便宜的 HSM

當然速度就不用想太多了...

一個是 Yubico 推出的 YubiHSM 2:「YubiHSM 2 is here: Providing root of trust for servers and computing devices」。

另外一個是 Mozilla 在 2013 年提到的 CryptoStick,不過現在連過去看到的是 Nitrokey HSM:「Using CryptoStick as an HSM」。

兩個都是走 USB 1.1 Type A,運算效能都普普通通,感覺自己用比較合適?像是 GnuPG 加解密。拿給線上服務用的效能還是要夠好...

Savitech (盛微) 的 USB 音效驅動程式會安裝 Root CA (被發了 CVE-2017-9758)

Hacker News 上看到 CERT 的「Savitech USB audio drivers install a new root CA certificate」提到 Savitech USB audio driver 會安裝自己的 Root CA:

Savitech provides USB audio drivers for a number of specialized audio products. Some versions of the Savitech driver package silently install a root CA certificate into the Windows trusted root certificate store.

出自「Inaudible Subversion - Did your Hi-Fi just subvert your PC? (原網站已經無法訪問,參考備份連結 https://archive.is/K6REr)」,CVE 編號是 CVE-2017-9758,最初是由 n3kt0n 提出的:「某單位 drivers silently install certificate in trusted root certificate authorities store [CVE-2017-9758]」:

Mitre assigned this exposure the identifier CVE-2017-9758, but was initially tracked by HITCON ZeroDay project as ZD-2017-00386.

有兩把 CA public key 被塞進去。雖然目前還沒有徵兆 private key 有外洩,但還是建議儘快移除:

There is currently no evidence that the Savitech private key is compromised. However, users are encouraged to remove the certificate out of caution. The two known certificates are:

SaviAudio root certificate #1
‎Validity: Thursday, ‎May ‎31, ‎2012 - ‎Tuesday, ‎December ‎30, ‎2036
Serial number: 579885da6f791eb24de819bb2c0eeff0
Thumbprint: cb34ebad73791c1399cb62bda51c91072ac5b050

SaviAudio root certificate #2
Validity: ‎Thursday, ‎December ‎31, ‎2015 - ‎Tuesday, ‎December ‎30, ‎2036
Serial number: ‎972ed9bce72451bb4bd78bfc0d8b343c
Thumbprint: 23e50cd42214d6252d65052c2a1a591173daace5

另外 Savitech 也放出了新版的 driver,不包含 Root CA:

Savitech has released a new driver package to address the issue. Savitech drivers version 2.8.0.3 or later do not install the root CA certificate. Users still must remove any previously installed certificate manually.

看了一下說明,看起來是當時為了支援 Windows XP 而做的,但微軟已經不提供驅動程式的數位簽章了,所以就只好這樣搞...

Amazon Device Farm 支援讓使用者直接連上去 debug 了...

Amazon Device Farm 推出這樣的功能又朝著設備租賃服務更進一步了:「Amazon Device Farm Launches Direct Device Access for Private Devices」。

Now, with direct device access, mobile applications developers can use individual devices in their private test set as if they were directly connected to their local machine via USB. Developers can now test against a wide array of devices just like they would as if the devices were sitting on their desk.

這樣就可以使用更底層的東西了...

因為一條 USB 線燒了三個設備...

Benson Leung 花了不少時間在測試 USB 線 (「Google 工程師在 Amazon 上留下對 USB-C 線的精彩評價...」與「Google 工程師在 Amazon 上對 Type C USB 線的評論」),而前陣子他測到一條超棒的 USB 線,把他三個測試設備都燒壞了:(出自這邊)

Surjtech's A-to-C cable seriously damaged a Pixel 2 laptop and two USB PD analyzers.

他在 Amazon 上留下的說明可以看到他發現廠商直接把 GND 與 Vbus 的線接錯了 (這個有厲害...):

I directly analyzed the Surjtech cable using a Type-C breakout board and a multimeter, and it appears that they completely miswired the cable. The GND pin on the Type-A plug is tied to the Vbus pins on the Type-C plug. The Vbus pin on the Type-A plug is tied to GND on the Type-C plug.

另外在回覆裡也有更完整的說明:

I've had the cable taken apart, and we've discovered some interesting details. I'll post a post with pictures soon.

