Beeper’s iMessage app for Android is back — but it’s a downgrade
chiisana (@chiisana@lemmy.chiisana.net) · Posts 4 · Comments 500 · Joined 2 yr. ago

Disabled; takes too much space; scrolling is nice and smooth on iOS; and there just aren’t enough deep threads to warrant something that takes up so much space.
Thanks for digging into this and confirming my understanding!
On a quick glance, this looks to be more secure than the old Hackintosh push notification (where it was based solely on a single device ID/serial number), but rather, some kind of certificate based identity system. This makes it more secure because without access to Apple's private signing keys, it should be very difficult to get a certificate signed by Apple to spoof the interaction. Though, I wonder how the devices were getting it in the first place, and if that part would be the next vector that'd need to be compromised (i.e.: if you get a signed certificate during device activation, then it'd be possible to swipe a signed certificate from a Mac you own; or that activation process itself becomes the next attack vector).
Having interacted very briefly with Eric Migicovsky a long time ago (due to Pebble), this does not surprise me that much. He's a great guy, and appears to want to do the right thing to help everyone. Beeper wanted to do it in the cloud with Mac systems/VMs, which is a costly endeavour. This POC would allow the interaction to run natively without themselves essentially MITM'ing all users, so it would save their company a lot of money. POC was done allegedly by some high school kid, and given Eric's Pebble fame, I think he's just thrilled that they could save some money and help some kid get started.
In all cases, it is certainly interesting to see how this has been playing out, and I'd be curious to see how this continues to play out, because I doubt this will be the end of this story.
I was under the impression that interaction with Apple’s servers required some kind of “proof” (honor system really) that you’re using an Apple device, which used device ID that was spoofed; just like how Hackintosh had done for push notifications for years.
Worth noting that Hackintosh got to a point where someone wrote scripts to generate random strings to brute force until they encounter a valid device ID, so they’d literally assume someone else’s legitimate device to get push notifications.
A CA cert is higher up and can sign for any desired domain. Certificates are a chain of trust and as long as the entire chain can be validated (by the root level installed by the user), then the entire cert will appear valid. During installation, that’s what gets installed and then the provider signs for whatever domain you’re visiting that they’d need (or want) to MITM.
Cloudflare uses LetsEncrypt, Google and a few other CAs to sign their certs. You’re not forced to use them as registrar, and they could (though they will lose accreditation very quickly) in theory sign any domain without you using them to host your domain’s DNS.
As the person I replied to mentioned, these kinds of providers would often also get you to install a cert that they’d use to sign with. Once it is installed, the certificates wouldn’t appear broken anymore.
It’s not so absolute; your DNS provider could resolve domains to their own server’s IP and MITM your traffic. This is how some of those DNS based region bypasses work — by re-routing your traffic through their server in a supported region.
all your traffic goes through them right?
Depending on provider and intended purpose… strictly speaking, a DNS server tells your computer that example.com resolves to 169.254.169.254 and nothing more.
However, for example, if your DNS provider adds ad blocking, they may choose to change ads.example.com from 169.254.169.254 to 127.0.0.1 thereby preventing any advertiser JavaScripts from being requested. This is fine and all, but you’d have no way to be automatically alerted if they changed it to 123.234.123.234 and serve their own blank scripts.
If for example your DNS provider provides region bypass for streaming providers, they could resolve streaming.example.com from 169.254.169.254 to a server in another country with address 123.234.123.234; and route your request through that in order to circumvent the region lock.
These are all fine and well, but if the provider was compromised and/or sold to malicious actor, they could resolve your-bank.website to a phishing site, and then MITM all the traffic just like the region lock bypass example.
So… in theory, it shouldn’t do anything more than resolving, but in practice, it may be hard to detect, and they could be doing more than just resolving.
The more I see lemmy devs’ interactions the less I want to use lemmy. Their attitude with auth migration was super hostile towards developers at large (standard industry practice is them bearing the burden to maintain both, not dump the burden on to third party devs), and now it seems like they’re just going to brush iOS users under the rug because they’re Android only and don’t care about iOS’ security and resource management mandate (ie no background process), and trying to misguide users by deflecting legitimate background concern to their selected upstream framework as an incorrect “battery concern”.
What a terrible developer behaviour all around! Wonder who’s the next group of users they’re going to antagonize for their own convenience next.
Edit: I don’t mean you, @aeharding; I meant the actual Lemmy dev. Sorry if this wasn’t clear.
If you have Apple users in your household, the current generation of Apple TV 4K 128GB is a solid device that’s going to offer the best integrated experience, along with capability of Thread. If not, it’s probably a bit overpriced compared to the other solutions.
Permanently Deleted
Being barefoot could potentially introduce extra risk of contamination from shedding skin cells; this may or may not matter depending on which part of the plant they’re working at. In clean room environments, people usually wear special clothing that prevents cross contamination; these include special coat, hair netting, and extra layer of covering around the shoes. But if the said employee works in the office on administrative tasks, far away from clean areas of production, who cares?
Companies need money to pay their employees. Who would’ve thunk they’d change the licensing to allow them to make money. -surprised pikachu face-
Last I used PiHole many years back, it was possible to use it as DHCP but not possible to add custom DNS records like TXT, SRV, etc. Perhaps that’s what OP is trying to solve for?
Monetising spare computers
Another angle to consider is the liability of you being responsible for the content on your system. Someone could rent your machine to host very illegal content. At which point, as far as the authorities are concerned, it is coming out of your IP from your computer. You might be able to explain it away, or you might not. It’s not a hassle that’s worth the while.
Pirateweather is free, but I’m not sure if there are pre-built apps for that that’s self hosted.
Strictly speaking, mail clients can’t show the BCC field — technically they don’t exist on the receiving server, the receiving server only knows what address (yours) to be delivered to — so they only display the typical From, To, and CC fields. It’s one of those quirks of email standard and client implementations, I guess.
Yep, if you’re not on the recipient lists, then this right here is the correct answer.
OP you can confirm this by checking the source or original message and check for the “delivered to” info in the mail headers to see which email of yours that it was delivered to. From there you can decide if it is something you can stop (i.e. another privacy relay email), or, the more likely case, just not worth the hassle (i.e. the real regular email).
For my homelab, I used a constellation so I can name each of my servers after a star in the constellation. It is on a generic domain extension.
If it is something long term, I’d generally opt for a more stable extension. I.e. vanilla .com/net/org; or cctld for an existing country that you have close ties with that’s not likely to go away anytime soon. It is extremely rare, but this way I’m not running the odd risk of the company behind those fun new extensions, or a country going away (see .yu, no pun intended).
Not a space I’m familiar with, but a friend of mine was all over Habitica and mentioned you could self host it. Is this something that might fit what you’re looking for?
Beeper is kind of missing the point here. Apple is not shutting it down because Beeper could do anything bad to its users — these are Android users that might not even own an Apple device. Rather, Apple is shutting it down because other people could use a similar exploit (the POC appears to use an unsigned device certificate for device authentication) to send phishing / spam messages to the Apple iOS/macOS users at large. With the exploit taken away, it is harder for bad actors to leverage the same channel to attack regular users because without third party means to do this, bad actors would have to find other ways to automate attacks on a much more restricted device.