Cavium (acquired by Marvell) is listed as a SIGINT "enabled" vendor in the Snowden leaks

The title may be a little hard to parse. Put simply: something troubling turned up in the material Snowden leaked back in 2013. Cavium (now part of Marvell) CPUs may have had backdoors implanted, and their chips are used in the "security products" of a whole pile of vendors.

As mentioned on X (Twitter):

The passage can be found in the 2022 document "Communication in a world of pervasive surveillance", on page 71 as numbered in the document (page 90 of the PDF), note 21:

While working on documents in the Snowden archive the thesis author learned that an American fabless semiconductor CPU vendor named Cavium is listed as a successful SIGINT "enabled" CPU vendor. By chance this was the same CPU present in the thesis author’s Internet router (UniFi USG3). The entire Snowden archive should be open for academic researchers to better understand more of the history of such behavior.

Ubiquiti takes a direct hit...

On the other hand, the Hacker News discussion "Snowden leak: Cavium networking hardware may contain NSA backdoor (twitter.com/matthew_d_green)" makes this an even bigger headache. For instance, Cavium once put out a press release saying they are a supplier for AWS CloudHSM: "Cavium's LiquidSecurity® HSM Enables Hybrid Cloud Users to Synchronize Keys Between AWS CloudHSM and Private Clouds".

And a user confirmed seeing Cavium in their logs:

Ayup. We use AWS CloudHSM to hold our private signing keys for deploying field upgrades to our hardware. And when we break the CI scripts I see Cavium in the AWS logs.

Now I gotta take this to our security team and figure out what to do.

And of all things it is CloudHSM, something that architecturally sits almost at the root of trust...

Many VPNs on the market are actually operated by Chinese companies

"Hidden VPN owners unveiled: 97 VPN products run by just 23 companies" analyzes the companies behind the VPN industry.

Two things stand out. First, many companies (or groups) own multiple VPN brands (some as many as ten), so if you intend to spread risk across several VPN providers, check this when picking them:

Second, many of them are operated by Chinese nationals or Chinese companies:

We discovered that a good amount of the free mobile-only VPNs are owned by Chinese companies, or companies run by Chinese nationals.

  • Innovative Connecting (10 VPN apps): Director Danian “Danny” Chen is a Chinese national (Chen’s LinkSure is the sole shareholder and shares the same address as Innovative Connecting)
  • Hotspot VPN (5 VPN apps): Director Zhu Jianpeng has a residential address in Heibei Province in China
  • Hi Security (3 apps): the VPN apps are part of Shenzhen HAWK Internet, a subsidiary of the Chinese major company TCL Corporation
  • SuperSoftTech (2 apps): while officially owned by Singapore-based SuperSoftTech, it actually belongs to independent app publisher Jinrong Zheng, a Chinese national based in Beijing.
  • LEILEI (2 apps): by the titles of the VPNs (all written in Chinese characters), it’s likely that this developer is Chinese or based in China
  • Newbreed Network Pte.Ltd (6 apps): again, while it has a Singapore address, the websites for its VPN apps SGreen VPN and NodeVPN are completely in Chinese, while NodeVPN’s site lists the People’s Republic of China as its location.

These companies and products should simply be avoided... If you are able to, running your own on a public cloud is still the safer choice.

Amazon must answer for harm caused by products it sells

A rather eye-catching case from a few days ago: Amazon was ruled liable for products that marketplace sellers sold through the Amazon platform: "Federal appeals court says Amazon is liable for third-party sellers' products".

In this case a consumer bought a hoverboard from a seller listed on Amazon's platform, and it blew up the consumer's house:

Last year, a judge in Tennessee ruled the company was not liable for damages caused by a defective hoverboard that exploded, burning down a family's house.

The latest ruling points out that Amazon's agreement requires consumers to communicate with sellers only through the Amazon platform, leaving no direct channel between seller and consumer to resolve disputes, so Amazon cannot disclaim liability:

"Amazon fails to account for the fact that under the Agreement, third-party vendors can communicate with the customers only through Amazon," the ruling states. "This enables third-party vendors to conceal themselves from the customer, leaving customers injured by defective products with no direct recourse to the third-party vendor."

This ruling looks like it will have a big impact, because those terms exist precisely so the platform operator can profit as the middleman, and now they have turned around and bitten it... An appeal seems unavoidable? Let's check back in a few months...

Percona announces PostgreSQL support...

Somewhat unexpectedly, Percona has announced PostgreSQL support: "Percona Expands Services Offerings with PostgreSQL Support". It looks like they have built a team that knows PostgreSQL and are going into that business...

We should start seeing PostgreSQL-related articles on their site. On the other hand, for those paying for Percona services, everything can now be bundled with a single vendor (from the three MySQL-family databases MySQL, MariaDB and Percona Server, to MongoDB, and now the PostgreSQL support announced yesterday):

As a result, organizations can, for the first time, work with a single trusted vendor to meet their support needs for MySQL, MongoDB, MariaDB, PostgreSQL, or any hybrid combination of these database technologies, whether deployed on-premises, in the cloud, or in a Database as a Service (DBaaS) environment.

And maybe we'll get to see a Percona-customized PostgreSQL?

The Badlock security issue affects both Windows and Samba

A few days ago a security issue common to Windows and Samba, called Badlock, was announced: "Hype Around the Mysterious ‘Badlock’ Bug Raises Criticism (WIRED)". But the bug will not be disclosed until 4/12:

On April 12th, 2016, a crucial security bug in Windows and Samba will be disclosed. We call it: Badlock.

Leaving a full three weeks for others to find the problem is very unusual, mainly because enough information has already been given away to dig it out. The name is Badlock, which suggests some kind of lock plus race condition, and since Windows and Samba are both affected, it is probably in code that Microsoft and Samba developed together, or some kind of protocol workflow problem.

It's especially interesting in this case since we have a name "Badlock" so we know it probably involves locking. We know it affects Samba and Windows. And we know who it was found by so we can look at which bits of Samba they've been working on lately. That's a lot of information for a clever person.

I expect someone will publish it within these three weeks; there is simply too much information out there right now. Worse, the outcome might not be a public 0-day exploit but the vulnerability ending up on the black market to be exploited.

Announcing the vulnerability first and then giving vendors three weeks to patch looks like a research team drumming up publicity for its own fame while botching the actual security problem.

pid.codes, which issues USB Product IDs for Open Source Hardware

The pid.codes explanation is clear enough: "Welcome to pid.codes".

Because USB-IF charges every vendor USD$5000, and the ID may not be shared with other organisations:

If you’re a maker, hobbyist, or startup company producing your own USB device, you’ve probably discovered that you need a USB Vendor ID and Product ID to uniquely identify your device to computers. The USB-IF’s position is that the only way to do this is for each organisation to pay $5000 for a unique Vendor ID, which they may not share with other individuals or organisations.

This pushes a lot of people into abusing Vendor IDs and Product IDs:

For many makers and small companies, this is a prohibitive amount of money, and forces them to resort to workarounds, such as using other organisations' VIDs without permission, or simply making up a VID and PID. These solutions make things worse for everyone, by damaging the assumption that a VID/PID combination is unique to a given device.

They sought a solution and obtained a Vendor ID issued before USB-IF prohibited sharing, which resolves the problem:

pid.codes seeks to solve this issue for anyone producing open-source hardware. We have been gifted a Vendor ID by a company that was issued one by USB-IF and has since ceased trading; they obtained the Vendor ID before the USB-IF changed their licensing terms to prohibit transfers or subassignments.
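As an added illustration of what the "a VID/PID combination is unique to a given device" assumption means in practice (this is not code from pid.codes or from this post), the snippet below parses the 18-byte USB standard device descriptor, where idVendor and idProduct live, and flags an inventory in which two different products claim the same VID:PID pair. The 0x1209 Vendor ID used for the hobby boards is the one pid.codes sub-assigns (taken from the pid.codes site, not from this post); the inventory is constructed sample data, not real products.

```python
import struct
from collections import defaultdict

# Layout of the 18-byte USB standard device descriptor (USB 2.0 spec, 9.6.1),
# little-endian. idVendor / idProduct are the VID and PID discussed above.
DEVICE_DESCRIPTOR = struct.Struct("<BBHBBBBHHHBBBB")
DEVICE_DESCRIPTOR_FIELDS = (
    "bLength", "bDescriptorType", "bcdUSB", "bDeviceClass", "bDeviceSubClass",
    "bDeviceProtocol", "bMaxPacketSize0", "idVendor", "idProduct", "bcdDevice",
    "iManufacturer", "iProduct", "iSerialNumber", "bNumConfigurations",
)

# Vendor ID sub-assigned by pid.codes (from the pid.codes site, not this post).
PID_CODES_VID = 0x1209


def parse_device_descriptor(raw: bytes) -> dict:
    """Unpack a device descriptor into named fields; reject anything that is not one."""
    if len(raw) < DEVICE_DESCRIPTOR.size:
        raise ValueError("descriptor too short")
    values = DEVICE_DESCRIPTOR.unpack(raw[:DEVICE_DESCRIPTOR.size])
    fields = dict(zip(DEVICE_DESCRIPTOR_FIELDS, values))
    # bLength must be 18 and bDescriptorType must be 1 (DEVICE).
    if fields["bLength"] != 18 or fields["bDescriptorType"] != 1:
        raise ValueError("not a device descriptor")
    return fields


def vid_pid(raw: bytes) -> str:
    """Render the VID:PID pair the way lsusb prints it, e.g. '1209:0001'."""
    d = parse_device_descriptor(raw)
    return f"{d['idVendor']:04x}:{d['idProduct']:04x}"


def is_pid_codes_device(raw: bytes) -> bool:
    """True if the descriptor carries the pid.codes Vendor ID."""
    return parse_device_descriptor(raw)["idVendor"] == PID_CODES_VID


def find_collisions(inventory):
    """inventory: iterable of (product_name, descriptor_bytes).

    Returns {vid:pid: [names]} for every pair claimed by more than one distinct
    product, i.e. exactly the situation the page says breaks the uniqueness
    assumption. Note that VID/PID are reported by the device itself, so this
    is an inventory hygiene check, not device authentication."""
    seen = defaultdict(set)
    for name, raw in inventory:
        seen[vid_pid(raw)].add(name)
    return {pair: sorted(names) for pair, names in seen.items() if len(names) > 1}


def make_descriptor(vid: int, pid: int, bcd_device: int = 0x0100) -> bytes:
    """Build a constructed descriptor: USB 2.0, vendor-specific class, 64-byte EP0."""
    return DEVICE_DESCRIPTOR.pack(18, 1, 0x0200, 0xFF, 0, 0, 64,
                                  vid, pid, bcd_device, 1, 2, 3, 1)


# Constructed inventory (sample data, not real products): two boards with proper
# pid.codes assignments and two unrelated boards that both made up 1234:5678.
INVENTORY = [
    ("hobby-board-A", make_descriptor(PID_CODES_VID, 0x0001)),
    ("hobby-board-B", make_descriptor(PID_CODES_VID, 0x0002)),
    ("cloned-board-X", make_descriptor(0x1234, 0x5678)),
    ("cloned-board-Y", make_descriptor(0x1234, 0x5678)),
]

if __name__ == "__main__":
    for name, raw in INVENTORY:
        print(f"{name:15s} {vid_pid(raw)}  pid.codes={is_pid_codes_device(raw)}")
    print("collisions:", find_collisions(INVENTORY))
```

Running it lists each board's VID:PID and reports `1234:5678` as claimed by two different products; that collision is the kind of ambiguity a made-up VID creates for anyone (a host OS, a device allow-list, an asset inventory) that keys on the pair.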

With today's browsers, does CSS still need vendor prefixes...

The article "Do we need box-shadow or border-radius prefixes anymore?" gives the TL;DR right at the start:

  • If missing rounded corners (border-radius) or shadows (box-shadow) would degrade the user experience.
  • If these four platforms (and their browsers) still have enough share: Firefox 3.6 and earlier, Safari 4 and earlier, iOS 3.2 and earlier, Android 2.3 and earlier.

In those two situations you still need to add vendor prefixes...

For the longer explanation, see the second half of the original article, which covers the two effects separately.

If you use Sass (SCSS), just add them; the tooling does it all for you anyway... The validator will complain that the CSS is invalid, but I can't recall ever seeing a browser refuse to work because of a CSS vendor prefix... (is there really one? XD)
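The decision the TL;DR describes, as an added example (not code from the original article, from Sass, or from this post): the version cut-offs are exactly the four from the list above, the mapping of each platform to `-moz-` or `-webkit-` is assumed from each browser's engine, and the usage figures and 5% threshold are constructed sample input, not real market data.

```python
# Page's TL;DR: prefixes are only still needed for Firefox 3.6-, Safari 4-,
# iOS 3.2-, Android 2.3-. Cut-offs are inclusive ("-" means "and earlier").
# Which prefix each platform's engine used is an assumption, not from the page.
LEGACY_CUTOFF = {
    "firefox": ((3, 6), "-moz-"),
    "safari":  ((4,),   "-webkit-"),
    "ios":     ((3, 2), "-webkit-"),
    "android": ((2, 3), "-webkit-"),
}
PREFIXABLE = {"border-radius", "box-shadow"}


def parse_version(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def needs_prefix(platform: str, version: str) -> bool:
    """True if this platform/version is inside the legacy range from the TL;DR.
    Only as many components as the cut-off has are compared, so '4.1' counts
    as Safari 4 and '2.3.7' counts as Android 2.3."""
    if platform not in LEGACY_CUTOFF:
        return False
    cutoff, _prefix = LEGACY_CUTOFF[platform]
    return parse_version(version)[:len(cutoff)] <= cutoff


def needed_prefixes(usage, threshold: float) -> set:
    """usage: list of (platform, version_str, share_fraction), e.g. from analytics.
    Sum the share of legacy versions per prefix; a prefix is worth emitting only
    if the users who need it reach the threshold."""
    share = {}
    for platform, version, frac in usage:
        if needs_prefix(platform, version):
            prefix = LEGACY_CUTOFF[platform][1]
            share[prefix] = share.get(prefix, 0.0) + frac
    return {prefix for prefix, total in share.items() if total >= threshold}


def prefix_declaration(prop: str, value: str, prefixes: set) -> list:
    """Emit the declaration lines a preprocessor would write for one property."""
    if prop not in PREFIXABLE:
        return [f"{prop}: {value};"]
    lines = [f"{prefix}{prop}: {value};" for prefix in sorted(prefixes)]
    lines.append(f"{prop}: {value};")  # unprefixed last so it wins where supported
    return lines


# Constructed usage sample (platform, version, share of visitors), not real data.
SAMPLE_USAGE = [
    ("firefox", "3.6", 0.03),
    ("firefox", "4.0", 0.20),
    ("safari", "4.1", 0.01),
    ("ios", "3.2", 0.01),
    ("android", "2.3", 0.04),
    ("chrome", "20", 0.60),
]

if __name__ == "__main__":
    prefixes = needed_prefixes(SAMPLE_USAGE, threshold=0.05)
    for line in prefix_declaration("border-radius", "4px", prefixes):
        print(line)
    for line in prefix_declaration("box-shadow", "0 1px 2px rgba(0,0,0,.3)", prefixes):
        print(line)
```

With the sample figures the legacy WebKit platforms add up to 6%, so `-webkit-` is emitted, while Firefox 3.6 at 3% falls below the threshold and `-moz-` is dropped; the unprefixed declaration always comes last.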