Robert Bruce Park

Just over a year ago Bastille security announced the discovery of a suite of vulnerabilities commonly referred to as MouseJack. The vulnerabilities targeted the low level wireless protocol used by Unifying devices, typically mice and keyboards. The issues included the ability to:

• Pair new devices with the receiver without user prompting
• Inject keystrokes, covering various scenarios
• Inject raw HID commands

This gave an attacker with $15 of hardware the ability to basically take over remote PCs within wireless range, which could be up to 50m away. This makes sitting in a café quite a dangerous thing to do when any affected hardware is inserted, which for the unifying dongle is quite likely as it’s explicitly designed to remain in an empty USB socket. The main manufacturer of these devices is Logitech, but the hardware is also supplied to other OEMs such as Amazon, Microsoft, Lenovo and Dell where they are re-badged or renamed. I don’t think anybody knows the real total, but by my estimations there must be tens of millions of affected-and-unpatched devices being used every day.

Shortly after this announcement, Logitech prepared an update which mitigated some of these problems, and then again a few weeks later prepared another update that worked around and fixed the various issues exploited by the malicious firmware. Officially, Linux isn’t a supported OS by Logitech, so to apply the update you had to start Windows, and download and manually deploy a firmware update. For people running Linux exclusively, like a lot of Red Hat’s customers, the only choice was to stop using the Unifying products or try and find a Windows computer that could be borrowed for doing the update. Some devices are plugged in behind racks of computers forgotten, or even hot-glued into place and unremovable.

The MouseJack team provided a firmware blob that could be deployed onto the dongle itself, and didn’t need extra hardware for programming. Given the cat was now “out of the bag” on how to flash random firmware to this proprietary hardware I asked Logitech if they would provide some official documentation so I could flash the new secure firmware onto the hardware using fwupd. After a few weeks of back-and-forth communication, Logitech released to me a pile of documentation on how to control the bootloader on the various different types of Unifying receiver, and the other peripherals that were affected by the security issues. They even sent me some of the affected hardware, and gave me access to the engineering team that was dealing with this issue.

It took a couple of weeks, but I rewrote the previously-reverse-engineered plugin in fwupd with the new documentation so that it could update the hardware exactly according to the official documentation. This now matches 100% the byte-by-byte packet log compared to the Windows update tool. Magic numbers out, #define’s in. FIXMEs out, detailed comments in. Also, using the documentation means we can report sensible and useful error messages. There were other nuances that were missed in the RE’d plugin (for example, making sure the specified firmware was valid for the hardware revision), and with the blessing of Logitech I merged the branch to master. I then persuaded Logitech to upload the firmware somewhere public, rather than having to extract the firmware out of the .exe files from the Windows update. I then opened up a pull request to add the .metainfo.xml files which allow us to build a .cab package for the Linux Vendor Firmware Service. I created a secure account for Logitech and this allowed them to upload the firmware into a special testing branch.

This is where you come in. If you would like to test this, you first need a version of fwupd that is able to talk to the hardware. For this, you need fwupd-0.9.2-2.fc26 or newer. You can get this from Koji for Fedora.

Then you need to change the DownloadURI in /etc/fwupd.conf to the testing channel. The URI is in the comment in the config file, so no need to list it here. Then reboot, or restart fwupd. Then you can either just launch GNOME Software and click Install, or you can type on the command line fwupdmgr refresh && fwupdmgr update — soon we’ll be able to update more kinds of Logitech hardware.

If this worked, or you had any problems please leave a comment on this blog or send me an email. Thanks should go to Red Hat for letting me work on this for so long, and even more thanks to Logitech to making it possible.

My friend just spent four and a half hours explaining GamerGate to me. I am not active on the Internet, nor do I enjoy day-long video game sessions. He introduced me to the pejorative connotations of Social Justice Warriors. He recounted nasty, illogical, emotional, ad hominem fallacies and all sorts of attacks. He readily admitted that some gamers were equally uncouth. What surprised me about the feminist debate over the representations of women in game media was the level of invective from both sides. Gender and race struggles and matters of class inequity are very dear to my political heart. I see the effects and live with poverty and White cultural supremacy every day. I am a Social Justice Warrior and I want to talk to you about hate.

I employ one woman with a mental illness. I keep one woman healthy and sober. I was there 100% for a woman all through university and into grad school. I am a Social Justice Warrior: I have fought long battles with the benefits office, in the workplace, with the tenancy board, the university committee, with doctors and in hospitals and witnessed racism and sexism in action in all these places. I would describe myself as socially conscious, committed to preserving wild spaces and minimizing human impact on the environment and of being somewhat introverted. I don’t like the idea of White Privilege even though I benefit from it. I am a Christian who believes that all people, whatever race, colour or creed, are worthy of respect as members of our collective humanity, and I believe, (although I have no proof), that my individual efforts in justice and kindness really do affect my community and our world.

I have done some researching and reading of social media posts from women, and occasionally men, and learned that even that doesn’t cover the diversity of human gender norms on the internet. I am exploring a vast new intellectual expanse of articles and opinions and finally really listening to the voices of people who speak out and raise awareness about issues that should concern all citizens. I commend you, bloggers. I, too, have seen hate in action, from major (illegal, in my opinion) denials of rights and freedoms to small snubs and infantile rudeness. All because someone else is different than you or fails to agree with your point of view. So much human misery is unnecessary.

Monty Python “Spam” skit still

Why does #GamerGate matter? In any public debate, you are going to get what Monty Python correctly identified as Spam. If you are analytical like me, schooled by Aristotle, Spam is like cheating at poker, it’s simply not allowed and I won’t play with anyone with their hands caught in it. If, on the other hand (different fingers) you are more omnivorous or grew up in a war-time economy, Spam is just a way of life and good clean fun.

GG tears across a fundamental divide in contemporary culture. You can either believe, or be convinced, that the truth does not care how you feel about it and there is a real reality to contend with, or you can believe, or be convinced, that truth is a relative prospect based on your (metaphorical) lens, perspective, tunnel-reality scope, etc. Let me explain. Either women are sexually objectified in games media marketed primarily to men and that is true on the whole, or it depends on your personal views of a) womanliness, b) interactive media and c) manliness as well as d) the notion of Objectification proper or e), f) and g): your race, social, or economic status, among a million other factors.

If you wanted to know the truth of the statement in the first sense, that games media sexually objectifies women, you would go about collecting incidents of it, basically as you saw fit. You would present this collection to the public, who could then decide if you had made your case or failed to make your case. If you want to know the truth of the matter in the second sense, subjectively, things get complicated, because life is complicated and things aren’t ever cut-and-dried. Either way, you must hash out the issues on your own. You need to think for yourself, dear blog reader, and ask yourself questions about your values, where you stand, and how you relate to the issue. And it’s okay if someone else comes to a completely different conclusion than you. Nerds taught me something else very important. It’s called love and tolerance.

I am a Social Justice Warrior. Unfortunately, due to what I have seen, and how the leaders of the Feminist and Social Justice movements have behaved in public, I must hang up my cape. I’m reading what I would exemplify as white colonial privilege in such a way that I am embarrassed. Calling yourselves racial allies – doesn’t that imply a certain superiority? Self-labelling as a Feminist and then degrading, insulting, humiliating and dehumanizing others for their gender – isn’t that the height of hypocrisy? What if I was saving that word for my daughter’s future, one where I’d hope she would find more equitable relations?

And beat Dark Souls 2.