PrintListener, Post-Quantum Crypto in iMessage, Silent Sabotage, Rust Survey Results – ASW #274
PrintListener recreates fingerprints, iMessage updates key handling for a PQ3 rating, Silent Sabotage shows supply chain subterfuge against AI models, 2023 Rust survey results, the ways genAI might help developers, and more!
- 1. Wyze camera breach let 13,000 strangers look into other people’s homes | ZDNET
I don't recall seeing cache errors on any top ten lists, but I've seen many real-world security events associated with caching problems.
The disclosure from Wyze demonstrates a nice degree of transparency. The precise numbers of affected users and resources imply they have good visibility and logging -- a capability that's a fundamental engineering principle that also aids appsec.
- 2. Your fingerprints can be recreated from the sounds made when you swipe on a touchscreen — Chinese and US researchers show new side channel can reproduce fingerprints to enable attacks | Tom’s Hardware
Cool reconstruction of fingerprints from finger swipes on phones. The research is based on real-world situations, not just an acoustically ideal environment. The success so far is relatively low, about 27% for partial fingerprints and about 10% for complete ones.
Another example where measuring something with increased accuracy creates new and interesting threat scenarios. Not necessarily new in concept, but new in its application.
Check out the paper (PDF).
- 3. iMessage with PQ3: The new state of the art in quantum-secure messaging at scale
Apple's security blog has a rather infrequent publication cycle, so it's nice to see a new post and new details on their security work.
In this case, it's a move to quantum-safe key exchange and key refresh for iMessage conversations. Given the immense size of their user base, it's nice to see this security design being done now. It's also important for the cohort of users (journalists, activists, political opponents) that might be targeted by the threat actors capable of the "collect now, decrypt later" approach.
Not every app needs to move to post-quantum cryptography algorithms now. If you still haven't made the transition to TLS 3.0, it's likely your processes around key management, software updates, and infrastructure design need to be improved first.
Some additional news coverage here.
- 4. Silent Sabotage | HiddenLayer Research
Two great topics that go great together: AI and supply chain.
- 5. 2023 Annual Rust Survey Results
First, some commentary on the article itself. It's notable that the automatic translation fared poorly. And yuck those pie charts are awful -- poor readability and poor presentation. A table would have been better and, if visualization is important, a horizontal bar chart would have made for more readable labels that would have been easier to compare and easier to order from top (most, longest) to bottom (least, shortest).
On the survey results themselves, it's useful to understand why developers do or do not favorite a language and its features. It's cool to see WebAssembly show up fourth in the runtimes being developed for -- although I'd love to know the real-world apps coming out of that work.
- 6. GitHub: AI helps developers write safer code, but you need to get the basics right | ZDNET
I mean, of course GitHub would have the stance that their AI helps developers. As a fancy tab completion, AI-generated code that quickly sets up basic scaffolding or API calls sounds useful and a nice convenience. But I think we'll be relying on developers for quite a long time for business logic and decisions on software design.
- 7. Secure by Design RFI Response from Shortridge Sensemaking LLC
Kelly Shortridge and Ryan Petrich have posted their response to CISA's call for information on Secure Design.
Check out the PDF here.
- 8. Stable Channel Update for Desktop
Chrome now provides the option to disable JIT for improved security. Microsoft did this in Edge about a year ago, noting that the performance impact for users was minimal -- there's a difference between absolute performance numbers and performance that affects real-world sites. It was nice to see a more nuanced discussion about security and performance rather than just repeating a tired trope of the two in constant opposition.
We talked about Microsoft's design choice and its "Super Duper Secure Mode" in Edge last year back in episode 185.
- 9. MORE DETAILS: Anatomy of a CVE
John noted this back in episode 272.
I'm trying a new thing for our list of news articles where I include useful followups and additional reading on a topic, even though we're not likely to cover it on the show.
- 10. MORE DETAILS: https://www.labs.greynoise.io/grimoire/2024-02-what-is-this-old-ivanti-exploit/index.html
Nice, brief write-up related to the recent Ivanti vulns. The researcher breaks down some PHP code and walks through how a cluster of cookies are used to execute code through a backdoor.