Intrinsically/semantically no but the expectation is that the texts are encrypted at rest and the keys are password and/or tpm+biometric protected. That’s just how this works at this point. Also that’s the government standard for literally everything from handheld devices to satellites (yes, actually).

At this point one of the most likely threat vectors is someone just taking your shit. Things like border crossings, rubber stamped search warrants, cops raid your house because your roommate pissed them off, protests, needing to go home from work near a protest, on and on.

RF analysis is kinda difficult, you’d need to take the car out into the middle of nowhere and have access to fairly good equipment. A tinySA would maybe work if you’re very patient but data transmissions are generally very bursty so it may be difficult to nail down where it’s coming from in a sane amount of time.

One option would be to try to figure out if there are any FCC filings for your car. All filings will have pictures of whatever module is being used and what antenna systems it uses which may give you a good idea of where it is and what it looks like. There should be an FCC ID mentioned somewhere at the beginning or end of the cars manual. Googling that should bring up some stuff.

The lower layers all already at least moderately well encrypted, what they’re doing here is trying to pull the unencrypted device ID necessary to establish a connection. It’s not really what you’re sending (though traffic frequency analysis may be included) and more about just figuring out where a particular phone is so they can physically track the user.

I hate that it needs to be said but love that they said it so plainly

Yeah, I’d agree with that.

The point I was making was for people who thought this was cellphone cameras and that it would somehow work even if the camera wasn’t actively running.

As far as war driving with an sdr you’d probably occasionally find something interesting, but the vast majority would be cameras just pointed back out at the street. I think you’d mostly see stuff where if you wanted to spy it would make more sense to hide your own camera because it’s already public.

All that said, I would lose my shit if Hollywood did something believable for once and used this for a heist movie.

$250 per camera that you have to be within meters of best case. That doesn’t include the packaging cost to make this look innocuous so probably significantly more money if you wanted this to be stealthy and reliable. Add in the money for the distribution and “installation” of such devices.

This doesn’t scale at all.

It’s just a tempest attack. Firmware won’t fix anything but the attack is an extremely expensive nation state level operation that doesn’t scale.

I work on this stuff, short answer, no, it’s not possible. This is just yet another overly complicated tempest attack. Especially with phones the camera link is so short it’s just not radiating enough. They claim 30cm so you basically need the receiver in the same backpack as the phones. As phones get higher resolution and faster cameras this will become even less of an issue. Also, most importantly the camera has to be powered and running for this to work so just don’t take pictures of classified stuff while carrying around a weirdly warm battery bank an unusually attractive eastern European girl gave you as an engagement gift and you’re good.

The actual target here is some sort of The Thing https://en.m.wikipedia.org/wiki/The_Thing_(listening_device) style attack where someone with a huge budget can get a wildly expensive device really close to a system through a significant human intelligence effort.

The line of reasoning is valid though. These satellites will have some ability to track and intercept low power intentional emissions like WiFi and cellular packets. While these are encrypted there are still things you can do with the metadata.

Depends on your model. If you believe in the movies, yeah, but that’s not how the end of the world works. We’ve seen it with COVID, countless revolutions and wars, you’ll probably still get up and go to work during the apocalypse, it will just suck more. Being able to help yourself and your community get through it will be extremely helpful.

Realistically you don’t need a years worth of bucket food and a million rounds of ammo, this isn’t Oregon trail. Having knowledge and experience is far more valuable. Learn how to properly clean and store water, how to live/travel day to day without a car (you have a bike right?), go backpacking and camping, potentially learn how to avoid surveillance if you think things are getting kinda judgemental.

Make friends with your neighbors, people don’t actually become psychotic marauders when the power goes out. There are countless stories from hurricane Katrina where the police just assumed everyone would murder each other and ultimately got in the way of people just trying to help each other survive and rebuild.

Part of the issue is the whole thing smells weird.

Like they won’t talk about their monetization strategy at all but they acknowledge that there will be one. They’re trying to randomly apply crypto to something that’s literally already the one proven blockchain tech, and they started at the height of the crypto token scam industry and it looks a lot like they’re trying to suck up the last dregs of that cycle.

If you are hammering crypto into things that don’t obviously need crypto you really need to justify it thoroughly. A relatively old company just hand waving all of it should raise all of the red flags.

They were shilling on HN too. People were getting frustrated because they were being incredibly evasive about their monetization strategy but, being HN, business model critiques were not well received…

Yeah the security angle gets parroted a lot, I’d call it more of a bad practice thing than a “omg you’ll definitely get haxxord”.

Otoh USB C as a spec is sort of necessarily a nightmare. It’s not hard to end up with shitty devices that’ll gleefully provide 20V when the system expects 5V and even if it’s just USB A, it’s not that hard to end up with 120/240v going straight into your phone.

At least with devices you own and control you know if they’re melting things and haven’t spent their lives being kicked/spilled on/cleaned with corrosive solvents or just generally old as hell and unmaintained.

Personally I bring my own because it’s faster and more reliable, and I have trust issues.

Just my opinion but I don’t really like the common belief of separating nation and non nation state actors. We’re getting to the point where nation states are making up a large portion of the really damaging attacks, and it’s frequently ones own government or a government they’re in conflict with which means there are very kinetic consequences for failure even if you’re a nobody. It’s not just someone stealing some money anymore.

The technical term is “dummy load”, most antennas are around 50ohm “impedance” which in an incredibly roundabout way means the antenna is indistinguishable from a 50ohm resistor at whatever frequency it’s tuned to…which means you can replace the antenna with a 50ohm resistor.

This all assumes you care about leaving the radio functional (radio amplifiers will burn up if they can’t dissipate the energy they’re creating) and in most cases it’s probably fine to just cut the trace as close to the source chip as possible. That said, if the system is especially evil and well engineered it’ll throw errors in some cases so better to leave everything functional but unable to hear or transmit.

I suppose there’s nothing wrong with it when the file is at rest, it looks like zip uses AES 128 or 256 which are adequate if you have a very strong password for the encryption. Ideally the encryption would feature a computationally intensive algorithm to slow guessing attempts when attempting to decrypt so you probably don’t want to use a weak password.

Usability won’t be great, you’ll be copy pasting constantly and that presents an opportunity for malware to spy on the paste buffer and steal your passwords but it’s a low to medium severity issue.

If you want to keep everything local I’d recommend KeePass, it’s free, open source, and very strong. It’s kinda the same thing but with the ability to insert passwords directly in some cases and can do more to keep everything organized.

If you want to use this in environments where you can’t install anything on the systems but don’t want anything online, this is probably acceptable though.

Installed it in k3s and then pulled up the Android app but all it does is say every single file is a duplicate and overload my notifications tray while not uploading anything

Judging from how many voters are in the US, it’s basically a totalitarian dictatorship or die.

That like of reasoning is kinda broken. We need people to take responsibility before things go too far. Google engineers can get jobs anywhere, they don’t need to be doing this shit if they don’t want to.

As a SWE you have responsibility for what you do. “Golden handcuffs” isn’t a cover to help wage wars against users. If it becomes an undesirable posting, they’ll either have to pay more or worse engineers will end up working on it.

Recommendation: report the pop-up as a bug with the provided link. Just act confused and claim to not be using an ad blocker. Muddy the waters and make life hell for their devs.

Yeah, that’s the issue ultimately. The ESP32 chips are nice and easy to use but still pale in comparison to getting things working on a pi for the average developer without embedded experience. These devs may not even know they exist to be completely honest.