FOXTROT/ALFA: OpenSSL Vulnerability, Zoom Update, Flight Simulator 2020 Specs
Good evening, everyone and welcome to FOXTROT/ALFA for Wednesday, 22 April 2020 – Humpday Edition! Does that still matter? Are you still holding on to these routines of normalcy in a tide of madness? Are you even working at the moment? I hope that you are. If you want to be. Anyway, this is issue 106 of this newsletter and here’s what’s been going on in tech today.
Denial of Service Vulnerability in OpenSSL
A vulnerability in OpenSSL (CVE-2020-1967) has just been fixed; it can be abused for denial-of-service (DoS) attacks.
Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the “signature_algorithms_cert” TLS extension. The crash occurs if an invalid or unrecognised signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack.
OpenSSL versions 1.1.1d, 1.1.1e, and 1.1.1f are affected by this issue. This issue did not affect OpenSSL versions prior to 1.1.1d. Affected OpenSSL 1.1.1 users should upgrade to 1.1.1g.
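The affected window is narrow and the patch letter is what matters, so it is worth scripting the check rather than eyeballing it. The following is an added example of mine, not code from the OpenSSL project: it parses the banner you get from `openssl version` (or from Python's own `ssl.OPENSSL_VERSION`) and reports whether the build sits in the 1.1.1d to 1.1.1f range. The `check_local_openssl` helper is a name I made up for this example.

```python
import re
import ssl

# Patch letters the advisory names as affected; 1.1.1g carries the fix.
AFFECTED_1_1_1_LETTERS = ("d", "e", "f")

# Matches "OpenSSL 1.1.1f  31 Mar 2020", "OpenSSL 1.1.1  11 Sep 2018",
# "OpenSSL 1.0.2u ..." and "OpenSSL 3.0.0 ..."; LibreSSL/BoringSSL banners
# deliberately do not match, so they come back as "unknown".
_BANNER_RE = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter) from a version banner, or None."""
    m = _BANNER_RE.search(banner)
    if m is None:
        return None
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def is_affected_by_cve_2020_1967(banner):
    """True/False for an OpenSSL banner; None if the banner is not OpenSSL.

    Only the 1.1.1 branch is in scope: releases before 1.1.1d did not have
    the bug (so 1.1.1, 1.1.1a-c and the whole 1.0.2 branch are clear),
    1.1.1g fixes it, and later branches such as 3.x postdate the fix.
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return None
    major, minor, fix, letter = parsed
    if (major, minor, fix) != (1, 1, 1):
        return False
    return letter in AFFECTED_1_1_1_LETTERS


def check_local_openssl():
    """Hypothetical helper: classify the OpenSSL this interpreter links against."""
    banner = ssl.OPENSSL_VERSION
    return banner, is_affected_by_cve_2020_1967(banner)


if __name__ == "__main__":
    banner, affected = check_local_openssl()
    verdict = {True: "AFFECTED", False: "not affected", None: "not OpenSSL"}[affected]
    print(f"{banner}: {verdict}")
```

Two caveats before you page anyone on the result. First, the version is necessary but not sufficient: per the advisory only code that actually calls SSL_check_chain() can be crashed, and plenty of applications never do. Second, distribution packages routinely backport the fix while keeping the upstream letter (a "1.1.1d" on a long-term-support distro may well be patched), so for distro builds read the package changelog rather than trusting the banner.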
Zoom Fighting Zoombombing with Another Update
Zoom has released another update in its continuing fight against the phenomenon of zoombombing.
A new Zoom 5.0 update is rolling out today that’s designed to address some of the many complaints that Zoom has faced in recent weeks. With this new update, there’s now a security icon that groups together a number of Zoom’s security features. You can use it to quickly lock meetings, remove participants, and restrict screen sharing and chatting in meetings.
Zoom is also now enabling passwords by default for most customers, and IT admins can define the password complexity for Zoom business users.
Wow. Password by default. That is some really next level security shit right there. Did they get this amazing security insight from Microsoft in 1995?
Zoom is also improving some of its encryption and upgrading to the AES 256-bit GCM encryption standard.
Again. How very state-of-the-art of them.
How Contact Tracing Works and What it Means for Our Privacy
Do you want to understand how DP-3T and the Apple/Google proposal for contact tracing works? How does PEPP-PT fit into that? What other contact tracing methods are there? Do we actually need them? Will they solve the COVID-19 problem? What does it all mean for our privacy?
I’ve done my best to answer these and many other questions in a two-hour-long podcast episode I released earlier today. It also includes many of the things that have happened in this arena in the last two weeks, which I would rather put into podcast form once than write about in this newsletter piecemeal from day to day. Give it a listen, I poured a lot of research into that one.
Flight Simulator 2020 System Specs
Microsoft has announced the specs you’ll need to run its upcoming Flight Simulator on your PC. And they ain’t modest.
- CPU: Ryzen 3 1200 / Intel i5-4460
- GPU: Radeon RX 570 / Nvidia GTX 770
- Bandwidth: 5 Mbps

- CPU: Ryzen 7 Pro 2700X / Intel i7-9800X
- GPU: Radeon VII / Nvidia RTX 2080
- HDD: 150GB (SSD recommended)
- Bandwidth: 50 Mbps
What? No HOTAS mentioned? Shame on you, Microsoft!
The Voodoo Ceremony That Keeps the Internet Going
This is a fascinating story. I had no idea this was going on to keep DNS running, to be honest…
Every quarter, a small group of people cram inside a secure facility in either California or Virginia in America, get locked in, and spend the next two to three hours cryptographically signing the digital key pairs used to secure the internet’s root zone, the text file that shapes the ‘net as we know it. The integrity of the digital signing process is so critical that the organization that runs it, IANA, part of DNS overlord ICANN, flies in trusted internet community representatives from across the world, out of a pool of 14, to methodically run through the steps. These representatives each possess a set of physical keys required to gain access to the necessary equipment, held in safe deposit boxes in IANA’s key-signing facilities.
Once inside one of these facilities, which requires the use of fingerprint and retinal scanners, those present use their physical keys to access electronic key cards that activate a special locked-away device – a hardware security module (HSM) – that signs the digital key pairs for the root zone file for the next three months. Every step is meticulously recorded, and no one is allowed to enter or leave until the job is done.
This shit reads like something Dan Brown thought up.
This Thursday, the 41st of these ceremonies will take place, and, as you may have already gathered, the ongoing coronavirus pandemic has thrown a spanner in the works.
First, it is not terribly easy to fly people into either California or Virginia due to global travel restrictions and virus safety concerns. The 41st ceremony is supposed to take place in Virginia – it alternates between the two, the 40th being in Cali. IANA staff are based in Los Angeles, California, for what it’s worth. Second, even if you can fly in the reps, how do you obey mandatory social distancing rules while squashed inside a metal cage?
How did they solve it? What else has gone wrong in the past? The whole story is way too long to reproduce here, but it’s well worth reading it in full over at The Register. Fascinating stuff.
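What the ceremony produces is less mystical than it sounds from the outside: the root KSK that the HSM holds is pinned in every validating resolver as a DS-style trust anchor (key tag plus a SHA-256 digest, published by IANA at https://data.iana.org/root-anchors/root-anchors.xml), and the signatures made in that cage are what let the rest of the chain validate against it. Below is an added example of mine, not code from IANA, ICANN or The Register, that computes the key tag and DS digest for a DNSKEY the way RFC 4034 specifies them, so you can compare a DNSKEY you fetched with the published anchor. The key bytes in it are a tiny constructed stand-in, not the real root key, and `matches_trust_anchor` is a helper name I made up; it does not verify RRSIGs.

```python
import base64
import hashlib
import struct

# Constructed toy RSA public key in DNSKEY wire layout (exponent length,
# exponent 65537, a few modulus bytes). NOT the real root KSK.
CONSTRUCTED_PUBKEY = bytes.fromhex("03010001c0ffee00baad")
CONSTRUCTED_DNSKEY_LINE = ". IN DNSKEY 257 3 8 " + base64.b64encode(CONSTRUCTED_PUBKEY).decode()

FLAG_ZONE = 0x0100          # bit 7: this is a zone key
FLAG_SEP = 0x0001           # bit 15: Secure Entry Point, i.e. a KSK
ALG_RSASHA256 = 8           # the algorithm the root KSK uses
DS_DIGEST_SHA256 = 2


def name_to_wire(name):
    """Owner name in DNS wire format; the root "." is a single zero byte."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def is_ksk(flags):
    return flags & (FLAG_ZONE | FLAG_SEP) == (FLAG_ZONE | FLAG_SEP)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (for every algorithm except the old RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey_line(line):
    """Parse presentation format: 'owner [TTL] [IN] DNSKEY flags proto alg base64...'."""
    fields = line.split()
    owner = fields[0]
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1 : idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4 :]))  # key may be wrapped
    return owner, flags, protocol, algorithm, pubkey


def ds_record(line, digest_type=DS_DIGEST_SHA256):
    """Key tag, digest and DS line for a DNSKEY.

    RFC 4034 section 5.1.4: digest = H(owner name in wire format || DNSKEY RDATA).
    """
    if digest_type != DS_DIGEST_SHA256:
        raise ValueError("only SHA-256 (digest type 2) is implemented here")
    owner, flags, protocol, algorithm, pubkey = parse_dnskey_line(line)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    tag = key_tag(rdata)
    return tag, digest, f"{owner} IN DS {tag} {algorithm} {digest_type} {digest}"


def matches_trust_anchor(line, anchor_tag, anchor_digest):
    """Hypothetical helper: does this DNSKEY match a published (tag, digest) anchor?"""
    tag, digest, _ = ds_record(line)
    return tag == anchor_tag and digest == anchor_digest.upper()


if __name__ == "__main__":
    print(ds_record(CONSTRUCTED_DNSKEY_LINE)[2])
```

To use it for real, pull the root DNSKEY RRset (for example with `dig . DNSKEY +multi`), feed the 257-flagged record to `ds_record`, and compare the tag and digest with the values in root-anchors.xml; a mismatch on a key that claims to be the root KSK is exactly the thing a validating resolver refuses to trust. The key tag alone is not an identity (it is a 16-bit checksum, and collisions happen), which is why the anchor carries the digest as well.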
CSS Design System to Recreate the Windows 98 Look
Wanna make your website look like Windows 98? See, I knew you’d want to. Well, you’re in luck!
It’s all done in CSS. Incredible!
Another story I read today:
- Attack of the clones: If you were relying on older Xilinx FPGAs to keep your product’s hardware code encrypted and secret, here’s some bad news
This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.