DNLTC Belated Second Episode

Show Notes

Regarding the delay

This program is intended to be bi-weekly, on the off-weeks of my other podcast/ radio program The Truth Is So Boring. I went on a code-sprint and haven’t been doing much episode-planning for either program in the past few weeks to month. Infrastructure reforms are wrapping up to the state where I’m pretty sure I can get these out every other week, and I especially want to make a concerted effort around the holiday season so that you have something to listen to when all the other pods are doing “year in review” bullshit.

This week I’ll be working on TTISB so DNLTC will be back next weekend.

Zero Motorcycle DLC

Last month, Zero announced their 2022 Zero SR/F electric motorcycle. The Zero SR/F is a electric sporting motorcycle with 140ft-lbs of torque and 110HP with a 17.3 kWh battery, which gives it an impressive range. Cruising on the highway takes enough juice to keep you under 100 miles per trip, but I can’t imagine riding almost 200 miles of stop-and-go traffic between one-hour charge- cycles.

(Lets be honest, the appeal of the electric motorcycle is neither in the city nor the highway)

This all costs around $22k, which is already…well out of my price range, but I’m also not in the market for a brand-new crotch-rocket. For comparison, a 2022 GSX-R1000R is MSRP ~$18k, which has less torque but way more horesepower and won’t leave you waiting for an hour after 93 miles of twisties.

I can see an argument in paying extra for that sweet electric motor torque… after all, I’m not planning on going over 124MPH anyway, so what’s all that extra HP going to get me? But that’s not the only monetary downside to purchasing a 2022 bike from Zero.

Remember that less-than-an-hour charge time? Thanks to Zero’s new Cypher III OS,That’s limited out-of- the-box to twice that long! The proper speed at which the battery can charge is an extra $1500 on top of the $22k price tag.

And you’ll be reminded of that extra-long charge time much more frequently as you have to hit the charging station 20% sooner, unless you want to shell out an extra $2200!

discuss

So, to summarize, through software limitations, your new Zero motorcycle will taunt you into trying to get an extra $3700 – almost as much as you’re already paying extra for that electric motor experience on top of the MSRP, and I’m sure taxes and delivery fees.

Apple Offers Official 3rd-party repair channels

In reply to:

We never thought we’d see the day: Apple will offer parts, tools, and software to DIY fixers starting next year. There are some catches, but we’re thrilled to see Apple admit what we’ve always known: Everyone’s enough of a Genius to fix an iPhone

- https://twitter.com/iFixit/status/1460980628896296963

The main caveat is that you can’t harvest other devices for parts - all repairs have to use new parts from the apple repair storefront, and the storefront has the apple tax built right in

- https://twitter.com/IanCutress/status/1460985496440655880

Limited to display, battery, and camera.

Better than enforcing turning them into bricks, but still massive ecological problem.

discuss

The Guardian on secure messaging apps

I had a very nice conversation on Twitter, where we discussed Matrix’s place next to Signal and other secure- and insecure-messaging platforms.

It began with this tweet from the Guardian:

The FBI produced this nice chart comparing what kinds of privacy leaks the various messaging apps have.

Bottom line of the chart from the FBI is Signal doesn’t leak anything to them aside from “this person uses signal”. It does allow them to see, to an extent, that you are a regular user, because they are able to determine the “last date of a user’s connectivity”, but compared with every other platform listed it’s head and shoulders above all except Threema (and still leaks less than Threema).

I was disappointed that Matrix doesn’t seem to be popular enough to even warrant the FBI being aware of it, so I responded:

kinda disappointed to not see Matrix on there but thanks for sharing

Liam Dawson (@liamdaws) replied to me, saying:

Matrix would be a case of the weakest link problem, right? If I ran it on a VPS and the provider got subpoena’d, they’d probably hand over the details of every conversation I’d had, or have a way to compromise the box so that would all leak next time I logged in etc.

Nathan Freitas (@n8fr8) from the Guardian weighed in in a couple replies:

Yes, Matrix really should be seen as an alternative to Slack or Discord, and not a competitor to Signal or Telegram… there are important design choices made that make limiting metadata for a room and the history of that room difficult to protect.

That said, yes, it comes down to who is hosting your Matrix server, how they have logging configured, and how long data retention is configured for. At @guardianproject we run various Matrix instances that are much more locked down and ephemeral than the typical deployment

@Quest4TheSnark brought up e2e rooms before I noticed the conversation, and Liam replied again:

In a strict technical sense, that’s possible. However, if the client you’re using is served by a compromised host (e.g. a web-based UI hosted by that server), then that client can be compromised and exfilrate the messages after they’re decoded.

…

The problem is not just whether you’re using a secure client, it’s whether everyone involved is too. So for anything shared with others, you’re only as safe as the weakest security posture in that group.

So a few conclusions:

1. perhaps there is still some work to be done on having federated interactions. End-to-end encrypted rooms hosted by the same homeserver will certainly not leak metadata, but that may not be the case if a member of the chat is connecting from a federated server which is serving up a hostile web client.
2. this emphasizes the need to trust a homeserver, and highlights the value in decentralizing the platform as much as possible, while also hardening the default settings
3. Matrix was originally designed more as a Discord or Slack competitor. We should be patient before trying to rely on it’s implementation of secure messaging for anything the FBI may be concerned with, while supporting the Matrix project and building up Matrix-based infrastructure in case Signal is legally compelled to abandon their privacy-respecting policies.