1) Vbus and Gnd are switched. Red wire goes to G on the Type-C's PCB, Black wire goes to V.
2) 10 kΩ resistor instead of 56 kΩ resistor used.
3) resistor hooked up as a Pull-down instead of a pull-up
4) Wire is COMPLETELY missing SuperSpeed wires. It is NOT actually a USB 3.1 cable, even though it has a blue connector on the A side and SuperSpeed logos.

Bad. So bad.

照片可以在這邊看到。看起來 Benson Leung 得再去 Google 內要新的機器來測試了...

Google 工程師在 Amazon 上對 Type C USB 線的評論

先前提到「Google 工程師在 Amazon 上留下對 USB-C 線的精彩評價...」,後來這位工程師 Benson Leung 寫了更多的評價出來,在「Amazon.com: Profile for Benson Leung」這邊可以看到。

可以看到大量的線被打了兩顆星,不過還是少數有幾條線測過了:

35 條只過了 6 條,看起來狀況不太好啊 XDDD

Benchmark DAC2 HGC 在 Ubuntu 14.04 LTS 下使用 USB 沒有聲音的問題

記得剛買來的時候是有聲音的,後來突然有一天沒聲音... 試了一堆方法都沒用 (換 kernel 版本、禁用 xHCI、換 USB 線、...),最後是在「Benchmark DAC2 HGC impressions (and Linux setup notes)」這邊看到方法。

這邊有幾個重點:

DAC2's USB 1.0 mode doesn't work with Linux kernel 3.8.x, but USB 2.0 does. So switch it to USB 2.0 and forget about it. Next, I figured that the audio was simply being muted in some instances. The solution is to open a terminal window, run AlsaMixer, hit F6 to configure the DAC 2. Even though their levels cannot be altered (they're fixed at 00), the first two items must be unmuted in order to get any sound:

如同文章裡說的,USB 1.0 模式 (會抓到「Benchmark DAC2 USB Audio 1.0」) 是不會動的,而 USB 2.0 可以 (會抓到「Benchmark DAC2 USB Audio 2.0」),但播放時沒有聲音。

解法則是使用 alsamixer,進入後按 F6 選 Benchmark DAC2,將前面兩個用 m 給 unmute 掉就好了:

為此學到一堆底層看 USB 的工具...

為 Open Source Hardware 發放 USB Product ID 的 pid.codes

pid.codes 的說明就很清楚了:「Welcome to pid.codes」。

由於 USB-IF 對每個 vendor 收 USD$5000,而且不可以跟其他單位共用:

If you’re a maker, hobbyist, or startup company producing your own USB device, you’ve probably discovered that you need a USB Vendor ID and Product ID to uniquely identify your device to computers. The USB-IF’s position is that the only way to do this is for each organisation to pay $5000 for a unique Vendor ID, which they may not share with other individuals or organisations.

所以就造成很多人惡搞 Vendor ID 與 Product ID:

For many makers and small companies, this is a prohibitive amount of money, and forces them to resort to workarounds, such as using other organisations' VIDs without permission, or simply making up a VID and PID. These solutions make things worse for everyone, by damaging the assumption that a VID/PID combination is unique to a given device.

而他們尋求解決方案,取得了一份在 USB-IF 禁止共用前的 Vendor ID,從而解決這個問題:

pid.codes seeks to solve this issue for anyone producing open-source hardware. We have been gifted a Vendor ID by a company that was issued one by USB-IF and has since ceased trading; they obtained the Vendor ID before the USB-IF changed their licensing terms to prohibit transfers or subassignments.

對 Tor 的攻擊開始了...

先前幾天 Tor 官方才猜測會被攻擊 (Tor 官方預測將會被攻擊),在今天的 Hacker News Daily 就看到有機器被扣:「[tor-talk] Warning: Do NOT use my mirrors/services until I have reviewed the situation」。

Tonight there has been some unusual activity taking place and I have now lost control of all servers under the ISP and my account has been suspended. Having reviewed the last available information of the sensors, the chassis of the servers was opened and an unknown USB device was plugged in only 30-60 seconds before the connection was broken. From experience I know this trend of activity is similar to the protocol of sophisticated law enforcement who carry out a search and seizure of running servers.

偵測到機器被打開,並且插入 USB device,接下來失去對機器的控制權。

很特別的 Side-channel attack 方法以取得 RSA 與 ElGamel 的 private key

在「A new Side channel attack-how to steal encryption keys by touching PCs」這邊看到一種很特別的 side-channel attack:(直接先看圖)

引用說明:

The signal can also be measured at the remote end of Ethernet, VGA or USB cables.

方法愈來愈特別了 XDDD