Archive for January 4, 2018

Thursday, January 4, 2018

Fingerprinting Swift Code Using Spacecrypt


Spacecrypt works by converting your private message into binary data, and then converting that binary data into zero-width characters (which can then be hidden in your public message). These characters are used:

  • Unicode Character 'WORD JOINER' (U+2060)
  • Unicode Character 'ZERO WIDTH SPACE' (U+200B)
  • Unicode Character 'ZERO WIDTH NON-JOINER' (U+200C)

Craig Hockenberry (tweet):

It appears that these hidden payloads can work their way into code, not just data (such as the string shown above.)


I think this poses some serious issues, not just for Stack Overflow, but for the languages which are discussed on this Q&A site. Hidden characters in code make effective code review much more difficult. In the example above, a quick review of the code would lead someone to believe that foo * bar would be 11111111, not the actual value of 12345678987654321. This would be an easy way for someone to hide a security vulnerability in plain sight.

It’s also very difficult to see these hidden characters at the point-of-origin: They don’t appear at all in Safari’s Web Inspector and in Chrome the HTML entities blend right in with the other HTML and CSS for this site.

Update (2018-01-05): Craig Hockenberry:

And before you say, “just ban zero width joiners and combining characters”, remember that Emoji uses both extensively.

The T2 Chip Makes the iMac Pro the Start of a Mac Revolution

Jason Snell (Hacker News):

On most Macs, there are discrete controllers for audio, system management and disk drives. But the T2 handles all these tasks. The T2 is responsible for controlling the iMac Pro’s stereo speakers, internal microphones, and dual cooling fans, all by itself.


As for the disk controller? There isn’t one—or more accurately, the disk controller is built into the T2 itself. This gives the T2 complete control over internal storage on the iMac Pro. This has some major benefits in terms of speed and security. Every bit of data stored on an iMac Pro’s SSD is encrypted on the fly by the T2, so that if a nefarious person tried to pull out the storage chips and read them later, they’d be out of luck.


This new boot process means there’s also a new utility for Mac users to get to know: Startup Security Utility, which you can only access by booting into Recovery mode by holding down Command-R while starting up. Startup Security Utility gives the T2 guidance about just how strict it should be when judging whether it should boot your computer.

Update (2018-01-05): @nurtopsc:

Everyone is talking about Meltdown & Spectre, but no one is really talking about exploits enabled by the Intel Management Engine. I think Apple’s T2 solves this.

Update (2018-01-08): See also: Tim Perfitt and Rich Trouton.

Update (2018-01-16): Pepijn Bruienne:

If you didn’t spot it yet, it’s the apparent existence of an “Erase all content and settings” feature for macOS. As I noted in November, this would be possible with the iMac Pro’s T2 via mobile_obliterator

A Branchless UTF-8 Decoder

Chris Wellons (via Matías N. Goldberg):

The CPU must correctly predict the length of the code point or else it will suffer a hazard. An incorrect guess will stall the pipeline and slow down decoding.


This reads four bytes regardless of the actual length. Avoiding doing something is branching, so this can’t be helped. The unneeded bits are shifted out based on the length. That’s all it takes to decode UTF-8 without branching.

Dash’s Year in Review: 2017

Bogdan Popescu:

I’m happy to report Dash has had its best year to date. Revenue in 2017 was 30% higher than Dash’s previous best year, 2015.

Previously: 100 Days Without the App Store.

Alexa Everywhere

M.G. Siegler:

Look, I think Apple positioning the HomePod around music is smart — at least at first. Such a device strengthens and expands the Apple Music ecosystem, while giving Apple an avenue to focus on what they do best: creating high-end hardware sold at a premium.

But I think Amazon — and to a lesser extent Google — has not only established a market ahead of Apple’s entry, but has done so in such a way that will make the HomePod sound a bit out of touch upon launch. Again, I know this is a risky prediction to make. But per above, I also know that Amazon is the number one seller of speakers in the world right now. And they’re doing this not by focusing on quality, as Apple will, but by focusing on making their digital assistant, Alexa, ubiquitous.

Update (2018-01-15): Matt Birchler:

I didn’t understand how a voice assistant could possibly be more convenient by being somewhere stationary in my home, rather than in my pocket or on my wrist.

I’m here to say I was a fool.