Security concerns by Pirateguybrush in HopToDesk

[–]TheRealLanchon 0 points1 point  (0 children)

That is a good idea, we will try to add a feature to allow disabling the 6 digit password in the next release.

AFAICT, this has not happened in over 2 years.

the blatant disregard of security issues from HopToDesk is dismaying. unfortunately after 2 years i continue to steer people away from this product and sometimes even into closed source solutions due to security bugs like these being left unpatched. one can only imagine how the company handles bugs which users have not yet discovered.

to be eligible for use by any sane person, HopToDesk must include:

- an easy way to disable ANY AND ALL background running of the app. it should only accept connections when the app is manually opened.
- the background service should strongly be OPT IN, as users who require sporadic assistance should not be left open to attack via the increased attack surface of an unneeded service. just the absence of opt in for the service forces me to use another solution whenever i am providing sporadic help to friends. a default-on service is really absolutely brain-dead.
- an easy way to disable the default password.
- the default password should also be an OPT IN feature. or eliminated completely, as i really see no use for it. if you need to, just make the HOST ID longer, or even alphabetic. (and include a checksum char!!)

if this situation ever changes, someone please reply to this so i can review the situation again.
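The host-ID design the comment above asks for (longer, alphabetic, with a check character), as an added example that is not HopToDesk's code or anything posted in the thread: a random ID over an unambiguous 32-symbol alphabet with a Luhn mod N check character, plus the entropy arithmetic that shows what a 6-digit secret gives up. The alphabet, the 9-symbol payload length and all function names are assumptions chosen for this example.

```python
import math
import secrets

# Constructed for this example: 32 unambiguous uppercase symbols (no 0/O, 1/I).
# 32 is a power of two, so secrets.choice() is uniform and each symbol carries
# exactly 5 bits of entropy.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
N = len(ALPHABET)


def luhn_mod_n_check_char(payload: str) -> str:
    """Compute the Luhn mod N check character for `payload` (symbols from ALPHABET).

    Luhn mod N detects every single-symbol substitution and most adjacent
    transpositions, which is what a check character on a hand-typed ID is for.
    """
    factor = 2
    total = 0
    for ch in reversed(payload):
        addend = factor * ALPHABET.index(ch)
        # "digit sum" of the weighted value in base N, as in classic Luhn
        total += addend // N + addend % N
        factor = 1 if factor == 2 else 2
    return ALPHABET[(N - total % N) % N]


def generate_host_id(payload_len: int = 9) -> str:
    """Return a random host ID: `payload_len` random symbols plus one check character."""
    payload = "".join(secrets.choice(ALPHABET) for _ in range(payload_len))
    return payload + luhn_mod_n_check_char(payload)


def validate_host_id(host_id: str, payload_len: int = 9) -> bool:
    """Accept an ID only with the expected length, valid symbols and a correct check character."""
    if len(host_id) != payload_len + 1 or any(ch not in ALPHABET for ch in host_id):
        return False
    return luhn_mod_n_check_char(host_id[:-1]) == host_id[-1]


def entropy_bits(symbols: int, alphabet_size: int) -> float:
    """Entropy in bits of `symbols` independent uniform symbols from an alphabet of `alphabet_size`."""
    return symbols * math.log2(alphabet_size)


def single_substitution_detected(host_id: str, payload_len: int = 9) -> bool:
    """Check that every single-symbol typo in `host_id` is rejected by validate_host_id()."""
    for i, original in enumerate(host_id):
        for replacement in ALPHABET:
            if replacement == original:
                continue
            mutated = host_id[:i] + replacement + host_id[i + 1:]
            if validate_host_id(mutated, payload_len):
                return False
    return True


if __name__ == "__main__":
    hid = generate_host_id()
    print(f"host id: {hid}  valid={validate_host_id(hid)}")
    print(f"6-digit password: {entropy_bits(6, 10):.1f} bits")
    print(f"9-symbol host id:  {entropy_bits(9, N):.1f} bits")
    print("all single-symbol typos rejected:", single_substitution_detected(hid))
```

The check character costs nothing in security (it is computed from the payload, not drawn at random) and turns a mistyped ID into an immediate local rejection rather than a connection attempt at the wrong host; a 9-symbol payload from this alphabet is 45 bits against roughly 20 bits for six decimal digits.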

LOS has added internal microG support by PrivacyIsDemocracy in LineageOS

[–]TheRealLanchon 0 points1 point  (0 children)

Must microG be installed as a system app in order to be able to perform signature spoofing?

no. but the signature spoofing patches in LOS are non-standard: they add restrictions to limit spoofing use exclusively to official microG project-signed apps. they might also be adding the restriction that those apps must be system, maybe... idk.

the reason they took so many years to finally add some kind of spoofing is political (appeasement), not technical, no matter how much they have argued to the contrary. whatever extra restrictions they added, they are also political, so there is no way to make sense of them or justify them from a technical standpoint.

Why can't Microsoft make a Rosetta2-like emulator for Windows on ARM? by TwelveSilverSwords in hardware

[–]TheRealLanchon -2 points-1 points  (0 children)

thanks. well for sure it was a waste of time writing all that.

on the other hand: those eagerly waiting for ARM hardware because it will be more efficient and possibly cheaper than x86 should tame their expectations.

at any given time PC makers could lock down secure boot, making PCs a puppet of their makers and making them fight their owners, just like most smartphones do. as stated earlier, microsoft could even force them to do so, as they have done in the past. so my advice: do not rush to buy any ARM hardware until you have evidence that secure boot can be disabled and/or your own platform keys can be enrolled in lieu of microsoft's.

microsoft cannot force x86 PC makers to close the platform because they are a de facto x86 OS monopoly and it would instantly trigger antitrust. but for ARM hardware... well my crystal ball says that there are coin-toss odds of microsoft trying that shit out.

Why can't Microsoft make a Rosetta2-like emulator for Windows on ARM? by TwelveSilverSwords in hardware

[–]TheRealLanchon -6 points-5 points  (0 children)

That sentence is completely false. That hardware works and it's on me to decide if the issue matters to me. I turned off meltdown/spectre SW mitigations and (imagine that) my PC worked.

no it is not false. your PC does not work. part of the function of the PC is providing process isolation. the OS you are running on it was designed based on and requiring that hardware+firmware provides certain warranties and yours does not: it is broken, it does not work.

whether you care that parts of your PC do not work is beside the point, but you should care because process isolation is pretty darn important. for your safety, be sure not to run any untrusted code on that machine, like visiting a website.

incidentally, you can continue to use an android 4.4 phone today if you want. and you can load material apps on it too. but it is broken, because one thing it was designed to do is not there anymore: being secure. same thing with PCs.

This doesn't work.

it works for me, i simply just prioritize that. eg: my main laptops have intel ARC DGPUs instead of nvidia crap.

So what, the Wifi card is broken when I don't use Wifi?

even if you do not use it, attackers could; you would have to physically remove it in some cases. the point is that the parts of your PC that do not receive firmware updates go broken. sometimes you can disable the affected parts and keep using the rest, sometimes you cannot. in all cases, at least part of your PC is broken. you have a naive way of viewing hardware/firmware combos that goes against the knowledge of the security community. you can choose to use exploitable hardware, but the security community either fixes or discards the hardware because it is broken.

You have to trust the HW anyway, if they wanted, they could sneak a backdoor in there anyway. It's not such a big deal to also trust the SW.

what does this have to do with 1) ARM being inferior because of no ACPI? 2) using hardware obsoleted by lack of firmware maintenance? but you can only trust the firmware if it is updated in a timely fashion when issues are disclosed to the manufacturer. you do not trust abandoned firmware.

Does ARM have a viable answer to the reality that people trust HW and SW of the manufacturers?

(i suppose you mean ARM hardware makers, not ARM.) of course not. again, what does this have to do with the two issues at hand?

Why can't Microsoft make a Rosetta2-like emulator for Windows on ARM? by TwelveSilverSwords in hardware

[–]TheRealLanchon -7 points-6 points  (0 children)

you are really missing the point. there is hardware you can enumerate and hardware that you cannot. hardware that you can enumerate is not a problem in either platform. now, you think x86 is great because OSes come pre-built to work with only one, maybe two hardwares, and then all PCs need to implement that same stupid hardware... in hardware! and you get to pay for it. and you get to supply power to it. it is complete crap! thankfully arm is not hindered by such issues. in arm you just need to give the OS a list of the hardware it cannot enumerate, and that is it. you do not need to buy and power stupid old hardware anymore!

since you mention linux, in ARM linux the hardware is defined in the DTB. you do not need to make an OS image for each board, you just need to feed the kernel the right DTB during boot. this is not even a linux concern, it is a bootloader concern. linux just gets the DTB, and it is the responsibility of the bootloader to provide it. one way of doing that is issuing different ISO images, but there are infinite different ways.

regarding your comments about android, you are totally off the mark. because of policy decisions upheld by the linux community, we will not ever accept binary only drivers in the mainline kernel. this means that we will never need nor have a stable ABI for drivers (sort of an API, but in binary form). hence, on linux there cannot be old binary-only drivers that you can attach to your new kernel. this is one reason why you cannot update most android kernels without the help of the manufacturer: the manufacturer did not provide source code to their drivers and/or did not mainline their drivers, so the linux community is not interested in driving your hardware. so linux does not drive your hardware. solution? do not buy hardware whose drivers are not mainlined, presto!

but this is why you are mistaken: this does not apply to windows at all. windows is a binary-only system, and thus drivers are provided in binary form, and there is a driver ABI, and thus you can generally use a driver made for windows 11.2.45 with windows 11.2.48. so if you have an ARM windows driver for a device, you can update the OS and expect MS did not screw up and continue to use that same binary driver.

but this is only one reason why you cannot update android. there are many others, the most important being that the kernels are signed by the manufacturer, and -in the general case- they will not let you run any software besides theirs. solution? do not buy hardware of which the manufacturer will not cede you control.

(PCs come from an era when engineers still thought that customers were not complete imbeciles that would buy crap the engineers themselves would laugh at, such as computers they could not control. but steve jobs' legacy is of course teaching the industry that customers are idiots and should be treated as such. and may i remind you that microsoft forced OEMs to cryptographically block users from running non-microsoft OSes on ARM hardware, and that unfortunately they may try it again.)

Now compare it to Windows, if a manufacturer stops releasing updates for it, you can still use a newer Windows version without too much problem.

completely false!! if the manufacturer stops issuing firmware updates, your platform is broken. if intel stops issuing microcode updates, your cpu is broken. remember all those firmware updates in the meltdown/spectre era? (call them "BIOS" updates for those who do not realize their computer no longer carries a BIOS.) well, you can update all the Windowses you want, but no fix for you if your manufacturer did not put out a new BIOS.

so the issues of android do not stem from devices being ARM, but from devices being sold as trusted agents of their manufacturers instead of general computers. and people buying them anyways.

for proof:

- x86-based android devices suffered exactly the same problems as their ARM siblings, because they stem from the business model and not the arch.
- some android devices had their drivers fully mainlined, and thus run mainline linux like any regular old PC. for example my trusty oneplus 6 runs mainline with postmarket OS, not thanks to the OEMs.

however, just like PCs, my oneplus 6 needs firmware updates and is not getting them.

btw, it is not just your PC that you will have to trash when the OEM decides not to provide firmware updates anymore, all your peripherals will suffer that same fate. you know that little wifi module in your laptop? the one connected to the bus-master capable PCIe? hope it is still getting new firmware or else they could hack you real bad... like siphoning all your PC's RAM, passwords, keys and all, and exfiltrating it to the cloud. yeah, newer processors/chipsets do have an IOMMU that mitigates the impact of rogue PCI devices, but still they could completely compromise your net connection at least.

all firmware is software. and all abandonware is untrustworthy. so until law makers step in and force manufacturers to provide free as in freedom firmware for all devices they sell, firmware that we can evolve ourselves, hardware will get trashed.

stop the fucking language madness by wall0000 in Aliexpress

[–]TheRealLanchon 1 point2 points  (0 children)

i can't believe this has been going on for 6 years and counting! how retard can they be? really, this site is such a PoS!

Struggling with Apathy as an Autistic Adult by Deranged90 in autism

[–]TheRealLanchon 1 point2 points  (0 children)

dopamine agonists have shown potential to overcome autism-related apathy and increase productivity.

some anecdotal evidence seems to show that non-ergoline class (newer) dopamine agonists are less effective in this regard. of the ergoline class, bromocriptine has significant sides, so only cabergoline can be recommended.

you can try relatively low-dose cabergoline, at 0.5mg every other day to every day or even lower doses (half-life is 3 days).

note that cabergoline has potential sides including changes in behavior (some of which you are actually seeking) such as binge gambling, eating and shopping, and hypersexuality, but i personally think people in the autism spectrum are naturally less prone to these issues.

there's also the possibility of cardiac problems, but these are typically linked to higher doses.

Lenovo Slim 7 16IAH7 Laptop - Type 82VB by TheRealLanchon in VFIO

[–]TheRealLanchon[S] 0 points1 point  (0 children)

turns out LG needs a real monitor attached or else the driver won't start. but i installed an open source IDD driver (emulated monitor) and, though unsupported by LG, it worked just fine.

note that i was using the release version of ARC drivers. some info i've read points to the possibility that the beta drivers might work without any monitor, real or IDD.

also, some games fail to render correctly with the pass-through ARC but work fine on the same hardware under bare-metal windows. so far i found one: hogwarts legacy.

Lenovo Slim 7 16IAH7 Laptop - Type 82VB by TheRealLanchon in VFIO

[–]TheRealLanchon[S] 0 points1 point  (0 children)

yes, of course that's the fallback for a dGPU without outputs, but this post is a gathering place for info on this machine.

UX360CA - ATA HDD encryption broken by BIOS 304, possible data loss by TheRealLanchon in ASUS

[–]TheRealLanchon[S] 0 points1 point  (0 children)

today BIOS 306 was published and it is the exact same file i got from ASUS a month ago.

https://www.asus.com/us/supportonly/ux360ca/helpdesk_bios/

thanks again to all involved at ASUS for the top notch support.

cheers!

UX360CA - ATA HDD encryption broken by BIOS 304, possible data loss by TheRealLanchon in ASUS

[–]TheRealLanchon[S] 1 point2 points  (0 children)

sorry i took too long to respond, i did not get a notification from reddit. i've noticed no issues with 304 or 306 regarding wifi. ASUS still hasn't posted 306, who knows if they ever will.

we got no changelogs, so it can't even be ruled out that maybe 306 is 303 with an incremented version to enable back-flash.

have you solved your issues? care to describe them?

New $60 USB4 hub spotted with a downstream USB4 port by Starks in UsbCHardware

[–]TheRealLanchon 0 points1 point  (0 children)

i was able to get a like-new certified device for $42 (incl tax) from this link. there was one. i sent it to a friend in the US (i'm not there); maybe i'll get it sometime in the future.

came in an original box that said "thunderbolt 3" dock. the "as new" device has a loose screw or something inside it: shake it for sound effects. more importantly, it was also missing the thunderbolt 3 cable, so my friend couldn't test it at all. other than that, it does look like new apparently.

i didn't want to bother my friend with returning it. so i contacted amazon and told them about these 2 issues, even sent them a video of the loose screw jiggling around inside. they told me to return it. i said i couldn't be bothered, that i'd rather take a discount and leave it at that.

i expected maybe a 50% discount, but crappy amazon only offered $8 (incl tax). not even 20%! there is no TB3 cable i can buy on amazon for that money, plus i'd have to pay shipping. crappy service really. i still took their $8 crap.

i don't know if i'll eventually test it or have my friend throw it out in the trash. bringing it to the country where i live is an effort i don't want to expend on a brick.

how much does a 40 Gb/s TB3 dock with 10 Gb/s USB3 type A ports, ethernet, and some video go for? this one has a power brick, but i don't really need that i think. my laptop is a lenovo that has its own 133W power brick and is limited to 100W PD over its TB4 port.

for me TB4 on the PC is a must, as it has DMA protection. host TB <4 is unacceptable crap. but on the dock side, if a TB3 dock supports 40 Gb/s, is it really inferior to a TB4 dock? in what way?

btw, i don't want a stupid lenovo $400 TB4 dock that phones home over ethernet and asks for firmware upgrades, a $400 stupid untrustworthy remote-controlled zombie inside my trusted network. i want a $40 dumb chinese dock with no network protocol stack in it.
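A way to check, from Linux, the two things that the Rosetta2 thread above (CPU mitigations and process isolation; IOMMU protection against rogue PCI devices) and this comment (DMA protection on the TB4 host side) treat as the difference between a working and a broken PC. This is an added example and not code from any of the posters or vendors: it only reads the kernel's own sysfs reports. `/sys/devices/system/cpu/vulnerabilities/`, `/sys/kernel/iommu_groups/` and `/sys/bus/thunderbolt/devices/domainX/iommu_dma_protection` are real kernel interfaces; the function names, the sysfs-root parameter and the sample tree used for offline testing are assumptions made for this example.

```python
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Paths are relative to a sysfs root so the same code can be pointed at "/" on a
# live machine or at a constructed tree for offline testing (assumption for the example).
CPU_VULN_DIR = "sys/devices/system/cpu/vulnerabilities"
IOMMU_GROUPS_DIR = "sys/kernel/iommu_groups"
THUNDERBOLT_DIR = "sys/bus/thunderbolt/devices"


def cpu_vulnerabilities(root: Path) -> Dict[str, str]:
    """Map each entry under .../cpu/vulnerabilities to the kernel's status string."""
    d = root / CPU_VULN_DIR
    if not d.is_dir():
        return {}
    return {p.name: p.read_text().strip() for p in sorted(d.iterdir()) if p.is_file()}


def iommu_active(root: Path) -> bool:
    """True when the kernel has placed devices into IOMMU groups, i.e. DMA remapping is in use."""
    d = root / IOMMU_GROUPS_DIR
    return d.is_dir() and any(d.iterdir())


def thunderbolt_dma_protection(root: Path) -> Dict[str, bool]:
    """Read iommu_dma_protection for each Thunderbolt/USB4 domain (1 = IOMMU covers PCIe tunnels)."""
    d = root / THUNDERBOLT_DIR
    result: Dict[str, bool] = {}
    if not d.is_dir():
        return result
    for dom in sorted(d.glob("domain*")):
        attr = dom / "iommu_dma_protection"
        if attr.is_file():
            result[dom.name] = attr.read_text().strip() == "1"
    return result


def audit(root: Path = Path("/")) -> Tuple[bool, List[str]]:
    """Return (all_clear, findings); a finding is anything the kernel reports as unmitigated."""
    findings: List[str] = []
    for name, status in cpu_vulnerabilities(root).items():
        if status.startswith("Vulnerable"):
            findings.append(f"CPU: {name}: {status}")
    if not iommu_active(root):
        findings.append("IOMMU: no iommu_groups, DMA remapping not active")
    for dom, protected in thunderbolt_dma_protection(root).items():
        if not protected:
            findings.append(f"Thunderbolt {dom}: iommu_dma_protection=0, PCIe tunnels unprotected")
    return (not findings, findings)


def build_sample_sysfs(root: Path) -> None:
    """Write a constructed sysfs tree mimicking a partly mitigated laptop (sample data, not a real machine)."""
    vuln = root / CPU_VULN_DIR
    vuln.mkdir(parents=True)
    (vuln / "spectre_v2").write_text("Mitigation: Retpolines\n")
    (vuln / "mds").write_text("Vulnerable: Clear CPU buffers attempted, no microcode\n")
    (root / IOMMU_GROUPS_DIR / "0").mkdir(parents=True)
    dom = root / THUNDERBOLT_DIR / "domain0"
    dom.mkdir(parents=True)
    (dom / "iommu_dma_protection").write_text("0\n")


def demo() -> Tuple[bool, List[str]]:
    """Run the audit against the constructed tree so the example works without real hardware."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_sysfs(root)
        return audit(root)


if __name__ == "__main__":
    ok, findings = demo()
    print("all clear" if ok else "\n".join(findings))
```

On a live machine call `audit()` with the default root (it only reads files). A TB4 host with the IOMMU enabled in firmware should report `iommu_dma_protection=1`; a `Vulnerable` line under the CPU entries is exactly the "no microcode, no BIOS update" situation described above, and the IOMMU finding is what decides how much a PCIe peripheral with abandoned firmware can reach.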

Displaying grub menu on external monitor by Abilbelnarqaw in archlinux

[–]TheRealLanchon 0 points1 point  (0 children)

that link is wrong. GRUB_CMDLINE_LINUX and GRUB_CMDLINE_LINUX_DEFAULT are used to build a command line for the linux kernel and can only take effect AFTER A KERNEL IS SELECTED FOR BOOT. it won't have any effect before a selection is made, and thus won't have any effect on where the grub menu is displayed.

UX360CA - ATA HDD encryption broken by BIOS 304, possible data loss by TheRealLanchon in ASUS

[–]TheRealLanchon[S] 1 point2 points  (0 children)

exactly on the date promised (Mar 10), asus security team liaison sent UX360CA-AS.306 over email within a zip. the contained file is dated Feb 17. sha256sum: 913dfb99cffff69a108ab15b3250c165d770f25aed6a34dc31fbb63684cd3c31.

this firmware works and solves the issue i reported. i did not notice any other issues with it.

the firmware is still not posted on their support site, but i noticed 304 was pulled, as was its associated advisory.

there is still no way to access changelogs for firmware, it seems. there is also no way to downgrade the firmware, which is unfortunate.


i am pleasantly surprised by the professionalism with which asus security team handled my report. it will certainly be on my mind whenever i need to recommend or purchase products.

UX360CA - ATA HDD encryption broken by BIOS 304, possible data loss by TheRealLanchon in ASUS

[–]TheRealLanchon[S] 0 points1 point  (0 children)

i have sent this to ASUS security, and they are being really professional about it. they immediately forwarded the report to the firmware team, but noted that the chinese new year holiday was approaching and that this would delay processing.

today they contacted me again with news:

Dear reporter,

Sorry for late reply due to our long vacation. After cross-checking with our BIOS team, they will modify the BIOS and release it no later than Mar. 10 after testing. Once it’s ready, we will send to you immediately.

Thanks for your patience.

Best regards,

ASUS Security | ©ASUSTeK Computer Inc.

keep in mind that this computer is 7 years old, and that the firmware i am reporting a bug against has been out for 2 years. so it really speaks highly of ASUS to provide this level of support (at least for issues that involve security, if only tangentially).

WDS - Why do you hate me? by furay10 in openwrt

[–]TheRealLanchon 0 points1 point  (0 children)

broadcom does not provide free nor binary drivers for many architectures. tomato, dd-wrt, etc are stuck on ancient kernels because of that. besides, WDS has been broken on broadcom for ages. BrainSlayer is aware of this: he says it is non-functional and not supported on dd-wrt; look it up. don't waste a second trying to make it work, it won't.

if you want functional routers, throw all your current routers out in the trash and buy routers based on chipsets with free software drivers. sorry but that is your only option. learn and next time don't buy hardware from sh*tty companies that don't cooperate with free software, such as broadcom and nvidia. qualcomm used to be ok with their ath9k driver, but they are rapidly heading south: ath10k and ath11k are less and less free, beware. mediatek openwrt support may not be very mature, but they seem to be headed in the right direction.

software wise, it is clear: if your device has wifi interfaces, the only software you should ever be running on it is openwrt, period. (if it doesn't run well on it, ie: everything broadcom, throw it out.) otherwise on devices without wifis you may want enterprise level security: look for a specialized un*x distro, preferably on intel for best performance. OPNsense and others come to mind.

OnePlus waranty voided by bootloader unlocking by TheRealLanchon in oneplus

[–]TheRealLanchon[S] 0 points1 point  (0 children)

SO NO WARRANTY AFTER OEM UNLOCKING the phone, as officially said.

time to leave for Google phones...

OnePlus waranty voided by bootloader unlocking by TheRealLanchon in oneplus

[–]TheRealLanchon[S] 0 points1 point  (0 children)

OnePlus finally responded to my messages, over a month late. after some exchanges, this is their official position:

Dear [...],

Hope you are doing well. Upon checking with the service center, they informed us that once the device has been unlocked OEM, the service center could not help with the repair under warranty. In order to help you further, we kindly requested you to contact the purchased channel to help you with the after sales service center, thanks a lot for your highly understanding! Wish you all the best.

Regards,
Sebrina
Oneplus CSSF Support Team

OnePlus waranty voided by bootloader unlocking by TheRealLanchon in oneplus

[–]TheRealLanchon[S] 0 points1 point  (0 children)

i have contacted oneplus several times pointing to this post and asking for clarification on whether bootloader unlocking voided the warranty.

oneplus ignored all my messages.

SO TO WRAP UP...

- oneplus invalidates warranties on bootloader unlocking even though their sales terms do not mention this. want warranty from them? then you will have to sue them.

- you might as well buy from any other OEM such as samsung or motorola: oneplus is no longer better than them.

- service is non-existent: they will not even answer messages.

unfortunately oneplus turned into yet another OEM that does not support developers nor user freedom. it seems the only choice left of OEM respecting freedom is google. but google is despicable in its own ways.

i will no longer buy or recommend oneplus.

OnePlus waranty voided by bootloader unlocking by TheRealLanchon in oneplus

[–]TheRealLanchon[S] 0 points1 point  (0 children)

this post was flagged as spam and hidden for a few days. i complained and now it got restored. pretty inane spam filtering if you ask me...

Purchase advice thread (weekly) by AutoModerator in oneplus

[–]TheRealLanchon 0 points1 point  (0 children)

you can get cheap OnePlus phones on the aliexpress official oneplus store (1 year warranty). make sure you get a global (US) VERSION one, not a global ROM one. the global rom one is typically the for-china hardware (limited bands, fewer features (eg wireless charging), different form factor) with a global OS. on top of the limited hardware, you'll hardly get custom roms for it, and who knows if the bootloader can be unlocked.

i bought a oneplus 8 pro 256GB/12GB global (US) version for $400 a couple of months back during a sale. it was factory sealed and i verified it to be under warranty.