without needing the vendor to help

This is already possible. The RF components frequently have a signed firmware blob that is verified on load. There is no reason but planned obsolescence and greed keeping the application processor locked to running the vendor's signed code.
kogepathic
·il y a 6 mois·discuss
> Forcing the release of signing keys would be a security disaster. The first person to grab the expired domain for the auto update server for a IoT device now gets a free botnet.

Have you seen the state of embedded device security? It is already an unmitigated disaster.

Since you bring up botnets, there are far more exploited security vulnerabilities because a vendor EOLed support (or went bankrupt) and their firmware contained bugs that cannot be fixed because a signed firmware is required, or the source code was not provided than because their signing keys were leaked and someone is distributing malicious updates.

> Forcing vendors to release their security mechanisms to the public and allow anyone to sign firmware as the company is not what you want, though.

Yes, it is what I want. I am perfectly aware of the potential downsides and what I am proposing is worth it. The product is already EOL. In our current era of enshittification, vendor pinky promises to implement a user-bypass in their signed boot chain is not good enough. Look at the Other OS controversy on the PS3 if you want an example of this in practice, or Samsung removing bootloader unlocking in their One UI 8.0 update.

> The only real way to make devices securely re-usable with custom firmware requires some explicit steps and action to signal that the user wants to run 3rd-party firmware: A specific button press sequence is enough. You need to require the user to do something explicit to acknowledge that 3rd-party software is being installed, though.

The vendor has implemented an internal pad on the laser-welded, weather sealed, IP-rated smart watch that must be shorted to disable secure boot. Opening the device to access this will essentially destroy it, but we preserved the vendor's secure boot signing keys so missioned accomplished!
kogepathic
·il y a 6 mois·discuss
This is very much not an option on most embedded devices. They allow one key to be burned once.

IIRC, a certain Marvell SoC datasheet says multiple key slots are supported, but the boot ROM only supports reading the first entry (so really, only one key is supported).
kogepathic
·il y a 6 mois·discuss
> What I am asking for: publish a basic GitHub repo with the hardware specs and connection protocols. Let the community build their own apps on top of it.

This concept works fine for the author's example of a kitchen scale, but fails when the device in question is something like a router that has secure boot with one key burned into e-fuses.

In that case we need both open software and a requirement that the manufacturer escrow signing keys with someone so that after EOL any software can be run.
kogepathic
·il y a 6 mois·discuss
> She would see 'sign up now for 20% off!' and smile! like it positively hit her like she just won the lottery

If you intend to purchase an item from the merchant anyway, why would you pass on 20% off?

I sign up for newsletters to get a discount then immediately unsubscribe. If merchants are going to offer a discount for me to input my email, copy the code they email me, and GMail unsubscribe why would I turn that down?
kogepathic
·il y a 7 mois·discuss
Hard no on giving Jolla a cent. Jolla rug-pulled [1] people who crowd-funded [2] their tablet in 2014.

Jolla used the crowd-funding campaign to butter up VCs for their next funding round [3] and then decided the Asian LLC handling the crowdfunding would go bankrupt, leaving backers with no tablets and most with no refund. [4]

The real kicker was that the tablets were ALREADY manufactured by their ODM, Jolla just never paid them. Took backers money and stiffed their manufacturing partner too. For a while after the campaign folded you could buy Jolla branded tablets (running Android, it was just an ODM model they flashed Sailfish on) on eBay or Taobao [5]. I just checked and there's a Jolla Tablet listed on eBay right now. [6]

10 years later, it looks like they're trying the same thing. Maybe they think the internet has forgotten, but I have zero interest in supporting their next hardware rug-pull endeavour.

[1] https://together.jolla.com/question/97695/information-regard...

[2] https://www.indiegogo.com/en/projects/jolla/jolla-tablet-wor...

[3] https://jolla.com/content/uploads/2017/02/46_JOLLATABLET_STR...

[4] https://blog.jolla.com/second_phase_refund/

[5] https://old.reddit.com/r/Jolla/comments/3x2s7e/jolla_tablets...

[6] https://archive.ph/Ncf17
kogepathic
·il y a 8 mois·discuss
> Pick any app you want and search for it. Ideally it has a pretty unique name and not just a dictionary wod. What will you see? The first result will always be an ad for a completely different app.

This is also the case on the Play Store. Google *always* places the ad above the actual result, even if you search by the app ID (e.g. org.videolan.vlc)
kogepathic
·il y a 9 mois·discuss
> The problem is that if everyone hops jobs every 9-18 months, it’s not worth training up juniors because the employer will never get to benefit.

It is absolutely worth hiring and training juniors. The quality of your onboarding process and documentation will improve. Not only that but a junior will ask questions that senior engineers take for granted, such as "why are we doing X this way?" which can lead to improvements that your existing engineers might not have considered.

Finally, if junior engineers are joining your organisation and leaving every 9-18 months, you need to take a serious look at your career progression ladder and compensation. I have seen way too many companies that have an arbitrary "you cannot receive a promotion in the first X months" HR policy which is just asinine. You know who doesn't have this stupid policy? The company your junior just accepted an offer from.

If your organisation doesn't have the tools and processes to up skill junior engineers into seniors, then it doesn't have professional development for senior engineers and is just a career dead end.
kogepathic
·il y a 9 ans·discuss
> He seems actually content with Amazon eating the world, and I don't think it will be a net positive for humanity.

You mean Bezos? Well of course, he's CEO of Amazon and I don't think the board or shareholders would tolerate him saying "this is such a good idea that would make us tonnes of money, but we'd better give the opportunity to someone else"

I'm actually kind of amazed that Amazon has managed to plow so much money into their business without shareholders throwing a fit. The usual modus operandi of activist shareholders now is to get the company to pay out as much money as possible to shareholders while investing as little as possible into R&D. They've even managed to squeeze Apple into stock buy backs! Amazon seems to have avoided this and is thus able to invest lots of money into their business units, and look at how it's paid off for them (amazingly well).

Regarding Amazon eating the world, I'm not that concerned about it honestly. If Amazon starts acting like a monopoly, regulators will step in and force them to divest from certain business segments. If Amazon gets lazy and starts charging people higher prices or offering a more limited selection, then people will vote with their wallets and order from somewhere else.

So on the whole I still see Amazon as a net positive. They're pushing the rest of industry to innovate in ways we haven't seen before (logistics, online shopping, cloud services, assistants) and this is a win for consumers.

Sure, there's been some high profile bankruptcies/fire sales from competitors who haven't been able to adapt (e.g. Sears in 6 months), but I have to ask: do you really want to prop up companies that cannot compete in the market? That doesn't make sense from a consumer or economic perspective.
kogepathic
·il y a 9 ans·discuss
> So in general, use a trusted channel for key exchange separate from the communication channel so that a MITM needs to control both channels?

Yes, this is how PGP verification is supposed to take place.

Someone sends you their public key, and then you meet them in person to verify it.

Of course, nothing stops the government from sending an agent to meet you, but it does raise the effort required to MITM substantially.