Xanza
@Xanza@lemm.ee
- Comment on Undocumented "backdoor" found in Bluetooth chip used by a billion devices 19 hours ago:
Hundreds of millions. They’re used in an almost uncountable number of IoT devices.
It’s only this specific chip that is affected. It’s not all bluetooth chips. The article doesn’t even specify which of their tens of chips is affected; ESP32-D0WD-V3, ESP32-D0WDR2-V3, ESP32-U4WDH, ESP32-PICO-V3, ESP32-PICO-V3-02, or the ESP32-PICO-D4.
Even if it were all of them, and even if it were hundreds of millions of devices, it would still pale in comparison to HeartBleed in all aspects. It’s an interesting but sophisticated attack vector which severely limits its usage. But let’s say you execute a MITM attack from one of these ESP32 chips. What are you feasibly able to do? A MITM attack? Considering these are all low power devices, it’s extremely unlikely that they would be able to output enough power to overtake your home AP. Without doing more research on it, the actual attack surface is opaque. I mean, I guess a guy in China can remotely turn on your sprinklers or get your WiFi password… Lot of good that’s gonna do him from China.
- Comment on Undocumented "backdoor" found in Bluetooth chip used by a billion devices 19 hours ago:
Yeah, looks like I was gonna respond to the other guy too, but ended up rolling both replies into the same post for some reason. lol oops.
The first part of my post is just backing up what you had said, and the second half was for the guy you were also replying to, to point out how crazy he was.
- Comment on [Help] OpenWrt wifi to ethernet repeater 20 hours ago:
- Comment on Retailers who pack & ship HDDs right?! 20 hours ago:
I’m not saying it’s contentious. I’m saying if you’re gonna be mad, be mad at the right people. And in this specific case, the retailer is probably not the only issue, so switching to another retailer really won’t help you.
I might sound like a dick, but I’m trying to help you out–telling you that even if you switch retailers, if whomever is delivering your mail is a dick, you’re not going to experience a better situation.
- Comment on Undocumented "backdoor" found in Bluetooth chip used by a billion devices 21 hours ago:
No way they’re on the same level. Heartbleed allowed for remote memory reads.
I professionally studied HeartBleed as a security researcher and wrote a peer reviewed opinion piece which was published. I won’t say where or the title because it would give you my full name, so deal with it. Not trying to humble-brag, just trying to say, I’ve done the research myself here.
HeartBleed was an oversight, shipped enabled by default (!), in the TLS heartbeat extension of OpenSSL v1.0.1 to 1.0.2-beta: a read overrun which allowed any third party with an internet connection to request information, 64 KB at a time, stored in an affected server’s memory. Anything. Private keys, encryption keys, TLS private keys (imagine SSL verified MITM attacks), decrypted sensitive files (which are HDD encrypted and decrypted in memory), passwords, anything.
All you had to do was know how to request the information, and which server you wanted to attack. It went undiscovered for a number of months before it was found. The extension was enabled by default, and came bundled with software used on literally billions of private computing devices, servers, IoT devices, and even interstitial devices used over a network connection.
Here’s an excerpt from some other security researchers on the subject, in case you don’t want to take my word for it;
We have tested some of our own services from attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication. [1]
You’re correct that they’re not on the same level, but completely backwards in thinking that an undocumented bluetooth backdoor is worse than the worst vulnerability found since the invention of the internet. HeartBleed affected hundreds of millions of critical servers. Literally billions of devices in total. How many consumer devices do you think have this exact bluetooth chip? 10,000? 100,000? 10 million? Still small peanuts in comparison.
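The comment above describes the HeartBleed mechanism (a heartbeat request whose claimed payload length is trusted, so the reply copies memory past the end of the request, up to 64 KB because the length field is 16 bits). The following is an added example, not code from the original comments and not OpenSSL’s own code: a small Python model of the vulnerable length handling beside the checked version from the fix, run against a constructed byte string standing in for the server’s heap. The message layout follows RFC 6520; the heap contents and the names are assumptions for illustration.

```python
"""Model of the Heartbleed length-check bug (added example, not OpenSSL code).

RFC 6520 heartbeat message: type(1) | payload_length(2, big-endian) | payload | padding(>=16).
Vulnerable OpenSSL trusted payload_length from the peer and copied that many bytes
out of the receive buffer into the response, so the reply included whatever sat
after the request in process memory. 16-bit length => at most 65535 bytes per request.
"""
import struct
from typing import Optional

HB_REQUEST = 1
HB_RESPONSE = 2
MIN_PADDING = 16
HDR = 1 + 2  # type byte + 2-byte length

# Constructed stand-in for data that happens to follow the request in the heap.
SECRET = b"user=alice&pass=hunter2;-----BEGIN RSA PRIVATE KEY-----..."


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Build a heartbeat request; claimed_length lets the sender lie about the size."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def vulnerable_heartbeat(memory: bytes, record_len: int) -> bytes:
    """Vulnerable handler: copies payload_len bytes and never looks at record_len."""
    _hb_type, payload_len = struct.unpack("!BH", memory[:HDR])
    # No bounds check: the slice runs past the record into neighbouring memory.
    payload = memory[HDR:HDR + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * MIN_PADDING


def fixed_heartbeat(memory: bytes, record_len: int) -> Optional[bytes]:
    """Checked handler (the shape of the 1.0.1g fix): discard records that do not fit."""
    if record_len < HDR + MIN_PADDING:
        return None  # too short to even carry a length and padding
    _hb_type, payload_len = struct.unpack("!BH", memory[:HDR])
    if HDR + payload_len + MIN_PADDING > record_len:
        return None  # claimed payload does not fit inside the record: silently drop
    payload = memory[HDR:HDR + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + payload + b"\x00" * MIN_PADDING


def leaked_bytes(response: bytes, sent_payload: bytes) -> bytes:
    """Bytes echoed back beyond what the client actually sent."""
    _, payload_len = struct.unpack("!BH", response[:HDR])
    return response[HDR:HDR + payload_len][len(sent_payload):]


def demo():
    """Attacker sends 5 payload bytes but claims 65; compare both handlers."""
    sent = b"HELLO"
    record = build_heartbeat(sent, claimed_length=len(sent) + 60)
    heap = record + SECRET  # constructed: request followed by unrelated secret data
    leak = leaked_bytes(vulnerable_heartbeat(heap, len(record)), sent)
    dropped = fixed_heartbeat(heap, len(record))
    return leak, dropped


if __name__ == "__main__":
    leak, dropped = demo()
    print("vulnerable handler leaked:", leak)
    print("fixed handler response:", dropped)
```

The leaked slice is the request’s own padding followed by the bytes that sat after it in memory; the checked handler returns nothing for the same request, while an honest request (claimed length equal to the real payload) still gets a normal response.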
- Comment on Retailers who pack & ship HDDs right?! 22 hours ago:
I owned my own tech firm for 10 years or so. I set up any number of backup solutions with enterprise level HDDs. I’ve seen HDDs packaged impeccably. I’ve seen them come in a cardboard box with absolutely no protection and it’s an absolute crap shoot no matter what. As a matter of fact, there’s a HDD connected to a NAS attached to the computer I’m typing this out on that’s been working for over 8 years non-stop and it was one that just came direct in a cardboard box. Didn’t have a lick of paper or bubble-wrap in it.
I’m not telling you not to be critical of retailers who don’t properly protect the things you buy. I’m telling you to measure your response because at the end of the day they’re incredibly fragile no matter how they’re packaged. Properly packaging doesn’t mean you’re going to get a 100% success rate. If you’re that worried about it, then find a local retailer and don’t buy them online.
- Comment on Retailers who pack & ship HDDs right?! 22 hours ago:
I have a robust system to package those orders correctly
This is my point. You can package your electronics as good as you want, but when it comes to hard drives, if the middle man decides to play ice hockey with your package it doesn’t matter. If you want to blame something blame Newton’s second and third Laws of Motion. 🤷♂️
- Comment on Retailers who pack & ship HDDs right?! 22 hours ago:
This isn’t the fault of retailers. Shipping things is hard. It entirely depends on the people in transit willing to do their jobs, and sometimes you just don’t get lucky.
- Comment on Undocumented "backdoor" found in Bluetooth chip used by a billion devices 23 hours ago:
HeartBleed level.
- Comment on Google Photos will no longer sync with third-party digital photo frames 1 day ago:
Does that run on top of next cloud or can I run it independently of next cloud?
- Comment on Amazon Boycot March 7-14th | No Purchases. Its time to disrupt the system. 1 day ago:
So anyways, that’s the impact one of these “pointless” boycott posts had on me.
I didn’t say they were pointless. I say they don’t do anything. What does do something is this;
I ended up cancelling my Prime subscription
That’s it. You “buying a ton” on Amazon is small peanuts in the grand scheme. Even if you buy a lot, Amazon is only making a percentage of whatever you spend. Something like 30%. So even if you spend $10k in a year, they make $3,000 net and have to deduct for the cost of getting those items to you. When all the financials are worked out, it’s next to nothing.
The price of their subscription service is their e-penis. They get to say “500 million people pay for Amazon Prime!” @ $139/yr is $69.5 billion. You can buy nothing and they can still survive… But if you stop paying for Prime they lose their e-penis, which affects their stock price, which loses them bargaining rights with their suppliers and ultimately can affect the price of Prime itself.
It’s the surest way to kill them.
- Comment on Amazon Boycot March 7-14th | No Purchases. Its time to disrupt the system. 1 day ago:
Boycotts like this do nothing because the people most willing to “participate” are people who already don’t purchase from Amazon. Even if you were able to get a critical mass of people to participate for even 3 months. So what? Amazon will post 1 bad quarter and then things go back to business as usual. Nothing happens. They don’t even really lose any money. At least none out of pocket, of which they have plenty for things such as this.
Amazon is a subscription model. You want to hurt them, then hurt their subscriptions. Don’t boycott them, cancel Prime.
- Comment on Amazon Boycot March 7-14th | No Purchases. Its time to disrupt the system. 1 day ago:
The problem with boycotts like this, is they do essentially nothing… A single day, week, or even a full month of boycotts can only be successful if a critical mass of people do it at once. And frankly, they’re not going to get that.
The people most likely to boycott Amazon and the like are people who already don’t purchase things from Amazon, or lightly do it. Amazon is fine with that, because eventually people go back to buying. So what, they’re gonna post one bad quarter? Small price to pay for doing business.
You can’t boycott evil businesses. You have to stop using them entirely. Forever. And most people simply aren’t willing to.
- Comment on Google Photos will no longer sync with third-party digital photo frames 1 day ago:
I dumped Google photos for self hosted immich and it’s been great.
I went to install immich but it was very heavy… I don’t need AI in a selfhosted Google Photos replacement.
- Comment on Random people started sharing child pornography on my matrix server, what are my options? 2 days ago:
Then definitely don’t follow my advice. lol I have no idea what french law is.
- Comment on Random people started sharing child pornography on my matrix server, what are my options? 2 days ago:
HelloRoot is correct. You should not have deleted anything. You should have simply shut down the server and contacted the FBI (not the police). Child porn is a serious federal offense and because they committed the offense across state lines (or aren’t in the US at all), the FBI would have jurisdiction. Because you deleted the evidence (a crime, by the way) there’s nothing for them to go on now.
If this ever happens again, shut down the server so no one can connect, and contact the FBI Criminal Division who has their own child crimes division that specifically deals with child pornography.
- Comment on What host names do you use? 2 days ago:
Depends on how many hostnames I need. If I just need 2, using opposite duals is fun, {romeo,juliet}.shakespeare.com. I almost always use cardinal directions or the seasons; {north,south,east,west}.domain.com or {spring,summer,fall,winter}.domain.com. If I need a lot of potential subdomains, you can’t beat the Greek or NATO alphabet, giving you 24 and 26 hostnames respectively, which can be further enhanced by using the purpose of the server with the alphabet;
- beta-w02.domain.com # second webserver on beta
- beta-db02.domain.com # second db on beta
- Comment on FCC chair says we’re too dependent on GPS and wants to explore ‘alternatives’. 2 days ago:
Having functional GPS in a tunnel would be very nice
In a tunnel
a tunnel
tunnel
I fear for the world. You afraid that you’re gonna make a wrong turn? Inside of a tunnel? A fuckin’ tunnel my guy?
- Comment on FCC chair says we’re too dependent on GPS and wants to explore ‘alternatives’. 2 days ago:
GPS is incredibly fragile.
No, not really. The GPS signal isn’t designed to penetrate concrete, no. But that doesn’t make it fragile.
Also very terrestrial…it doesn’t work once you leave the atmosphere.
Considering it was never meant to…that’s really not that goddamn weird. It’s a global positioning satellite system. So clearly for it to work you have to be on the fuckin’ globe…
- Comment on FCC chair says we’re too dependent on GPS and wants to explore ‘alternatives’. 2 days ago:
It’s literally him convincing someone to sell their house that they own outright to rent from them because it’s somehow much better (for him of course). It’s so fucking stupid.
- Comment on FCC chair says we’re too dependent on GPS and wants to explore ‘alternatives’. 2 days ago:
We’re too dependent on a technology that we spent tens of billions of dollars researching and perfecting over decades of research!
Possibly the dumbest statement I’ve heard this week.
- Comment on Self-hosting minecraft 3 days ago:
- Comment on Gaming chat platform Discord in early talks with banks about public listing 3 days ago:
Where did I say that it was, though? I posted it as an alternative. Not once did I say or even hint that it was ready… You’re going to great lengths to put words in my mouth on a public forum where anyone can see what’s been written. It’s very bizarre.
- Comment on Gaming chat platform Discord in early talks with banks about public listing 3 days ago:
I mean, what’s “ready” mean in this context? Voice and video are still being worked on. They’re going for maximum compatibility so they have to reverse engineer the way Discord does things, so it’s taking a while.
- Comment on You knew it was coming: Google begins testing AI-only search results | This version of Google won't show you the 10 blue links at all—Gemini completely takes over the results in AI Mode 3 days ago:
It’s never not worked, but they’re running sponsored links now. I’ve hit them 3 times today out of maybe 50 searches. But they’re there.
- Comment on Discord in Early Talks With Bankers for Potential I.P.O. 3 days ago:
- Comment on Gaming chat platform Discord in early talks with banks about public listing 3 days ago:
- Comment on You knew it was coming: Google begins testing AI-only search results | This version of Google won't show you the 10 blue links at all—Gemini completely takes over the results in AI Mode 3 days ago:
I noticed today that UDM mode for Google is displaying sponsored results now, too…
- Comment on Does it make sense to buy a lifetime supply of honey? 3 days ago:
Bulk honey is significantly less expensive if you buy direct from an apiary, and in bulk. It never expires (but can go bad! you still have to store it properly) and will last longer than you if you treat it well.
Go for it. The price of honey is bound to just go up.
- Comment on Reddit will warn users who repeatedly upvote banned content 3 days ago:
Same. I used Reddit for 12 years. Got perma-banned last year for saying things about Israel that people didn’t like, I guess.
Moved to lemmy.