An interesting paper on Find My stuff: https://arxiv.org/pdf/2205.06114.pdf

> When an iPhone is turned off, most wireless chips stay on. For instance, upon user-initiated shutdown, the iPhone remains locatable via the Find My network. If the battery runs low, the iPhone shuts down automatically and enters a power reserve mode. Yet, users can still access credit cards, student passes, and other items in their Wallet. We analyze how Apple implements these standalone wireless features, working while iOS is not running, and determine their security boundaries. On recent iPhones, Bluetooth, Near Field Communication (NFC), and Ultra-wideband (UWB) keep running after power off, and all three wireless chips have direct access to the secure element. As a practical example of what this means for security, we demonstrate the possibility to load malware onto a Bluetooth chip that is executed while the iPhone is off.

# ? May 24, 2022 20:15

> As a practical example of what this means for security, we demonstrate the possibility to load malware onto a Bluetooth chip that is executed while the iPhone is off.

# ? May 24, 2022 20:16

that's pretty cool but not unexpected really. if you use a BTLE scanner around here there's a bazillion beacons, i really wish there were some way to just nuke them all

# ? May 24, 2022 20:19

hmm yes software vendor, I am going to be difficult and you will "have to talk to engineering" about it, because your $OtherVendor integration should not require a full administrative account with a static password when there are perfectly good APIs available that provide four different documented authentication methods, none of which require what you're asking for. also, "we don't know, we'll have to check, but can you set this up please, it's holding us up?" is the wrong answer when someone asks you why you need admin access to something. jfc

# ? May 24, 2022 22:03

lazy vendors

# ? May 24, 2022 22:05

Powerful Two-Hander posted:
> hmm yes software vendor I am going to be difficult and you will "have to talk to engineering" about it because your $OtherVendor integration should not require a full administrative account with a static password when there are perfectly good APIs available that provide four different documented authentication methods, none of which require what you're asking for.

This reminds me of a past project I jumped on, and when asked "why does this run as root?" the answer was "We need to be able to write to the config file!" I changed the permissions on the config file and root was no longer needed.

# ? May 24, 2022 22:37

fins posted:
> An interesting paper on Find My stuff

# ? May 24, 2022 22:44

CRIP EATIN BREAD posted:
> the term "nonce" for one time use predates the dumb brits version of it.

yeah why should we change, they're the one who sucks

# ? May 24, 2022 22:45

haveblue posted:
> my new cryptocurrency uses poof-of-stake

# ? May 24, 2022 22:57

please use poof-of-steak where you feed me wagyu

# ? May 24, 2022 23:04

lmao https://arstechnica.com/information-technology/2022/05/digital-drivers-license-used-by-4m-australians-is-a-snap-to-forge/

NSW offers a digital driver's license app. the identity file data can be backed up to a pc via itunes. the file is encrypted with a 4-digit numeric pin. the data on the phone is never checked against a central server. the qr code only contains the name and whether the person is over 18.

# ? May 25, 2022 02:26

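The post above describes three separate weaknesses: a 4-digit PIN protecting an offline file, the phone trusting whatever that file decrypts to, and no check against the issuer. The following is an added example, written for this thread and not code from the NSW app, the Ars Technica article or the researchers; the file format, the stdlib-only cipher (HMAC keystream plus HMAC tag), the PBKDF2 iteration count, the record fields and the issuer-side check are all constructed assumptions. It brute-forces the whole 10,000-PIN space, re-encrypts a forged record under the recovered PIN so an offline check accepts it, and then shows that a verifier which checks with the issuer (here a stand-in HMAC under an issuer-only secret; a real deployment would use the issuer's signature or an online lookup) rejects the same forgery.

```python
"""Constructed demo: a 4-digit PIN on an offline credential file is no protection,
and only an issuer-side check catches a forged record.

Added example for this thread. The cipher, KDF, file layout, record fields and
issuer check below are assumptions, not the real app's format.
"""
import hashlib
import hmac
import json
import os

KDF_ITERATIONS = 256   # assumed; a heavier KDF only multiplies the 10,000-candidate cost
SALT_LEN = 16
TAG_LEN = 32


def _key_from_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS, dklen=32)


def _keystream(key: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in stream cipher (stdlib only).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def encrypt_record(record: dict, pin: str, salt: bytes) -> bytes:
    """Layout (assumed): salt || ciphertext || HMAC tag over the ciphertext."""
    key = _key_from_pin(pin, salt)
    ciphertext = _xor(json.dumps(record, sort_keys=True).encode(), key)
    tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
    return salt + ciphertext + tag


def decrypt_record(blob: bytes, pin: str):
    """Returns the record, or None if the tag does not verify under this PIN."""
    salt, ciphertext, tag = blob[:SALT_LEN], blob[SALT_LEN:-TAG_LEN], blob[-TAG_LEN:]
    key = _key_from_pin(pin, salt)
    if not hmac.compare_digest(hmac.new(key, ciphertext, hashlib.sha256).digest(), tag):
        return None
    return json.loads(_xor(ciphertext, key))


def brute_force_pin(blob: bytes):
    """Exhaust all 10,000 four-digit PINs; the tag check tells us when we hit the right one."""
    for n in range(10_000):
        pin = f"{n:04d}"
        record = decrypt_record(blob, pin)
        if record is not None:
            return pin, record, n + 1
    return None, None, 10_000


# Stand-in for the issuer's signature / central record; a real verifier would
# use the issuer's public key or an online lookup, never a shared secret.
ISSUER_SECRET = b"constructed issuer-only secret"


def issuer_sign(fields: dict) -> str:
    return hmac.new(ISSUER_SECRET, json.dumps(fields, sort_keys=True).encode(),
                    hashlib.sha256).hexdigest()


def issuer_verify(record: dict) -> bool:
    fields = {k: v for k, v in record.items() if k != "issuer_sig"}
    return hmac.compare_digest(issuer_sign(fields), record.get("issuer_sig", ""))


def demo() -> dict:
    # Constructed record; the issuer signed the original fields when it was issued.
    fields = {"name": "Jane Citizen", "date_of_birth": "2006-03-14", "over_18": False}
    record = dict(fields, issuer_sig=issuer_sign(fields))
    blob = encrypt_record(record, "2791", os.urandom(SALT_LEN))   # backup file as exported

    pin, recovered, attempts = brute_force_pin(blob)
    forged = dict(recovered, date_of_birth="2000-03-14", over_18=True)
    forged_blob = encrypt_record(forged, pin, blob[:SALT_LEN])     # re-encrypt under the same PIN
    reloaded = decrypt_record(forged_blob, pin)                    # what the phone would load
    return {
        "pin": pin,
        "attempts": attempts,
        "phone_accepts_forgery": reloaded is not None and reloaded["over_18"],
        "issuer_accepts_original": issuer_verify(record),
        "issuer_accepts_forgery": issuer_verify(reloaded),
    }


if __name__ == "__main__":
    print(demo())
```

The point the numbers make: even with a deliberately slow KDF, 10,000 candidates is seconds of work on a laptop, so the PIN only ever keeps out someone without the file. What actually stops the forgery is the issuer's signature over the fields, which the forger cannot regenerate, and a relying party that checks it rather than trusting the phone's own display.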
Nice MVP, they'll fix it in the next release!!

# ? May 25, 2022 02:36

Client side validation of drivers' licenses

# ? May 25, 2022 03:14

Chris Knight posted:
> their POC requires a jailbroken iphone so lol

i never knew of the existence of dck 3.0. can't seem to find much, but lol this:

fins fucked around with this message at 04:01 on May 25, 2022

# ? May 25, 2022 03:58

Jenny Agutter posted:
> lmao https://arstechnica.com/information-technology/2022/05/digital-drivers-license-used-by-4m-australians-is-a-snap-to-forge/

do you know how fast you were going, Mr. Drop Table?

# ? May 25, 2022 03:59

fins posted:
> i never knew of the existence of dck 3.0. can't seem to find much, but lol this:

alternately, we could use a physical token that's permanently paired to the car and is 100% non-interceptable

# ? May 25, 2022 14:24

Captain Foo posted:
> alternately, we could use a physical token that's permanently paired to the car and is 100% non-interceptable

*posts photo of key online* i'd like to see anyone intercept this!

# ? May 25, 2022 15:38

Jenny Agutter posted:
> *posts photo of key online* i'd like to see anyone intercept this!

Maybe cars should just have usb slots for fido2 tokens.

# ? May 25, 2022 15:42

FlapYoJacks posted:
> This reminds me of a past project I jumped on, and when asked "why does this run as root?" the answer was "We need to be able to write to the config file!"

so their answer is "we need it to set up an OAuth token and the admin access is needed to provision users", but their documentation says that the user provisioning function is deprecated (and you don't need full admin for this anyway). at least they are using one of the actual APIs though, I was expecting them to be doing a headless login and screen scraping or something

# ? May 25, 2022 19:04

FlapYoJacks posted:
> "We need to be able to write to the config file!"

this alone loving destroys me. i rage tirelessly against server applications that insist on being able to rewrite their own config files. i get that it isn't all that different from just storing configuration data in the application's data store, but i really like having a line between startup configuration with credentials for connecting to a data store and runtime configuration that can live in said data store

# ? May 25, 2022 19:21

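The two posts above (FlapYoJacks' "why does this run as root" story and the startup-versus-runtime configuration line just drawn) describe the same least-privilege pattern from two sides. The following is an added example written for this thread, not code from either poster or from any product they mention: a loader that opens the startup file read-only and refuses one that is group- or world-writable, and a runtime-settings store in the data store (SQLite here) that refuses to accept startup keys, so the service never needs write access to its own config file, let alone root. The key names (`db_path`, `db_password`, `listen_port`), file layout and SQLite schema are assumptions for the demo.

```python
"""Added example: keep startup configuration (credentials, read at boot, never written
by the service) apart from runtime settings (live in the data store).

Not code from any poster; key names, file layout and schema are constructed.
The fix to "it runs as root to write its config" is the other half: chown the
file to the service account and open it read-only, as load_startup_config does.
"""
import json
import os
import sqlite3
import stat
import tempfile


class StartupConfigError(Exception):
    pass


# Assumed set of boot-time keys: connection details and credentials only.
STARTUP_KEYS = {"db_path", "db_password", "listen_port"}


def load_startup_config(path: str) -> dict:
    """Read the boot-time config once. Opens read-only and rejects a file that
    group or others can write, since nothing in the service should rewrite it."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise StartupConfigError(
            f"{path} is writable by group/others (mode {oct(mode & 0o777)})")
    with open(path, "r") as fh:           # read-only: the service needs no write bit
        cfg = json.load(fh)
    unexpected = set(cfg) - STARTUP_KEYS
    if unexpected:
        raise StartupConfigError(
            f"runtime settings do not belong in the startup file: {sorted(unexpected)}")
    return cfg


class RuntimeSettings:
    """Settings that change while the service runs live in the data store the
    startup config pointed us at, never back in the startup file."""

    def __init__(self, db_path: str):
        self.conn = sqlite3.connect(db_path)
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS settings (key TEXT PRIMARY KEY, value TEXT)")

    def set(self, key: str, value) -> None:
        if key in STARTUP_KEYS:
            raise StartupConfigError(f"{key} is startup config; edit the file and restart")
        self.conn.execute(
            "INSERT OR REPLACE INTO settings (key, value) VALUES (?, ?)",
            (key, json.dumps(value)))
        self.conn.commit()

    def get(self, key: str, default=None):
        row = self.conn.execute("SELECT value FROM settings WHERE key = ?", (key,)).fetchone()
        return default if row is None else json.loads(row[0])

    def close(self) -> None:
        self.conn.close()


def demo() -> dict:
    """Constructed walk-through in a temp dir; returns what each check decided."""
    tmpdir = tempfile.mkdtemp()
    good = os.path.join(tmpdir, "service.json")
    with open(good, "w") as fh:
        json.dump({"db_path": os.path.join(tmpdir, "svc.db"),
                   "db_password": "hunter2", "listen_port": 8443}, fh)
    os.chmod(good, 0o600)                 # owner (the service account) reads; nobody else writes
    startup = load_startup_config(good)

    loose = os.path.join(tmpdir, "loose.json")
    with open(loose, "w") as fh:
        json.dump({"db_path": startup["db_path"]}, fh)
    os.chmod(loose, 0o666)                # world-writable: anyone could plant credentials
    try:
        load_startup_config(loose)
        loose_rejected = False
    except StartupConfigError:
        loose_rejected = True

    runtime = RuntimeSettings(startup["db_path"])
    runtime.set("feature_flags", {"new_ui": True})
    try:
        runtime.set("db_password", "changed-at-runtime")
        startup_key_rejected = False
    except StartupConfigError:
        startup_key_rejected = True
    flags = runtime.get("feature_flags")
    runtime.close()
    return {"listen_port": startup["listen_port"], "loose_rejected": loose_rejected,
            "startup_key_rejected": startup_key_rejected, "feature_flags": flags}


if __name__ == "__main__":
    print(demo())
```

The permission check is the cheap version of the audit question in the thread: if the file is only ever opened for reading, the only write bit that should exist on it belongs to whoever deploys it, and the answer to "why does this run as root?" becomes a `chown` plus a dedicated service user rather than an exception.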
fins posted:
> i never knew of the existence of dck 3.0. can't seem to find much, but lol this:

Could we, you know, NOT do this?

# ? May 25, 2022 19:23

Jenny Agutter posted:
> *posts photo of key online* i'd like to see anyone intercept this!

you're right, but I think they were referring to key fobs

# ? May 25, 2022 19:38

CommieGIR posted:
> Could we, you know, NOT do this?

yeah, let's crowdsource a blockchain that proves car ownership

# ? May 25, 2022 20:21

Beeftweeter posted:
> yeah, let's crowdsource a blockchain that proves car ownership

Hm, yes. This is better.

# ? May 25, 2022 20:27

car is up on blocks chain

# ? May 25, 2022 20:30

CommieGIR posted:
> Hm, yes. This is better.

it can be powered by the cars! they're computers these days, you know

# ? May 25, 2022 20:33

yeah i got an nft, a Nice loving Truck

# ? May 25, 2022 20:34

dpkg chopra posted:
> yeah i got an nft, a Nice loving Truck

Aren't you worried someone could just like "right click" on the driver side window and "download" your truck?

# ? May 25, 2022 21:29

Captain Foo posted:
> car is up on blocks chain

security fuckup megathread: car is up on blocks chain

# ? May 25, 2022 21:38

Captain Foo posted:
> car is up on blocks chain

# ? May 25, 2022 21:39

Beeftweeter posted:
> that's pretty cool but not unexpected really

# ? May 26, 2022 13:16

They have some flipper zeroes in stock rn if people are looking for them. the page says unavailable but seems like you can actually order them

# ? May 26, 2022 22:58

Jenny Agutter posted:
> They have some flipper zeroes in stock rn if people are looking for them

how does one order them? the buy button says sold out for me

# ? May 26, 2022 23:06

Flippers zero

# ? May 26, 2022 23:07

i got one in my cart but then it says it can't calculate shipping for my address

# ? May 26, 2022 23:10

Crime on a Dime posted:
> how does one order them? the buy button says sold out for me

I clicked this link but they might be gone: https://twitter.com/gmman_bzflag/status/1529912433392766976?s=21&t=LbeAwE1fTmYGob6nWZz81g

# ? May 26, 2022 23:14

US only

# ? May 26, 2022 23:16

drat I really want one of those but I don't have enough of a use for it to justify the 180 bucks.

# ? May 26, 2022 23:19

Crime on a Dime posted:
> US only

yeah found that out too 🤬

# ? May 26, 2022 23:20

I'm coordinating the goon group buy Joke

Rufus Ping fucked around with this message at 11:40 on May 27, 2022

# ? May 27, 2022 00:04