I spent all day looking for vulns in an IoT clothes dryer. What did I find?
* HTTPS to talk to backend service
* XMPP w/ STARTTLS to stream events
* Cert pinning so no MitM
* Android app obfuscated w/ no obvious backend URLs or certs
* Dryer runs an AP for initial setup w/ DHCP and HTTPS servers
* That HTTPS requires auth with a password printed on a label near the door
Best I could do was get the DHCP server to serve the same IP to every request.
Well done GE.
But then again maybe it's better to go for a cheaper $150 Linux phone than the much more expensive librem.
Can you imagine going from an Android device to something running Linux? Linux is great but there is almost no history of it as a phone OS. What's the software story going to be like?
It's likely to make people miss their mainstream devices. Might as well buy a cheap one as a secondary phone and help build the ecosystem while hanging on to your iPhone or Android.
Apparently people are upset with librem because of their policies towards free speech (hate speech is allowed on their platform). Explanation here:
But I'm not sure the pinephone will be an adequate replacement for what librem was promising. It's really not as powerful.
For anyone who fancied the #Librem Five but is fed up with the developers' politics, or found the price to be way too high, here is something that might be interesting for you: https://liliputing.com/2019/06/pinephone-149-linux-smartphone-could-support-ubuntu-sailfish-maemo-luneos-and-more.html #PinePhone #Pine64
Oh dear. I found a disbeliever on Reddit. I knew, theoretically, that they'd exist. I never expected to meet one!
The topic: MITM forwarding proxies that decrypt and then re-encrypt your communication with a remote web server, because they are the single point of access to the web.
Everything in this talk about package management could also apply to social media:
- You have no way to hold Jack Dorsey or Mark Zuckerberg accountable.
- The real owners do not care whether it is pork bellies or our commons; the goal is to make money from it
- We have ceded our commons to a private entity.
- We decided this was okay. We voted with our feet.
Does anyone know a #SelfHosted online bullet journal app?
Maybe something that does not include hundreds of dependencies from npm and a "webscale document storage"? Bonus for slurs in the name 😉
PS: Don't recommend paper to me. I know about paper, trust me.
I should link the actual poll:
"How is #Mastodon different from other social networks?"
A year ago I tried learning ActivityPub, and more or less failed. I was confounded by a spec that was so abstract I couldn't make heads or tails of it. Turns out I was missing some key things.
I have written a guide to learning about ActivityPub that I wish existed a year ago when I first set out to learn how to write social media servers that conform to the spec:
WebKit then sends those "tags" and raw text to the "HTMLTreeBuilder". This structures the tree differently based on its current state and the tag being inserted into the document tree.
To do the actual work it hands the tag on to the HTMLConstructionSite, which in turn wraps HTMLElementFactory (a Perl-compiled C++ hashmap) and the HTMLElement instances it creates.
NOTE: I'm not particularly fond of the parts of the HTML standard which call for these components; they're overly complex.
New blog post: "Tech veganism" https://nolanlawson.com/2019/05/31/tech-veganism/
Wherein I try to understand what makes a "tech vegan" (i.e. someone who avoids closed-source software and big tech companies, i.e. probably you), and whether there are parallels with real veganism.
Google corporate BS
If you haven't switched to Firefox, now is the time
@asbjorn Firefox over Chrome matters. Rust over Go not so much, as the languages are too detached from the core business, and don't influence common standards.
Also they're not even direct competitors, since Go isn't compatible with no-GC environments Rust is after.
WASI aims to bring cross-platform, sandboxed executables using webassembly as the base to non-browser systems https://github.com/CraneStation/wasmtime/blob/master/docs/WASI-overview.md
It's also ocap-based so there's some hope for security actually working.
However Ben Laurie (who worked on Capsicum) argues that since we have something resembling a clean slate, why try to build it on a broken POSIX'y type design? (Article also talks about how and why containers continue to break their own sandboxing) https://medium.com/@benlaurie_18378/how-to-ruin-a-perfectly-good-container-d33250fca595
I don't mean this in an elitist/exclusionary way. I think it's a bit irresponsible that coding schools and bootcamps start people off by teaching them React/Angular/etc. It's as if you took a woodworking shop and they're like, "OK day one, you will architect an entire five-story building and build it from scratch."