Zombie Miles And Napa Weekends: How A Week With Chauffeurs Showed The Major Flaw In Our Self-Driving Car Future
> A few years ago, Mustapha Harb realized there was a problem in his field of research about how autonomous cars will change the way people travel. The solution to the problem he settled on was as simple as it was revealing.
> Using 13 volunteers (a very small sample size due to budgetary constraints) from the San Francisco Bay Area who owned cars, Harb and his team studied their travel patterns using GPS trackers on their cars and phones for one week, then gave them a chauffeur for a week who would drive the participants’ personal vehicles for them. Finally, the researchers observed the subjects for a final week to look for any changes returning to their chauffeur-less life.
iOS Jailbreak via MIDIServer Sandbox Escape
> While the kernel has a large amount of userland-reachable functionality, much of this attack surface is not accessible due to sandboxing in iOS. By default, an app is only able to access about 10 drivers’ userclients, which is a relatively small amount of code. Therefore, first escaping the app sandbox can be highly beneficial in order to attack the kernel.
> In contrast to the kernel, many daemons running in userland are accessible via the default app sandbox. One such example is a daemon called MIDIServer (com.apple.midiserver). This daemon allows apps and other services to interface with MIDI hardware which may be connected to the device.
snek - Python from PowerShell
> Snek is a cross-platform PowerShell module for integrating with Python. It uses the Python for .NET library to load the Python runtime directly into PowerShell. Using the dynamic language runtime, it can then invoke Python scripts and modules and return the result directly to PowerShell as managed .NET objects.
You Can’t Just Call Loans Options
> Also tech companies as banks, the bank of crypto and index funds.
> A weird feature of U.S. tax law is that, if you do a thing purely to get around tax rules, then that is bad and a sham and the IRS can look through it and make you pay your taxes. But if you do the thing not only to get around tax rules but also to get around other rules (like margin requirements), then from the IRS’s perspective you have a valid business purpose and you might be able to keep your good tax treatment. “We’re not just gaming your rules, we’re gaming other regulators’ rules too” is, surprisingly, an argument that might persuade the IRS.
> The advertising for the Apple card calls it “A new kind of credit card. Created by Apple, not a bank.” That appears to be true of the appearance of the physical card. But the credit algorithms were created by a bank, to Apple’s eventual embarrassment. It is just a little odd that Apple seems to have been so incurious about the algorithms. It’s a tech company!
Introducing iVerify, the security toolkit for iPhone users
> Not only does iVerify help you keep your data confidential and limit data sharing, it helps protect the integrity of your device. It’s normally almost impossible to tell if your iPhone has been hacked, but our app gives you a heads-up. iVerify periodically scans your device for anomalies that might indicate it’s been compromised, gives you a detailed report on what was detected, and provides actionable advice on how to proceed.
drgn - Scriptable debugger library
> drgn (pronounced “dragon“) is a debugger-as-a-library. In contrast to existing debuggers like GDB which focus on breakpoint-based debugging, drgn excels in live introspection. drgn exposes the types and variables in a program for easy, expressive scripting in Python.
The Unrepeatable Architectural Moment of Yugoslavia’s “Concrete Utopia”
> Monument to the Uprising of the People of Kordun and Banija, in Petrova Gora, Croatia. Abstract, boldly expressive memorials once dotted the Yugoslavian countryside by the thousands.
The Atlantic Makes a New Mark
> New visual identity and product experience launch today, with redesigned print magazine and reimagined iOS App.
Mostly fluff, but the logo is now just an A because words are hard.
The day when starting a receiver fixed the transmitter
> Have you ever tried to do something, but had it fail and weren’t really sure why? Did you then try to fall back to doing something you could actually measure in order to then get a handle on the problem? I had something like this happen quite a while back with some software defined radio stuff. Here’s how it went.
Motorola Brings Back The Razr: Flip-Phone In 2020
> Motorola has today announced a modern successor to one of the most iconic phones ever released: the Razr V3. The popular flip-phone was first released in 2004 and had been a huge success for the company as it went on to sell over 100M units. The clamshell design was immensely popular as it was a lot thinner and had a unique design. The new Razr takes the core aspects of this design and ports it over to the latest 2019 technologies. At the heart of the new smartphone lies Motorola’s take on foldable displays, giving the new Razr a proper modern “full body screen” experience.
A nice look at how they got the fold to work. We’ll see.
The wet bird
> This image won the March-April 2000 round of the Internet Ray-Tracing Competition, with the topic “City”
> There are many city pictures in Oyonale. Cities are a favourite subject of mine, so that the IRTC “City” topic was somehow perfect. Too perfect actually, because it came at a time when I was tired of making urban pictures. I didn’t want to make another “something strange happens here” picture, or model another building. I wanted fresh ideas that would involve the use of new techniques.
> Of course, even with the city as the main attraction, the image still lacked concept. The Megapov documentation provided the solution: because meshes can be copied (almost) endlessly, they’re good candidates for motion blur. So here it was: the picture would be about New York (actually a fantasy twin), and it would involve a motion-blurred character. Since motion blur is primarily a photographic effect, it was another excuse to make the picture highly realistic. The character could be a ghost from the past: a human being, like a 19th-century lady, or even an animal. I briefly ran experiments with a deer, but I decided that I had made enough “animals in the city” pictures. The character also could be a simple, hurried passer-by. In fact, I’m still not sure of what the blurred character really is.
The Bytecode Alliance: Building a secure, composable future for WebAssembly
> We have a vision of a WebAssembly ecosystem that is secure by default, fixing cracks in today’s software foundations. And based on advances rapidly emerging in the WebAssembly community, we believe we can make this vision real.
> WebAssembly can provide the kind of isolation that makes it safe to run untrusted code. We can have an architecture that’s like Unix’s many small processes, or like containers and microservices. But this isolation is much lighter weight, and the communication between them isn’t much slower than a regular function call. This means you can use them to wrap a single WebAssembly module instance, or a small collection of module instances that want to share things like memory among themselves.
TAA and other RIDL issues
> On Nov 12, 2019, we (VUSec) disclose TSX Asynchronous Abort (TAA), a new speculation-based vulnerability in Intel CPUs as well as other MDS-related issues, as described in our new RIDL addendum. In reality, this is no new vulnerability. We disclosed TAA (and other issues) as part of our original RIDL submission to Intel in Sep 2018. Unfortunately, the Intel PSIRT team missed our submitted proof-of-concept exploits (PoCs), and as a result, the original MDS mitigations released in May 2019 only partially addressed RIDL. You can read the full story below.
> On July 3, 2019, we finally learned that, to our surprise, the Intel PSIRT team had missed the PoCs from our Sep 29 submission, despite having awarded a bounty for it, explaining why Intel had failed to address - or even publicly acknowledge - many RIDL-class vulnerabilities on May 14, 2019.
When you have so many problems you’re paying out bounties without knowing what for...
Tearing apart printf()
> If ‘Hello World’ is the first program for C students, then printf() is probably the first function. I’ve had to answer questions about printf() many times over the years, so I’ve finally set aside time for an informal writeup.
> This wild goose chase is not only a great learning experience, but also an interesting test for the dedicated beginner. Will they come back with an answer? If so, how detailed is it? What IS a good answer?
The Google Squeeze
> OTAs have always been a special case when it comes to Aggregation Theory; like Aggregators, they serve customers on a zero marginal cost basis, and they have power over supply (hotels, primarily) by virtue of delivering them demand. The hangup for me is how they acquire that demand: first and foremost from Google.
> This arrangement between OTAs and Google has long been beneficial to both sides. Google drives traffic to the OTAs, which can monetize that traffic via commissions extracted from suppliers. Google, meanwhile, not only receives relevant results it could serve to customers, but also makes billions of dollars from OTAs buying search ads.
TPM—Fail TPM meets Timing and Lattice Attacks
> We discovered timing leakage on Intel firmware-based TPM (fTPM) as well as in STMicroelectronics’ TPM chip. Both exhibit secret-dependent execution times during cryptographic signature generation. While the key should remain safely inside the TPM hardware, we show how this information allows an attacker to recover 256-bit private keys from digital signature schemes based on elliptic curves.
> This research shows that even rigorous testing as required by Common Criteria certification is not flawless and may miss attacks that have explicitly been checked for. The STMicroelectronics TPM chip is Common Criteria certified at EAL4+ for the TPM protection profiles and FIPS 140-2 certified at level 2, while the Intel TPM is certified according to FIPS 140-2. However, the certification has failed to protect the product against an attack that is considered by the protection profile.
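To make the leak concrete, here is an added model (my own illustration, not TPM-Fail's code and not any TPM firmware): ECDSA-style scalar multiplication k*G on a constructed toy curve y^2 = x^3 + 2x + 3 over GF(97), with the number of point operations standing in for execution time. The curve, the base point and the op-count proxy are all assumptions made for the example; the comparison it shows (a loop that starts at the nonce's top set bit versus a fixed-iteration loop) is the shape of the leak and of its fix.

```c
#include <stdint.h>
#include <stdio.h>

/* Added model, not TPM-Fail's code or any TPM firmware: ECDSA-style scalar
 * multiplication k*G on a constructed toy curve y^2 = x^3 + 2x + 3 over GF(97),
 * with the number of point operations standing in for execution time. */
#define P_MOD   97
#define CURVE_A 2

typedef struct { int64_t x, y; int inf; } point;   /* inf: point at infinity */

static const point G = { 3, 6, 0 };                  /* 6^2 = 3^3 + 2*3 + 3 mod 97 */

static int64_t md(int64_t a) { a %= P_MOD; return a < 0 ? a + P_MOD : a; }

static int64_t inv(int64_t a)                        /* a^(p-2) mod p, p prime */
{
    int64_t r = 1, b = md(a);
    for (int e = P_MOD - 2; e > 0; e >>= 1) {
        if (e & 1) r = r * b % P_MOD;
        b = b * b % P_MOD;
    }
    return r;
}

/* Affine add/double; *ops counts every call as one unit of "time". */
static point ec_add(point p, point q, int *ops)
{
    (*ops)++;
    if (p.inf) return q;
    if (q.inf) return p;
    if (p.x == q.x && md(p.y + q.y) == 0) return (point){ 0, 0, 1 };
    int64_t lam = (p.x == q.x)
        ? md(md(3 * p.x * p.x + CURVE_A) * inv(2 * p.y))
        : md(md(q.y - p.y) * inv(md(q.x - p.x)));
    int64_t x3 = md(lam * lam - p.x - q.x);
    int64_t y3 = md(lam * md(p.x - x3) - p.y);
    return (point){ x3, y3, 0 };
}

/* Leaky: the loop starts at the nonce's top set bit, so the op count (the
 * "time") reveals bit_length(k) plus its Hamming weight. Short nonces are fast. */
static point mul_leaky(int64_t k, int *ops)
{
    point r = { 0, 0, 1 };
    int bits = 0;
    *ops = 0;
    while ((k >> bits) != 0) bits++;
    for (int i = bits - 1; i >= 0; i--) {
        r = ec_add(r, r, ops);
        if ((k >> i) & 1) r = ec_add(r, G, ops);
    }
    return r;
}

/* Branch-free select: returns bit ? a : b without a data-dependent jump. */
static point ct_select(point a, point b, int bit)
{
    int64_t m = -(int64_t)(bit & 1);
    point r;
    r.x = (a.x & m) | (b.x & ~m);
    r.y = (a.y & m) | (b.y & ~m);
    r.inf = (int)((a.inf & m) | (b.inf & ~m));
    return r;
}

/* Fixed: always `bits` iterations, always one double and one add, so the op
 * count is 2*bits whatever k is. This is the shape of a constant-time fix. */
static point mul_fixed(int64_t k, int bits, int *ops)
{
    point r = { 0, 0, 1 };
    *ops = 0;
    for (int i = bits - 1; i >= 0; i--) {
        point d = ec_add(r, r, ops);
        point s = ec_add(d, G, ops);
        r = ct_select(s, d, (int)((k >> i) & 1));
    }
    return r;
}

int leaky_ops(int64_t k)           { int n; mul_leaky(k, &n); return n; }
int fixed_ops(int64_t k, int bits) { int n; mul_fixed(k, bits, &n); return n; }
int is_point(int64_t k, int64_t x, int64_t y)
{
    int n; point p = mul_leaky(k, &n);
    return !p.inf && p.x == x && p.y == y;
}
int results_agree(int64_t k, int bits)
{
    int n1, n2;
    point a = mul_leaky(k, &n1), b = mul_fixed(k, bits, &n2);
    return a.inf == b.inf && a.x == b.x && a.y == b.y;
}

int main(void)
{
    printf("nonce 0x0001: leaky %2d ops, fixed %2d ops\n", leaky_ops(1), fixed_ops(1, 16));
    printf("nonce 0x8000: leaky %2d ops, fixed %2d ops\n", leaky_ops(1 << 15), fixed_ops(1 << 15, 16));
    printf("nonce 0xffff: leaky %2d ops, fixed %2d ops\n", leaky_ops(0xffff), fixed_ops(0xffff, 16));
    return 0;
}
```

The attack side of TPM-Fail is the selection step this model exposes: time many signing operations, keep the fast ones (their nonces have leading zero bits, like the short k values above), and feed the known-short nonces into a lattice (hidden number problem) solver to recover the private key. The fixed-iteration loop removes the signal that selection step depends on; whether a real implementation is actually constant time has to be measured, which is exactly what the certifications mentioned in the quote did not do.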
On the Internet, No One Knows You’re Not Rich. Except This Account.
> In February, an Instagram account called @BallerBusters cropped up and began wreaking havoc on the flashy Instagram entrepreneur community.
> Its goal: To expose phony entrepreneurs. Using a mix of screen-shotted receipts, memes and crowdsourced information from followers, the account seeks out people who don’t “act their wage.”
children_tcache writeup and tcache overview
> This article is intended for the people who already have some knowledge about heap exploitation. If you already know some heap attacks on glibc<2.26 it’ll be fully understandable to you. But if you don’t, don’t worry - I’ve tried to make this post approachable for everyone with just basic knowledge. If you really know nothing about the topic, I recommend heap-exploitation.
> Tcache is an internal mechanism responsible for heap management. It was introduced in glibc 2.26 in the year 2017. Its objective is to speed up the heap management. Older algorithms are not removed, but they are still used sometimes - for example for bigger chunks, or when an appropriate tcache bin is full. But heap exploitation with this mechanism is a lot easier due to a lack of heap integrity checks.
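An added model of the mechanism the writeup describes, not code from the post and not glibc's own: a single tcache bin whose list handling mirrors what glibc 2.26's tcache_put/tcache_get do (a singly linked list of freed chunks whose next pointer is trusted as-is, at most 7 entries per bin), plus, behind a flag, the key field and double-free check that glibc 2.29 later added. The arena, the chunk size and the target address are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model of one tcache bin (not glibc's code): the list handling mirrors
 * glibc 2.26's tcache_put/tcache_get; the key field and the check in
 * model_free mirror the double-free detection added in glibc 2.29. */
#define CHUNK_SIZE   32
#define NCHUNKS      8
#define TCACHE_COUNT 7          /* glibc's default per-bin limit */

typedef struct tcache_entry {
    struct tcache_entry *next;  /* the only link: a singly linked free list */
    void *key;                  /* 2.29+: marks "this chunk is in a tcache" */
} tcache_entry;

typedef union { tcache_entry e; uint8_t raw[CHUNK_SIZE]; } chunk;

static chunk heap[NCHUNKS];     /* constructed arena: all chunks fall in one bin */
static chunk target;            /* stands in for any address an attacker wants */
static struct { tcache_entry *head; int count; } bin;
static int next_fresh;
static int hardened;            /* 0: 2.26 behaviour, 1: 2.29-style key check */

static void model_init(int harden)
{
    memset(heap, 0, sizeof heap);
    memset(&target, 0, sizeof target);
    memset(&bin, 0, sizeof bin);
    next_fresh = 0;
    hardened = harden;
}

/* free(): push the chunk on the bin. 2.26 validates nothing about it. */
static int model_free(void *p)
{
    tcache_entry *e = p;
    if (hardened && e->key == (void *)&bin) {
        /* 2.29: key matches, so walk the bin; finding e means a double free */
        for (tcache_entry *t = bin.head; t; t = t->next)
            if (t == e) return -1;          /* "double free detected in tcache 2" */
    }
    if (bin.count >= TCACHE_COUNT) return -2; /* real glibc falls back to fastbins etc. */
    e->next = bin.head;
    if (hardened) e->key = &bin;
    bin.head = e;
    bin.count++;
    return 0;
}

/* malloc(): pop the head. next is followed with no check that it is a chunk. */
static void *model_malloc(void)
{
    if (bin.head) {
        tcache_entry *e = bin.head;
        bin.head = e->next;
        bin.count--;
        if (hardened) e->key = NULL;
        return e;
    }
    if (next_fresh < NCHUNKS) return &heap[next_fresh++];
    return NULL;
}

/* Double free: 2.26 hands the same chunk out twice; 2.29 rejects the second
 * free. Returns 1 when two consecutive mallocs return the same chunk. */
int demo_double_free(int harden)
{
    model_init(harden);
    void *a = model_malloc();
    model_free(a);
    if (model_free(a) != 0) return 0;
    void *x = model_malloc();
    void *y = model_malloc();
    return x == y;
}

/* Poisoning: a use-after-free write replaces next, so the second malloc
 * returns target. The key check does not help: it only looks at free.
 * Returns 1 when the attacker-chosen address comes back from malloc. */
int demo_poison(int harden)
{
    model_init(harden);
    void *a = model_malloc();
    void *b = model_malloc();
    model_free(a);
    model_free(b);                            /* bin: b -> a */
    ((tcache_entry *)b)->next = &target.e;    /* attacker's dangling-pointer write */
    void *first = model_malloc();             /* b */
    void *second = model_malloc();            /* &target, never a heap chunk */
    return first == b && second == (void *)&target;
}

int main(void)
{
    printf("double free  2.26: %d  2.29: %d\n", demo_double_free(0), demo_double_free(1));
    printf("poison next  2.26: %d  2.29: %d\n", demo_poison(0), demo_poison(1));
    return 0;
}
```

The double-free half is what the 2.29 key check closes; the poisoned next pointer survives it, which is why tcache poisoning kept working until glibc 2.32 added safe-linking (next is stored XORed with the entry's address shifted right by 12, so a plain overwrite no longer yields a usable pointer). When reading a writeup like this one, check which glibc the target runs before assuming either primitive.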
Snap: a microkernel approach to host networking
> This paper describes the networking stack, Snap, that has been running in production at Google for the last three years+. It’s been clear for a while that software designed explicitly for the data center environment will increasingly want/need to make different design trade-offs to e.g. general-purpose systems software that you might install on your own machines. But wow, I didn’t think we’d be at the point yet where we’d be abandoning TCP/IP! You need a lot of software engineers and the willingness to rewrite a lot of software to entertain that idea.
> Rolling forward 15 years, isogeny-based cryptography is another area with many technical subtleties, but is moving into the mainstream of cryptography. Once again, not everything that can be done with discrete logarithms can necessarily be done with isogenies. It is therefore not surprising to find papers that have issues with their security.
> It is probably time for an Isogenies for Cryptographers paper, but I don’t have time to write it. Instead, in this blog post I will mention several recent examples of incorrect papers. My hope is that these examples are instructional and will help prevent future mistakes. My intention is not to bring shame upon the authors.