alufers commented on NYC wants you to stop taking traffic cam selfies, but here's how to do it anyway   pcmag.com/articles/nyc-wa... · Posted by u/gnabgib
dave78 · a year ago
Isn't the most likely outcome here that the city will simply stop allowing public access to the camera feeds?

This feels like it has the potential to be a "this is why we can't have nice things" outcome even though I don't think the app author is doing anything wrong.

alufers · a year ago
A bit tangential, but in Poland we also had such traffic cameras with public access (it wasn't a live feed, but a snapshot updated every minute or so). It was provided by a company which won a lot of tenders for IT infrastructure around roads (https://www.traxelektronik.pl/pogoda/kamery/).

What is interesting to me is that the public access to the cameras was blocked a few months after the war in Ukraine started. For a few months I could watch the large convoys of equipment going towards Ukraine, and my personal theory is that so did the MoD of Russia. I haven't seen any reports about that, just my personal observation.

alufers commented on OpenWRT One Released: First Router Designed Specifically for OpenWrt   sfconservancy.org/news/20... · Posted by u/m463
hamandcheese · a year ago
Huge +1 to this. Managed switching with hardware offload is the only thing standing between me and a fully open source* homelab.

I'm vaguely aware of some enterprise options. I want something quieter and reasonably power efficient. Price is no object within reason. I would pay low 4 figures for something equivalent to a Mikrotik CRS326, but with upstream kernel drivers and an X86 CPU.

* I don't run libreboot or anything, I'm sure there's a fair bit of closed blobs in my lab, but almost all my devices can boot any standard Linux boot image.

alufers · a year ago
Wouldn't a switch with ONIE [1] and Sonic NOS support [2] do the trick?

(I don't know the prices of such switches or whether they are available to prosumers, which would explain why almost nobody has them in a homelab)

[1] https://opencomputeproject.github.io/onie/ [2] https://sonicfoundation.dev/

alufers commented on Is Telegram really an encrypted messaging app?   blog.cryptographyengineer... · Posted by u/md224
Canada · a year ago
Let's stop repeating this word "moderate" when what we're talking about is censorship.

Moderation is what happens here on HN: Admins have some policies to keep the conversation on track, users voluntarily submit to them.

Censorship is when a third party uses coercion to force admins to submit to them and remove posts against their will.

Durov has been arrested for refusing to implement censorship, not for anything concerning moderation.

alufers · a year ago
I don't know how much you have used Telegram, but it's ridden with absolutely vile stuff.

You open the "Telegram nearby" feature anywhere and it's full of people selling drugs and scams. When I mistyped something in the search bar I ended up in some ISIS propaganda channel (which was straight up calling for violence/terrorism). All of this on unencrypted public groups/channels ofc (I'm pretty sure it's the same with CP, although I'm afraid to check for obvious reasons).

I think there is a line between "protecting free speech" and being complicit in crime. This line has been crossed by Telegram.

alufers commented on Show HN: I am building an open-source Confluence and Notion alternative   github.com/docmost/docmos... · Posted by u/Pi9h
j33zusjuice · a year ago
Are we talking about Confluence from Atlassian’s login? What’s so bad about it? It’s usually tied to your SSO provider, so you just have to sign in to your work account. In the server days, it was connected to your AD/LDAP password.

I don’t like Atlassian products very much for a lot of reasons (each iteration of the UI gets worse), but the login process has never been an issue for me, so I’m surprised to see your comment.

alufers · a year ago
Not OP, but have to use the cloud version of Jira and Confluence. My biggest complaint is that they put the "Yes! Send me news and offers from Atlassian about products, events, and more." checkbox in the place where I would expect the "Remember me" checkbox.

Absolutely psychopathic behaviour.

alufers commented on What the damaged Svalbard cable looked like   nrk.no/tromsogfinnmark/th... · Posted by u/ingve
Kon-Peki · 2 years ago
What, no mention that the Norwegian police use evidence markers with inches printed on them? That company sells them with CM markers.

alufers · 2 years ago
Some gun calibers are measured with inches, so maybe they have some imperial markers on hand to measure bullet casings?

alufers commented on T-Mobile employees across the country receive cash offers to illegally swap SIMs   tmo.report/2024/04/t-mobi... · Posted by u/miles
mjmahone17 · 2 years ago
In your scheme, how do I transfer money from my bank after my phone is stolen and I need to get a new phone without access to the original sim? Or access my email?

If that’s just impossible, how do I fix the issue? A “fallback 2FA” what is that exactly?

alufers · 2 years ago
Probably one time use recovery codes you are supposed to print and keep in a safe place. In case of a bank this could also mean a trip to the nearest branch for ID verification.

The same issue you mentioned applies to other 2FA methods. Your TOTP codes and passkeys also live on your phone, Yubikeys can be stolen too.

alufers commented on T-Mobile employees across the country receive cash offers to illegally swap SIMs   tmo.report/2024/04/t-mobi... · Posted by u/miles
alufers · 2 years ago
I know everybody says how bad SMS 2FA is, and how we should replace it with the next cool thing $BIGCORP invented (thus requiring you to have an account with them, which only defers the problem).

But couldn't we pressure the telecoms to improve it?

I have an idea that would make SIM swaps way harder to execute. Namely, a website that wants to authenticate you should be able to query the telecom for some kind of SIM card ID. This would happen before sending a 2FA code.

With such a feature it would be easy to store the SIM card ID in a database when enrolling the phone number. Later, when the user tries to authenticate and the ID does not match what was saved before, the account is locked out. For enterprise accounts you would need to explain yourself to IT, and for personal accounts a fallback 2FA would have to be used. Alternatively the authentication would be delayed for a few days to give the legitimate owner of the SIM card time to react.

Another thing that could be added on top of this is to send an SMS to the old "inactive" SIM, alerting the original owner of the attack.

EDIT: To add to this, here are some advantages of SMS 2FA over time based OTP or passkeys:

1. My grandma can use it with her dumb phone and poor digital skills.

2. Your SIM card will most likely survive if your phone is destroyed due to water or physical damage. (Sadly not true for eSIM)

3. You can dictate an SMS/OTP code over the phone, or forward it to somebody you trust.

4. Banks can append a short description of what you are currently authorizing. It can tip you off in case your computer is infected with malware, or you are victim to one of those TeamViewer scams.
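The SIM-binding check proposed in this comment, together with the one-time recovery-code fallback mentioned in the earlier reply to mjmahone17, written out as an added Python sketch that is not part of the original thread. The carrier lookup `query_carrier_sim_id` is hypothetical (no telecom exposes such an endpoint today), the phone numbers and SIM IDs are constructed, and both policies from the comment are modelled: immediate lockout until a recovery code is presented, or a cooling-off delay after which the new SIM is accepted. In both cases an alert is queued for the previously bound SIM and no code is ever sent to the new one.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import hashlib
import hmac
import secrets

# Constructed stand-in for a carrier directory (phone number -> SIM ID).
# No telecom offers such a lookup today; every value here is made up.
CARRIER_DIRECTORY = {"+15550100": "8901260000000000001"}


def query_carrier_sim_id(phone: str) -> str | None:
    """Hypothetical carrier API: which SIM currently serves this number?"""
    return CARRIER_DIRECTORY.get(phone)


def simulate_sim_swap(phone: str, new_sim_id: str) -> None:
    """Test hook: pretend the carrier moved the number onto another SIM."""
    CARRIER_DIRECTORY[phone] = new_sim_id


def _hash_code(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


@dataclass
class Account:
    phone: str
    sim_id: str                                   # SIM bound at enrollment
    recovery_hashes: set = field(default_factory=set)
    locked: bool = False
    pending_sim_id: str | None = None             # unconfirmed SIM under the delay policy
    delayed_until: datetime | None = None
    alerts: list = field(default_factory=list)    # (old_sim_id, message) to send to the OLD SIM


def enroll(phone: str, n_codes: int = 4) -> tuple[Account, list[str]]:
    """Bind the number to the SIM the carrier reports now and issue one-time recovery codes."""
    sim = query_carrier_sim_id(phone)
    if sim is None:
        raise ValueError("carrier has no record of this number")
    codes = [secrets.token_hex(4) for _ in range(n_codes)]
    acct = Account(phone, sim, {_hash_code(c) for c in codes})
    return acct, codes  # codes are shown to the user once; only hashes are stored


def authenticate(acct: Account, now: datetime, policy: str = "lock",
                 delay: timedelta = timedelta(days=3)) -> str:
    """Decide whether an SMS code may be sent. Returns 'send_sms', 'locked' or 'delayed'."""
    if acct.locked:
        return "locked"
    current = query_carrier_sim_id(acct.phone)
    if current == acct.sim_id:
        acct.pending_sim_id = acct.delayed_until = None
        return "send_sms"
    if policy == "delay" and acct.pending_sim_id == current:
        if now >= acct.delayed_until:
            # Cooling-off period passed with no objection from the old SIM: accept the new one.
            acct.sim_id, acct.pending_sim_id, acct.delayed_until = current, None, None
            return "send_sms"
        return "delayed"
    # First sight of a different SIM: warn the old SIM and never send the code to the new one.
    acct.alerts.append((acct.sim_id, f"login attempted from a new SIM at {now.isoformat()}"))
    if policy == "delay":
        acct.pending_sim_id, acct.delayed_until = current, now + delay
        return "delayed"
    acct.locked = True
    return "locked"


def unlock_with_recovery_code(acct: Account, code: str) -> bool:
    """Fallback 2FA: a valid single-use code clears the lock and re-binds to the current SIM."""
    h = _hash_code(code)
    match = next((s for s in acct.recovery_hashes if hmac.compare_digest(s, h)), None)
    if match is None:
        return False
    acct.recovery_hashes.discard(match)  # single use
    acct.sim_id, acct.locked = query_carrier_sim_id(acct.phone), False
    return True


def demo() -> list:
    """Lock policy: enrollment, a simulated swap, lockout and recovery. Returns the outcomes."""
    phone, t0 = "+15550100", datetime(2024, 4, 1, 12, 0)
    CARRIER_DIRECTORY[phone] = "8901260000000000001"          # reset the constructed directory
    acct, codes = enroll(phone)
    out = [authenticate(acct, t0)]                              # 'send_sms'
    simulate_sim_swap(phone, "8901260000000000002")             # number moved to another SIM
    out.append(authenticate(acct, t0 + timedelta(minutes=5)))   # 'locked'
    out.append(unlock_with_recovery_code(acct, "not-a-code"))   # False
    out.append(unlock_with_recovery_code(acct, codes[0]))       # True, re-bound to new SIM
    out.append(unlock_with_recovery_code(acct, codes[0]))       # False, code already consumed
    out.append(authenticate(acct, t0 + timedelta(minutes=10)))  # 'send_sms'
    return out


def demo_delay_policy() -> list:
    """Delay policy: the new SIM is accepted only after the cooling-off period elapses."""
    phone, t0 = "+15550101", datetime(2024, 4, 1)
    CARRIER_DIRECTORY[phone] = "8901260000000000011"            # constructed second subscriber
    acct, _ = enroll(phone)
    simulate_sim_swap(phone, "8901260000000000012")
    return [authenticate(acct, t0, policy="delay"),                      # 'delayed', alert queued
            authenticate(acct, t0 + timedelta(days=1), policy="delay"),  # still 'delayed'
            authenticate(acct, t0 + timedelta(days=3), policy="delay"),  # 'send_sms', re-bound
            acct.sim_id == "8901260000000000012", len(acct.alerts)]


if __name__ == "__main__":
    print(demo())
    print(demo_delay_policy())
```

The comparison in `unlock_with_recovery_code` is constant-time per stored hash and codes are discarded on use, so a leaked or shoulder-surfed code cannot be replayed; the `alerts` list stands in for the SMS to the old SIM that the comment suggests, and in a real deployment would be the only thing delivered to the old number.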

alufers commented on Backdoor in upstream xz/liblzma leading to SSH server compromise   openwall.com/lists/oss-se... · Posted by u/rkta
Roark66 · 2 years ago
Sadly this is exactly one of the cases where open source is much more vulnerable to a state actor sponsored attack than proprietary software. (it is also easier to find such backdoors in OS software but that's BTW)

Why? Well, consider this, to "contribute" to a proprietary project you need to get hired by a company, go through their he. Also they have to be hiring in the right team etc. Your operative has to be in a different country, needs a CV that checks out, passports/ids are checked etc.

But to contribute to an OS project? You just need an email address. Your operative sends good contributions until they build trust, then they start introducing backdoors in the part of the code "no one, but them understands".

The cost of such attack is a lot lower for a state actor so we have to assume every single OS project that has a potential to get back doored had many attempts of doing so. (proprietary software too, but as mentioned, this is much more expensive)

So what is the solution? IDK, but enforcing certain "understandability" requirements can be a part of it.

alufers · 2 years ago
Is that true? Large companies producing software usually have bespoke infra, which barely anyone monitors. See: the SolarWinds hack. Similarly to the xz compromise, they added a Trojan to the binary artifacts by hijacking the build infrastructure. According to Wikipedia "around 18,000 government and private users downloaded compromised versions"; it took almost a year for somebody to detect the trojan.

Thanks to the tiered updates of Linux distros, the backdoor was caught in testing releases, and not in stable versions. So only a very low percentage of people were impacted. Also the whole situation happened because distros used the tarball with a "closed source" generated script, instead of generating it themselves from the git repo. Again proving that it's easier to hide stuff in closed source software that nobody inspects.

Same with getting hired. Don't companies hire cheap contractors from Asia? There it would be easy to sneak in some crooked or even fake person to do some dirty work. Personally I was even emailed by a guy from China who asked me if I was willing to "borrow" him my identity so he could work in western companies, and he would share the money with me. Of course I didn't agree, but I'm not sure if everybody whose email he found on Github did.

https://en.wikipedia.org/wiki/2020_United_States_federal_gov...

alufers commented on Ask HN: Why does it seem hard to buy an ONT for fiber?    · Posted by u/apollo_mojave
alufers · 2 years ago
I'm not sure where you live (probably the US), but here in Europe you can easily get GPON ONTs from different manufacturers. There even are whole communities dedicated to replacing your ISP's ONT+modem combo: https://hack-gpon.org/quick-start

In some countries (Germany) it's super easy, because there are laws forcing the ISPs to allow customer provided equipment, while in other countries you need to do some hackery with spoofing serial numbers and such of the original modem. People even make utilities to scrape that information via the administrative interface, and make the process semi-automated: https://github.com/StephanGR/GO-BOX

The biggest problem for me about the ISP routers is their sheer size; they probably make them big so that they seem "powerful" to the average person and he chooses that ISP believing that their router provides superior Wi-Fi. New apartments built here (in Poland) even have nice boxes with the incoming fiber and an electrical socket where you are supposed to hide your router, but the shoebox-sized devices don't fit there and you have to put them on the floor, or somewhere else. I myself have bought an SFP+ GPON (LEOX LXT-010S-H) transceiver, which is the smallest form-factor you can get. It goes inside my Banana-Pi R3 router, together with an LTE modem for backup connectivity. And this setup is still smaller than the box provided by my ISP, which only served as a bridge between GPON and my router.

u/alufers

Karma: 1296 · Cake day: June 9, 2018
About
Front-end developer, dabbling in some hacking

hn@alu.dog (you can try other things before the @sign, I will probably get a lot of spam on this particular address)
