_7siz's comments

Wish your experience was better than this. For me, sidecar is total game changer and the best!


Same, it worked perfectly first try for me.


This has so much potential

Read the announcement teaser too and have been super excited for it to drop


Same here! I was making this before I saw the teaser announcement. Figured I'd wait until Friday before continuing work since it may obviate this entirely. :-)



Glad to hear it :D


Sidecar + MBP = Mobile Bliss


Love the concept, but I am waiting for Notion.so API to fully migrate to this type of perfect/simple blog back-end.

The engineers at Zeit have a concept of this WITH magical SPR

https://zeit.co/blog/serverless-pre-rendering


Glad you posted, that was a big inspiration for this project!


Anyone have a good resource of backdoor / spy / sketchy China computer manufacturing things?

I always see info about the Huawei scandal for example, and I would love to read a great write up of more specific technical details of things going on


You'll have a hard time finding that.

But, you'll have an easier time finding out what companies who sell services related to supply chain integrity protection and counterfeit detection. Googling about those topics and companies like Harris Corp are good places to start. If you look at what these companies do, you should be able to infer what they are protecting against.

From what I gather, the usual threat for this sort of compromise is that adversaries in the supply chain or channel either provide or inject bogus parts or equipment. This may be done for spying purposes, but most often are just ways to make a little extra money.

The alleged difference with a state-owned entity like Huawei is that the "trusted" supply chain itself is doing untrustworthy things.


Depending on how you define it, I don't think Huawei is technically "state-owned", but because of "communism" technically all businesses are owned by the PRC?

But it's not formally a part of the PRC.

Do I understand this correctly?


According to the NY Times, Huawei is owned by a holding company, which is in turn 1% owned by the CEO and 99% by the company's employee union, which is an affiliate of the Shenzhen Government Employee union.

But the union has no control, other than after-work social activity.

It's about as complex and weird as a situation can get. Spies hide in complexity.


I have a feeling the majority of this research is conducted by Five Eyes military counter-intelligence branches (ripping it out of the hands of whoever was on the trail before), with the resulting reports passed around in redacted form to those who need to know (e.g. the manufacturers, suppliers, investors, etc.) but not generally bubbling up to the public, except through backchannels (like my friend in the Navy who warned me ten years ago to avoid buying anything with Huawei chips in it, saying he couldn’t get into the details.)

If the current approach is more of the same, we’ll see these reports declassified in 30 years or so, when China is (in one way or another) no longer the same looming threat it is today.


Intel CPUs have a closed-source management engine inside, does it matter if there will be one more backdoor?


I suspect any modified hardware would be targeted, not every single computer. You probably shouldn't order a computer online if this is your threat model, and instead pay for one off the shelf.


> And instead pay for one off the shelf

If a state actor is sufficiently motivated, even in a physical purchase, your computer will just get switched out for a bugged one at the cashier.

Common OPSEC practice re: buying hardware (or anything you don’t want your name associated with, really), is to pay an unaffiliated proxy to buy it for you.


>your computer will just get switched out for a bugged one at the cashier.

I doubt it. How would they swap it in time if you drove to a random Best Buy, picked out a laptop (I think they still keep them in locked cages on the show floor), and kept eyes on it until checkout? Never mind that they'll need surveillance on you 24/7 and have the exact model ready to go (or be able to plant the bug within minutes) to pull this off. It's much more feasible to only bug delivered/ordered equipment.


It seems really implausible to pull off without making a scene with a bunch of retail workers thinking you're trying to pull off some kind of scam/fraud.


It might be easier to find a 0-day vulnerability in Intel ME and exploit it.


If that's your threat model you aren't taking buying advice from HN.


Was more curious to just HOW it's done / been done



I wish all 2FA worked like when logging in with your Apple ID.

- 2FA by default

- Push notifications for the token to all your devices instantly

- Not a text message


>Push notifications for the token to all your devices instantly

... including non-Apple devices.

I've been faffing with this for the past few days - I had to reformat and reinstall OSX on my rather old MBA (2013), and I didn't notice at first, but it only restored Mavericks (was previously Mojave).

As my only Apple device, I was SOL when it asked me to enter my verification code for me to log into the App Store to upgrade the OS (as Mavericks is pre-2FA).

There were no other options for verification and the only other device I own is an Android phone (not entirely unreasonable).

I can't see a way round this other than getting ahold of another Apple device to get the code. Am I missing something obvious?


I did this recently and basically there's a way of requesting adding another mobile number to the account as a recovery number.

You put in the application, wait about 4 days and then you'll get auto approved (I can't believe any human looked at this process) and you can then set that number as the recovery number.

It seemed to circumvent the whole MFA thing pretty easily but the penalty was time.

No idea what checks were performed in the background by Apple, I suspect none. It seems like the 4 day wait was just to make me feel the system would be secure if someone tried it to me.


You can use Command + Option + R to boot internet recovery instead of the on-disk recovery. That'll download and install the latest version of the operating system associated with your Mac.

On the 2fa front: if you only have one Apple device, you really can't leverage the Apple 2fa system, I think. It always requires a past Apple device of some kind to get the code.


ah .. I didn't know about internet recovery. Hopefully, I'll remember your tip if this happens to me again (I borrowed an iPad, in the end).

Unfortunately, it doesn't look like you can turn off 2FA once you've had it on for some time, so it feels like I'm being pushed into buying a second Apple device?


I'm trying to figure out what exactly Google 2-Step Verification is, and whether to trust it or not. It doesn't appear to be a text, and provides a push notification to your device - it's super convenient, I just don't know if it's particularly strong.


Google 2-Step Verification is vulnerable to phishing just like TOTP is. You can go to a phishing site without realizing it's not Gmail, you enter your username and password, the phishing site gives those to Gmail on your behalf, the phishing site causes 2-Step Verification to happen, and Google sends a push notification to your phone for you to let the attacker into your account. (I believe Apple's default 2FA mentioned by GP works the same way.)

Security keys (and the newer project from Google to let your phone act as one over bluetooth) don't have this vulnerability because they connect right to your computer and talk to your browser (and not the attacker's) to verify the domain you're accessing.


But it's still better than SMS, right?

How does the security key/browser pair communicate without involving the site? Does it involve more of Google's interference then? While I know you're not saying "yes" to the site, isn't the key doing roughly the same thing?


>But it's still better than SMS, right?

Right, with Google 2-step verification you don't have to worry about number porting attacks. It's just vulnerable in the sense that a phishing site you've entered your username and password into can still trigger the prompt.

>How does the security key/browser pair communicate without involving the site? Does it involve more of Google's interference then? While I know you're not saying "yes" to the site, isn't the key doing roughly the same thing?

When you use a hardware security key with a browser, your browser tells the security key the page's domain, a user id, and a random challenge token if I remember right. The security key signs a message containing all of these things and gives that back to the browser. If you're on a phishing site, the page will have a different domain than the true site, the message signed by the security key will have the phishing site's domain instead of the true site's domain, and the signed response generated by the security key won't be valid for the attacker to use on the true site.

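The origin binding described in the comment above, as an added example that is not from the thread or from any vendor's code. It models a security key holding one ed25519 key per relying-party ID and signing authenticatorData plus a hash of clientData (origin and challenge), the way a WebAuthn assertion is built, with the byte layout simplified (no attestation, no CBOR, no extensions). The rpID "example.com", the origins and the phishing domain are made up for the illustration. In a real browser a phishing page cannot even request the legitimate rpID; the example shows the second line of defence, which is that an assertion carrying the right credential is still rejected because the browser, not the page, stamped the real origin into clientData:

```go
package main

// Added example: a toy model of WebAuthn origin binding, not production code.

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is filled in by the browser: the origin it is really connected to
// plus the server's challenge. A page script cannot change the origin field.
type clientData struct {
	Type      string `json:"type"`
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// securityKey models the authenticator: one credential per relying-party ID.
type securityKey struct {
	keys    map[string]ed25519.PrivateKey
	counter uint32
}

func newSecurityKey() *securityKey {
	return &securityKey{keys: map[string]ed25519.PrivateKey{}}
}

// register creates a credential for rpID and returns the public key the RP stores.
func (k *securityKey) register(rpID string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	k.keys[rpID] = priv
	return pub
}

type assertion struct {
	AuthData   []byte // sha256(rpID) || flags || counter
	ClientData []byte // JSON clientData
	Signature  []byte // over AuthData || sha256(ClientData)
}

// sign produces an assertion. browserOrigin is what the browser observed.
func (k *securityKey) sign(rpID, browserOrigin string, challenge []byte) (*assertion, error) {
	priv, ok := k.keys[rpID]
	if !ok {
		return nil, errors.New("no credential registered for this rpID")
	}
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	if err != nil {
		return nil, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	auth := make([]byte, 37)
	copy(auth[:32], rpHash[:])
	auth[32] = 0x01 // flags: user present
	k.counter++
	binary.BigEndian.PutUint32(auth[33:], k.counter)
	cdHash := sha256.Sum256(cd)
	msg := append(append([]byte{}, auth...), cdHash[:]...)
	return &assertion{AuthData: auth, ClientData: cd, Signature: ed25519.Sign(priv, msg)}, nil
}

// verifyAssertion is the relying party's check: the challenge must be the one it
// issued, the origin must be its own, the rpIdHash must match, and the signature
// must verify under the stored public key.
func verifyAssertion(rpID, expectedOrigin string, pub ed25519.PublicKey, challenge []byte, a *assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientData, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong clientData type")
	}
	if !bytes.Equal(cd.Challenge, challenge) {
		return errors.New("challenge mismatch (replay or wrong session)")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin mismatch: signed for %q, expected %q", cd.Origin, expectedOrigin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(a.AuthData) < 37 || !bytes.Equal(a.AuthData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	cdHash := sha256.Sum256(a.ClientData)
	msg := append(append([]byte{}, a.AuthData...), cdHash[:]...)
	if !ed25519.Verify(pub, msg, a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// demo runs a genuine login and a relay-phishing attempt with the same challenge.
func demo() (legitErr, phishErr error) {
	key := newSecurityKey()
	pub := key.register("example.com")
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	legit, err := key.sign("example.com", "https://login.example.com", challenge)
	if err != nil {
		return err, nil
	}
	legitErr = verifyAssertion("example.com", "https://login.example.com", pub, challenge, legit)
	// Attacker relays the RP's real challenge, but the browser records its origin.
	phish, err := key.sign("example.com", "https://login.example-com.evil", challenge)
	if err != nil {
		return legitErr, err
	}
	phishErr = verifyAssertion("example.com", "https://login.example.com", pub, challenge, phish)
	return legitErr, phishErr
}

func main() {
	legit, phish := demo()
	fmt.Println("real site:", legit)
	fmt.Println("relayed through phishing site:", phish)
}
```

The TOTP or push-approval flow has no equivalent of the origin field, which is why a relayed code or prompt is accepted by the real site; here the relayed assertion fails on the origin check before the signature is even examined.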

Ah ok - that makes sense now. Thanks for the explanation!


As we get more and more devices, pushing to all of them feels unsafe. :(

I'm happy with the security token world. But wish it was more supported for personal things. Yubikey letting me out gpg keys is nice.


Yes but could be a dystopian positive for the people...

How long until someone uses this against the “oligarch“ validators?

E.g.: an AdBlock browser extension is on unless they send some microfunds to your account / transfer Libra funds to you.

If you’re not familiar with display ads it’s a literal bidding war per space per user by the advertiser. Platforms don’t care they just get a cut.

Now, I could see this: turn it around and have this “central authority” by having them bidding for you to turn on your ads based on their data’s understanding of likeliness to click.


To be fair...

The front page of Hacker News is pretty much a Google hate hangoutfest -- so maybe cut some slack on this one...

I'm sure the NYT reporter was not acting malicious.

Maybe they will even issue correction or update in time. No one would argue that speed of social media and corrections is not ideal, but I would bet they are trying to be accurate and transparent with their readers.

I just seriously doubt the reporter and editors who published this info did so solely with the goal to attack Google by "promoting" a questionable study.

Wrong/Lazy/Dumb != Evil


No, but they published something that confirmed their priors, and didn't do their due diligence on it because it confirmed their priors and was the kind of story they wanted to write. They have to be held to account for that.


Agree. Just don't see it as malicious


Perhaps not malicious, but publishing a more or less BS story to fit a narrative is not far from malicious on the spectrum of intention (especially if the narrative is in the NYT's business interests).


Malice is completely unnecessary for the world to go to shit. Very few people are actually malicious in any meaningful sense of the term. Most bad things happen when generally good people cut corners.


I think you can assume "acting maliciously" was intended to be a catch-all for something more general, like maybe "acting in a grossly disrespectable manner", regardless of whether the intentions were actually malice or not.


The old question is if it makes any difference if you're dumb on purpose or just inherently ignorant. It makes little difference at the end of the day, it's still your fault to not take steps to correct your ignorance and it doesn't matter for the effects of your actions.


It's also important to remember that social media and tech firms like Google are a direct threat to their long term survival. YouTubers offering low budget news is eating them alive.


So you’re degrading the charge from maliciousness to incompetence?


>The front page of Hacker News is pretty much a Google hate hangoutfest -- so maybe cut some slack on this one...

HN is not a newspaper. HN is an opinion-fest. NYT purports to be the "Newspaper of Record." Requiring NYT to publish corrections to factual error is utterly reasonable and has nothing to do with HN or Google in any way.

Oh, and Google are evil. There are more tech-literate people around on HN to have noticed and understood this. Google have become utterly hideous.

The NYT should publish corrections for factually incorrect reporting because it is what separates them from fraudulent pretend news sources such as Fox and CNBC which are simply garbage to be treated as lies until proven otherwise by anyone sane of any political persuasion. The NYT wants to be better than that.


HN shouldn’t be held to the same standard as NYT for journalistic integrity


Agree and wasn't really saying that


Unpopular opinion: Bashing google is the new cool and easy way to victimization.


What I REALLY want is simpler 2 factor auth.

Love iMessage autofill on text inputs from text message codes

But... Authy (arguably more secure) is super annoying to open, click, copy, re-window over, click, and then finally paste.

Would be cool if this somehow cleaned up the whole process.


Check out 1Password for 2FA management. It's extremely well done. When it auto-fills your user/password, it also puts your 2FA code into your clipboard so you can just paste it in on the next page.

Alternatively, and if the form supports it, you can use the share sheet on iOS to get 2FA auto fill from 1Password.


>Authy (arguably more secure)

What's the argument ?

>Would be cool if this somehow cleaned up the whole process.

Everyone, just leave 2FA alone. No sms. No custom garbage that sends a push from a cloud and uses a blob on the device. Use TOTP. It's simple and easy. If you want fancier phishing protection, optionally add the newer fido2 or whatever the newer standards end up being. Just no custom garbage.

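An added example, not the commenter's code, of what "just use TOTP" means mechanically: RFC 6238 generation and verification in Go from the standard library only, checked against the RFC's published SHA-1 test vectors (secret "12345678901234567890"). It also shows what the verifier cannot see: a code carries no origin, so one relayed through a phishing page verifies exactly like one typed into the real site, which is the gap an earlier comment in this thread describes.

```go
package main

// Added example: RFC 4226 HOTP and RFC 6238 TOTP, not code from the thread.

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// hotp: HMAC-SHA1 over the big-endian counter, dynamic truncation to 31 bits,
// reduce modulo 10^digits, zero-pad.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	code %= uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code)
}

// totp derives the HOTP counter from wall-clock time with T0 = 0.
func totp(secret []byte, at time.Time, step time.Duration, digits int) string {
	return hotp(secret, uint64(at.Unix())/uint64(step.Seconds()), digits)
}

// verifyTOTP accepts the code for the current step and +/- skew neighbouring
// steps, comparing in constant time. A production verifier must also remember the
// last accepted step so the same code cannot be replayed within its window.
// Nothing here knows which site the user typed the code into.
func verifyTOTP(secret []byte, code string, at time.Time, step time.Duration, digits, skew int) bool {
	base := at.Unix() / int64(step.Seconds())
	ok := 0
	for d := -skew; d <= skew; d++ {
		c := base + int64(d)
		if c < 0 {
			continue
		}
		expected := hotp(secret, uint64(c), digits)
		ok |= subtle.ConstantTimeCompare([]byte(expected), []byte(code))
	}
	return ok == 1
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 Appendix B test secret
	for _, ts := range []int64{59, 1111111109, 1111111111, 1234567890, 2000000000, 20000000000} {
		fmt.Println(ts, totp(secret, time.Unix(ts, 0), 30*time.Second, 8))
	}
	now := time.Unix(1111111109, 0)
	code := totp(secret, now, 30*time.Second, 6)
	// A phishing page that relays this code within the window is accepted too.
	fmt.Println("accepted 20s later:", verifyTOTP(secret, code, now.Add(20*time.Second), 30*time.Second, 6, 1))
	fmt.Println("accepted 5min later:", verifyTOTP(secret, code, now.Add(5*time.Minute), 30*time.Second, 6, 1))
}
```

The skew of one step is the usual compromise between clock drift on phones and the size of the window an attacker has to relay a captured code; widening it buys nothing against the relay case and only lengthens that window.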

For regular users TOTP isn't simple:

* you have to install an app, but you can't tell which app you're meant to use

* you have to configure the app with whatever your signin service is

* If you ever delete the app (something that is generally not harmful) you lose the ability to sign in, and reinstalling frequently does not bring back your old authorizations.

But yeah, SMS 2fa is garbage from a security stand point (and will remain so until carriers can be held liable for costs from transferring your number without your authorization), but it is usable and is leaps and bounds better than nothing at all, which is what users will do if you make 2fa hard to set up.


Little beyond me on why it's considered more secure. Just what I read a while ago.

I just want cleaner integration for the user. Don’t care about messing with it


Yubikeys are great, but perhaps out of scope of this discussion.


Is there a resource that compares all the cloud platforms' reliability? Like a rank and chart of downtime and trends. Just curious how they compare


Slightly off topic rant follows: I don't see a lot of tech sites talk about the fact that Azure and GCP have multi-region outages. Everybody sees this kind of thing and goes "shrug, an outage". No, this is not okay. We have multiple regions for a reason. Making an application support multi-region is HARD and COSTLY. If I invest that into my app, I never want it go down due to a configuration push. There has never been an AWS incident across multiple regions (us-east-1, us-west-2, etc). That is a pretty big deal to me.

Whenever I post this somebody comes along and says "well that one time us-east-1 went down and everybody was using the generic S3 endpoints so it took everything down". This is true, and the ASG and EBS services in other regions apparently were. BUT, if you invested the time to ensure your application could be multi-region and you hosted on AWS, you would not have seen an outage. Scaling and snapshots might not have worked, but it would not have been the 96.2% packet drop that GCP is showing here and your end users likely would not have noticed.

The articles that track outages at the different cloud vendors really should be pushing this.


There is this from May from Network World: https://www.networkworld.com/article/3394341/when-it-comes-t...

GCP was basically even with AWS, and Microsoft was ~6x their downtime according to that article.


From the article:

> AWS has the most granular reporting, as it shows every service in every region. If an incident occurs that impacts three services, all three of those services would light up red. If those were unavailable for one hour, AWS would record three hours of downtime.

Was this reflected in their bar graph or not?

Also, GCP has had a number of global events, e.g. the inability to modify any load balancer for >3 hours last year, which AWS has NEVER had (unless you count when AWS was the only cloud with one region).


While I would like to say AWS hasn't had that issue, in 2017 it did (just not because of load balancers being unavailable, but as a consequence of the S3 outage [1]).

When the primary S3 nodes went down, it caused connectivity issues to S3 buckets globally, and services like RDS, SES, SQS, Load Balancers, etc etc, all relied on getting config information from the "hidden" S3 buckets, thus people couldn't edit load balancers.

(Outage also meant they couldn't update their own status page! [2])

[1]: https://aws.amazon.com/message/41926/

[2]: https://www.theregister.co.uk/2017/03/01/aws_s3_outage/


There are a handful of companies that will try and sell you this. However I'd say anything that's simple enough to be expressed as a chart or 1 page summary is not actually useful. Interesting outages have variable breadth, scope, and severity. It's usually some methods or a subset of customers that are impacted. That's really hard to communicate as a straight percentage. You need to map it back to your particular workload and dependencies. And the meaningful result is how your particular application or customer experience would be affected.

Source: I'm a principal at AWS, historically focused on infrastructure and availability/operations, have been on call for 20 years, and do some internal incident management as my job.

