The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies – Bloomberg

The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources.

I like this quote from the TV show Elementary:

Are governments capable of evil? Yes. Of course they are. All institutions are. But they are more capable of incompetence.

Apply a bit of Occam’s Razor as well and the puzzle gets a bit less scary.

Again, the news is still forthcoming so I may well eat my words.

Also on:

TaoSecurity: Network Security Monitoring vs Supply Chain Backdoors

The limitations of this approach are worth noting. First, if the intruders never activated their backdoors, then there would be no evidence of communications with C2 servers. Hardware inspection would be the main way to deal with this problem. Second, the intruders may leverage popular Internet services for their C2. Historical examples include command and control via Twitter, domain fronting via Google or other Web sites, and other covert channels. Depending on the nature of the communication, it would be difficult, though not impossible, to deal with this situation, mainly through careful analysis. Third, traditional network-centric monitoring would be challenging if the intruders employed an out-of-band C2 channel, such as a cellular or radio network. This has been seen in the wild but does not appear to be the case in this incident. Technical countermeasures, whereby rooms are swept for unauthorized signals, would have to be employed. Fourth, it’s possible, albeit unlikely, that NSM sensors tasked with watching for suspicious and malicious activity are themselves hosted on compromised hardware, making their reporting also untrustworthy.

The remedy for the last instance is easier than that for the previous three. Proper architecture and deployment can radically improve the trust one can place in NSM sensors. First, the sensors should not be able to connect to arbitrary systems on the Internet. The most security conscious administrators apply patches and modifications using direct access to trusted local sources, and do not allow access for any reason other than data retrieval and system maintenance. In other words, no one browses Web sites or checks their email from NSM sensors! Second, this moratorium on arbitrary connections should be enforced by firewalls outside the NSM sensors, and any connection attempts that violate the firewall policy should generate a high-priority alert. It is again theoretically possible for an extremely advanced intruder to circumvent these controls, but this approach increases the likelihood of an adversary tripping a wire at some point, revealing his or her presence.


An assessment of the Bloomberg hardware compromise report that provides insights I hinted at but which are better articulated here.

I remain skeptical this happened. It seems cheaper and easier to introduce fear, uncertainty, and doubt (FUD) into the supply chain than to actually compromise it (beyond what the Chinese supply chain already does to skim money). Again, time will tell.
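The egress control the quoted TaoSecurity passage describes, as an added example that is not code from that post or from this blog: a check over firewall log lines from the sensor segment. The sensor subnet (10.20.30.0/24), the two permitted destinations (a local patch mirror and a log collector) and the key=value log format are assumptions constructed for the example. It goes slightly beyond the passage in one respect: a logged connection that the firewall allowed but the policy does not permit is rated above a denied attempt, because it means the firewall rule set has stopped enforcing the moratorium.

```javascript
// Added example, not from the TaoSecurity post or this blog. NSM sensors may
// reach only a local patch mirror and a log collector; any other connection
// attempt, whether the firewall denied or (worse) allowed it, becomes an alert.
// Subnet, addresses and log format are assumptions made for the example.

// Assumed policy for the sensor segment.
const POLICY = {
  sensorPrefix: "10.20.30.", // assumed sensor management subnet
  allowed: [                 // assumed permitted destinations
    { dst: "10.20.1.5", dport: 443, proto: "tcp", role: "local patch mirror" },
    { dst: "10.20.1.6", dport: 6514, proto: "tcp", role: "log collector" },
  ],
};

// Constructed firewall log lines (RFC 5737 documentation addresses for the
// Internet side). The last line is deliberately unparsable.
const SAMPLE_LOG = [
  "2018-10-05T13:22:10Z ALLOW src=10.20.30.11 dst=10.20.1.5 dport=443 proto=tcp",
  "2018-10-05T13:22:11Z ALLOW src=10.20.30.11 dst=10.20.1.6 dport=6514 proto=tcp",
  "2018-10-05T13:22:12Z DENY src=10.20.30.12 dst=203.0.113.50 dport=443 proto=tcp",
  "2018-10-05T13:22:13Z DENY src=10.20.30.12 dst=198.51.100.7 dport=53 proto=udp",
  "2018-10-05T13:22:14Z ALLOW src=10.20.30.13 dst=192.0.2.9 dport=80 proto=tcp",
  "2018-10-05T13:22:15Z ALLOW src=10.20.40.5 dst=192.0.2.9 dport=80 proto=tcp",
  "garbage line that does not parse",
];

const LINE_RE = /^(\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)$/;

// Parse one log line into a record, or return null if it does not match.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ts: m[1], action: m[2], src: m[3], dst: m[4], dport: Number(m[5]), proto: m[6] };
}

// True when the destination/port/protocol triple is on the allowlist.
function isPermitted(policy, rec) {
  return policy.allowed.some(
    (a) => a.dst === rec.dst && a.dport === rec.dport && a.proto === rec.proto,
  );
}

// Evaluate log lines against the policy. Returns the alerts plus a count of
// lines that failed to parse, since a sensor log that stops parsing is itself
// worth noticing.
function evaluate(lines, policy) {
  const alerts = [];
  let unparsed = 0;
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) { unparsed += 1; continue; }
    if (!rec.src.startsWith(policy.sensorPrefix)) continue; // not a sensor
    if (isPermitted(policy, rec)) continue;                 // expected traffic
    const allowed = rec.action === "ALLOW";
    alerts.push({
      ts: rec.ts,
      src: rec.src,
      dst: `${rec.dst}:${rec.dport}/${rec.proto}`,
      severity: allowed ? "critical" : "high",
      reason: allowed
        ? "sensor reached a non-allowlisted destination: firewall policy gap"
        : "sensor attempted a non-allowlisted connection",
    });
  }
  return { alerts, unparsed };
}

console.log(JSON.stringify(evaluate(SAMPLE_LOG, POLICY), null, 2));
```

Run with `node`; the three alerts printed are the two denied attempts from 10.20.30.12 and the allowed connection from 10.20.30.13, which is rated critical. Consistent with the fourth limitation in the quoted passage, this check belongs on the firewall or a separate log host, not on the sensors whose trustworthiness it is meant to support.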


The Trail Mix of iOS Keyboards – Tablet Habit

With my iPad only lifestyle, there has been a pain point that’s been present with a lot of iPad Pro users: keyboards.

There never seems to be a perfect keyboard for the iPad that is agreed upon by everyone. In fact there are a number of choices that seem to have some sort of drawback no matter how you look at it.


This is one of my gripes with iOS and why I won’t (yet) go iPad only. If Apple intends the iOS platform to be more than just a consumption device, fixing input, both the keyboards (physical and soft) and the pointing devices (the Apple Pencil, and please introduce a trackpad!), would go a long way.

For example, when I use a non-Apple Japanese JIS Bluetooth keyboard it defaults to a US QWERTY layout. There is no way to tell iOS what layout is needed when it does the wrong thing.


Notes on the Bloomberg Supermicro supply chain hack story

Notes on the Bloomberg Supermicro supply chain hack story:

Bloomberg has a story about how Chinese intelligence inserted secret chips into servers bound for America. There are a couple of issues with the story I wanted to address.

The story is based on anonymous sources, and not even good anonymous sources. An example is this attribution:

a person briefed on evidence gathered during the probe says

That means somebody not even involved, but somebody who heard a rumor. It also doesn’t mean the person even had sufficient expertise to understand what they were being briefed about.

The technical detail that’s missing from the story is that the supply chain is already messed up with fake chips rather than malicious chips. Reputable vendors spend a lot of time ensuring quality, reliability, tolerances, ability to withstand harsh environments, and so on. Even the simplest of chips can command a price premium when they are well made.

(Via Errata Security)

The truth on this story is still revealing itself. I do know that I already tire of it.

Robert Graham’s article is the strongest critique of the Bloomberg story I’ve read. My skeptical nature tends to agree with him until more facts are known.


hW fAiLz: Nexus 6P & iPod Touch 6gen & Mac Mini

I lost two gadgets in short order. I will miss them both, but they are just things.

The Google Nexus 6P declined recently. It terminally reached a point a few weeks ago where it wouldn’t power up past the boot screen. It’s my personal phone, my Project Fi phone, and my main connection to the US.

My backup was my iPod Touch. Today, in a fit of me eating lunch, it landed on concrete. It would not power on after.

This weekend my Mac Mini started overheating for no clear reason. There’s no malware AFAICT but the bearings in the CPU fan might be failing on this replacement. While again just a thing, this one would cause significant inconvenience should it fail.

I don’t believe in coincidence, yet Murphy’s Law cannot be ignored.

There’s risk running hardware past the manufacturer’s shelf life. Components degrade. Bits and bobs fail eventually. Maybe they are replaceable and maybe they are not.

Bitrot, the loss of data because of time in one way or another, is the real enemy. Going analog is no panacea. Fire, neglect, and nature degrade analog systems.

Backups are key. Analog data can be scanned. Digital data can be printed.


Mobile Websites Can Tap Into Your Phone’s Sensors Without Asking

Mobile Websites Can Tap Into Your Phone’s Sensors Without Asking:

When an app wants to access data from your smartphone’s motion or light sensors, iOS and Android require them to get your permission first. That keeps a fitness app, say, from counting your steps without your knowledge. But a team of researchers has discovered that those rules don’t apply to websites loaded in mobile browsers, which can often access an array of device sensors without any notifications or permissions whatsoever.

That mobile browsers offer developers access to sensors isn’t necessarily problematic on its own. It’s what helps those services automatically adjust their layout, for example, when you switch your phone’s orientation. And the World Wide Web Consortium standards body has codified how web applications can access sensor data. But the researchers—Anupam Das of North Carolina State University, Gunes Acar of Princeton University, Nikita Borisov of the University of Illinois at Urbana-Champaign, and Amogh Pradeep of Northeastern University—found that the standards allow for unfettered access to certain sensors. And sites are using it.

(Via Security Latest)

Clearly this is a gap in vendor protections and in informed user consent. When paired with the amount of bandwidth and other resources consumed by scripts, trackers, ads and the like, this news reinforces my opinion on ad-blockers that also deal with JavaScript.

Before we all panic, please note that the study found that only 3.7% of the top 100,000 sites make use of this. And bear the following in mind:

That unapproved access to motion, orientation, proximity, or light sensor data alone probably wouldn’t compromise a user’s identity or device. And a web page can only access sensors as long as a user is actively browsing the page, not in the background.

Regardless, there is clearly an attack surface here that will be exploited. I can imagine something targeted using watering hole attacks being particularly successful.
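Two mitigations for the sensor access described above, as an added example rather than code from the Wired article, the researchers’ paper or this blog: a Permissions-Policy (formerly Feature-Policy) response header a site operator can send so that its own page and any embedded frame or third-party script is denied the accelerometer, gyroscope, magnetometer and ambient-light sensors, and a guard that a user script or hardened browser shell could install on `window` to refuse registration of devicemotion/deviceorientation listeners while recording each attempt. The event and feature names are the real DOM and Permissions-Policy ones; the target is a plain `EventTarget` so the example runs under Node, and the guard covers only the event-based API, not the Generic Sensor API constructors.

```javascript
// Added example: defensive controls against silent sensor reads by web pages.
// Not code from the Wired article, the cited researchers or this blog.

// Real DOM event names through which pages receive motion/orientation data.
const SENSOR_EVENTS = new Set([
  "devicemotion", "deviceorientation", "deviceorientationabsolute",
]);
// Real Permissions-Policy feature names for the sensors in question.
const SENSOR_FEATURES = [
  "accelerometer", "gyroscope", "magnetometer", "ambient-light-sensor",
];

// (1) Site side: a Permissions-Policy header value that denies each feature
// to every origin, the page itself included. Send it on HTML responses as
//   Permissions-Policy: <value>
// Browsers that still read Feature-Policy need that older header too.
function permissionsPolicyHeader(features = SENSOR_FEATURES) {
  return features.map((f) => `${f}=()`).join(", ");
}

// (2) Client side: install a guard on an EventTarget (window, in a browser).
// Sensor listeners are never registered, whether added via addEventListener
// or via the on<event> property; every attempt is recorded so the blocking
// can be inspected later. Returns the attempt log.
function installSensorGuard(target) {
  const attempts = [];
  const originalAdd = target.addEventListener.bind(target);
  target.addEventListener = function (type, listener, options) {
    const name = String(type).toLowerCase();
    if (SENSOR_EVENTS.has(name)) {
      attempts.push({ type: name, via: "addEventListener" });
      return; // dropped: the page never receives sensor data
    }
    return originalAdd(type, listener, options);
  };
  for (const name of SENSOR_EVENTS) {
    Object.defineProperty(target, `on${name}`, {
      configurable: true,
      get() { return null; },
      set() { attempts.push({ type: name, via: "property" }); },
    });
  }
  return attempts;
}

// Stand-alone demonstration on a plain EventTarget (Node 15+ has EventTarget
// and Event as globals); in a browser the target would be window.
function demo() {
  const target = new EventTarget();
  const attempts = installSensorGuard(target);
  let motionDeliveries = 0;
  let clickDeliveries = 0;
  target.addEventListener("devicemotion", () => { motionDeliveries += 1; });
  target.addEventListener("click", () => { clickDeliveries += 1; });
  target.ondeviceorientation = () => { motionDeliveries += 1; };
  target.dispatchEvent(new Event("devicemotion"));
  target.dispatchEvent(new Event("deviceorientation"));
  target.dispatchEvent(new Event("click"));
  return { motionDeliveries, clickDeliveries, attempts };
}

console.log(permissionsPolicyHeader());
console.log(JSON.stringify(demo()));
```

In the demo the two sensor registrations are logged and never fire, while the unrelated click listener still works. The header is the more robust of the two controls because it is enforced by the browser; the guard only helps when it is installed before any page script runs, which is why extensions and user scripts schedule such shims at document start.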

“There’s a difference between the access from the web scripts compared to say mobile apps,” Acar says. “And a lot of this is legitimate. But the fact that access can be granted without prompting the user is surprising. It’s currently up to the vendors, and vendors tend to choose the side of more usability.”


Juggling domestic and international App Store accounts in iOS 12

Juggling domestic and international App Store accounts in iOS 12:

I can’t find the link right now but some blogs reported back in early summer that iOS 12 gained the ability to update App Store content from 2 different account IDs, USA and international.

I have juggled USA and Japan App Store content since App Store day 1 2008. Updating meant constant logging out and logging in to different accounts manually, a pain in the neck that I grew accustomed to over the years. Things have slowly improved but seamless savvy domestic~international App Store switching is still not there yet in iOS 12.

iOS 12 updates Apps from both USA and Japan accounts but only for content that exists in both App Stores. Any attempt to update Japan only content from Yahoo Japan, Docomo, etc., and the USA App Store coughs up a ‘This item is no longer available’ error. Back to the old tried and true ‘log out of US store log in to Japan store’ update maneuver.

This kind of ‘USA English version first, internationalization and optimization later when we can get to it’ attitude seems to be getting worse at Apple instead of better. On iOS 12 alone we have Apple Music Japan content that still does not Kana sort, half-assed Apple Maps Japan content, no Japanese TV content whatsoever even though Netflix Japan and Amazon Prime Japan are going all out. On the just released macOS Mojave 10.14 iMessages is still missing Location settings. The list goes on.

Apple likes to pride itself on being, slightly, ahead of the curve on software internationalization. Sometimes it is, sometimes not. Smart, savvy internationalization of OS, cloud and content services that lead the industry may not sound sexy or produce big profits, but they have a huge impact on product quality around the world.

Making Apple products the best possible products out there was what Steve Jobs was all about. Apple may be stumbling of late, let’s hope they remember their founder by putting all into the job at hand.

(Via Ata Distance)

As usual, I cannot agree more.


My Lopsided Listening

Listening to podcasts and audio books takes a toll on my AirPod batteries. They take a toll in stereo, that is, and most of the content benefits little by the extra channel.

This mono approach is nothing new. I would like Apple to take note, nevertheless.

AirPods have several deficiencies:

  • Microphone is poor to useless on calls in any space other than a perfectly silent room
  • No volume control on its/their own
  • Battery life is ok (they’re tiny, I know)
  • The case is a grime magnet, and the pods themselves are not much better (but surprisingly good depending on the user)
  • The charging case is too easy to lose

AirPods paired with an iPhone paired to an Apple Watch, and maybe when solely paired with the Apple Watch, the Watch can fix the volume control issue. If I could use the Watch on a “raise to speak” mode where otherwise the microphone is muted while the audio is piped through the AirPods, I would be happy. Maybe it’s possible and I haven’t discovered it, but I expect more news would have been made of the functionality.

For the battery life issue, juggling between ears one at a time is the best approach. I can easily get through a day with the pods and their charger case.

Apple clearly didn’t consider this use case. When I get the chime indicating that the battery will soon run out on the AirPod I’m using, I put the other one in my other ear. I expect iOS will recognize this change and switch me to stereo. If it did, I would pull out the battery-depleted unit and double tap the fresh one for my content to continue while I slip the dead one in for a charge.

It does not work that way, or at least for me. Maybe it’s a deficiency with the iPod Touch I use as my content hub. As mentioned, my work issued iPhone lacks the storage needed for my work content. Adding in podcasts and ebooks and audiobooks and music are far too much for it. The two in semi-concert make a workable and portable (both are small form factor) compromise. The iPod Touch also charges quickly and requires little of its power source.

Back to my initial story, swapping AirPods mostly works so long as I don’t want to listen to music. As soon as stereo is needed this model fails.

If some third party created a neck wearable battery pack that the AirPods could plug into for extended use, I would buy one.

As it is, my inexpensive fix for the stereo issue is to carry a set of Lightning EarPods. They have the added benefit of not requiring any wireless tech, so my iPod Touch battery lasts that much longer and can move to my iPhone if a conference call is needed. Of course I hate this backup plan. I prefer the analog headphone jack. I still have it on my iPod Touch and my iPads, so maybe I permanently affix a Lightning-to-headphone adapter to my iPhone.

This can’t be the ideal Apple wants. I’m heartened by the lack of releases of new Beats hardware, which I always saw as a brand and content acquisition. Beats headphones always sounded muddy and heavy to me, like I was scuba diving with a drum section.

It would be good if Apple added location tracking to the charging case, or an alarm when the AirPods are in use and the case is about to leave the Bluetooth radius.

This is a long, rambling post. Enjoy.


“Curated” News Apps & Sponsored Content

In Apple News I came across the following (WARNING: don’t click unless you want to be marketed at): How to become the ‘spreadsheet master’ of your office. It’s a sales pitch disguised as a news story with a click-baity headline displayed as significant in a (I think) curated news aggregator.

I’m curious what Apple and Google and the others do to judge the value of articles and by what criteria. Sitting here telling Apple what sources are garbage based on click bait and aggressively “sponsored” content can’t be the best solution.


Overcast 5.0 Review

Normally I wait at least a week before upgrading any OS, but stories like this make patience seem a burden:

Overcast 5.0 Review:

Standalone Watch Playback

I never thought I would use my watch to play music or podcasts without my iPhone, but I’ve recently discovered that our apartment is just long enough that my headphones or watch are out of range of my iPhone when I’m at one end and it’s at the other. I put some music on my watch and paired my Bose QC35s, and then immediately wished I had podcasts on there. The standalone watch playback in Overcast is great. Sync can be a little fiddly due to watchOS limitations, and I had the best success by putting Overcast in my dock on my watch, opening it, putting it and my iPhone on charge and leaving them to it – and now I’m by the pool listening to podcasts on my watch with my iPhone back in my hotel room!

(Via Rosemary Orchard)

Glob dang it! I’m working from home tomorrow, so maybe …
