This is consistent with expected behavior from my point of view. A bug in Safari's controls would not infect the website. The site clearly sends a policy and Safari clearly follows it. Perfectly sensible behavior.
Of course CSP does not allow a way to say -> browser controls are okay. Hence, a debate is quite welcome on whether such a specification is needed.
The most plausible hypothesis of how this attack works is by corrupting firmware loaded at power-on time over SPI. Secure boot would absolutely protect from that by rejecting the signature of the modified code.
But hey, I get that Newsy groupthink means secure boot bad.
> is by corrupting firmware loaded at power-on time over SPI.
> Secure boot would absolutely protect from that by rejecting the signature of the modified code.
Why couldn't you also change out the keys so the signature does match?
Doing so means compromising the TPM on the BMC module which is much harder to do. It's not something that can be done downstream in the supply chain, as this attack is purported to have been.
Secure boot is in no way bad :-) Of course, it must in fact be the first point on any sane security checklist.
And one of the most common attacks, a.k.a. malicious firmware, is prevented by using secure boot.
Many other classes of attacks like forcing the microcontroller to delete all its data, opening up the debug JTAG port of the microcontroller, preventing the log of certain security events etc. can be achieved with the right settings.
Though these are just remote possibilities with high levels of complexity, so is changing a production design of a board.
Thanks for sharing. I was wondering, why do we need the sleeve? Can the voltage boosting module be part of the remote itself? Isn't that what a dc-dc module does?
In case the remainder of the electronics cannot work with the low voltage directly, often a boost converter is integrated in the device. Remotes mostly don't: their electronics can run at very low voltage; at the end of the battery life, the range is reduced because the IR LED produces less light.
There's no reason you can't put a voltage boost circuit into a device other than it would be cheaper not to and consumers will blame the batteries, not your device, if you don't. (Also, if your device functions fine with low voltage batteries there is no need to.)
A single cell AA lithium likely already has a 3.7v (IIRC) to 1.5v step down, but also likely has a cut-off voltage to protect the internal cell too.
If it's built-in lithium then you're as likely to put in a step-down or a buck-boost to regulate raw lithium cell pack voltages to whatever the device needs internally, but that also needs a self-protection cutoff.
I understand what you mean. But in my remote, the batteries are not arranged in serial; they are arranged in parallel. That being the case, my remote can see both terminals of a given battery. Hence, I fail to see why the mechanism cannot be implemented as part of such devices.
The same applies to my wall-clock (which uses a single battery).
They can be. And in fact, in plenty of electronic devices they are, since operating from a variable supply voltage is not an option, so the typical battery-powered device uses a dc-dc converter like the one in the article, only it does not operate on a single cell but on all cells in series. And that works just fine.
> But in my remote, the batteries are not arranged in serial; they are arranged in parallel
Are you sure? That's pretty uncommon. Are the poles oriented in the same direction or opposite ones? Is one set of poles connected to a pair of terminals shared by a single conductor and the other set using two distinct terminals?
I need a general purpose email. I am about to sign up an IRC nick. Not sure if I actually have to retain the address so I am hesitant to use Guerrilla Mail etc?
I still don't understand HN's algo. The current 1st post has 301 points in 7 hrs while this post has 301 points in 3 hours but is on the second page??
Posts like this get massive upvotes but they also get massive flags. The upvotes make the post go up and the flags make it go down. That's what happened here.
Any other projects affected? Would be nice to start a list of all affected projects. This could also be a case of a targeted attack on the GIMP account.
Several of those are projects that were never hosted at SourceForge, aren't they? Firefox, for example, I don't believe was ever an SF project. WordPress, I don't recall ever seeing on SourceForge. Are they altering the binaries they are posting on their "mirror"?
I downloaded the bitcoin .exe, and it came clean, with the right signatures, but who knows how they are distributing the stuff. I have an Ubuntu computer. If they're at least a bit smart they will use their download redirects to serve the spyware only to Windows computers or something, so that could be why I got a clean binary. Bitcoin devs investigated, at my request. They removed the sf-editor1 user from the project owners and checked the binaries to see if sigs matched, and they did. But like I said, they could be filtering who they serve the "spyware" to.
The official win32 GIMP installers were not made by SourceForge, but by the GIMP contributor now locked out of managing the relevant SourceForge account. The same win32 installers that used to be provided on SourceForge are now provided from gimp.org directly (http://download.gimp.org/pub/gimp/v2.8/windows/). The problem is the nice binaries being replaced by SourceForge-made installers that also install adware.
wget at least isn't affected, as long as you copy the link from the files page (the one that normally displays ads and a countdown timer in browser - it'll download the file directly with wget, since they apparently do user-agent sniffing).
What does the SourceForge shell access get you? If it's only the ability to edit your website and maybe your code (and not install, compile, etc. things), is it valuable in a world with git-push-to-deploy and with web-based editors?
Trivial, technically, but can still be an unwanted cost for projects that push a lot of bits out. Our software at SF.net burns through several terabytes of bandwidth each year for several million package downloads. We've always appreciated their network of mirrors. But, it seems like it's time to move away from SourceForge.
We already relocated our revision control to GitHub (though I'm considering another move to a self-hosted thing on Phabricator or Gogs or GitLab, as I'm more cautious about using third party services for this kind of stuff these days).
The thing is, it's not exactly "their" network of mirrors. They mostly rely on third-party mirrors run by universities and other organisations that offer mirroring for free to a bunch of major open source projects and sites.
You are not paranoid. You could use Chromium which has relatively fewer connections to Google servers. You could also look at alternative browsers that have been forked from the Chromium project with an emphasis on privacy.
For example: WhiteHat Aviator.
If you are comfortable changing settings of the browser, you could disable most of the Google connections from the browser. [The first things I recommend changing are the search URL, disable auto-completion, bad site checking etc.] Then you have the do not track header...
Of course, if browsing privacy is your biggest concern, the safest browser is Lynx ;) [Though not truly practical for most cases]
Thanks for the reply. Of course, I disabled all the privacy settings that I can through settings in Chromium. But still, I could not avoid connections on startup on Chromium. It generally is not a problem, but I do not want Google to know whenever I open the browser :)