The lingering feeling of instability. This is my second install of OpenSUSE, after I messed up something leading to my computer having some files which it wanted to update, but using urls which didn’t exist. After this, I’ve been feeling a bit insecure and afraid of doing something that ruins my installation. I know there’s the saying that Linux ‘just works’, but I’ve never messed up a Windows installation…

IMO this is a right of passage. Sure, windows babies you to the point where you can’t really mess much up, but that doesn’t mean its impossible to mess up. I’ve also borked Windows installs just by using them over long periods of time. You bork linux a few times and learn what not to do.

Hundreds of millions. They’re used in an almost uncountable number of IoT devices.

It’s only this specific chip that is affected. It’s not all bluetooth chips. The article doesn’t even specify which of their tens of chips is affected; ESP32-D0WD-V3, ESP32-D0WDR2-V3, ESP32-U4WDH, ESP32-PICO-V3, ESP32-PICO-V3-02, or the ESP32-PICO-D4.

Even if it were all of them, and even if it were hundreds of millions of devices it would still pale in comparison to HeartBleed in all aspects. It’s an interesting but sophisticated attack vector which severely limits its usage. But lets say you execute a MITM attack from one of these ESP32 chips. What are you feasibly able to do? A MITM attack? Considering these are all low power devices its extremely unlikely that they would be able to output enough power to overtake your home AP. Without doing more research on it, the actual attack surface is opaque. I mean, I guess a guy in China can remotely turn on your sprinklers or get your WiFi password… Lot of good that’s gonna do him from China.

Yeah, looks like I was gonna respond to the other guy too, but ended up rolling both replies into the same post for some reason. lol oops.

The first part of my post is just backing up what you had said, and the second half was for the guy you were also replying to, to point out how crazy he was.

https://openwrt.org/docs/guide-user/network/wifi/relay_configuration

Major thing is to enable AP mode and that can only be enabled when you have DHCP disabled on your AP node with an IP range that doesn’t conflict with your main router. So if your main router has 192.168.1.0/24 you should choose the 192.168.2.0/24 range. Next AP should be 192.168.3.0/24, etc.

I’m not saying its contentious. I’m saying if you’re gonna be mad, be mad at the right people. And in this specific case, the retailer is probably not the only issue, so switching to another retailer really won’t help you.

I might sound like a dick, but I’m trying to help you out–telling you that even if you switch retailers, if whomever is delivering your mail is a dick, you’re not going to experience a better situation.

No way they’re on the same level. Heartbleed allowed for remote memory reads.

I professionally studied HeartBleed as a security researcher and wrote a peer reviewed opinion piece which was published. I won’t say where or the title because it would give you my full name, so deal with it. Not trying to humble-brag, just trying to say, I’ve done the research myself here.

HeartBleed was an oversight which sent out enabled by default (!) a TLS heartbeat read overrun error in OpenSSL v1.0.1 to 1.0.2-beta which allowed any third party with an internet connection the ability to request information, 64kb at a time, stored in an affected servers memory. Anything. Private keys, encryption keys, TLS private keys (imagine SSL verified MITM attacks), decrypted sensitive files (which are HDD encrypted and decrypted in memory), passwords, anything.

All’s you had to do was know how to request the information, and the server you wanted to attack. It went undiscovered for a number of months before it was found. The extension was enabled by default, and came bundled with software used on literally billions of private computing devices, servers, IoT devices, and even interstitial devices used over network connection.

Here’s an excerpt from some other security researchers on the subject, in case you don’t want to take my word for it;

We have tested some of our own services from attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication. 1

You’re correct that they’re not on the same level, but completely backwards in thinking that an undocumented bluetooth backdoor is worse than the worst vulnerability found since the invention of the internet. HeartBleed affected hundreds of millions of critical servers. Literally billions of devices in total. How many consumer devices do you think have this exact bluetooth chip? 10,000? 100,000? 10 million? Still small peanuts in comparison.

You should operate under the assumption that all VPN providers will eventually make that list. There’s no VPN provider out there that will function better than one you setup yourself on a VPS. Find one with a good and stable connection speed and you shouldn’t have any issues. Generally they’re really inexpensive, too.

