First of all, thank you for reading this. It’s been a while since I haven’t written publicly. Hope you enjoy it!

As this is my first note to all of you, I will try a format and if you like it I’ll keep it, if you hate it tell me what you’d change. I’m here for you, so just let me know!

This week I read about the John Deere jailbreak, and I thought once again about the right to repair. Being the son of an electronic repairman, who made a living repairing all sorts of electronic equipment, the current situation of the reparability of electronics ashames me. I was used to the possibility of being able to repair everything, no matter what the issue was with the device, but that’s not the case anymore. Not to mention the planned obsolescence practices that some manufacturers apply to their products, where even when the device is perfectly fine, it just stops working. Farmers have been fighting for a long time against John Deere's restrictions on tractor repair. Similarly, as with cars, which are nowadays computers with wheels, the possibility to roll your own repairs can be jeopardised at the manufacturer’s will.

However, there is some light on the horizon as some countries like France and the USA are passing laws to enforce the creation of long-lasting products and to protect the right to repair.

By the way, if you want to know more about how farming has become highly technified and the vision of John Deere’s CTO on it, check out this Decoder podcast.

My highlights on cybersecurity this week

• 💻 CPU vulns: Vulnerabilities have been discovered for Intel (ÆPIC) and AMD (SQUIP) CPUs.

  ÆPIC is a micro-architectural vulnerability that affects SGX enclaves (Intel’s Trusted Execution Environment solution) and can lead to leaks of AES and RSA keys with 94% and 74% success rate respectively.

  SQUIP (Scheduler Queue Usage via Interference Probing) is a side-channel vulnerability in the scheduler queues, which are are critical for deciding the schedule of instructions to be executed in superscalar CPUs. The researchers have been able to fully recover a 4096-bit RSA key with 50500 traces from a co-located process in a co-located virtual machine.

• 🔓 Broken crypto: SIKE, a post-quantum cryptographic algorithm that made it to round 4 of the NIST standardisation process has been broken with very basic hardware. In their preliminary paper they state that the attack only needs 1 hour of processing on a single core of an Intel Xeon E5. Quite surprising as this algorithm already underwent brutal cryptanalysis (as the other candidates) as part of the NIST standardisation process.

• 🍎 Apple Patch updates: Apple issued patches for MacOS, iPadOS and iOS to mitigate a couple of 0-day vulnerabilities (CVE-2022-32893 and CVE-2022-32894) that affect WebKit component and the kernel.

  The count of the 0-day vulnerabilities patched by Apple from the start of this year sums to a total of 6.

• 🚗 Car Hacking: This story is a complete 🤦‍♀️: A developer explains why it was possible to run their own software on the a Hyundai Ioniq SEL infotainment hardware after discovering the vehicle's manufacturer had secured its system using cryptographic keys that were not only publicly known but had been lifted from programming examples.

  Developer tip: Remember to always create your own keys and never copy them from public sources.

♥ My favourite things

• 🎙Podcast: 99% invisible is an amazing podcast hosted by Roman Mars about all the thought and design that goes into everything that we do not think about, the unnoticed design and architecture that shapes our surroundings. Definitely one of the podcasts that I enjoy the most.