FOXTROT/ALFA: Thunderspy, Nintendo Source Code Leak, Eric Schmidt Leaves Google

Hello everyone! This is issue 117 of FOXTROT/ALFA for Monday, 11 May 2020. You might notice a new look to the newsletter today. As promised, I’ve switched to a different provider to send out these newsletters for me. I now have a more streamlined workflow where I can write these things in straight Markdown (yeah!) and the links shouldn’t be redirected any more either (hell yeah!). I hope everything works for you. If you encounter any issues, feel free to reply to this email and let me know.

And with that, here’s the content you’re used to. No changes on that front, of course.


Another pretty bad attack on Thunderbolt has surfaced. The attacker does need access to the internals of the hardware to exploit it, though.

On Sunday, Eindhoven University of Technology researcher Björn Ruytenberg revealed the details of a new attack method he’s calling Thunderspy. On Thunderbolt-enabled Windows or Linux PCs manufactured before 2019, his technique can bypass the login screen of a sleeping or locked computer – and even its hard disk encryption—to gain full access to the computer’s data. And while his attack in many cases requires opening a target laptop’s case with a screwdriver, it leaves no trace of intrusion and can be pulled off in just a few minutes. That opens a new avenue to what the security industry calls an “evil maid attack,” the threat of any hacker who can get alone time with a computer in, say, a hotel room. Ruytenberg says there’s no easy software fix, only disabling the Thunderbolt port altogether. “All the evil maid needs to do is unscrew the backplate, attach a device momentarily, reprogram the firmware, reattach the backplate, and the evil maid gets full access to the laptop,” says Ruytenberg.

Security researchers have long been wary of Intel’s Thunderbolt interface as a potential security issue. It offers faster speeds of data transfer to external devices, in part by allowing more direct access to a computer’s memory than other ports, which can lead to security vulnerabilities. A collection of flaws in Thunderbolt components known as Thunderclap revealed by a group of researchers last year, for instance, showed that plugging a malicious device into a computer’s Thunderbolt port can quickly bypass all of its security measures. As a remedy, those researchers recommended that users take advantage of a Thunderbolt feature known as “security levels,” disallowing access to untrusted devices or even turning off Thunderbolt altogether in the operating system’s settings. That would turn the vulnerable port into a mere USB and display port. But Ruytenberg’s new technique allows an attacker to bypass even those security settings, altering the firmware of the internal chip responsible for the Thunderbolt port and changing its security settings to allow access to any device. It does so without creating any evidence of that change visible to the computer’s operating system.

Following last year’s Thunderclap research, Intel also created a security mechanism known as Kernel Direct Memory Access Protection, which prevents Ruytenberg’s Thunderspy attack. But that Kernel DMA Protection is lacking in all computers made before 2019, and it is still not standard today. In fact, many Thunderbolt peripherals made before 2019 are incompatible with Kernel DMA Protection. In their testing, the Eindhoven researchers could find no Dell machines that have the Kernel DMA Protection, including those from 2019 or later, and they were only able to verify that a few HP and Lenovo models from 2019 or later use it. Computers running Apple’s MacOS are unaffected.

Ruytenberg’s technique, shown in the video below, requires unscrewing the bottom panel of a laptop to gain access to the Thunderbolt controller, then attaching an SPI programmer device with an SOP8 clip, a piece of hardware designed to attach to the controller’s pins. That SPI programmer then rewrites the firmware of the chip – which in Ruytenberg’s video demo takes a little over two minutes – essentially turning off its security settings.

You might want to visit the website that documents this exploit. Ruytenberg has a tool on there that can tell you if your machine is vulnerable. The question is: Do you trust this guy enough to run his code?

N64, GameCube and Wii Source Code Leaked

A ton of source code relating to early Nintendo consoles and games has leaked.

Over 2 terabytes of data was allegedly leaked onto the anonymous forum 4chan over the weekend, including the original source code for Nintendo 64, GameCube and Wii. The leaks also reportedly contain internal documentation related to GameCube, Nintendo DS, Nintendo 64 (and its 64DD add-on), Wii and the China-only iQue, showing how the systems work and the development processes behind them. Test software for the Nintendo 64, including the ‘Mirror House Cornflakes’ demo, were also allegedly included in the leaked data.

