“The only people who would be hurt by abandoning the Kyoto Protocol would be several thousand people who make a living attending conferences on global warming.”
— Prof. Kirill Kondratyev
The latest “branded” vulnerability that’s getting hysterical coverage is “Thunderspy”, in which all your data are belong to us if your computer has a Thunderbolt port. In less than five minutes. With only $400 in off-the-shelf hardware.
Except the details of the story contradict that. First is the assumption that your powered-down computer is available to the attacker for long enough that they can crack the case and reflash the Thunderbolt port’s firmware; five minutes on a desktop, maybe, but most laptops? A quick look at the sites that crack them open and test for repairability suggests that it’s not going to be as easy as the claimed “unscrew the backplate, attach a device momentarily, reprogram the firmware, reattach the backplate”.
Second is the assumption that the attacker will be able to return when your computer is sleeping and exfiltrate your data through the compromised port. Admittedly, Thunderbolt is fast at data transfer, but how many trips do you have to make before you find it in the right state?
The mitigation strategy is simply “power down or hibernate”. Even after compromising your ports, physical access to a powered-up or sleeping computer is required to access your encrypted data. (if your data wasn’t encrypted, they didn’t need a hardware hack to steal it in the first place)
The researcher branding agent does offer a second scenario that’s
at least plausible: find a not-currently-plugged-in Thunderbolt
peripheral (monitor, etc) that has previously been connected to your
computer, steal the 64-bit ID code that was used to establish a trust
arrangement, flash that to a naughty data-exfiltration device, and
then plug it into your awake-or-sleeping computer.
Mitigation strategy? “power down or hibernate”.
Or use a Mac, which apparently is only vulnerable if it’s been rebooted into Windows with Boot Camp and then put to sleep.
So, if you care enough about security to fully encrypt your laptop, but care so little about security that you casually leave it running unattended or just put it to sleep for convenience, and you don’t notice when it was power-cycled while you were out of the room, then this can be used to steal all your data.
That pretty much restricts the vulnerable population to senior executives at tech companies. The rest of us are safe.
(and, yes, state actors can easily accomplish this, but we already knew that they were compromising unattended phones and laptops to spy on foreign executives and politicians, especially in Corona-chan’s motherland)
Top of the “trending” list on Twitter just now:
Not entirely unrelated:
Two months into the lockdown, some people can’t handle the pressure:
In response to criticism, California has simplified their convoluted stages-within-stages “reopening” roadmap, which was about as smooth as a typical California road:
Someone found an upside to all this nonsense:
I went looking for updates on the story of Detroit-area grocery-store security guard Calvin Munerlyn, murdered in cold blood for “disrespecting” a woman by instructing her to wear a mask, as required by the state. To no great surprise, the mass media is… “not aggressively pursuing this local news story of no particular national significance”.
I managed to find local news coverage sharing the good news that Ramonyea Travon and Larry have finally been arrested; surprisingly, the family that kills together split up, with Larry hiding out in Texas (two unnamed accomplices drove him to Houston and checked him into a motel under his own name).
The killer’s sister Brya Shatonia was also arrested, for tampering with evidence and interfering with a murder investigation. Momma Sharmel is being held without bond on the charge of first degree murder.
In addition to murder, the fact that Larry is also charged with “felon in possession of a firearm” completes the explanation of why this story was dropped like a hot potato.
Today, California entered early stage 2 of the Grand Non-ReOpening And Gluten-Free Bake Sale. This means that they gradually, grudgingly, allow a small percentage of businesses to reopen for curbside delivery of orders placed online or over the phone. No in-person sales or merchandise on sidewalks, or else. It’s stages all the way down, though, so there’s no telling when we’ll even reach middle stage 2, much less late-early-middle stage 3 when it might become possible to get a haircut or go to a church.
…but it didn’t do anything for me, perhaps because I never tried the cake recipe from the original episode, and wouldn’t really want to make the revised one, either; I just don’t bake cake.
Now, I did make a batch of Bigger Bolder Baking’s Crazy Dough and use it to make fresh soft pretzels. WARNING: disable Javascript on this site or be inundated with a constant stream of page-reflowing Google ads.
It’s an interesting dough, tangy without the overpowering sourness of California sourdough. The flavor comes from yogurt, and since she said her favorite kind to use is Greek, I used the good stuff: Fage’s with 5% milkfat. I think that would be too rich for some of the other suggested uses for the dough, like pizza or naan, but it worked great for pretzels.
The one snag with this dough is something that my Baker’s Percentage script called out: she lists 3 1/3 cups all-purpose flour as being equivalent to 500 grams. Her other weight conversions are reasonable, since different sources give slightly different results, and she likely rounded a bit to make the numbers clean. But you’d really have to pack your flour in to get to that weight, which most conversion tables would call 4 or 4 1/8 cups.
And that’s a lot of flour for the amount of liquid, and since Greek yogurt has less water than the standard stuff, substituting it in makes things even worse. I used the quick-dough cycle on my bread machine to do the kneading, and I’ve never heard it make squeaking noises like that before; I had to add more milk twice to get a nice smooth dough out of it.
The milk and yogurt also gave the yeast quite a feast. The recipe says to let it proof for about two hours until it doubles in size; it tripled in one hour. I gently punched it down and stuck it in the fridge, and the next morning it had tripled again. After that, it was well-behaved, and I separated it into 105-gram balls and put them back in the fridge until needed. Two pretzels a day for four days was a nice treat, especially since they only needed 10 minutes in my convection toaster oven.
I’ll make it again sometime when I have guests, or after I’m no longer stuck at home waiting for the mindless horde to end the lockdown. And by that I mean the state and county governments, not the zombies.
I have ethernet drops in every room of my house. I have a Samsung T5 USB SSD. I have a 12-inch MacBook, which has only a single USB-C port for charging and expansion.
This means I have to use some sort of dock to connect ethernet, external drives, and power. Every portable dock I’ve tried at home or at work can do two of the three reliably, but will spontaneously reset the USB hub component if I try to use all three at once (like, say, backing up the SSD contents over ethernet to my Synology NAS).
Doesn’t matter what brand; even reputable ones like Anker do this. Doesn’t matter what power supply; Apple 30-watt, Apple 87-watt, Anker 60-watt, etc. Doesn’t even matter if I deliberately throttle the rsync copy; it lasts longer at very restricted bandwidths, but still eventually resets.
Plug the SSD directly into my 2012 Mac Mini, and I can copy its data to the NAS at full speed, every time. Plug it into a Thunderbolt port on the 15-inch MacBook Pro I had to give back when I was laid off, ditto; it works great.
Right now, the only way I can successfully use both network and USB SSD at the same time on the MacBook is to run on battery and copy data wirelessly.
So, is there a good USB-C dock with ethernet and at least three USB3 ports that works with a 12-inch MacBook? I don’t even care if it’s portable at this point, and I don’t care if it has HDMI or a memory-card reader. Portable would be nice, for travel, but honestly, at the rate things are going, I won’t be traveling until at least November. And I have my fingers crossed that there isn’t another outbreak of virulent stupidity in the fall.
A few years back, Apple made the -i option (display inode data) to df the default, “to conform to Version 3 of the Single UNIX Specification”. Trouble is, Apple’s new file system doesn’t really have inodes, so the number of “free inodes” is 2^63 minus the number of files and directories, which makes the output basically unreadable.
The manpage recommends using the -P option to disable this, which I long ago embedded in a shell alias so it’s always on. Except I haven’t made that change in the dotfiles on my Mini, so when I went to copy the SSD, I ran into the default behavior, and tried manually adding -P to the command, like so: df -h -P /Volumes/Marippe.
This reported disk usage in 512-byte blocks instead of the human-readable format I requested with -h. Why? Because that’s the official behavior of -P, and the fact that it suppresses inode output is apparently just a documented side effect. Which means that the output of df -h -P is not the same as df -P -h.
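One way to stop depending on option order, as an added example that is not from the original post: take the portable df -P output and convert its block counts to human-readable sizes yourself. The names df_human and sample_df_P and the sample row are constructed for illustration; the 512-byte block size is the one the post reports for df -P, and filesystem names are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: make `df -P` output human-readable without relying on -h.

# Constructed sample of POSIX-format output (512-byte blocks), not real data.
sample_df_P() {
    cat <<'EOF'
Filesystem     512-blocks      Used Available Capacity  Mounted on
/dev/disk2s1    976773168 412345600 564427568    43%    /Volumes/Marippe
EOF
}

# Reads `df -P` output on stdin. Optional $1 is the block size in bytes
# (default 512, as reported in the post; pass 1024 where df -P uses 1K blocks).
df_human() {
    awk -v bs="${1:-512}" '
    function human(blocks,   bytes, i, units) {
        split("B K M G T P", units, " ")
        bytes = blocks * bs
        i = 1
        while (bytes >= 1024 && i < 6) { bytes /= 1024; i++ }
        return sprintf((i == 1 ? "%d%s" : "%.1f%s"), bytes, units[i])
    }
    NR == 1 {
        # Replace the block-count header with a size header.
        printf "%-16s %8s %8s %8s %5s  %s\n",
               "Filesystem", "Size", "Used", "Avail", "Use%", "Mounted on"
        next
    }
    {
        # The mount point may contain spaces: rejoin fields 6..NF.
        mnt = $6
        for (k = 7; k <= NF; k++) mnt = mnt " " $k
        printf "%-16s %8s %8s %8s %5s  %s\n",
               $1, human($2), human($3), human($4), $5, mnt
    }'
}

# Demo on the constructed sample; on a real system: df -P /some/path | df_human
sample_df_P | df_human
```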
This feels like a metaphor for Apple’s current UI design principles.
Remember, kids, it’s all fun and games until someone opens their hair salon a few days before the lockdown ends. (next week’s soundtrack)
How is this useful in the crash report for my MacBook?
System uptime in nanoseconds: 2589416634187871
For that matter, “your system was restarted because of a problem” isn’t particularly useful in the first place. Also I’d love to know why it takes about five minutes after logging in for the load to drop from 260 to 1.5. How about some diagnostics that cover that?
Vaguely related, what part of “do not disturb” do you not understand?
I timed my grocery/pharmacy run for 1pm, since it’s been a good time to avoid entry lines recently. It’s 72°F outside, and most people were putting on their mandatory masks just before entering the store, because they’re friggin’ hot and they steam up your glasses.
They will not wear them next week Friday when it’s predicted to be 80°F, especially not the homemade or jury-rigged ones. Fortunately, it’s unlikely to escalate into a Michigan Mask Murder scene. And, yes, the attempts to pin that one on Trump are particularly ludicrous. Not a lot of hardcore wacky gun-toting right-wingers yell at security guards for “disrespecting” their women and name their murdering sons “Ramonyea Travon”.
Shutdown contest: which movie best describes your government?
For California, I’m thinking we’re approaching the third act of a Zorro movie, but I can’t decide if it’s The Mask Of Zorro or Zorro: The Gay Blade. On the one hand, Catherine Zeta-Jones, which would be nice. On the other hand, Ron Leibman’s insane over-the-top dictator Esteban, which is more realistic.
Michigan has already passed peak Esteban, but we’re getting there. I’ve been hearing a lot of coordinated car-horn honking outside lately, but I have no idea where it could be; my best guess is that it’s on Main Street, over a mile away. There have been formal protests on South Main, but that’s a good five miles away.
Definitely Zorro: The Gay Blade:
"You don't really believe the people are happy!"
"All I know is the soldiers are quite happy shooting the peoples who say the peoples are not happy."
(Esteban pointing to peasant on rack)
"That man was three pesos short in paying his taxes. I can assure
you that he will never be short again."
"Arrest that woman! Now!"
"No, wait! Isn't this the village square, where according to law, everyone is allowed to speak his or her mind?"
"You're right, Señorita."
"The woman is allowed to speak! Arrest anyone who listens."
"It looks like it'll buy the peoples a lot of houses, maybe even some schools and roads."
"Roads? What do the people need roads for? They never go anywhere."
"This sword, with which to fight injustice. This mask, with which to deceive tyranny. And this hat, which needs... reblocking."