The Truth: The White Screen of Death, The UK’s Brexit App is Crap, Apple Bans Vaping Apps

Friday, 15 November 2019

Hello and TGIF! Here’s some final tech news for the week.

Two vulnerabilities (CVE-2019-11090 and CVE-2019-16863) in the Trusted Platform Module (TPM) of modern CPUs could allow attackers to exfiltrate the crypto keys stored within. The researchers who have discovered these vulnabilities have named them TPM-Fail. ZDNet explains: “An external observer can record the time differences when the TPM is performing repetative operations and infer the data being processed inside the secure chip – all based on the amount of time the TPM takes to do the same thing over and over again. The research team says the timing leakage they discovered can be used to extract 256-bit private keys that are being stored inside the TPM. More specifically, 256-bit private keys used by certain digital signature schemes based on elliptic curves algorithms such as ECDSA and ECSchnorr. While this sounds like a very narrow attack surface, these two are common digital signature schemes used in many of today’s cryptographically-secured operations, such as establishing TLS connections, signing digital certificates, and authorizing logins.” It seems like these attacks are feasable in real world scenarios, too. Intel has released firmware updates for its chips that are effected. STMicroelectronics actually has to fix its chips in hardware. Other chip manufacturers seem to be in the clear for now.

Google has broken Chrome for hundreds of thousands of enterprise customers who use the world’s most popular browsers via Citrix terminal servers. It’s been termed the “White Screen of Death”, because instead of content, the browser just renders white pages: “We have confirmed and replicated; when any user on a shared session Citrix box locks their screen, all Chrome windows stop rendering until ANYONE unlocks their screen, upon which, all Chrome windows resume rendering. This looks like random behaviour to the user but we have confirmed lock/unlock is the culprit.” That’s just hilarious! Unless you are effected, of course. Or if you’re the poor admin who has to find out what the actual problem is. Apparently Google pushed an experimental flag to the stable version of Chrome at which point it got turned on by default. And the users aren’t happy: “I am stunned by your response. Do you see the impact you created for thousands of us without any warning or explanation? We are not your test subjects. We are running professional services for multi million dollar programs. Do you understand how many hours of resources were wasted by your experiment? Not acceptable…” The Register has more details on this story.

Amazon is suing the US government of giving the hugely lucrative Department of Defense JEDI contract to Microsoft. And The Register is trolling with a Star Trek splash image again. He, he, he…

The UK Home Office’s Brexit app has significant security issues. The Norwegian security company Promon, which has analysed the app, summarises: “From our research, we found that the Brexit app on Android lacks crucial security measures, which is hugely concerning when you consider the sensitive nature of the information that users input into it. At this time of political uncertainty, the last thing that people who are applying to remain in the United Kingdom need, or expect, are concerns around whether their passport information and photo IDs are being stolen by hackers.” Actually, seeing how much of an omnishambles the rest of Brexit is, I had precisely expected something like this from a Brexit app.

Apple is getting in on the war on vaping and will throw all vaping apps out of its App Store. Makes sense. I mean, 42 people have died in the US from vaping. That’s huge when compared with only 480,000 tobacco-related deaths in the US every year. Vaping clearly needs to be banned everywhere. Sure. Makes complete sense.

This story on The Register is so amazingly, unbelievably, stupidly funny, I’ll just have to quote from it verbatim.

The High Court of Justice in London yesterday dismissed another attempt by an unnamed man, who refuses to identify himself to the UK courts, to take his Right To Be Forgotten legal action to the Court of Appeal. The individual, a litigant in person who is only known to court staff and judges as ABC, had asked that a post on be removed from Google search results because it allegedly refers to a spent criminal conviction he had picked up in the past. ABC describes himself as an entrepreneur currently involved in business, investment and civil society ventures in the UK and overseas. He alleges that the continued publication by Google of the materials complained about has prevented him from pursuing his ventures, causing him and his businesses to suffer substantial loss of earnings. He has already had two attempts to take it to the Court of Appeal in London denied by a senior British judge. Mr Justice Saini said in today’s judgment that the procedural history of this claim shows “in my judgment, that the claimant’s approach to the court’s orders and directions might fairly be described as abusive”. “It is obvious that basic common law fair trial requirements require a defendant to know who it is being sued by,” he said. “The material before me also shows that a number of judges have explained to the claimant that these basic requirements are necessary for the proper conduct of the claimant’s claims, which include claims for libel and alleged breaches of data protection legislation. “Regrettably, the claimant simply refuses to accept this. He has adopted an approach which means that, to date, the claim has not progressed at all. Instead, through unwise and misconceived applications, the Claimant has wasted substantial amounts of court time (involving over, I understand, 10 Judges or Masters). He has also clearly caused significant costs to be incurred by the defendant.” In conclusion, Justice Saini said: “I agree with the defendant that not only should the application be dismissed, but I will also certify it as totally without merit.”

You can’t make this shit up.

Microsoft is finally showing some gameplay of Age of Empires IV:

Well, that’s it from me for this week. I hope you have a great weekend! Here’s some Van Morrison to tide you over till Monday. I think everyone can use some healing on the weekends.

This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.