Of more interest to gaming archivists will be the suggestion that the full leak could also contain early Spaceworld demos of many N64 titles, however, this data is seemingly yet to surface. The data could, in theory, be used to create illegal clone hardware able to run software and operate exactly like the original systems. The PC emulation community could also theoretically use the data to improve their software so that it imitates the original systems perfectly. However, since the leaked documentation has been illegally obtained this would put them in murky territory.

This week a fully functioning PC port of Super Mario 64 began circulating online, following a breakthrough last year when fans were able to decompile the game’s code. It’s not clear if the latest data leak had any influence on the port.

It is highly unlikely that any above board emulator people will use anything from this leak. As the devs of Dolphin Emulator explain it:

We cannot use anything of any sort from a leak. In fact, we can’t even look at it. Dolphin is only legal because we are clean room reverse engineering the GameCube and Wii. If we use anything from a leak, Dolphin is no longer legal and Nintendo will shut us down.

Eric Schmidt Has Left Google

Eric Schmidt, who turned Google into an advertising company – and some would say into the forerunner of an Orwellian nightmare society it is today – has reportedly left the company.

Eric Schmidt, who drove Google’s transformation from Silicon Valley start-up to global titan, is no longer an adviser to the search giant and its parent Alphabet, marking another milestone in recent personnel shake-ups that’ve seen the company’s old guard bow out. Schmidt’s departure comes three years after Schmidt said he was stepping down as executive chairman and would no longer serve in an operational role. Representatives for Schmidt and Google declined to comment.

Schmidt, 65, joined Google after serving as CEO of software maker Novell. He was introduced to Page and Brin by two of Google’s most prominent backers at that time, venture capitalists John Doerr of Kleiner Perkins and Mike Moritz of Sequoia Capital. During Schmidt’s tenure, the company expanded beyond its roots as a search engine to tackle other technologies, including mobile phones and online video. It also adopted a corporate structure that reflected its growing financial success. Schmidt helped take the company public in 2004, a stock market debut that made him a billionaire. (He still holds about $5.3 billion in the company’s stock.)

It’s really interesting to me that this whole CNet story never mentions the word “advertising” once. Even thought it is Google’s core business, which Schmidt played a huge part in shaping.

I know it’s really mean, but whenever I see a picture of Eric Schmidt I have to think of Major Toht from Raiders of the Lost Ark.

DEF CON is Cancelled …No, Really!

The 2020 incarnation of infosec conference DEF CON has been cancelled.

Annual Las Vegas hacker gathering DEF CON has officially called off its physical conference for this year due to the coronavirus pandemic.

That, of course, isn’t surprising. If it weren’t for the annually repeated in-joke:

“The DEF-CON-is-canceled meme has crossed over into real life, courtesy of COVID-19,” the team said on Twitter, referencing a running joke in the industry that DEF CON is canceled each year.

Musk to Break Ties with California

Elon Musk is getting fed up with California.

Elon Musk’s contentious relationship with Alameda County officials reached a tipping point on Saturday, when the Tesla CEO announced plans to relocate the company’s headquarters and “future programs” away from Fremont, California, to facilities in Texas and Nevada “immediately.” This came as a response to the continued forced closure of Tesla’s Fremont manufacturing plant as per COVID-19 stay-in-place regulations.

You can hardly blame him for that, in a way. But I do love how quickly he’s going from the tech bros' darling to most hated man in Silicon Valley, though. Almost as if I’d said from the beginning that they guy is a cold-hearted asshole.

Ah, don’t worry. No matter how much money you steal from people or how many shitty products and shady business deals you are responsible for, a few years of giving away huge amounts of cash and a good PR campaign and people forget it all and hail you as the saviour of the planet. Just look at Bill Gates.

Also Noteworthy

Some other stories I’ve been reading:

This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.