zimmie

Xed said:

elijahg said:

Oops. Looks like someone internal to Twitter didn't use 2FA.

Maybe not, but the accounts hacked seem like ones that would use 2FA so this might be a targeted from a different vector. Also, doesn't Twitter still use SMS-based 2FA which is barely better than no 2FA at all in so far as it just requires an extra step by hackers to spoof the SMS.

The evidence we have so far strongly points to an issue which let the attacker create authentication cookies for any account. The account's legitimate owner's access wasn't removed, but a new client gained access (all the posts were from the Twitter Web App). They were also able to change the email address associated with the accounts for password reset.

Together, these suggest the attacker may have had fairly direct write access to the user authentication database.

ITGUYINSD said:

Interesting that Joe Biden and Barack Obama were targets, but not Donald Trump.  Very interesting, indeed.

Nobody with the technical capability to do this wants the CIA and NSA to take a personal interest in finding them.

melgross said:

zimmie said:

melgross said:

rcfa said:

People forget that Apple and Intel developed TB TOGETHER. It’s not like a PROTOCOL is depending on a specific CPU 🤦🏻‍♂️

See, this is interesting. Apple is saying that they developed it together. But shortly after the technology became out, Intel said that it wasn’t true. They said that Apple came to them with the idea of a fast port, but that Intel did all the work, and that Apple had nothing to do with the development. So this statement is interesting.

additionally, as far as TB 4 is concerned, VT-D is the reason I was concerned. While it’s true that TB is part of PCIE, VT-D is a technology inside Intel’s’ x86 chipsets. My concern was how Apple would implement an x86 technology. I guess we’ll find out.

info from Intel on VT-D:

https://software.intel.com/content/www/us/en/develop/articles/intel-virtualization-technology-for-directed-io-vt-d-enhancing-intel-platforms-for-efficient-virtualization-of-io-devices.html

VT-d is just IOMMU. It’s hardly proprietary, just something Apple hasn’t had to implement in their own chips because they have only ever provided PCIe (or equivalent) on-die. IOMMU cores exist for practically any popular processor architecture, and Apple can always design their own entirely in-house.

Just like the reason the DTK doesn’t have Thunderbolt. Like I guessed in another thread, it’s simply because the A12 never needed external PCIe, so the pins just don’t exist for a Thunderbolt controller to connect to.

You’re wrong. It is proprietary. 

VT-d as branding is proprietary. The specific implementation may be proprietary, though the VT-d specification (PDF) has been published since 2007. Sure, a published specification doesn't make something non-proprietary, but it is a strong indicator the owning entity is open to interoperability. You don't publish something you don't want other people to learn from.

IOMMU as a technology is not proprietary. VT-d is one implementation, but IBM's mainframes have had their own since before the POWER4 architecture. I haven't looked into it in detail, but I'm pretty sure at least some variants of the System/370 had it back in the 70s. That's the only way I could see some features of their hypervisor working.

ARM has an IOMMU implementation called SMMU. No telling if Apple would just use that directly or if they would want to make their own implementation.

melgross said:

rcfa said:

People forget that Apple and Intel developed TB TOGETHER. It’s not like a PROTOCOL is depending on a specific CPU 🤦🏻‍♂️

See, this is interesting. Apple is saying that they developed it together. But shortly after the technology became out, Intel said that it wasn’t true. They said that Apple came to them with the idea of a fast port, but that Intel did all the work, and that Apple had nothing to do with the development. So this statement is interesting.

additionally, as far as TB 4 is concerned, VT-D is the reason I was concerned. While it’s true that TB is part of PCIE, VT-D is a technology inside Intel’s’ x86 chipsets. My concern was how Apple would implement an x86 technology. I guess we’ll find out.

info from Intel on VT-D:

https://software.intel.com/content/www/us/en/develop/articles/intel-virtualization-technology-for-directed-io-vt-d-enhancing-intel-platforms-for-efficient-virtualization-of-io-devices.html

VT-d is just IOMMU. It’s hardly proprietary, just something Apple hasn’t had to implement in their own chips because they have only ever provided PCIe (or equivalent) on-die. IOMMU cores exist for practically any popular processor architecture, and Apple can always design their own entirely in-house.

hattig said:

zimmie said:

VirtualApple is 100% a Rosetta thing. The reported processor speed is probably just a lie to software to give it an expectation of performance level.

It's a thin VM/system layer around the translated application, because not everything can be translated. It will trap the issues to do them properly.

That has nothing to do with what I said.

I said the processor model name "VirtualApple" is a Rosetta thing. This benchmark is clearly running emulated, no doubt about it.

hattig said:

zimmie said:

VirtualApple is 100% a Rosetta thing. The reported processor speed is probably just a lie to software to give it an expectation of performance level.

I suspect the clock speed is gained from a syscontrol call so is valid.

You get the processor model and the processor speed in the same way, frequently at the same time. It's clearly lying about the model, the number of cores, and the features the processor supports, so what makes you think it wouldn't also lie about the speed of the fabricated processor model it is presenting?

When a key is used by more than one person, it will eventually leak. The TSA keys leaked and now you can get STLs for rapid prototyping machines. New York's 1620 key is available for around $10.

Once a key is leaked, anybody with access to it can use it. Encryption is math, and math does not care if you believe in truth, justice, and the American way. It also, incidentally, doesn't care if you have a warrant or not.



This will provably make US citizens and companies more vulnerable.

Edited to add: I suspect they aren't thinking through any implications of this. Once tech exists for one country to compel a manufacturer to decrypt a device's data, all countries will have the same access. Several countries notably have very low thresholds for warrants. What do these senators think would happen when China brings a phone to Apple and says "Here's a warrant. Decrypt it.", and it turns out the phone actually belongs to the US ambassador or some large business interest?