At CES 2019, Yubico announced a dual-connector YubiKey that supports both USB-C and Lightning: "Yubico Launches the Security Key NFC and a Private Preview of the YubiKey for Lightning at CES 2019".
It is currently in Private Preview, and developers need to apply to Yubico:
If you are a developer or service that would like to support strong hardware authentication on iOS, we invite you to work with us by applying to participate in the YubiKey for Lightning Program. Selected participants will have access to the private preview of YubiKey for Lightning and also the Yubico Mobile iOS SDK for Lightning.
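It looks like a hardware limitation is keeping them from going the NFC route, though? And it would be funny if Apple switched the next-generation iPhone to USB-C...
On Hacker News I saw CERT's "Savitech USB audio drivers install a new root CA certificate", which notes that the Savitech USB audio driver installs its own Root CA: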
Savitech provides USB audio drivers for a number of specialized audio products. Some versions of the Savitech driver package silently install a root CA certificate into the Windows trusted root certificate store.
This comes from "Inaudible Subversion - Did your Hi-Fi just subvert your PC?" (the original site is no longer reachable; see the archived copy at https://archive.is/K6REr). The CVE identifier is CVE-2017-9758, and it was first reported by n3kt0n: "A certain organization's drivers silently install certificate in trusted root certificate authorities store [CVE-2017-9758]":
Mitre assigned this exposure the identifier CVE-2017-9758, but was initially tracked by HITCON ZeroDay project as ZD-2017-00386.
Two CA public keys get installed. There is no sign so far that the private key has leaked, but removing them as soon as possible is still recommended:
There is currently no evidence that the Savitech private key is compromised. However, users are encouraged to remove the certificate out of caution. The two known certificates are:
SaviAudio root certificate #1
Validity: Thursday, May 31, 2012 - Tuesday, December 30, 2036
Serial number: 579885da6f791eb24de819bb2c0eeff0
SaviAudio root certificate #2
Validity: Thursday, December 31, 2015 - Tuesday, December 30, 2036
Serial number: 972ed9bce72451bb4bd78bfc0d8b343c
Savitech has also released a new version of the driver that does not include the Root CA:
Savitech has released a new driver package to address the issue. Savitech drivers version 18.104.22.168 or later do not install the root CA certificate. Users still must remove any previously installed certificate manually.
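From the explanation, it looks like this was done back then to support Windows XP, but Microsoft no longer provides digital signatures for drivers, so they had to resort to this...
With this feature, Amazon Device Farm takes another step toward being a device rental service: "Amazon Device Farm Launches Direct Device Access for Private Devices".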
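The manual check the CERT note asks for, as an added example (not code from CERT, Savitech or the original post): PowerShell that searches the machine and user trusted root stores for the two serial numbers quoted above. The store paths are the standard certificate-provider paths, and the removal line is left commented out so the matches can be reviewed first.

```powershell
# Serial numbers of the two SaviAudio root certificates, copied from the
# CERT note quoted above.
$saviSerials = @(
    '579885da6f791eb24de819bb2c0eeff0',
    '972ed9bce72451bb4bd78bfc0d8b343c'
)

# A root can be trusted machine-wide or only for the current user; check both.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$hits = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object {
            # .SerialNumber is an upper-case hex string; normalise before comparing.
            $saviSerials -contains $_.SerialNumber.ToLowerInvariant()
        } |
        Select-Object @{ n = 'Store'; e = { $store } },
                      Subject, SerialNumber, Thumbprint,
                      NotBefore, NotAfter, PSPath
}

if ($hits) {
    # Show what matched so the validity dates can be compared with the advisory.
    $hits | Format-List Store, Subject, SerialNumber, Thumbprint, NotBefore, NotAfter

    # Removal: review the output first. LocalMachine needs an elevated shell.
    # $hits | ForEach-Object { Remove-Item -Path $_.PSPath }
}
else {
    'No certificate with the listed SaviAudio serial numbers is in the trusted root stores.'
}
```

Installing the updated driver does not remove a certificate that is already present, so the check is worth running on any machine that ever had the older package.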
Now, with direct device access, mobile applications developers can use individual devices in their private test set as if they were directly connected to their local machine via USB. Developers can now test against a wide array of devices just like they would as if the devices were sitting on their desk.
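Benson Leung has spent a lot of time testing USB cables ("A Google engineer's brilliant reviews of USB-C cables on Amazon..." and "A Google engineer's reviews of Type C USB cables on Amazon"), and a while ago he tested a truly "great" USB cable that fried all three of his test devices: (from here)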
Surjtech's A-to-C cable seriously damaged a Pixel 2 laptop and two USB PD analyzers.
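From the write-up he left on Amazon, you can see he found that the manufacturer had simply wired GND and Vbus the wrong way round (now that is impressive...):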
I directly analyzed the Surjtech cable using a Type-C breakout board and a multimeter, and it appears that they completely miswired the cable. The GND pin on the Type-A plug is tied to the Vbus pins on the Type-C plug. The Vbus pin on the Type-A plug is tied to GND on the Type-C plug.
I've had the cable taken apart, and we've discovered some interesting details. I'll post a post with pictures soon.
1) Vbus and Gnd are switched. Red wire goes to G on the Type-C's PCB, Black wire goes to V.
2) 10 kΩ resistor instead of 56 kΩ resistor used.
3) resistor hooked up as a Pull-down instead of a pull-up
4) Wire is COMPLETELY missing SuperSpeed wires. It is NOT actually a USB 3.1 cable, even though it has a blue connector on the A side and SuperSpeed logos.
Bad. So bad.
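The photos can be seen here. It looks like Benson Leung will have to go ask inside Google for new machines to test with...
I remember it had sound when I first bought it, and then one day the sound suddenly stopped... I tried a bunch of things that did not help (switching kernel versions, disabling xHCI, swapping USB cables, ...), and finally found the fix in "Benchmark DAC2 HGC impressions (and Linux setup notes)".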
DAC2's USB 1.0 mode doesn't work with Linux kernel 3.8.x, but USB 2.0 does. So switch it to USB 2.0 and forget about it. Next, I figured that the audio was simply being muted in some instances. The solution is to open a terminal window, run AlsaMixer, hit F6 to configure the DAC 2. Even though their levels cannot be altered (they're fixed at 00), the first two items must be unmuted in order to get any sound:
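As the article says, USB 1.0 mode (detected as "Benchmark DAC2 USB Audio 1.0") does not work, while USB 2.0 does (detected as "Benchmark DAC2 USB Audio 2.0"), but there is no sound during playback.
Run alsamixer, press F6 once inside and select Benchmark DAC2, then unmute the first two items with the m key and that is it:
I learned a bunch of low-level tools for inspecting USB because of this...
The explanation from pid.codes is quite clear: "Welcome to pid.codes".
Because USB-IF charges each vendor USD$5000, and the ID may not be shared with other parties: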
If you’re a maker, hobbyist, or startup company producing your own USB device, you’ve probably discovered that you need a USB Vendor ID and Product ID to uniquely identify your device to computers. The USB-IF’s position is that the only way to do this is for each organisation to pay $5000 for a unique Vendor ID, which they may not share with other individuals or organisations.
So this has led many people to mess around with Vendor IDs and Product IDs:
For many makers and small companies, this is a prohibitive amount of money, and forces them to resort to workarounds, such as using other organisations' VIDs without permission, or simply making up a VID and PID. These solutions make things worse for everyone, by damaging the assumption that a VID/PID combination is unique to a given device.
They looked for a solution and obtained a Vendor ID that was issued before USB-IF prohibited sharing, which solves the problem:
pid.codes seeks to solve this issue for anyone producing open-source hardware. We have been gifted a Vendor ID by a company that was issued one by USB-IF and has since ceased trading; they obtained the Vendor ID before the USB-IF changed their licensing terms to prohibit transfers or subassignments.
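Just a few days ago the Tor Project guessed that it would be attacked ("Tor officially predicts it will be attacked"), and in today's Hacker News Daily I saw that machines had been seized: "[tor-talk] Warning: Do NOT use my mirrors/services until I have reviewed the situation".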
Tonight there has been some unusual activity taking place and I have now lost control of all servers under the ISP and my account has been suspended. Having reviewed the last available information of the sensors, the chassis of the servers was opened and an unknown USB device was plugged in only 30-60 seconds before the connection was broken. From experience I know this trend of activity is similar to the protocol of sophisticated law enforcement who carry out a search and seizure of running servers.
The sensors detected the chassis being opened and a USB device being plugged in, after which control of the machines was lost.