VPN providers have a lot of customers, so when a service gets a connection hundreds of times a minute from a single IP, they either know they’re being attacked in some way or people are using a VPN to access their services. Generally its not a big deal until they start IP banning. If it’s just you and your devices on a single VPN, it’s much much more difficult to tell and likely won’t be blocked for arbitrary reasons.

I owned my own tech firm for 10 years or so. I setup any number of backup solutions with enterprise level HDDs. I’ve seen HDDs packaged impeccably. I’ve seen them come in a cardboard box with absolutely no protection and it’s an absolute crap shoot no matter what. As a matter of fact, there’s a HDD connected to a NAS attached to the computer I’m typing this out on that’s been working for over 8 years non-stop and it was one that just came direct in a cardboard box. Didn’t have a lick of paper or bubble-warp in it.

I’m not telling you not to be critical of retailers who don’t properly protect the things you buy. I’m telling you to measure your response because at the end of the day they’re incredibly fragile no matter how they’re packaged. Properly packaging doesn’t mean you’re going to get a 100% success rate. If you’re that worried about it, then find a local retailer and don’t buy them online.

Removed by mod

I have a robust system to package those orders correctly

This is my point. You can package your electronics as good as you want, but when it comes to hard drives, if the middle man decides to play ice hockey with your package it doesn’t matter. If you want to blame something blame Newton’s second and third Laws of Motion. 🤷‍♂️

This isn’t the fault of retailers. Shipping things is hard. It entirely depends on the people in transit willing to do their jobs, and sometimes you just don’t get lucky.

Removed by mod

In your BIOS, ensure that you have compatibility mode enabled for USB devices. Sometimes it’s called legacy mode. If not, your PC could refuse to boot from some devices. Sounds like what’s happening here at least. Usually if this mode is disabled the USB device won’t show, but its worth a shot.

HeartBleed level.

Does that run on top of next cloud or can I run it independently of next cloud?

So anyways, that’s the impact one of these “pointless” boycott posts had on me.

I didn’t say they were pointless. I say they don’t do anything. What does do something is this;

I ended up cancelling my Prime subscription

That’s it. You “buying a ton” on amazon is small peanuts in the grand scheme. Even if you buy a lot amazon is only making a percentage of whatever you spend. Something like 30%. So even if you spend $10k in a year, they make $3,000 net and have to deduct for the cost of getting those items to you. When all the financials are worked out, it’s next to nothing.

The price of their subscription service is their e-penis. They get to say “500 million people pay for Amazon Prime!” @ $139/yr is $69.5 billion. You can buy nothing and they can still survive… But if you stop paying for Prime they lose their e-penis, which affects their stock price, which loses them bargaining rights with their suppliers and ultimately can affect the price of Prime itself.

It’s the surest way to kill them.

Boycotts like this do nothing because the people most willing to “participate” are people who already don’t purchase from Amazon. Even if you were able to get a critical mass of people to participate for even 3 months. So what? Amazon will post 1 bad quarter and then things go back to business as usual. Nothing happens. They don’t even really lose any money. At least none out of pocket, of which they have plenty for things such as this.

Amazon is a subscription model. You want to hurt them, then hurt their subscriptions. Don’t boycott them, cancel Prime.

The problem with boycotts like this, is they do essentially nothing… A single day, week, or even a full month of boycotts can only be successful if a critical mass of people do it at once. And frankly, they’re not going to get that.

The people most likely to boycott Amazon and the like are people whom already don’t purchase things from Amazon, or lightly do it. Amazon if fine with that, because eventually people go back to buying. So what, they’re gonna post one bad quarter? Small price to pay for doing business.

You can’t boycott evil businesses. You have to stop using them entirely. Forever. And most people simply aren’t willing to.

I dumped Google photos for self hosted immich and it’s been great.

I went to install immich but it was very heavy… I don’t need AI in a selfhosted Google Photo’s replacement.

GDU: http://i.xno.dev/u/WWyrND.png