Just converted a month ago from Windows 10 to Kubuntu 24 LTS. The first thing is really weird bugs when dealing with multi-monitor setups in Plasma/SDDM (getting into UI-locked states or xrandr settings not sticking for whatever reason). The second annoyance is not having first-party support for peripherals like my mouse and webcam (looking at you, Logitech), or generally thick-client software that has Windows/macOS candidates but not Linux. Third is publishers with anti-cheat DRM being extremely hostile to VFIO gaming. EA announced Apex losing Linux support, and recently they just blocked all their EAAC-protected games from running in a VM.
And even despite all that and more I am so happy to be rid of windows as a daily driver.
And what will Homeland Security or the FBI get out of it after concluding that these "dudes" are two well-known, talented security researchers trying to conduct responsible disclosure to make air travel safer?
Absolutely agree the ban is ridiculous, but let's not now humbly hide the fact that FZ makes this way easier than the workflow shown in the video. Even ignoring the antenna construction, you still need to record the data and post-process it using a laptop and third-party software.
An Android smartphone and SDR dongle with antenna will fit in your pocket easily. No construction required. Apps are already on the Android app store.
Here's the thing about easier: a determined car thief probably has access to purpose-built devices and, given the financial incentive, will probably put more time into solving this "problem" than an amateur. I would argue that knowing this attack is possible is more than halfway there, because it opens up avenues of research.
It arguably would have been smarter for FZ to show a video using an SDR dongle/android phone than hobbyist antenna construction if they were trying to drive home the point of simplicity.
Advocating on behalf of the devil: ease of access for determined attackers is not the concern. It's more the undetermined attackers they are worrying about enabling. (again I do not agree with law as the solution to this)
That's true, and I agree to a point. But, I think they wanted to nail the "You don't even need a dongle" part of it. Because none of this is enabled by Flipper or a dongle. A handful of components you can get from a broken radio suffice. There's nothing magical or beyond reach making this attack possible. You don't need custom chips, or a long logistics pipeline to enable it. You don't even need a company to produce anything specific. The from-scratch demo they posted hammers home that working from nothing you can do this in an afternoon with tools you can get at Walmart and it's well within a high school student's abilities.
I too disagree with the Canada ban; however, I think the regulators are more concerned with how easily this can be done with a Flipper Zero. The moment you took out a soldering iron to build an antenna filter, you've increased the complexity to the point where the regulators are no longer concerned. Yes, this is still very dumb IMHO.
Attack complexity is weird and often flawed; e.g. you think attackers need advanced hardware, but then someone does it with a McDonald's toy. Same for software stuff.
You can steal many Kia and Hyundai cars on the road with a USB cable[0] that doesn't even involve electronics. It just so happens the physical shape of the USB plug fits well over the ignition tumbler. As the article points out, many cars will have a USB-A cable in them already, and at that point all you need is a rock to break a window (or just open an unlocked door).
Many jurisdictions have laws against carrying theft or burglary tools[1], and needless to say, walking around with a USB cable is innocuous enough to be hard to apply these existing laws to. In many instances these are only used to apply an additional charge to suspects that have already been caught for theft or burglary.
To be clear, modern society as we define it functions largely through "security through obscurity", considering that anybody with a sledgehammer can break into your property.
Bans of Flipper Zero are ridiculous, but Flipper should have run this by a "lay person" (sales, PR, marketing, an intern). Stripping a wire, showing a schematic with a diode and resistor, winding wires, a soldering iron, etc. just further proves the point of the regulators.
Meanwhile, at the beginning of the video they show decoding the signal with the pocket-sized Flipper Zero at the push of a button in a few seconds. Easy, portable, easily concealable.
Ordering a $20 SDR from Amazon, plugging it in (even an Android phone), and clicking/tapping around in one of the many SDR GUI programs available would have demonstrated:
1) This functionality isn't limited to the Flipper Zero and has been around for years.
2) It's still "plug and play" and relatively low skill level.
3) It's actually cheaper and uses a device everyone already has in their pocket.
They shot themselves in the foot with this and only gave regulators more ammunition to call for bans.
They seem to have combined a sales/marketing video for Flipper Zero with a PR video for regulators.
I follow you, but the use case they mentioned to propose the ban is stealing cars. I'd figure a car theft ring is sufficiently motivated to figure out how to solder.
A car theft ring sophisticated enough to solder is going to realize several things:
1) Flipper Zero = almost no effort and instant.
2) Cheap and plentiful USB SDR = slightly more effort, longer range, higher signal integrity, faster, works with anything that can do host USB.
3) Using a headphone jack and requiring some amount of electronics expertise for what is in the end going to be a very short-range and cumbersome tool, one that requires a 3.5mm jack that isn't even present on many/most modern devices, is practically a non-starter.
This is basically a sales and marketing video for car theft rings.
Most likely, it will work. You may need a few tries in case the connections aren't super tight. And it may stop working rather quickly due to corrosion of the contact surfaces.
However, in headphone cables in particular, the wires are often insulated with a coating, which is hard to remove without applying a significant amount of heat.
Sure, but aren't you connecting your general-purpose SerDes to a peer PCIe controller? I don't understand why having raw SerDes control is a security concern in this regard unless you are trying to find exploits at the physical layer...
In any regard, a lot of threat models (including mine) consider installing hardware (especially an FPGA) as a trusted action.
The thing is, the PCIe EP on the FPGA uses the general-purpose SerDes that are routed to the PCIe controller in the bitstream. So if you were to load a different, malicious bitstream (which is admittedly a challenge in its own right), you could turn the FPGA into a malicious PCIe device.
Is the concern the idea that as FPGA fabric is included in more devices, some hypervisor escape is going to present this as additional attack surface?
Otherwise, if it's configfs, you're root on the system, and unless it's integrated peripherals you plan to attack, you probably have finer-grained hardware context to imply physical access... which seems to minimize the farther-reaching, generalizable concerns?
If physical attacks (evil maid) are not in scope, I fail to see the concern. To turn the FPGA into a malicious device you would have to gain root access to the system hosting it. So by the time the attacker is able to gain the ability to program the device, there is little need to even make it malicious. One could argue that it adds a persistence vector for malware, except that the device will likely get reprogrammed over and over during normal operation. If malware authors wanted persistence, they would likely target the firmware of random flash ROMs on chipsets and commodity PCIe cards that are less likely to be reprogrammed. Lastly, the only other valid concern possibly more dangerous than root access is perhaps a remote attacker programming a bitstream to completely fry the FPGA faster than the power regulators can react, thus killing an expensive chip. That one is concerning.
This is exactly why I place SiriusXM on a virtual credit card and a throw away email. I sign up for $6 per month SiriusXM promo with a $7 per month ceiling on the virtual card. When the 7th or 8th month comes around and the offer expires they have the audacity to charge $22+ for this content. The overcharge is caught and they don't get my money, and I'm happy to receive the disconnect signal.
This isn't as much of a hack as people think. Plenty of companies will continue to provide you with service for many months even if the card declines, and then send the unpaid debt to collections, resulting in infinitely more headaches for you.
As another person said, this has become standard practice for me. It's less about doing business with shady companies and more about insulating myself from shady practices. I've had a few cases where I've been on a plan that suddenly changes with only a few days' notice, or I get "graduated" to another tier because the previous one is going away. In all cases, I was charged more money than I initially agreed to, and the virtual credit cards saved me.
Not the person you're replying to, but when you get in this mindset the workarounds are pretty easy.
I don't trust any business to act responsibly with any information I give them, so I also use a lot of virtual cards and spoofed email addresses (actually I just use a catchall on my domain most of the time which is less secure I guess, but does most of what I need).
It's because generally I do like their product at a $6/mo price point. It's leagues better than FM radio. I just don't like their billing/promo practices and so these are the tricks to protect yourself as a consumer.
You can go to privacy.com and create an account. You then link your real credit cards or bank accounts for payment source.
Privacy.com also has a browser extension and a mobile app. So it's easy to create/manage virtual credit cards per service. You can also create single use virtual credit cards that automatically close after a single transaction with a limit that you can set.
Better than Privacy.com, many credit cards themselves now offer virtual card(s), and can cancel them. Capital One is my go-to for these. Google Chrome offers Capital One virtual cards on the fly if you added the actual Capital One card to Google Pay.
Using privacy.com requires me to give them access to my bank, and I lose points, cashback, and any chargeback protection.
Unfortunately, privacy.com requires the use of Plaid, which demands your bank's auth details and grants Plaid the ability to scrape your bank accounts (they pinky promise they do not for the account verification product). I thought it undermined the whole "Privacy" aspect.
They don't exactly require Plaid; they can also use a debit card or ACH. You have to email support for the privilege, though.
I had tried Plaid at first, but quickly switched when I found out that they would watch your bank balance and disable your Privacy account if it went below $50. They would require you to prove a balance of at least $50 in order to enable the account again. Fortunately, both of the other methods don't really care, and as long as you disconnect Plaid while your balance happens to be over $50, your account will stay enabled.
From what I recall when I registered some time back, it was possible to simply use any debit card for the process. This meant there was no need to share login details with anyone.
Their documentation may provide more current details than I can though.
Is it a common practice for commercial airliners to alternate between being used on a Hollywood set and for regular commercial air travel? Given how important failure analysis is in the airline industry, wouldn't this added complexity in the usage patterns of a commercial jet be a concern?
Shots inside an aircraft usually use a set. If you watch any Netflix series at all, you start to see the same A320-based aircraft cabin set used over and over again in different shows. It looks just like an A320 cabin interior, but split in two lengthways and the aisle widened, with a flat panel added in the ceiling to fill in the gap from the widening. Once you know what to look for you realize it’s the same set every time.
It’s possible they used the actual aircraft in this case because they were filming an ad or some other promotional material for the tour company, perhaps.
Not in my experience. It's typically an older body sitting on a back lot somewhere that they dress up as needed to make shooting easier. If you think lugging your carry-on luggage through the aisle is rough, just imagine trying to move cinema cameras through. They move the seats out of the way, so all of the support gear can be put in place.
These lobbyists who drive specifications for OTA TV and CableTV are basically at the point of being a hammer looking for a nail. Cable/OTA TV is a dying medium (especially with newer generations) and with these tone-deaf advertisement solutions the only nails they are hammering are the ones to their coffin.
It is generally accepted discussion forums are more tolerable when Americans are asleep, but they probably didn't want to outright state this for obvious reasons.
I'm not taking a stance on this one way or another, but using the context of Reddit? Yeah, that's the unspoken part.
One of the unfortunate things about the Raspberry Pi Zero is that the second micro-USB is power only. For this type of configuration I encourage all to check out the Allwinner ARM-based SoCs and boards built by FriendlyELEC. With the NanoPi Neo I was able to enable USB Ethernet gadget mode on its micro-USB and then have it host and power another device on its USB-A (for me, a mobile phone). In my use case the laptop powered both the NanoPi and the charging mobile device, all from USB power, while also acting as an Ethernet packet router from the mobile device back to the laptop, all over USB on its own subnet.
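The setup described in the comment above (board as USB gadget toward the laptop, phone tethered on the USB-A port, board forwarding between the two on its own subnet), as an added example script that is not from the commenter or from FriendlyELEC. The interface names (`usb0` for the g_ether gadget, `usb1` for the phone's tethering interface) and the `10.42.0.0/24` subnet are assumptions; it prints the commands by default (`DRY_RUN=1`) and only executes them when run as root with `apply`.

```sh
#!/bin/sh
# Added example: turn a small ARM board into a USB-to-USB router.
# Laptop <-USB gadget (usb0)-> board <-phone tethering (usb1)-> phone.
# All interface names and addresses below are assumptions for illustration.

: "${DRY_RUN:=1}"                        # 1 = print commands, 0 = execute them
GADGET_IF="${GADGET_IF:-usb0}"           # g_ether gadget interface facing the laptop (assumed)
PHONE_IF="${PHONE_IF:-usb1}"             # phone's USB tethering interface (assumed)
GADGET_ADDR="${GADGET_ADDR:-10.42.0.1/24}"   # assumed private subnet for the laptop link

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Bring up the USB Ethernet gadget and give it the board-side address.
gadget_up() {
  run modprobe g_ether
  run ip addr add "$GADGET_ADDR" dev "$GADGET_IF"
  run ip link set "$GADGET_IF" up
}

# Forward laptop traffic out through the phone with NAT, and only let
# replies to established flows back in (default-deny on FORWARD).
router_up() {
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -t nat -A POSTROUTING -o "$PHONE_IF" -j MASQUERADE
  run iptables -A FORWARD -i "$GADGET_IF" -o "$PHONE_IF" -j ACCEPT
  run iptables -A FORWARD -i "$PHONE_IF" -o "$GADGET_IF" \
      -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  run iptables -P FORWARD DROP
}

# Derive the matching laptop-side configuration from GADGET_ADDR:
# 10.42.0.1/24 on the board -> laptop gets 10.42.0.2/24 with the board as gateway.
laptop_config() {
  ip="${GADGET_ADDR%/*}"
  prefix="${GADGET_ADDR#*/}"
  net="${ip%.*}"
  printf 'ip addr add %s.2/%s dev usb0 && ip route add default via %s\n' \
      "$net" "$prefix" "$ip"
}

main() { gadget_up; router_up; echo "# on the laptop:"; laptop_config; }

case "${1:-}" in
  apply) DRY_RUN=0 main ;;   # execute for real (needs root on the board)
  show)  main ;;             # just print what would be run
esac
```

The default-deny FORWARD policy matters here: without it the phone's tethering link (and anything behind it) can reach the laptop's USB subnet unsolicited, which is usually not what you want from a pocket router.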
I ran out of ports on the USB charger I was using to run my little cluster, so I have a couple of the lower-power devices daisy-chained off of the higher-power ones.
It does mean that some devices will power off unexpectedly when others restart, but unexpected restarts are something you have to plan for anyway.
Yeah, anything based on H3/H5 SoCs will work fine for this use case due to the SoCs having 4 separate USB host controllers, one of them muxed with OTG controller. That's a lot of I/O flexibility.