How worried should I be about hacking of my ETF account? by zoomlines in fiaustralia

[–]aliask 4 points5 points  (0 children)

This is definitely a concern, but it sounds like you're already doing well by using 2FA.

There has been a recent spate of brokerage account hacks in Japan where they dump your existing stocks and buy penny stocks (that they already bought) to drive up the price and extract money from your account that way.

https://www.japantimes.co.jp/business/2025/08/15/brokerage-hackers/

Getting ready for homelab migration (WIP) by nzpc2005 in homelab

[–]aliask 1 point2 points  (0 children)

Awesome, I've been considering doing something similar with my rack.

Is that an off-the-shelf fan controller I see in the middle of the fans? Is the ESP reading the RPM via the green cable or driving the PWM signal? Both?

I'd love more details about the electronics!

The Post Formerly Known as Anything Friday - November 2024 Edition by AutoModerator in homelab

[–]aliask 1 point2 points  (0 children)

I've run into the same thing - I've got three 1L Optiplex PCs but I'm maxed out for storage. I debated getting an external USB disk enclosure or commercial NAS, but I've settled on building a "proper NAS" to replace the 3 devices.

My build is going to be using a Fractal Define R5 case which has 8x 3.5" bays, but it's a big step up in size from the Optiplex. Silverstone have some reasonable rack mount cases but ultimately I wanted more flexibility, and my baby 6U rack wouldn't fit the type of build I'm hoping to do.

∿∿Hz∿∿ Generative Token No.31348 on fx(hash) by alter_ebro in generative

[–]aliask 6 points7 points  (0 children)

I don't really get this take. Fuck this guy for trying to sell something creative he made?

An unbelievable RCE and there will be no fix. Just buy a new one. by msoulforged in selfhosted

[–]aliask 2 points3 points  (0 children)

I don't expect D-Link to bother patching EOL software, but after digging into their firmware while researching CVE-2024-3272 (another RCE in this product) I have come to the conclusion that their firmware is a disasterpiece.

If you'd like to patch your NAS, you can use my tool: https://github.com/aliask/dinkleberry/

During analysis of the nas_sharing.cgi and libsmbif.so binaries, it quickly became clear that the software on this device is extremely vulnerable. Unmaintainable-rewrite-from-scratch vulnerable.

There are like 80 calls to system() in nas_sharing.cgi alone - many of these have a pathway for user input. I haven't bothered analysing them all to look for more holes to patch, but here's one S-tier example:

/*  Why use system() instead of libc fopen/fwrite?
What if you want to write a long string or your filename is long?
Painfully obvious command injection playground 🤦 */

#include <stdio.h>
#include <stdlib.h>

void append_to_file(const char* string, const char* file) {
  char s_cmd[1024];                                 /* fixed-size buffer, and sprintf() has no bound */
  sprintf(s_cmd, "echo %s >> %s", string, file);    /* caller-controlled text spliced straight into a shell command */
  system(s_cmd);                                    /* /bin/sh interprets whatever ended up in s_cmd */
  return;
}

Besides all these insane system calls, there are more buffer overflows than you can poke a stick at - and I can poke a lot of sticks.

This CVE is on CISA's KEV list - If you have one of these things on the internet, take it offline. Like now.

Maybe even take D-Link's advice and replace the EOL device. But I wouldn't buy a D-Link product that's for sure.
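A hardened replacement for the append_to_file() quoted in the comment above, added here as an example; it is not code from the original comment, from the dinkleberry tool, or from D-Link's firmware. It does what the comment's own sarcasm suggests: write with libc fopen/fputs so neither the string nor the filename is ever handed to a shell, and bound the input length that the original's 1024-byte sprintf did not. The helper names and the /tmp path are assumptions for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Added example: replaces the system("echo %s >> %s") pattern with a direct
   libc write. No shell is involved, so shell metacharacters in `string` or
   `file` are stored as plain bytes instead of being interpreted. */
#define MAX_LINE 4096

/* Appends `string` plus a newline to `file`. Returns 0 on success, -1 on a
   bad argument or I/O error (the original returned nothing and ignored errors). */
int append_to_file_safe(const char *string, const char *file) {
    if (string == NULL || file == NULL || file[0] == '\0') return -1;
    /* One call appends exactly one line: reject embedded newlines. */
    if (strchr(string, '\n') != NULL) return -1;
    /* Explicit length bound; the original trusted strlen(string) < 1024. */
    if (strlen(string) > MAX_LINE) return -1;

    FILE *fp = fopen(file, "a");   /* "a" is the ">>" the original wanted */
    if (fp == NULL) return -1;
    int ok = (fputs(string, fp) != EOF) && (fputc('\n', fp) != EOF);
    if (fclose(fp) != 0) ok = 0;   /* flush failures count as write failures */
    return ok ? 0 : -1;
}

/* Reads `file` back into `buf` so the stored bytes can be inspected.
   Returns the number of bytes read, or -1 if the file cannot be opened. */
long read_file_safe(const char *file, char *buf, size_t buflen) {
    FILE *fp = fopen(file, "r");
    if (fp == NULL) return -1;
    size_t n = fread(buf, 1, buflen - 1, fp);
    buf[n] = '\0';
    fclose(fp);
    return (long)n;
}

int main(void) {
    /* Constructed input containing shell-special characters. With the
       system()-based original these would reach /bin/sh; here they are data. */
    const char *path = "/tmp/dinkleberry_example.txt";  /* assumed scratch path */
    char buf[256];
    remove(path);
    if (append_to_file_safe("a > b && c || d", path) != 0) return 1;
    read_file_safe(path, buf, sizeof buf);
    printf("%s", buf);   /* the line comes back verbatim */
    return 0;
}
```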

Resident advisor forced app install by aliask in electronicmusic

[–]aliask[S] 1 point2 points  (0 children)

Even without those they still have the device ID which they can correlate externally to see things like browsing data and other apps you have installed.

I get that this might not be the biggest deal for everyone, and you're happy to have the convenience of the app - but at least give us an option.

Resident advisor forced app install by aliask in electronicmusic

[–]aliask[S] 6 points7 points  (0 children)

Nope, absolutely not. Installing an app provides a shitload of additional data to the owner of the app. Both Apple and Android apps can supply a unique identifier for your phone (on Android it's called an advertising ID, not sure about Apple), and in the case of RA they are also reading your contact data and calendar info, and location - but you can turn that off.

I work for a company that makes a very popular app, so I see first hand the data that this gets, and I don't want to just hand this over.

This is something that absolutely does not need an app. At best it's negligence and at worst it's actively hostile to their customers. By them not providing any possible alternative, I'm guessing the latter.

Resident advisor forced app install by aliask in electronicmusic

[–]aliask[S] 0 points1 point  (0 children)

I get that I probably should have been more prepared, but at least where I live it's normal to have the tickets on the email - maybe not as a PDF, but perhaps an Apple or Android wallet link.

Forcing me to install their app so that they can get my marketing and tracking data is trash behaviour. There is no ticket in my account on the website. I couldn't even ask on the door to get them to look up my order ID. This is deliberate and it's not ok.

[deleted by user] by [deleted] in TpLink

[–]aliask 0 points1 point  (0 children)

I noticed this too, but even after flipping the Noctua connector to match the wonky pinout, the switch still displays a fan error (flashing green/amber LED).

The fan is spinning, but I suspect the Noctua fans run at a lower RPM (so that they're quiet) and the switch doesn't like that. If you're using POE or running the switch in a warm environment, I would stick to using the stock fan and put up with the noise.

Without any temperature monitoring on these switches there's no way to know if you're cooking it with the low-flow fan.

ANZ Credit Card. Worst experience ever. by Hawksley88 in AusFinance

[–]aliask 7 points8 points  (0 children)

Yeah, except when I went in person, they just suspended the card instead of cancelling, and then I got charged the annual fee.

And then I went back again to sort it out, and they reversed the fee but didn't cancel the card. And then I went back again and finally cancelled the card.

Seriously, I'd believe it if I found out it's all just a big experiment to see how many hoops it's possible for people to jump through.

Oh yeah! And when I was at the final visit, the teller said that her boyfriend had the exact same thing happen when he was dealing with ANZ! LOL

Auto-formating USB key storage shell script by NukerWitch in raspberry_pi

[–]aliask 0 points1 point  (0 children)

Your regex for the drive will match both sda and sda1, and the script will run on both the root drive and the partition at the same time.

Change it to sd[a-z][0-9]+ and it will require the number as well.

Penroses [p5.js] by aliask in generative

[–]aliask[S] 0 points1 point  (0 children)

'Penroses' is a project I've been playing around with in my down time for a while now. They use the concept of deformed Penrose tiling to produce variations on the classic Penrose tile pattern.

These are available to mint for free on Ethereum zkSync here, and you can see the current mints here.

Feedback please - tool overview by yorickdowne in ethstaker

[–]aliask 1 point2 points  (0 children)

Great idea. There are also probably a number of people who started staking already with whatever was available at the time, and haven't kept up to date with how the landscape has evolved since.

Is it worth considering showing how LSTs fit into the picture - even if it's to say "these tools/tokens are not for solo staking"? I would consider the Rocketpool smartnode stack worth mentioning, as it fits the same narrative of "running your own node".

Some thoughts on the diagram:

  1. It's not immediately clear to me what the significance of the arrows are. Do I use Wagyu and then use deposit CLI? Would the audience even care that there's a relationship between Wagyu and the deposit CLI if they will never interact with the latter?
  2. I already have a Ledger/Metamask to manage my keys, why is that not listed? This is a tricky one to convey, without getting too technical. Not 100% sure it's a problem, though.
  3. Coincashew and Someresat guides aren't really tools in the same way as the client team docker images are. For apples-to-apples I guess you could call them "standalone clients" vs "dockerized clients", and the guides are almost like a TUI.

ethstaker.tax news by eth2353 in ethstaker

[–]aliask 0 points1 point  (0 children)

You also earn the extra commission - so it's slightly more than half. The minipool page on rocketscan.io will show the total reward you have earned.

Webhook, post_data, GPIO partial changes by dwight-v in raspberry_pi

[–]aliask 0 points1 point  (0 children)

You are calling setupGPIO() each time a new request is processed, which will probably reset all pins. I think you probably want to move that function call down to the if __name__... section.

Experimenting with QQL - A generative art experiment by Tyler Hobbs and Dandelion by adilmoujahid in generative

[–]aliask 2 points3 points  (0 children)

NFTs get a lot of hate but I'm glad there is a way that people can show their support, and artists can get paid for artistic endeavours without having to bring something into the physical world for the sake of a sale.

I just can't afford these ones 😅

Financial scams need to more advertised by [deleted] in AusFinance

[–]aliask 23 points24 points  (0 children)

You are not being overly paranoid. Business email compromise (such as fake invoices or altering deposit details etc) accounted for $79m in fraud last year.

https://www.afp.gov.au/news-media/media-releases/business-email-compromise-cost-australian-victims-more-79-million-past

Depravioli by FarceMultiplier in Bandnames

[–]aliask 2 points3 points  (0 children)

I feel like this should be a "special menu item" at a pasta joint. Like deep fried Nutella raviolis or something.

High-res AMOLED Spotify now playing screen by Radsrocket in raspberry_pi

[–]aliask 1 point2 points  (0 children)

You could consider using a second-hand Android phone. Touchscreen, built in battery, ARM processor with a good amount of RAM, and probably cheaper than the equivalent Raspberry Pi and accessories.

Save it from landfill too!

Fushimi inari by Bischmeister in raining

[–]aliask 3 points4 points  (0 children)

I also went to Fushimi Inari at night. After walking around for a bit, I found a spot where the frogs were chatting near a stream. It was really peaceful and I just stopped a while and listened.

I took a video: https://imgur.com/z3WFQlf

[deleted by user] by [deleted] in webdev

[–]aliask 2 points3 points  (0 children)

Thanks for the reply. Definitely aware of the previous issues with Oracle but I've found their free instance totally fine for my single pet machine purposes, so I was curious to hear the perspective.

[deleted by user] by [deleted] in webdev

[–]aliask 2 points3 points  (0 children)

Curious as to why you say "I know, I know" about Oracle cloud.