Archive for November 26, 2023

Sunday, November 26, 2023

Receipt Validation With All the Ethernet Interfaces

Jeff Johnson:

I’ve recently run into a case that seems to call into question all extant sample code for Mac App Store receipt validation. […] I learned that the ethernet port of the customer’s Mac was fried as a result of electrical damage from a lightning strike. The Mac’s motherboard was replaced, but afterward the customer still couldn’t launch Magnet, and now they couldn’t launch Link Unshortener either. It turns out that the Mac’s ethernet port is now en11 rather than en0. Apple’s old sample code checked only en0, and Apple’s new sample code checks only en0 and en1, so that technique won’t work. And the technique suggested by Chris Liscio won’t work, because querying for kIOPrimaryInterface returned no results! The customer’s Mac reported having no primary ethernet interface.

My solution was to query all built-in ethernet interfaces—in technical terms, kIOBuiltin devices of kIOEthernetInterfaceClass—and attempt to validate each interface’s MAC address with the App Store receipt until a match was found. This might be the same technique suggested by Paulo Andrade, but that blog post contains no sample code.


NVIDIA Sued for Stealing Trade Secrets

Mariella Moon (via Hacker News):

NVIDIA is facing a lawsuit filed by French automotive company Valeo after a screensharing blunder by one of its employees. According to Valeo’s complaint, Mohammad Moniruzzaman, an engineer for NVIDIA who used to work for its company, had mistakenly showed its source code files on his computer as he was sharing his screen during a meeting with both firms in 2022. Valeo’s employees quickly recognized the code and took screenshots before Moniruzzaman was notified of his mistake.


Moniruzzaman allegedly gave his personal email unauthorized access to Valeo’s systems to steal “tens of thousands of files” and 6GB of source code shortly after that development. He then left Valeo a few months later and took the stolen information with him when he was given a senior position at NVIDIA, the complaint reads. He also worked on the very same project he was involved in for Valeo, which is why he was present at that video conference.

We don’t hear about this sort of thing happening very often.

Cavium Networking Hardware May Contain Backdoor

Bruce Schneier:

Jake Appelbaum’s PhD thesis contains several new revelations from the classified NSA documents provided to journalists by Edward Snowden.

Stefania Maurizi:

Communication in a world of pervasive surveillance is a public document and has been downloaded over 18,000 times since March 2022 when it was first published.


In 2013, Jacob Appelbaum published a remarkable scoop for Der Spiegel, revealing the NSA had spied on Angela Merkel’s mobile phone. This scoop won him the highest journalistic award in Germany, the Nannen Prize (later known as the Stern Award).

Nevertheless, his work on the NSA revelations, and his advocacy for Julian Assange and WikiLeaks, as well as other high-profile whistleblowers, has put him in a precarious condition. As a result of this, he has resettled in Berlin, where he has spent the past decade.

Thomas Claburn:

Cavium, a maker of semiconductors acquired in 2018 by Marvell, was allegedly identified in documents leaked in 2013 by Edward Snowden as a vendor of semiconductors backdoored for US intelligence. Marvell denies it or Cavium placed backdoors in products at the behest of the US government.


In a phone conversation, Appelbaum told The Register, “Marvell is answering a question that no one asked.” He explained further in an email, essentially arguing that Marvell may have inadvertently backdoored its equipment by implementing weak and exploitable algorithms, such as the infamous Dual EC DRBG, that were championed by the US government so that they would be adopted by suppliers and deployed in the wild possibly for snoops to abuse.


“As far as I know, Marvell has not reported performing an internal audit on the intellectual property that they acquired from Cavium to search for any NSA sabotage, nor have they reported performing a similar audit on Marvell related technologies,” he said.

Matthew Green (Hacker News):

To give some context, here are the contents of an initial Snowden leak from September 2013. Cavium was a leading manufacturer of cryptographic co-processors for VPN devices at that time.


The formal name for this stuff is “algorithm substitution attacks.” Basically, you replace a cryptographic algorithm with a different one that “looks the same” from the outside, but contains a trapdoor for the NSA to exploit.

Appelbaum’s thesis is available here and contains this passage:

In a related document the NSA describes a normal situation where the NSA intercepts VPN traffic to decrypt the contents, modify the traffic if desired, and then re-inject and re-encrypt the traffic to send on to the original destination. The NSA estimated in 2011 that they performed around one thousand attacks against VPN sessions per hour and NSA projected it would soon be performing one hundred thousand such attacks in parallel per hour. It is reasonable to assume that this number is significantly higher after more than a decade.


Data Analytical Services (DAS)

Dell Cameron and Dhruv Mehrotra (Hacker News):

A little-known surveillance program tracks more than a trillion domestic phone records within the United States each year, according to a letter Wired obtained that was sent by US senator Ron Wyden to the Department of Justice (DOJ) on Sunday, challenging the program’s legality.

According to the letter, a surveillance program now known as Data Analytical Services (DAS) has for more than a decade allowed federal, state, and local law enforcement agencies to mine the details of Americans’ calls, analyzing the phone records of countless people who are not suspected of any crime, including victims. Using a technique known as chain analysis, the program targets not only those in direct phone contact with a criminal suspect but anyone with whom those individuals have been in contact as well.

The DAS program, formerly known as Hemisphere, is run in coordination with the telecom giant AT&T, which captures and conducts analysis of US call records for law enforcement agencies, from local police and sheriffs’ departments to US customs offices and postal inspectors across the country, according to a White House memo reviewed by Wired.

