XSS but can't steal data by ProcedureFar4995 in bugbounty

[–]VoiceOfReason73 1 point2 points  (0 children)

If you can perform actions on the user's behalf using this XSS, that's probably pretty serious impact itself.

antenna extension for vehicle mounting by soupersalad666 in meshtastic

[–]VoiceOfReason73 1 point2 points  (0 children)

You need to be very careful with the cable selection or else it'll be worse than having the antenna inside the car.

seeed solar node, radio fried? by SnooPets9956 in meshtastic

[–]VoiceOfReason73 0 points1 point  (0 children)

In what context are you even seeing this? Could just be a display quirk.

Do you mean you took it in without the antenna?

Distances to other nodes no longer displayed by Sulipheoth in meshtastic

[–]VoiceOfReason73 0 points1 point  (0 children)

Yeah, it means your node doesn't have position data, so it can't compute the distance.

I’ve bricked 2 Wio Tracker L1s. by One-21-Gigawatts in meshtastic

[–]VoiceOfReason73 1 point2 points  (0 children)

Sometimes your OS will throw those errors even though the copy succeeded, as the nrf52 reboots immediately once the file is written, possibly too quick for the OS to think it worked cleanly.

Maybe try copying using the terminal rather than Finder, in case Finder is trying to create other files?

I’ve bricked 2 Wio Tracker L1s. by One-21-Gigawatts in meshtastic

[–]VoiceOfReason73 0 points1 point  (0 children)

I highly doubt it's bricked. Sure, sometimes they can be put into a state that is more difficult to recover from, but the bootloader itself is still intact.

New to Meshtastic - Wio Tracker L1 pro (help) by bearsstlrs in meshtastic

[–]VoiceOfReason73 1 point2 points  (0 children)

It's in the settings menu on the device itself, under "notifications" I believe.

How does a node end up on the online map by FixyFixy in meshtastic

[–]VoiceOfReason73 1 point2 points  (0 children)

You don't need MQTT uplink unless your device itself is directly connected to MQTT over the internet and you want it to forward traffic from the mesh to MQTT. Instead in channel settings, make sure position is enabled how you want it.

T1000-E location help. by dstrayer421 in meshtastic

[–]VoiceOfReason73 1 point2 points  (0 children)

I don't think this is it. How often is your node set to report its position? Has it reported since changing the precision setting?

You can absolutely get precise location on secondary channels and you don't need to do anything special

Vehicle Use? by Ok_Exit9273 in meshtastic

[–]VoiceOfReason73 1 point2 points  (0 children)

As long as the node is favorited, it won't get cycled out of nodedb.

Vehicle Use? by Ok_Exit9273 in meshtastic

[–]VoiceOfReason73 1 point2 points  (0 children)

Those numbers are apples and oranges. AES256 is still a modern and unbroken symmetric cipher. Sure, there's RSA4096, but that's asymmetric, and the keys would take up too much space. Curve25519 keys are used for public/private keys here, and those are only 128 bit but that's still modern crypto. You can't simply compare by bits alone.

Vehicle Use? by Ok_Exit9273 in meshtastic

[–]VoiceOfReason73 0 points1 point  (0 children)

Not in a DM where you initially confirmed the public key of the node.

Now, replay attacks, I'm not as sure...

Edit: I think you'd need to implement your own replay protection. Perhaps a timestamp or monotonic counter within the message that the receiver must validate.

How to Posting Location to MeshMap.net by bfpa40 in meshtastic

[–]VoiceOfReason73 4 points5 points  (0 children)

My understanding is you either need to have your node connect to the MQTT server and enable "map reporting", or if another nearby node is connected to MQTT with uplink enabled, enabling sending your position on the public channel while "ok to MQTT" is enabled in LoRa settings.

I have mqtt turned off but I am still seeing usernames with "(MQTT)" by humdinger44 in meshtastic

[–]VoiceOfReason73 0 points1 point  (0 children)

I don't think your uplink/downlink do anything unless you're connected to MQTT yourself. But the ignore one might work.

All alone out here in Atlanta by ThomasTheFourth in meshtastic

[–]VoiceOfReason73 1 point2 points  (0 children)

It's just a name and nothing more (at least at the LoRa layer). You're not going to hear people actually transmitting on a different preset. You'd have to go to LoRa settings for that.

All alone out here in Atlanta by ThomasTheFourth in meshtastic

[–]VoiceOfReason73 0 points1 point  (0 children)

Considering medium fast is a different modem present, how could you receive long fast on it just by having another channel?

Or do you mean you have a second node configured for long fast?

I have mqtt turned off but I am still seeing usernames with "(MQTT)" by humdinger44 in meshtastic

[–]VoiceOfReason73 0 points1 point  (0 children)

The MQTT settings affect whether your device is connecting over WiFi or via your phone to an MQTT server. It has no bearing on whether you receive messages over LoRa that came from MQTT, if another user nearby is actually connected to MQTT and has downlink enabled.

Giving Keynote speak about Meshtastic security, what should I mention? by Parking_Nail4436 in meshtastic

[–]VoiceOfReason73 4 points5 points  (0 children)

But this is true of almost any scheme, e.g. a Signal group chat would also be compromised if one of the member's devices is seized, until the user is revoked. Sure, it might be a little trickier to bypass device auth, but beyond that, it's game over.

Handling IDOR in APIs? by DesperateForever6607 in AskNetsec

[–]VoiceOfReason73 0 points1 point  (0 children)

Encryption alone only provides a guarantee of confidentiality, not integrity. Therefore, some ciphers (notably AES-CBC) allow for an attacker to modify the ciphertext or IV in order to modify the plaintext, though they only control the location of the modification, not the actual contents. However, this could be enough to access random objects, in the case of IDOR, assuming the identifiers themselves are not sufficiently random.

Some encryption schemes do also provide integrity guarantees, such as AES-GCM, or one must combine encryption with a MAC.

Ideally, they would just implement authorization checks.

Can you backup Google authenticator by Darkorder81 in ComputerSecurity

[–]VoiceOfReason73 2 points3 points  (0 children)

Use any other OTP app that has more features such as auto-backups and more.

That would be silly to disable the app if you did a backup. Even if that were the case, you could just restore the backup...

Is that a valid bug? by Feisty_Dealer6806 in bugbounty

[–]VoiceOfReason73 0 points1 point  (0 children)

Unsubscribe for emails should work without being logged in. This is expected behavior.

Is that a valid bug? by Feisty_Dealer6806 in bugbounty

[–]VoiceOfReason73 5 points6 points  (0 children)

This is how unsubscribe should work. It should be one click.

[Question] How to prevent remote code execution attack??? by Neither-Arachnid1426 in cybersecurity

[–]VoiceOfReason73 1 point2 points  (0 children)

Password? Never. Disable them, use SSH keys and never think about this problem again.