Hacker News | QualityReboot's comments

If you're a felon, you typically can't get traditional employment. For most people, it's a shorter jump to "criminal" than "consultant".


I moved from San Francisco to South Florida as an experiment in being fully remote. It's been pretty good so far, but if I was looking for another job, I'd hit up everyone I know in SF for a remote position first.

There aren't many like-minded people here, and that's kind of nice for a change. I still love San Francisco, but it simply priced me out of living there. I'd rather retire in 5 years here than work another 30 there.


It's not bad faith, and it's not flamebait.

1) He's technically correct, the best kind of correct.

2) That's tptacek you're suggesting to ban. He's a fixture here and has been an outstanding contributor to this community since near the beginning.


I just got a yubikey and found this guide today. It's quite good.

One thing that I still haven't found a good answer for that's not mentioned in the guide: what's KDF for?

The new yubikey firmware has release notes here: https://support.yubico.com/support/solutions/articles/150000...

This is the bit that has me lost:

> To remove the transmission and on-card storage of OpenPGP PINs in plain text, the YubiKey supports the Key Derived Function (KDF) functionality. With the KDF function enabled, the PIN is stored as a hash on the YubiKey. When entering the PIN to the OpenPGP Smart Card, the OpenPGP client will only pass the hashed value, never passing the PIN directly. KDF functionality is set on the card itself, and communicated to the client; it is transparent to the user. Should the KDF functionality not be enabled, the PIN function will work as previously. The KDF function is listed in section 4.3.2 of the OpenPGP Smart Card 3.4 spec.

Can someone explain to me how KDF matters at all here?

It seems like the keys are encrypted on the yubikey via pin, or at least protected in hardware via pin, and that the pin is stored on the device. KDF seems to take that plain text pin and replace it with a hashed pin. If you steal my yubikey, it looks like KDF would prevent you from... dumping the PIN? But if you could dump the pin, wouldn't you just dump the key instead? I can't seem to figure out the threat model for this feature.


I'm guessing it's to protect against MITM of the USB interface


How would that help though? If you have a compromised USB interface, and you're entering your pin on that machine, you could just capture the keyboard input anyway.


That's a good point! It has to be for another reason.

Interested to hear what it's for


Nope, you were right. It's for USB MITM. I guess the assumption is that the keyboard is wired in a different way (a laptop?) or in wireless scenarios (NFC Yubikey).
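
As an added illustration of the KDF mechanism the release notes describe (not part of the original thread, and not Yubico's or GnuPG's code): the client reads the card's KDF data object, runs the PIN through iterated and salted S2K, and sends the result in the VERIFY command instead of the PIN. Field tags follow section 4.3.2 of the OpenPGP card spec cited above; the salt, iteration count and PIN are constructed sample values.

```python
import hashlib

# Constructed KDF-DO contents (sample bytes, not read from a real card):
# 81 = KDF algorithm (03 = iterated+salted S2K), 82 = hash (08 = SHA-256),
# 83 = iteration count (4 bytes), 84 = salt for the user PIN (PW1).
SAMPLE_KDF_DO = bytes.fromhex("810103" "820108" "8304000186a0" "84080102030405060708")

def parse_kdf_do(raw: bytes) -> dict:
    """Parse the flat one-byte-tag / one-byte-length TLVs of a KDF-DO."""
    fields, i = {}, 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated KDF-DO header")
        tag, length = raw[i], raw[i + 1]
        value = raw[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated KDF-DO value")
        fields[tag] = value
        i += 2 + length
    return fields

def itersalted_s2k(pin: bytes, salt: bytes, count: int, hash_name: str = "sha256") -> bytes:
    """RFC 4880 iterated+salted S2K: hash salt||pin repeated up to `count` octets."""
    data = salt + pin
    total = max(count, len(data))  # always hash at least one full copy
    full, rem = divmod(total, len(data))
    h = hashlib.new(hash_name)
    for _ in range(full):
        h.update(data)
    h.update(data[:rem])
    return h.digest()

def verify_apdu(pin: str, kdf: dict, p2: int = 0x81) -> bytes:
    """Build the VERIFY command (00 20 00 P2) a client would send for PW1."""
    secret = pin.encode()
    if kdf.get(0x81, b"\x00") == b"\x03":  # KDF enabled on the card
        hash_name = {0x08: "sha256", 0x0A: "sha512"}[kdf[0x82][0]]
        count = int.from_bytes(kdf[0x83], "big")
        secret = itersalted_s2k(secret, kdf[0x84], count, hash_name)
    return bytes([0x00, 0x20, 0x00, p2, len(secret)]) + secret

if __name__ == "__main__":
    kdf = parse_kdf_do(SAMPLE_KDF_DO)
    print("KDF off:", verify_apdu("123456", {}).hex())   # PIN digits visible on the link
    print("KDF on :", verify_apdu("123456", kdf).hex())  # only the salted hash is sent
```

Because the salt is per card, the same PIN on a second card produces an unrelated byte string, so what an observer on the USB or NFC link captures is the salted hash for this one card rather than the PIN digits.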


Quality discussion, both of you, thanks!


New firmware is quite interesting if one is using OpenPGP: it supports newer algorithms (25519) and key attestation (proofs that the key was generated in hardware, useful for enterprises). Still, the PIV applet has some more advantages (like dozens of possible encryption subkeys), but this is mainly a limitation of the OpenPGP Card spec.



You produce some of the most interesting threads I've read on Twitter. Thanks for sharing as much as you do.

Out of curiosity, why not mastodon? Do you see a path from Twitter to a federated or decentralized service?


So what you're saying is if work is already lonely, isolating, exhausting, precarious, with little support, then I might as well go into leadership?


I’m saying you may find it even more so in a leadership position.


That does sound awful. Here's what I do: block all ads.

I can't stop the data collection, but I can stop ads. If I ever see an ad, I stop what I'm doing and figure out how to remove that ad from my life forever.

So yeah, I'm fully tracked, and I have no privacy, but at least I'm not being influenced by the ads that come from processing all my data.

I also try to block as much data collection as possible, but I realize that's not fully in my control.


As best as I can tell from this thread, if you make use of any service in any way that could be interpreted as unintended by the service provider, you're a criminal.

It makes me wonder if using 1.1.1.1 on my network is a crime. Sure my ISP is letting my DNS queries through, but think of all the analytics that they're missing about me.


That is not the case, at least in most occidental jurisdictions. See for example the recent LinkedIn case: https://www.theverge.com/2019/9/10/20859399/linkedin-hiq-dat...

And the CFAA is a peculiarly poor bit of legislation, even by US standards, nothing like it applies in the EU.

There is no basis to say these actions, or using a different DNS, is criminal. At worst a contract dispute.


> Note: this is most likely illegal .. in every jurisdiction. So .. don't actually do this.

Sad if true. If a service is providing public DNS access without any service agreement, I don't see how making DNS queries with it could be illegal, especially on a public radio channel.

You might be right, but how?

It's certainly within their right to ban you by filtering out certain queries though.


It's theft of service.

Remember as abstract as the law can be, the legal system is not going to be amused by contrivances like "they were offering DNS service free and clear, so tunneling youtube over DNS is fine"

The legal system is going to understand that you were trying to circumvent paying for services and treat it appropriately.


How can it be theft of service when they can deny you service at any time automatically by identifying abnormally heavy users and removing them?

This isn't like bypassing the electrical grid by running your own line from somebody else's service.

This is like saying it's theft of service to read a chapter in the bookstore. If you hang out there all day, you might get kicked out, but that's not a crime.

The courts might agree with you, but only because "computers are hard".

There's a world of difference between tunneling over DNS and compromising servers. Or at least, there should be.


"by identifying abnormally heavy users and removing them" - That costs money, ergo, theft. It's like if someone had to hire a security guard for a vending machine.


Or even just let those users alone. Users aren't stealing service if it's not even the same service. It's much slower than buying wifi from the captive portal.

DNS tunnelling is not fast or convenient. Places deploying captive portals have probably looked at the risk to their business from it and have decided not to worry about it.

I can't believe that using a slow DNS connection, intentionally made public, to tunnel traffic would be considered theft or criminal.

How many free samples do I have to eat before I'm a thief? I don't believe I'm a thief until the offer for free samples is rescinded.


I would imagine at the very least you would degrade DNS resolution times for legitimate users since there would be a lot more requests than usual


That’s exactly like bypassing the electrical grid.

It’s like having a “free” street light and, instead of just enjoying the light, you pull its cables and plug your AC in.

The free service is just for the light.


Can I use my solar powered calculator under a street light? Or is that theft of service too?


The light is free. The electricity isn't.


I suppose adblock is theft too?


Opinion differs, but many ad-supported sites would say yes. I'm not sure if it has ever been tested in court. "Fare dodging" might be a better concept to compare this to.


Iirc, tunneling with iodine is somewhat slow, so

> tunneling youtube over DNS is fine

probably wasn't going to work very well anyway. (Happy to be corrected if I'm wrong, though!)


Apart from the theft angle it's also knowingly and maliciously circumventing access control systems. That's usually covered under anti-hacking laws


I'm floored that this is apparently how people are reasoning about the world now. Especially on HN.

There is no circumventing of any access control here. If a service is giving a public access point, on public spectrum, and they let you connect, and they allow you to use DNS, you should be able to use DNS however their access control systems allow you to use it.

Now if you find an exploit in their captive portal that allows you access to their service, then sure, that's illegal, because you're breaking into something.

You can't circumvent access controls if the access control list is wide open.


The intent is that you have to pay to use the WiFi. Even if you find a clever technical way to circumvent that, the judge will see what you were trying to do: avoid paying for the service that is offered. The court is not a computer and a judge will use their human brain to make a judgement of your intent.


Is it also theft if I run sshd on udp 53 and I happen to be able to connect?

How about if I run sshd on tcp 22 and it's not blocked?

Is it illegal if I just want to see if a dns change I made has propagated and I query an A record?

It seems obvious (to me) that a judge would say "It's not theft if you're giving it away. If you have a problem with how people are using your free service, add restrictions. Case dismissed."

I would hope that the court uses their human brain to make a judgment of my intent and the intent of the service provider. My intent is to have free DNS access to communicate with my server. The service provider intended to provide a public access point with free DNS and no restrictions on its use. The conclusion should be obvious.


Consider a toll booth without a barrier (commonly known as iPass lanes in some parts). The intention is that you have to pay when passing through. There's no technical measure in place to prevent you from not driving through without paying.


Indeed, sometimes I'm also floored about the lack of openness here.

As I often say, self-proclaimed nerds who can't imagine life without a big brother taking care of things love to complain and complain and complain.

The ages of relying on oneself and technology seem gone. Cover-your-ass for 'nerds'

I'll be happy to sell these self proclaimed 'nerds' lessons about how to secure a captive portal with iptables, so that no DNS or HTTP/S or ICMP can go through until the login is entered and the TOS validated.


>>Indeed, sometime I'm also floored about the lack of openness here.

Quite the opposite -- there is complete openness in this thread about the technical aspects of the circumvention or use of the technique, plus open and timely reminders regarding the potential legal ramifications of executing this technique in certain jurisdictions.

