For anyone looking for an off-the-shelf solution for wireless texting, I've used the BTECH GMRS-PRO. You can send messages on the device, but it's much easier to connect it to your phone via BLE and text through the app.
However, it uses GMRS bands, not LoRa, so all the FCC restrictions apply.
1. Your main domain is important.example.com with provider A. No DNS API token, for security.
2. Your throwaway domain, in a dedicated account with DNS API, is example.net with provider B, and its DNS API token is in your ACME client.
3. You create _acme-challenge.important.example.com not as a TXT via API but as a permanent CNAME to _acme-challenge.example.net or _acme-challenge.important.example.com.example.net.
4. Your ACME client writes the challenge responses for important.example.com into a TXT at the unimportant _acme-challenge.example.net and has only API access to provider B. If this gets hacked and example.net is lost, you change the CNAMEs and use a new domain whatever.tld as CNAME target.
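An offline model of the delegation described above, added here as an example and not part of the comment: the zones are constructed in-memory dictionaries standing in for provider A and provider B, the CA-side lookup follows the CNAME from `_acme-challenge.important.example.com` exactly as a DNS-01 validator would, and the client-side publish step is allowed to write only into the zone whose API token it holds. It also carries through the recovery case (repointing the CNAME to a fresh zone, labelled `whatever.tld` as in the text). Function names are my own; the per-host CNAME target form is used, but the shorter `_acme-challenge.example.net` form works the same way.

```python
"""Offline model of DNS-01 validation through a CNAME-delegated challenge label.

Zone data is constructed for this example: provider A serves example.com (the ACME
client holds no token for it), provider B serves example.net (token in the client).
Nothing here talks to real DNS; records live in nested dicts.
"""
from typing import Dict, List, Tuple

CHALLENGE_LABEL = "_acme-challenge"

# owner name -> list of (record type, data)
Zone = Dict[str, List[Tuple[str, str]]]
Zones = Dict[str, Zone]


def make_zones() -> Zones:
    """Constructed starting state: the one permanent CNAME in the main zone."""
    return {
        "example.com": {
            "_acme-challenge.important.example.com": [
                ("CNAME", "_acme-challenge.important.example.com.example.net")
            ],
        },
        "example.net": {},
    }


def zone_for(name: str, zones: Zones) -> str:
    """Longest-suffix match: which zone (hence which provider and token) owns a name."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    raise LookupError(f"no zone serves {name}")


def lookup(name: str, rtype: str, zones: Zones) -> List[str]:
    """Return the data of all records of the given type at an owner name."""
    zone = zones[zone_for(name, zones)]
    return [data for typ, data in zone.get(name, []) if typ == rtype]


def resolve_challenge_name(fqdn: str, zones: Zones, max_hops: int = 8) -> str:
    """Follow CNAMEs from _acme-challenge.<fqdn>, as the CA's resolver does.

    Stops at the first name that has no CNAME; bounded to catch loops.
    """
    name = f"{CHALLENGE_LABEL}.{fqdn}"
    for _ in range(max_hops):
        targets = lookup(name, "CNAME", zones)
        if not targets:
            return name
        name = targets[0]
    raise RuntimeError("CNAME chain too long or looped")


def publish_challenge(fqdn: str, value: str, token_zone: str, zones: Zones) -> str:
    """ACME client side: write the TXT at the delegated name.

    The client only holds an API token for token_zone; a target that resolves
    into any other zone is refused, which is the point of the delegation.
    """
    target = resolve_challenge_name(fqdn, zones)
    if zone_for(target, zones) != token_zone:
        raise PermissionError(f"{target} is not in {token_zone}; token cannot write it")
    zones[token_zone].setdefault(target, []).append(("TXT", value))
    return target


def validate(fqdn: str, expected: str, zones: Zones) -> bool:
    """CA side: resolve through the CNAME chain and compare the TXT content."""
    return expected in lookup(resolve_challenge_name(fqdn, zones), "TXT", zones)


def rotate_delegation(fqdn: str, new_zone: str, zones: Zones) -> str:
    """Recovery after the throwaway zone is lost: repoint the CNAME in the main
    zone to a fresh zone. The main zone still never gets an API token."""
    owner = f"{CHALLENGE_LABEL}.{fqdn}"
    main_zone = zone_for(owner, zones)
    new_target = f"{owner}.{new_zone}"
    zones[main_zone][owner] = [("CNAME", new_target)]
    zones.setdefault(new_zone, {})
    return new_target


if __name__ == "__main__":
    z = make_zones()
    where = publish_challenge("important.example.com", "token-1", "example.net", z)
    print(where, validate("important.example.com", "token-1", z))
    rotate_delegation("important.example.com", "whatever.tld", z)
    print(validate("important.example.com", "token-1", z))  # old TXT no longer found
```

The `PermissionError` path is the property worth checking in a real deployment: a token scoped to the throwaway zone cannot touch the main zone, and after rotation the old TXT records are simply never consulted again because the CA follows the new CNAME.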
Check this out. This was at one point one of the cheapest and smallest Linux computers around. It’s USB powered and this project turns a WiFi device designed to share photos from an SD card over a standalone SSID into a male USB A powered miniature SBC. (Edit: okay it’s two PCBs technically)
Microsoft’s version of “Zero Trust” doesn’t care if things are reachable from the public internet. They have been preaching “identity is the new perimeter” [1] for years, and it doesn’t wash.
The NIST Zero Trust Architecture (ZTA) implementation guides (SP 1800-35) [2] cut through the nonsense and AI generated marketing smoke.
In ZTA, ALL network locations are untrusted. Network connections are created by a Policy Engine that creates and tears down tunnels to each resource dynamically using attribute-based access control (ABAC). Per request.
Microsoft doesn’t have any products that can do full ZTA, so several pillars are missing from their “Zero Trust” marketing materials.
Bonus points for a non-unique UEFI UUID that is already enrolled in some random company's Microsoft Intune / Windows Autopilot instance so when you fire it up off a fresh Windows install it begs you to sign into $RANDOM_COMPANY_WITH_BAD_IT_CONTROLS.
Triple-points if the vendor includes a sticker telling you to complete Windows OOBE without connecting it to the Internet to avoid this.
Be careful with SDRs. One minute you're scrolling around the spectrum, and the next you'll find yourself ordering parts for a 36 element Yagi and AZ/EL rotator, and a $3k radio to do Earth Moon Earth bounce communication.
Generators must synchronize with the grid. Huge spinning rotor masses that will experience tremendous forces to coerce them into matching an RPM that corresponds to the grid's frequency.
Frequency is also impacted by load: the greater the load on the generator the more torque required at its input shaft to maintain the same RPM. If the generator's input engine is already at max torque then RPM must decrease all else equal. That in turn requires that every other generator on the grid also slow down to match.
When a huge chunk of generating capacity disappears there isn't enough power feeding the remaining generator input shafts (all else equal) to maintain RPM so the grid frequency must drop. That tends to destroy customer equipment among other problems.
Generators are motors and motors are generators. If the capacity disappears too quickly the grid _drives the generator as a motor_, potentially with megawatts of capacity all trying to instantly make that 100 ton rotor change from 3600 RPM to 2800 RPM or whatever. Inertia puts in its $0.02 and the net result is a disintegrating rotor slinging molten metal and chunks of itself out while the bearings turn into dust.
Protective equipment sees this happening and trips the generator offline to protect it. Usually the coordinating grid entity keeps spare capacity available at all times to respond to loss of other capacity or demand changes. This is also the point of "load shedding": if spare capacity drops below a set level loads are turned off.
If spare capacity is not maintained or transmission line choke points present problems then capacity trip outs can cause progressive collapse as each generator sees excessive load, trips, and in turn pushes excess load to the next generator. If your grid control systems are well designed they can detect this from a central location and command parts of the grid to "island" into balanced chunks of load/capacity so the entire grid does not fully collapse.
Of course when you want to reconnect the islands it takes careful shifting of frequency to get them aligned before you can do that.
If all generators collapse you end up in a black start situation that requires careful staging lest more load than you expected jumps on the grid (maybe due to control devices being unpowered or stuck somewhere), triggering a secondary collapse.
Caveat: not a grid engineer so I may have gotten some of this wrong but hopefully it helps anyone who wonders why load shedding exists or how a grid can "collapse" and what the consequences are if you don't do those things and just let it ride.
Yeah also in general the WFC code is a bit dated and not very secure.
This actually reminds me of two very interesting bugs which used together basically make it so that you can play WFC games (basically just Mario Kart Wii, nowadays) as simply as changing the DNS settings on your Wii.
1. Firstly, as long as you set a particular field in the certificate, it just is completely happy with an invalid cert. (This was fixed by the NWC library by the time it was released in Korea, notably, although this bug was present in DWC for a long while.)
(Aside:
I actually suspect that this bug was present in the RVL SDK (used by games and such on the PPC), but also has the same cause as the signing/Trucha bug[1]. While the latter is an IOS-specific exploit, it wouldn't surprise me if the same code was used in both this and DWC (the networking library). Given that Mario Kart Wii has an associated IOS version of IOS36[2], but DWC code isn't part of IOS, my hunch is that they used either the same or similar validation logic OR both bugs were squashed as part of some security related cleanup.
I haven't actually gone through the reverse engineering effort to confirm this yet, but given that this doesn't work on the Korean version of MKW, which notably uses a later version of IOS and other libraries, my hunch is that those bugs are one and the same. The fix timing at least seems interesting to me. Anyway side note over.)
2. The networking library also has an RCE caused by a buffer overrun, basically from the first message it has a length that's unchecked and the DWC library blindly memcpys data from the packet. This is kinda why it's important to have some sort of patchset that fixes these bugs (because the operating system and libraries ship with the game and you can't update those except for in memory).
The culmination of this is all you have to do is
1. Change your DNS settings on your unmodified Wii to point to a specified DNS server.
2. Start Mario Kart Wii (probably, although some other games work too), open up WFC
So that the game...
3. Does a DNS lookup for the WFC server which intentionally links to a 3rd party server
4. Passes validation of a bad cert which intentionally sets one of the fields to a null value in order to make the Wii accept it
5. Receives a message that contains an exploit which patches the game in memory to fix the known RCEs and setup URLs to resolve to different domains instead of using the old WFC ones among other things (such as cheat reporting that is all client-side based, etc)
all so you can play Wii games (probably Mario Kart Wii) online 11 years after WFC shut down for good :)
>1. I ended up directly using solvespace's solver instead of the suggested wrapper code since it didn't expose all of the features I needed. I also had to patch the solver to make it sufficiently fast for the kinds of equations I was generating by symbolically solving equations where applicable.
(anyone looking for an easy-to-use opensource 3D CAD program should consider it)
Check out pinchflat. Think of it like sonarr for yt channels. I use it to grab content for my kid that he consumes via Plex so I can limit what he sees and remove the algo.
Pinchflat does all the renaming, metadata, and file structure as I configure.
Is this intended to be a password replacement or not? Because attestation requirements for roaming keys are incompatible with a password replacement.
> Being able to zero-effort cleartext a passkey strips it of the HSM-lite properties that make it safer than passwords.
You might have an argument if we were talking about device-bound keys. But the second we start talking about roaming keys, this just becomes a bad excuse. iCloud accounts can be phished, Google accounts can be phished. Roaming keys are vulnerable to phishing. The ability to export a key (encrypted or not) does not change that.
Device-level attestation and platform control over keys is out-of-scope and inappropriate for a credential that is fundamentally designed to live on multiple devices. We aren't talking about Yubikeys or device-bound keys, we're talking about roaming keys that are designed to get synchronized to the cloud and moved between devices at the direction of the user. Necessarily, there is going to be some level of phishing risk. We've accepted that because device-bound keys are unacceptable for most average users even if they're more secure.
Notably, this does not mean that passkeys are useless or that they are not phishing resistant. There are a large number of security benefits from passkeys even though they are not completely phishing proof. Those benefits do not go away if attestation is not supported for roaming keys, nor do they go away if users are able to decrypt their own keys. And given that companies like Apple led on zeroing out attestation requests for roaming keys, there clearly is not consensus in the FIDO Alliance about whether attestation is desirable or necessary for roaming keys.
Passkeys in a world where users can inspect and access their own keys are still a meaningful security improvement over passwords. And importantly, the lack of attestation makes it more feasible that they will actually be used. The goal is not to make something perfectly secure, the goal is to replace passwords with something better. I am continually surprised to see how little people understand about the myriads of use-cases that passkeys will need to support if they are going to actually replace passwords, and how little they seem to care about the ability of an attestation-encumbered system to handle those niche cases.
I've been in this space for a while. First, advocates told me that roaming keys were never going to happen because the whole point was for keys to be device-bound. Then it turned out, well, that's a dealbreaker, so we can compromise on that. Then I was told that sharing passkeys was never going to happen because it would destroy the security benefits. Well... okay, now we support sharing. Then I was told that migration was out-of-scope and the FIDO Alliance was not going to get involved. Now the FIDO Alliance is involved. Then I was told that export was fundamentally insecure, and any migration between providers would need to happen via a secure channel online or without ever putting the passkey on disk. And now I'm told that, okay, we can put the passkey on disk, but the problem is that it's zero-effort to get a cleartext. And at every step of that process, I'm told that these are non-negotiable security properties of WebAuthn.
Well, after a while these all start to feel less like security principles and more like excuses for why export isn't happening. It's weird how these security principles only get brought up in regards to user freedom, and not in regards to Apple supporting passkey sharing over Airdrop. I'm sorry, that doesn't open up phishing risks?
Tim suggests in this issue encrypting the passkey with some kind of additional key on export. How does that mean that HSM properties are preserved? The horse is out the barn, we are not doing HSM security on roaming passkeys, we are just pretending to. HSM gets brought up as this important feature but passkeys are already ignoring it. So let us export the keys; enough with this bullcrap double-standard about what does and doesn't count as a phishing risk.
----
> The sky is falling, yet no one discusses how freedom and attestation might coexist, and so the majority use case (end users) is winning.
Sure, I'll start the ball on that conversation. There's a straightforward indication now that attestation and certification can be used to punish and block spec deviations (https://github.com/keepassxreboot/keepassxc/issues/10406#iss...). This comment could not possibly be more clear, FIDO Alliance is looking for ways to force providers to implement in specific ways.
And that's interesting because in the past I have been told that interoperability and universal import/export cannot be required by the spec because the FIDO alliance has no way to force providers to interoperate, and because interoperability is out-of-scope. The only thing we can do (I'm told) is hope that companies support export/import out of the goodness of their hearts.
Well, now we know that those arguments are wrong. FIDO members are willing to get involved in discussions about how projects do or don't handle migration so this is very clearly "in-scope", and FIDO members are willing to get forcefully involved, and are actively working on mechanisms to require independent projects that are not members of the FIDO alliance to seek certification. FIDO is going to have a level of control over how providers act.
So if we must have attestation, is anyone involved in the spec process for WebAuthn willing to publicly commit right now that export/import for roaming keys will be a required part of the spec and that failure to implement export/import will result in blocking certification? Why is it that attestation is being used to shut down user agency, but for corporations we have to just trust that they'll do the right thing?
We've apparently got this amazing tool for forcing compliance. That implies to me that user freedom can be part of the spec and those compliance tools can be used to safeguard it. If we're talking about using attestation to enhance user freedom, then using attestation to require universal export/import controls with every single certified provider would be a pretty big selling point for attestation, and would go a long ways towards avoiding the mistakes that were made with 2FA, where many apps straight up never provided a way to export keys. I wouldn't be thrilled with it, attestation would still be dangerous, but at least it could be used to ensure that the ecosystem guarantees user rights as well as restricts them.
But I'm not holding my breath that the FIDO Alliance is going to require that kind of thing.
It is not for lack of conversation that attestation is primarily used today to curb user freedom and agency. It is that the technology is naturally prone to abuse if it isn't coupled with adequate safeguards. Early on during TPP debates, proposals were made for ways to make TPPs that coexisted with user freedoms and enhanced user freedoms. It is not that Linux communities aren't involved, it's that we correctly recognize at this point that practically every single real-world implementation of attestation has been used to shut down user freedom because it is fundamentally prone to abuse. So what safeguards is FIDO going to put in place? How is FIDO going to use attestation this time to actually help user freedom?
Because I can think of ways: mandate interoperability, require implementations to be open and documented, require cross-platform support for most providers, require fall-back methods of authentication for users who do not own hardware that can handle attestation requests, publicly commit to making attestation available to De-Googled phones and to "authorized" 3rd-party ROMs.
While we're at it, require clients to support multiple keys per-domain which by extension would effectively force domains to accept multiple keys. Today, there are domains that only allow registering one passkey, which is wildly irresponsible given that registering multiple keys is the only way right now to simulate portability. If we're going to use attestation to threaten non-compliant implementations, then at the very least we could also use attestation to threaten implementations that deny user freedom and agency.
Will FIDO commit to any of that? Or do I have to simultaneously watch Open Source provider implementations get threatened by attestation while also listening to advocates tell me that there's nothing the FIDO alliance can do to require an Open ecosystem with universal data-portability?
I'm convinced Trump is 100% sincere in his belief that his economic ideas are brilliant and will lead the US to a golden age.
I think his (and much of the far right's) mind is characterized by:
- a deep incuriosity and unwillingness to learn about the world
- extreme overconfidence in his own judgment
- an understanding of the world as being pervasively zero-sum (shared with Putin); your loss = his win
- obsessive preoccupation with the dynamics of humiliation: he feels an extreme need to be perceived as strong and to humiliate his enemies, and he greatly fears being humiliated
I feel like these characteristics explain most of his policy. The idea of tariffs arises from his zero-sum mindset: the only way to gain is by making someone else lose. This is of course factually wrong, but he's too incurious to learn from history or economics. And, of course, he's massively overconfident, so the thought that someone else could know better does not occur to him. And once the ball is rolling, his fear of humiliation will ensure that he has to stay the course. His perceived enemies (which is everyone) have to come crawling to his throne, begging to have their tariffs reduced while praising his brilliant policies, and then he might consider it. So if that doesn't happen, his only options are (a) perpetually retaliating with ever-increasing tariffs, disregarding the consequences entirely; or (b) capitulating in the trade war (lowering or abolishing tariffs) while not admitting that it's a capitulation ("don't worry, my brilliant policy fixed the mass influx of fentanyl and illegal immigrants from Canada, so now we can drop the tariffs on Sri Lanka" or something similarly incoherent).
For 2001 it has a rather striking effect. Kylie is walking around a circular area in Paris over and over and everything multiplies each time she completes a loop. It's a very clever effect given the technology of the time. By the end of the video there are five Kylies walking around loosely interacting with each other and the world in odd ways.
This[1] is something I've come across but not had a chance to play with, designed for reading non-smart meters that might work for you. I'm not sure if there's any way to run it on an old phone though.
If anyone is looking for a free/local alternative Continue + Ollama is acceptable. If you're just doing run of the mill programming it will work well out of the box.
I'm glad it's open source so I was able to fix most of the issues I had with it and now my copy is in a great place. The documentation is in places many versions behind the actual code so it can be tough to figure out how to set things up when you're venturing off the beaten path. That all being said the granularity of control you have when using local models leads to an experience that's far better than Cursor/Copilot, I really enjoy that it reads my mind a lot of the time now (because I have prompt engineered it to know how I think).
Counterpoint: The original "Google Wi-Fi" Mesh routers (the hockey puck looking ones) from about 10 years ago come with *4GB* of storage and 512MB of RAM [1]
Ever since that back and forth about "East Coast being kind vs West Coast being nice" thing a while back[1], I think it's important to distinguish the two. Because they are noticeably different (at least to me) and shouldn't be used interchangeably. I want someone to be kind to me in a meeting. I think niceness could seriously inhibit progress. A kind person will tell me that an idea I have won't work, but they'll offer to help me work through it. A nice person will tell me that a bad idea is good, just to avoid conflict.