ACNC Weekly #18: Celle-bitten

Welcome to All Cloud, No Cattle Weekly #18: Celle-bitten

Tech

Exploiting vulnerabilities in Cellebrite UFED and Physical Analyzer from an app’s perspective

moxie0 on the Signal blog:

In completely unrelated news, upcoming versions of Signal will be periodically fetching files to place in app storage. These files are never used for anything inside Signal and never interact with Signal software or data, but they look nice, and aesthetics are important in software.

chef’s kiss

This is an insane story, and I fucking love how Signal has chosen to handle this situation in light of Cellebrite’s notoriety.


Re: [PATCH] SUNRPC: Add a check for gss_release_msg

Greg Kroah-Hartman, publicly shaming University of Minnesota “security researchers”:

Our community does not appreciate being experimented on, and being “tested” by submitting known patches that either do nothing on purpose, or introduce bugs on purpose. If you wish to do work like this, I suggest you find a different community to run your experiments on, you are not welcome here.

Because of this, I will now have to ban all future contributions from your University and rip out your previous contributions, as they were obviously submitted in bad-faith with the intent to cause problems.

Speaking of poor form by security researchers, this is a remarkably poor choice by the team at the University of Minnesota, and it had disastrous results for the entire university. Don’t be like them.

As an aside, I love that Greg includes a gag about top posting, along with a link to a Daring Fireball post from 2007, at the top of his emails.


The FBI wanted to unlock the San Bernardino shooter’s iPhone. It turned to a little-known Australian firm.

Ellen Nakashima and Reed Albergotti in the Washington Post:

The iPhone used by a terrorist in the San Bernardino shooting was unlocked by a small Australian hacking firm in 2016, ending a momentous standoff between the U.S. government and the tech titan Apple.

Azimuth Security, a publicity-shy company that says it sells its cyber wares only to democratic governments, secretly crafted the solution the FBI used to gain access to the device, according to several people familiar with the matter. The iPhone was used by one of two shooters whose December 2015 attack left more than a dozen people dead.

Apparently it’s iPhone security week at ACNC. Our entire industry is built on responsible security practices by both practitioners and security analysts, and firms like Azimuth and Cellebrite subvert this when they do not disclose the vulnerabilities that they uncover.

It’s telling to look at who their customers are.

Also, that’s some serious title gore from the Washington Post.


Disadvantages of Pull Requests

Tomasz Wróbel on the Arkency blog:

Sometimes it’s unavoidable (in a low-trust environment), but often people work with PRs just because everyone else does. And nobody ever got fired for it.

But what are the costs of working in such style? And what are the alternatives?

A lot of great criticism of the Pull Request culture, and I can’t really find any serious fault with any of his points. The big takeaway is to make small changes at high frequency, and I think we (especially those of us in the SRE space) are all on board with that.


“Please don’t upgrade docker without asking first”

Randy Fay, in a ticket filed against the Docker roadmap back in December:

Please don’t auto-upgrade Docker Desktop. Or give us an option to disable upgrades like this. It’s fine to prepare the new patch. It’s fine to simplify the process. But don’t just install without giving us some recourse.

Despite the most heroic efforts of the Docker team, a new release may have new bugs. In software we deal with this all the time. All of us face it, and to move forward there has to be some risk.

However, if there’s no way to stop auto-upgrades, there’s no easy way to go back to the working version.

It boggles the mind that they thought this was a good idea and that they additionally thought that it was a good idea to make people pay to not get automatic updates in the first place.

They backed off to a somewhat more reasonable position: now you will only get nagged if you don’t update, rather than forced to update, but only paying users can disable the nags. Their justification, that “if you care enough about reliability to disable updates over it, you’re a commercial user who should be paying anyway”, is a bit ham-fisted, though.


Grab Bag

They Hacked McDonald’s Ice Cream Machines—and Started a Cold War

Andy Greenberg at Wired:

And this opaque user-unfriendliness is far from the only problem with the machines, which have gained a reputation for being absurdly fickle and fragile. Thanks to a multitude of questionable engineering decisions, they’re so often out of order in McDonald’s restaurants around the world that they’ve become a full-blown social media meme. (Take a moment now to search Twitter for “broken McDonald’s ice cream machine” and witness thousands of voices crying out in despair.)

Dairy Queen ice cream is better than McDonald’s ice cream, anyway.


This post is licensed under CC BY 4.0 by the author.