I actually had written more about the exploit & vulnerability in my original drafts but I cut it out because it was a bit boring to read.
You are correct that with domain control I am able to serve content to any sign but the content will only be loaded once at boot time. Any future updates would have needed to come from their defunct AWS IoT connection (ignoring full restarts).
Using the exploit I remove the connection to AWS IoT and update some of the code to better connect it to the recreated API so users can update their signs in mostly real time.
> Good question! No signs connected to the server until I reached out to some other sign owners to try out my instructions.
I do not know how many signs are out there. I imagine most people would have just unplugged their sign after the company's API vanished since any data would be stale and useless.
Yes I reached out to another owner who was able to connect the sign to the API. I've reached out to more people but haven't gotten too many responses. It's been 5 years after all. If you know anyone with one of these signs send them this post!
The key point here would be "did things correctly" :)
The sign did use AWS IoT for real time configuration updates however initial configuration was pulled from their HTTP server. Using the vulnerability I describe in the article I just remove the connection to AWS IoT.
I had found some tweets by the company where they talked about using an Adafruit panel that was $40. The price on Amazon was about $30 so I figured I would go with the lower price. They may have switched to a lower cost panel but my guess is that didn't happen.
Another explanation that I saw [0] was that it was for people to pop the back panel out. I think this is the most likely explanation but it didn't occur to me while working with the sign. I feel like a little notch would have been more appropriate for an actual product.
Hello, author here. Happy to answer any questions!
My apologies for the downtime, I wasn't expecting much traffic today since I submitted the post to HN yesterday but I've started scaling my server now!
I've eaten their strawberries and they're pretty good! The berries are held in a plastic tray with the berries individually floating on plastic wrap so they don't get squished from their own weight.
While I don't think the berries are worth the price tag, I'd definitely be interested in trying some of the new products they mention in the article (tomatoes, melons).
The Gitlab integration for Pages is also pretty immature. It doesn't appear to currently work with Groups/Subgroups. I've been back and forth with people on their Discord for maybe a week now trying to just get it setup for a test.
I used to use this site until I found https://checkip.amazonaws.com/. Switched because I wasn't sure who was behind icanhazip.com and it's tough to beat AWS. Glad to hear that it will likely be maintained for awhile longer!
Sure, I reported an issue to the Gogs maintainer over two weeks ago and he hasn't acknowledged it at all. Here's the public reference that their SECURITY.md asks for: https://github.com/gogs/gogs/issues/6534