Anti-work Hacktivism

Apparently, someone from r/antiwork is bombarding the internet with RAW TCP/IP printing requests. I’m going to tag this just for kicks.

- (from @4b4c41 on twitter)

Many thermal printers are exposed publicly to the internet, and this is a common and acceptable-risk practice in lots of places. /u/Necronger on reddit says:

I work in network security for a grocery chain. Was specifically told I can’t put security controls on these printers by the vendor and management signed off on the risk. I imagine this is fairly common given the amount of shitty vendors that have told me this.

So, every morning, at retail chains across the world right now, messages like this are printing out every morning on all the receipt printers:

========================
ARE YOU BEING UNDERPAID?
========================

You have a proteted LEGAL
RIGHT to discuss your pay
with your coworkers.

This should be done on a
regular basis to ensure that
everyone is being paid fairly.

It is ILLEGAL for your employer
to punish you for doing this.

If you learn that you are being
paid less than someone else who
is doing the same job, you
should demand a raise or
consider getting fired and
finding a better employer.

POVERTY WAGES only exist
because people are "willing"
to work for them.

Learn More:
=====================
reddit.com/r/antiwork
=====================

I would amend this statement – if you find out that you are being paid more than someone else who is doing the same job, you should demand that they get a raise. If your boss suggests that the company “can’t afford to pay you both” that much, ask him to prove it. We need to stand up for each other and have solidarity with those who are less fortunate than us, not leave the onus to them to demand what we know the boss will try to keep from them.

=========================
WHAT TO DO ON BREAK TODAY
=========================
1. Talk about your PAY
2. Talk about your RIGHTS
3. Begin ORGANIZING A UNION

GOOD employers are not afraid
of these, but ABUSIVE ones are.

Learn More:
=====================
reddit.com/r/antiwork
=====================

and my favorite:

==========================
ABUSIVE EMPLOYER CHECKLIST
==========================

[ ] Can't talk about PAY
[ ] Can't talk about RIGHTS
[ ] Can't talk about UNIONS
[ ] Punished for getting SICK
[ ] Punished for taking VACATION

If your employer checks ANY of
these, please contact support:

reddit.com/r/antiwork

But HOW??

This topic reminds me of an article I saw a few weeks back.

I recently migrated my daily laptop to FreeBSD. I have a networked HP LaserJet. After 10+ years of CUPS on Linux, I had been dreading setting up this printer on yet another machine. But the day came. I had to print quite a few documents so I decided to bite the bullet and setup printing on FreeBSD.

Off to the FreeBSD Handbook I went. Conveniently, they have a chapter on Printing. Given my past experience with CUPS, I figured this was going to be a treacherous journey so I read the entire document before getting started. Section 4 stood out:

The author then quotes an excerpt from Ch 9.4 of the FreeBSD manual, which I’m going to include in full:

For occasional printing, files can be sent directly to a printer device without any setup. For example, a file called sample.txt can be sent to a USB printer:

cp sample.txt /dev/unlpt0

Direct printing to network printers depends on the abilities of the printer, but most accept print jobs on port 9100, and nc(1) can be used with them. To print the same file to a printer with the DNS hostname of netlaser:

# nc netlaser 9100 < sample.txt

The author goes on to say:

I had to read this several times. WTF. Use netcat? Surely I was missing some wizardry in the FreeBSD kernel that configured a network printer as some local network target aliased to netlaser, which handled all the printing magic for me. But how? Years of arbitrarily picking from a list of similarly named print drivers in CUPS prevented my brain from accepting what was written. I was confused. After trying to decipher the other sections in the document, I decided I would go for it.

$ nc 192.168.1.226 9100 < file.pdf

It. Just. Prints.

So it appears we can just send arbitrary data to port 9100 and some printers will just print.

Linux:

• Apparently CUPS doesn’t offer this interface, so linux boxes which listen on 9100 are probably not going to print anything.
• Furthermore, it doesn’t appear linux offers the /dev/unlptX pseu$ https://www.grc.com/x/ne.dll?bh0bkyd2uudo-file which FreeBSD offers (try FreeBSD sometime?).
• Other services listen on port 9100, so if you send a document to every port 9100, you’re likely to get a lot of nothing happening and a lot of responses like this:

$ echo ping| nc localhost 9100
HTTP/1.1 400 Bad Request
Content-Type: text/plain; charset=utf-8
Connection: close

400 Bad Request

That said, a tool like nmap, masscan, or hacking search engines like Shodan would reveal all publicly discoverable devices on port 9100. Spamming every one of them is a great way to get your connection kicked, fired, or worse, an unfriendly visitor – almost 2% of all valid IP addresses, or 83,886,080 out of the 4,294,967,295 available IPs route to the United States DoD. Could this be misconstrued as “unauthorized access”? I doubt it, but it’s all fun and games until someone goes to prison for 10 years, or goes the way of Aaron Schwartz under threat of the same.

That said, if you find an open port 9100 on your home LAN, it might be fun to see what happens if you pipe something to it. And considering all the activity on port 9100 right now, it may be prudent to run GRC’s ShieldsUp! against your home IP address.

Hosts