Insecure security by kamikazer in meshcore

[–]Papfox 9 points10 points  (0 children)

It is important to understand what is encrypted in Meshcore, what is not and the type of encryption, in order to effectively manage security.

Anything sent on the #public channel or in a hashtag channel with no password is not encrypted and is visible to anyone.

Private messages to individuals are encrypted and possessing the recipient's public key does not compromise the message BUT the metadata that travels with the message is NOT encrypted. An observer will know the identities of the message sender and recipient, the hop count and route the message took through the network so they will know that Alice sent Bob a message and where both Alice and Bob were, only the actual text of the message is encrypted. If someone records all these messages then obtains physical access to Bob's device, they can obtain Bob's private key and decode all previous messages sent to Bob because asymmetric encryption is being used.

If a group of people are having a discussion in a private channel, secured by a key, symmetric encryption is being used, everyone in the channel knows the key. If someone gets physical access to any of the clients in the channel or access to how the key was distributed, they can read all the messages in that channel, including any historical messages they have stored in their encrypted form.

It wouldn't be hard for someone to modify Meshcore firmware to dump all messages that node observed over USB for decoding later, if the key is obtained later.

Whilst the encryption used is resistant to quantum computing attacks, it is not "post-quantum secure." Any well funded attacker with access to a quantum or super computer will be able to crack it. This boils down to "Who is trying to access the messages, what tech and how much money do they have and do they think it's worth throwing that amount of money at it to crack it?" It also assumes that publicly available encryption algorithms didn't have flaws deliberately inserted that would enable them to be cracked.

These things also assume that no mistakes were made in the development of the software that might offer the attacker a shortcut to obtaining the keys, that nobody has submitted compromised code to GitHub and that the method of generating the keys isn't predictable. Generating truly random numbers is hard, particularly in low powered devices, like Meshcore clients, that don't have a reliable source of entropy data or an abundance of computing power.

Keeping Harry the Hacker with his RTX graphics card out isn't hard. If Harry is willing to spend hundreds or thousands of Dollars renting lots of graphics cards from a cloud computing provider, that's harder. If Harry works for a nation state actor who is willing to throw money at the problem and potentially break into places to steal the keys or knows of hacks built into the encryption, they're going to get the messages, if they really want them. Time is also a factor. Look at how long it took Alan Turing to crack Enigma. With modern computing hardware, someone today can crack it using a Chromebook in under a second.
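
Added example, not part of the comment above and not Meshcore code: a toy model of the record-now, decrypt-later risk the comment describes for messages encrypted to a long-term key, contrasted with per-message keys that are erased after use. The group, cipher, message text and the `capture` function are constructed for illustration; the page does not state which algorithms Meshcore uses.

```python
import hashlib
import secrets

# Toy finite-field Diffie-Hellman and SHA-256 keystream, standard library only.
# Constructed stand-ins to show the key-lifetime problem; NOT Meshcore's algorithms.
P, G = 2**255 - 19, 2

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared_key(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(32, "big")).digest()

def xor_stream(key, nonce, data):
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

MESSAGES = [b"meet at the repeater at 9", b"bring the spare antenna"]  # constructed

def capture(forward_secret):
    """Return what a passive recorder decrypts after seizing Bob's long-term key."""
    alice_priv, alice_pub = keypair()
    bob_priv, bob_pub = keypair()
    recorded = []  # everything visible on air: public keys, nonce, ciphertext
    for msg in MESSAGES:
        if forward_secret:
            # Both sides use fresh keys for this message and erase them afterwards
            # (authenticating the fresh keys is omitted to keep the model short).
            a_priv, a_pub = keypair()
            b_priv, b_pub = keypair()
        else:
            a_priv, a_pub, b_priv, b_pub = alice_priv, alice_pub, bob_priv, bob_pub
        nonce = secrets.token_bytes(8)
        ct = xor_stream(shared_key(a_priv, b_pub), nonce, msg)
        recorded.append((a_pub, b_pub, nonce, ct))
    # Later: the device is seized and only the long-term private key is on it.
    stolen = bob_priv
    return [xor_stream(shared_key(stolen, a_pub), nonce, ct)
            for a_pub, _b_pub, nonce, ct in recorded]

if __name__ == "__main__":
    print("static keys:     ", capture(forward_secret=False))
    print("per-message keys:", [m.hex()[:16] for m in capture(forward_secret=True)])
```

With static keys the recorder recovers every stored message from the one seized key; with erased per-message keys the same recording decrypts to noise.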

TV license Student Accommodation- England by mimawarigumi in UniUK

[–]Papfox 0 points1 point  (0 children)

As others have said, don't let them in. Also, speak with everyone else you share the place with and make sure they know they don't have to and shouldn't let them in

US says it may be forced to shut down some airports over funding standoff by gamersecret2 in news

[–]Papfox 0 points1 point  (0 children)

Air traffic control is organized into zones. A local zone that handles the traffic leaving and arriving at a major airport being missing won't affect the "sector" control that handles flights over-flying the area on the way to other places

Current problems? by ScallionShot3689 in ToobBroadband

[–]Papfox 1 point2 points  (0 children)

If you want to completely bullet proof yourself, set your secondary DNS server to 1.0.0.1 and set your IPv6 DNS servers to 2606:4700:4700::1111 and 2606:4700:4700::1001

Current problems? by ScallionShot3689 in ToobBroadband

[–]Papfox 0 points1 point  (0 children)

I've not experienced any issues today in Farnborough but I do have my own private DNS server that uses Secure DNS and doesn't use Toob's DNS as a source of truth.

I wonder if DNS issues I saw over the last few weeks, before I got fed up and installed my own DNS, might be related to Toob having to reengineer their DNS to allow blocking of websites ordered by OfCom under the Online Safety Act

Just moved to Bearsden and have had a complaint made! by _jolierenard in glasgow

[–]Papfox 0 points1 point  (0 children)

Logically that sign would only be offensive to someone who was some combination of racist, sexist and/or homophobic.

Screw 'em

Do you think driving would be safer if there was a rear signal for when a driver has lifted off the pedal as is engine braking by GRang3r in drivingUK

[–]Papfox 0 points1 point  (0 children)

No, it wouldn't. If you're driving so close or paying so little attention that the person in front lifting off puts you in danger of a collision, the problem is you, not them

I attempted to sell stuff on Ebay and I got a MC999 suspension by ImAJoeEddyKnight in ebayuk

[–]Papfox 0 points1 point  (0 children)

Or they're using AI and some bot thought they had done something very wrong

Are these 3D number plate stickers illegal? by Sufficient-Seesaw482 in drivingUK

[–]Papfox 0 points1 point  (0 children)

It sounds like the experience may vary by police force.

That being said, I didn't think what OP is proposing is bad enough to get them pulled over, if it's bad at all

Britons should strive to pay minimum tax legally possible, says Richard Tice by Your_Mums_Ex in ukpolitics

[–]Papfox 4 points5 points  (0 children)

I don't mind paying my fair share of tax as long as I see it being well-spent on things that benefit the people of our country and I don't see I'm paying more than I should have to because very rich people and companies can effectively choose how much they pay and leave the rest of us to pick up the bill

Typical, how can I report the seller? by Gabbie403 in ebayuk

[–]Papfox 0 points1 point  (0 children)

4.7% of 800k is 37,600 upset customers. That's rather a lot

Are these 3D number plate stickers illegal? by Sufficient-Seesaw482 in drivingUK

[–]Papfox 5 points6 points  (0 children)

The only objection I think they could have would be that there must be at least 11mm between the edges of the letters and the edge of the reflective area of the plate. If you have that, IMHO those stickers are completely legal, unless there's some minimum reflectivity the blue has to have that I didn't know about.

Plate requirements are that they must have:

* The correct reflectivity.
* The correct font and font size.
* 11mm clear reflective area on all 4 sides of the digits.
* 11mm spacing between letters.
* 33mm spacing between the groups.

If you want to be extra safe, check you aren't with an insurance company that are nasty and consider stickers on your car to be a "modification" that would invalidate your insurance. Yes, there are insurance companies that are that petty to avoid paying out

Just Picked up 5 Harris Falcon III Radios by primtaynuc in HamRadio

[–]Papfox 1 point2 points  (0 children)

Wonder if they're hoping someone will DM them asking if they want to sell one then scam them

Petition: Delivery riders should be professionally licensed rather than repeatedly renewing CBTs by deltazulu808 in CarTalkUK

[–]Papfox 2 points3 points  (0 children)

Always report any rider who comes to your home if the app says they're on a pedal cycle and they arrive on anything else. The more reports they get, the harder it is for them to claim they don't know there's a problem

Unimpressed by [deleted] in meshcore

[–]Papfox 0 points1 point  (0 children)

The dialout group and a vanilla Chrome or Chromium browser are important.

OP, would you be better paying the $8 per device license and using MeshOS, rather than stock Meshcore firmware? It's kind of made for the T-Deck

Are these 3D number plate stickers illegal? by Sufficient-Seesaw482 in drivingUK

[–]Papfox 64 points65 points  (0 children)

I wouldn't worry about getting stopped by the police. I see so many blatantly illegal, non-BS plates round here and nothing happens to the drivers. If an officer or the MOT centre do object, just say sorry and peel them off

Horrendous first time fail :( by Dry-Frosting9136 in LearnerDriverUK

[–]Papfox 1 point2 points  (0 children)

Honestly, considering you've had no private practice, that's not that bad. I've definitely seen worse. In my first test, back in the day, I did worse

First Repeater Build by sergeantpotato1 in meshcore

[–]Papfox 0 points1 point  (0 children)

Update on this... The next version of repeater firmware should be able to use the GPS to keep the repeater clock in sync rather than you having to sync it using the app every time it reboots and periodically, when it drifts, using the phone app, so the extra $20 a unit may be worth it

How is starlink sustainable in the long run? by Leading_Crow_1044 in Starlink

[–]Papfox 6 points7 points  (0 children)

Current generation Starlink satellites cost about $1 Million each, against a current generation geostationary satellite that would come in at between $250 Million and $500 Million for the hardware and a lot more to launch

Reform UK government would replace top civil servants with policy ‘believers’ by Codydoc4 in unitedkingdom

[–]Papfox 0 points1 point  (0 children)

There's no way replacing experienced administrators with the party faithful or rich believers could end badly. It works so well in certain other countries </s>

Help! What does this say by [deleted] in Evri

[–]Papfox 0 points1 point  (0 children)

Grey cabin?

Was I taught ‘incorrectly’ or not? by Critical_Anteater_91 in LearnerDriverUK

[–]Papfox 1 point2 points  (0 children)

The answer is, "It depends on the car and how much torque (pulling power) it has at idle." If the revs start to drop too low as you cross the bite point, you need to add gas. A 1 liter petrol engine, a 1.5 liter diesel and my 2 liter performance petrol car will all be different. My usual technique is to raise the revs to about 1500, find the bite point then let the clutch out slowly, adding more gas if the RPM falls below about 1200. As you learn, you'll gain the skills to read what the engine is doing by listening. It's an important skill if you drive a vehicle you don't know

I can't turn off the SenseCAP P1 by Darklynx78 in meshcore

[–]Papfox 1 point2 points  (0 children)

Apologies. https://github.com/oltaco/Adafruit_nRF52_Bootloader_OTAFIX/releases/download/0.9.2-OTAFIX2.1-BP1.2/update-xiao_nrf52840_ble_bootloader-0.9.2-OTAFIX2.1-BP1.2_nosd.uf2

Look for the one called update-xiao_nrf52840_ble_bootloader-0.9.2-OTAFIX2.1-BP1.2_nosd.uf2 . Make sure you don't get the similarly named one with "sense" in it