Via John Gruber:

The information collected by DAS includes location data.


This is related to the entire U.S. phone system infrastructure — the old Ma Bell. Landline calls and calls from Verizon and T-Mobile cellular customers get routed through this AT&T system, and are thus surveilled by this same system.


It is completely unclear to me whether DAS/Hemisphere collects text messages — SMS, MMS, RCS — in addition to voice calls.


Publicly disclosed for the first time in September 2013 by the New York Times, the Hemisphere program provides police access to a database containing call records going back decades, combined with a sophisticated analytical system.


“Hemisphere” came to light amidst the public uproar over revelations that the NSA had been collecting phone records on millions of innocent people. However, Hemisphere wasn’t a program revealed by Edward Snowden’s leaks, but rather its exposure was pure serendipity: a citizen activist in Seattle discovered the program when shocking presentations outlining the program were provided to him in response to regular old public records requests.

But these documents only painted a partial portrait of the program, and since the New York Times’ initial reporting in 2013, EFF has filed its own Freedom of Information Act and state-level public records requests to learn more. The results have been frustrating, with various agencies providing highly and inconsistently redacted documents in what seems to be an attempt to further hide information from the public.

Via John Gruber:

This slide deck hosted by the EFF is one of those presentations, and worth your attention. The system’s capabilities are terrifying. From page 9 of that deck, highlighting Hemisphere’s “Special Features”:

  • Dropped Phones — Hemisphere uses special software that analyzes the calling pattern of a previous target phone to find the new number. Hemisphere has been averaging above a 90% success rate when searching for dropped phones.

  • Additional Phones — Hemisphere utilizes a similar process to determine additional cell phones the target is using that are unknown to law enforcement.


So the system analyzes not just the phone records of the target, but the records of every single number the target calls.

Jessica Lyons Hardcastle (Hacker News):

According to Senator Ron Wyden (D-OR), these searches “usually” happen without warrants. And after more than a decade of keeping people — lawmakers included — in the dark about Hemisphere, Wyden wants the Justice Department to reveal information about what he called a “long-running dragnet surveillance program.”


Privacy advocates including the Electronic Frontier Foundations have filed Freedom of Information Act and state-level public records lawsuits to learn more about the secret snooping program.


Although the program and its documents are not classified, the Justice Department has marked them as “Law Enforcement Sensitive,” meaning their disclosure could hurt ongoing investigations. This designation also prevents the documents from being publicly released.


Additionally, Hemisphere is not subject to a federal Privacy Impact Assessment due to its funding structure, it’s claimed. The White House doesn’t directly pay AT&T - instead the ONDCP provides a grant to the Houston High Intensity Drug Trafficking Area, which is a partnership between federal, state, and local law enforcement agencies. And this partnership, in turn, pays AT&T to operate this surveillance scheme.

See also: Using Metadata to find Paul Revere.


Section 24220: Advanced Impaired Driving Technology

Jon Miltimore (Hacker News):

“Marketed to Congress as a benign tool to help prevent drunk driving, the measure will mandate that automobile manufacturers build into every car what amounts to a ‘vehicle kill switch,’” wrote Barr, who was the Libertarian Party’s nominee for president in 2008.


To my relief, I saw several fact-checkers at legacy institutions had determined the “kill switch” mandate was not true.


Unfortunately, my relief evaporated once I looked at the bill itself.

Sec. 24220 of the law explicitly states: “[T]o ensure the prevention of alcohol-impaired driving fatalities, advanced drunk and impaired driving prevention technology must be standard equipment in all new passenger motor vehicles.”

The legislation then goes on to define the technology as a computer system that can “passively monitor the performance of a driver of a motor vehicle” and can “prevent or limit motor vehicle operation if an impairment is detected”.

Matt Posky:

There are now fact-checking websites that are designed to counter other fact-checking websites who likewise want to pretend to have the market cornered on factual information. In the end, the vast majority boils down to contradictory talking points and trying to shape a desired narrative. Nobody really knows what the legislation will bring into effect because the relevant decisions haven't been made yet by the National Highway Traffic Safety Administration (NHTSA).

But what is certain is that the provisions included within the trillion-dollar Infrastructure Investment and Jobs Act will eventually result in some form of driver monitoring. That’s likely to come by either an ignition interlocking device that would require drivers to utilize a breathalyzer before setting off, or some kind of comprehensive driver monitoring system that uses audio-visual cues to determine the driver’s present status.

The latter seems the more likely option. Modern automobiles are already loaded up with microphones and are capable of transmitting control inputs, positional data, and plenty more back to the manufacturer. The automotive industry has also begun installing in-cabin camera systems to help track what occupants are doing. Originally, the concept was floated as a way to safeguard from distracted driving. But it’s also more lucrative info for an industry that now seems completely obsessed with data mining its own customers.

There are privacy implications if the data is shared and the possibility of abuse if the system can be remotely controlled. But, even ignoring those issues, there will be false positives. I turned off my 2023 vehicle’s lane keeping assist feature, which seems comparatively simple, because it often nudges in the wrong direction. The system will in some cases incorrectly identify erratic driving or not realize that there may be a valid reason for it. And, though the goal is to prevent deaths by disabling cars, immobilizing a vehicle could also be fatal for its occupants or for those of other vehicles that it’s blocking. You can mandate a secure golden key, but what you end up with may be something else entirely.

See also: Lauren Fix.