Digital Restrictions (DRM) and Spying, Proprietary Software and (In)Security
macOS Leaks Application Usage, Forces Apple to Make Hard Decisions
Last week, users of macOS noticed that attempting to open non-Apple applications while connected to the Internet resulted in long delays, if the applications opened at all. The interruptions were caused by a macOS security service attempting to reach Apple’s Online Certificate Status Protocol (OCSP) server, which had become unreachable due to internal errors. When security researchers looked into the contents of the OCSP requests, they found that these requests contained a hash of the developer’s certificate for the application that was being run, which was used by Apple in security checks.[1] The developer certificate contains a description of the individual, company, or organization which coded the application (e.g. Adobe or Tor Project), and thus leaks to Apple that an application by this developer was opened.
Moreover, OCSP requests are not encrypted. This means that any passive listener also learns which application a macOS user is opening and when.[2] Those with this attack capability include any upstream service provider of the user; Akamai, the ISP hosting Apple’s OCSP service; or any hacker on the same network as you when you connect to, say, your local coffee shop’s WiFi. A detailed explanation can be found in this article.
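Added example (not from the quoted article or from Apple): the OCSP request format is defined in RFC 6960, and the CertID inside it carries a hash of the issuer's name, a hash of the issuer's public key and the serial number of the certificate being checked; for a Developer ID leaf, that serial is the value that pins down one developer's certificate. The code below builds one such request the way a client would, then decodes it the way a passive listener on the same network would. It is pure standard library and makes no network call. The issuer name, key bytes and the serial-to-developer table are constructed stand-ins, not Apple's real values.

```python
"""Added example: what a passive observer learns from an unencrypted OCSP request.

Build side mirrors what a client sends; parse side is the sniffer. Everything is
constructed sample data; nothing here is Apple's real CA or a real developer.
"""
import hashlib

SHA1_OID = bytes.fromhex("2b0e03021a")  # id-sha1, OID 1.3.14.3.2.26

# --- minimal DER helpers --------------------------------------------------

def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(n):
    # n >= 0; the extra byte keeps the top bit clear so the INTEGER stays positive
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def der_read(buf, pos=0):
    """Return (tag, contents, position just after the element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

# --- client side: the request that goes out over plain HTTP ---------------

def build_ocsp_request(issuer_name_der, issuer_key_der, serial, version=None):
    cert_id = tlv(0x30,
        tlv(0x30, tlv(0x06, SHA1_OID) + tlv(0x05, b""))       # hashAlgorithm
        + tlv(0x04, hashlib.sha1(issuer_name_der).digest())    # issuerNameHash
        + tlv(0x04, hashlib.sha1(issuer_key_der).digest())     # issuerKeyHash
        + der_int(serial))                                      # serialNumber
    request_list = tlv(0x30, tlv(0x30, cert_id))               # SEQUENCE OF Request
    tbs_body = request_list
    if version is not None:                                     # optional [0] EXPLICIT version
        tbs_body = tlv(0xA0, der_int(version)) + tbs_body
    return tlv(0x30, tlv(0x30, tbs_body))                      # OCSPRequest { TBSRequest }

# --- observer side: decode what was sniffed ------------------------------

def parse_ocsp_request(raw):
    _, tbs_tlv, _ = der_read(raw)              # OCSPRequest contents = TBSRequest TLV
    _, tbs, _ = der_read(tbs_tlv)              # TBSRequest contents
    pos = 0
    while tbs[pos] & 0xC0 == 0x80:             # skip [0] version / [1] requestorName
        _, _, pos = der_read(tbs, pos)
    _, request_list, _ = der_read(tbs, pos)
    out, pos = [], 0
    while pos < len(request_list):
        _, request, pos = der_read(request_list, pos)
        _, cert_id, _ = der_read(request)
        p = 0
        _, _, p = der_read(cert_id, p)         # hashAlgorithm, not needed here
        _, name_hash, p = der_read(cert_id, p)
        _, key_hash, p = der_read(cert_id, p)
        _, serial, p = der_read(cert_id, p)
        out.append({
            "issuer_name_hash": name_hash.hex(),
            "issuer_key_hash": key_hash.hex(),
            "serial": int.from_bytes(serial, "big", signed=True),
        })
    return out

# Constructed stand-ins for an issuing CA's DER Name and public key bytes.
ISSUER_NAME = b"constructed: CN=Example Developer ID CA"
ISSUER_KEY = b"constructed: public key bytes"
# Constructed serial -> developer table, the kind an observer could assemble
# from the signing certificates embedded in downloaded application bundles.
KNOWN_SERIALS = {
    0xA1B2C3D4E5F60718: "Example Browser Vendor",
    0x0102030405060708: "Example VPN Vendor",
}

def identify_app_launch(raw):
    """What the listener concludes from one sniffed request."""
    return [KNOWN_SERIALS.get(i["serial"], "unknown serial %x" % i["serial"])
            for i in parse_ocsp_request(raw)]

if __name__ == "__main__":
    wire = build_ocsp_request(ISSUER_NAME, ISSUER_KEY, 0xA1B2C3D4E5F60718)
    print(wire.hex())
    print(identify_app_launch(wire))
```

The issuer hashes are the same for every certificate the same CA issued, so on their own they only say "a Developer ID signed app was launched"; it is the serial number, combined with a table like KNOWN_SERIALS, that names the developer. Nothing in the request is encrypted or signed by the client, so anyone who can read the HTTP traffic gets the same result as the parser above.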
Microsoft developing ‘Pluton’ security chip for Windows
Microsoft will work with Intel, Advanced Micro Devices Inc. and Qualcomm Inc. to help them build Pluton into their personal computer processors. Firmware updates to CPU-integrated Pluton chips will be released by Microsoft as part of Windows updates.
Microsoft's new 'Pluton' security processor gets buy-in from Intel, AMD
Advocates of the new security chip, known as Pluton, say it will cut off a key vector for data-stealing attacks: a communication channel between a computing system’s central processing unit (CPU) and another piece of hardware known as the trusted platform module (TPM). In one example of that type of attack, researchers from security company NCC Group in 2018 showed how an attacker could undermine the booting process for “a large number of TPM-enabled computing platforms.”
The Pluton chip will be built into Windows computers through “future chips” made by AMD, Intel and Qualcomm, Microsoft said. It’s unclear when, exactly, all of that hardware will be on the market. Microsoft would only say that the work is ongoing.
Apple Reduces App Store Commission for Small Businesses
Apple has been getting hit by app developers lately for its commission policy of taking 30 percent of all purchases. It has made a change that makes it seem like it will benefit smaller businesses, but critics say it really doesn’t mean much.
Apple spins better than Warnie as it backs down on AppStore commission
The fact that even a company valued at US$2 trillion (A$2.7 trillion) has to sometimes heed public sentiment has been aptly illustrated by Apple announcing overnight that it would be lowering its take on apps sold from its App Store to 15% for small businesses that pull in less than a million.
Nordea [crackers] face prison and hefty fines, court rules [iophk: Windows TCO]
Ostrobothnia District Court on Tuesday sentenced two men to prison terms as well as fines and compensation payments after finding the pair guilty of [cracking] into Nordea Bank's computer system in an attempt to steal several million euros.
The M1 Macs
Apple, in its keynote last week, emphasized that the M1 MacBook Air has no fan. (Intel-based MacBook Airs most definitely do. The defunct 12-inch no-adjective MacBook was Apple’s only fanless Intel Mac.) Apple’s point there was to brag that the M1 runs so cool that a high-performance MacBook could be designed without one. Some Mac users, I think, mistakenly took this to mean that the Air had an advantage over the M1 MacBook Pro, in that the fanless Air would always run silently, if sometimes slower. I think this assumption was wrong: the M1 MacBook Pro is, to my ears, always silent as well. Whatever its active cooling system is doing, it isn’t making even a whisper of noise.
No Intel-based laptop with vaguely comparable performance to these machines can possibly match that silence. If you care about noise, the game is already over.
Security updates for Thursday
Security updates have been issued by Arch Linux (chromium and firefox), CentOS (bind, curl, fence-agents, kernel, librepo, libvirt, microcode_ctl, python, python3, qt and qt5-qtbase, resource-agents, and tomcat), Debian (drupal7, firefox-esr, jupyter-notebook, packer, python3.5, and rclone), Fedora (firefox), Mageia (firefox, nss), openSUSE (gdm, kernel-firmware, and moinmoin-wiki), Oracle (net-snmp), SUSE (libzypp, zypper), and Ubuntu (c-ares).
We can’t move forward by looking back – Open Source Security
For the last few weeks Kurt and I have been having a lively conversation about security ratings scales. Is CVSS good enough? What about the Microsoft scale? Are there other scales we should be looking at? What’s good, what’s missing, what should we be talking about.
There’s been a lot of back and forth and different ideas; over the course of our discussions I’ve come to realize an important aspect of security, which is that we don’t look forward very often. What I mean by this is there is a very strong force in the world of security to use prior art to drive our future decisions. Except all of that prior art is comically out of date in the world of today.
An easy example is existing security standards. All of the working groups that build the standards, and the ideas the working groups bring to the table, are using ideas from the past to solve problems for the future. You can argue that standards are at best a snapshot of the past, made in the present, to slow down the future. I will elaborate on that “slow down the future” line in a future blog post; for now I just want to focus on the larger problem.
It might be easiest to use an example; I shall pick on CVSS. The vast majority of ideas and content in a standard such as CVSS is heavily influenced by what once was. If you look at how CVSS scores things, it’s clear a computer in a datacenter was in mind for many of the metrics. That was fine a decade ago, but it’s not fine anymore. Right now anyone overly familiar with CVSS is screaming “BUT CVSS DOESN’T MEASURE RISK, IT MEASURES SEVERITY”, to which I will say: you are technically correct, nobody cares, and nobody uses it like this. Sit down. CVSS is a perfect example of the theory being out of touch with reality.
Linux Foundation, CNCF Launch Kubernetes Security Specialist Certification
