HackerTrans
TopNewTrendsCommentsPastAskShowJobs

ColdHeat

no profile record

Submissions

Taking over a Dead IoT Company

blog.kchung.co
4 points·by ColdHeat·4 yıl önce·0 comments

FDA orders Juul to pull all of its vaping products from the U.S. market

npr.org
10 points·by ColdHeat·4 yıl önce·2 comments

Former Seattle tech worker convicted of wire fraud and computer intrusions

justice.gov
1 points·by ColdHeat·4 yıl önce·0 comments

Compass to Cut About 10% of Workforce Amid US Housing Slowdown

bloomberg.com
5 points·by ColdHeat·4 yıl önce·0 comments

Betterment Announces Crypto Portfolios

betterment.com
2 points·by ColdHeat·4 yıl önce·0 comments

Marvel Character or Font?

marvel-or-font.web.app
2 points·by ColdHeat·5 yıl önce·0 comments

Is USDC Another Tether?

singlelunch.com
2 points·by ColdHeat·5 yıl önce·0 comments

Faster Python with Go shared objects

blog.kchung.co
1 points·by ColdHeat·5 yıl önce·0 comments

Show HN: Fast HTML Sanitization in Python

github.com
1 points·by ColdHeat·6 yıl önce·1 comments

comments

ColdHeat
·4 yıl önce·discuss
Sure I took out the relevant section and put it here: https://docs.google.com/document/d/e/2PACX-1vTYSTUp3eTjfD-hG...
ColdHeat
·4 yıl önce·discuss
Thanks for letting me know. I will have to take a look. I setup Ghost a long time ago and just really use it for the blogging...
ColdHeat
·4 yıl önce·discuss
Yes the exploit removes the AWS IoT connection so that updates can come from the recreated API.

There was only one type of sign but it did come in various different cases.
ColdHeat
·4 yıl önce·discuss
I actually had written more about the exploit & vulnerability in my original drafts but I cut it out because it was a bit boring to read.

You are correct that with domain control I am able to serve content to any sign but the content will only be loaded once at boot time. Any future updates would have needed to come from their defunct AWS IoT connection (ignoring full restarts).

Using the exploit I remove the connection to AWS IoT and update some of the code to better connect it to the recreated API so users can update their signs in mostly real time.
ColdHeat
·4 yıl önce·discuss
Here's my reply to him from https://news.ycombinator.com/item?id=34328461

> Good question! No signs connected to the server until I reached out to some other sign owners to try out my instructions.

I do not know how many signs are out there. I imagine most people would have just unplugged their sign after the company's API vanished since any data would be stale and useless.
ColdHeat
·4 yıl önce·discuss
Yes I reached out to another owner who was able to connect the sign to the API. I've reached out to more people but haven't gotten too many responses. It's been 5 years after all. If you know anyone with one of these signs send them this post!
ColdHeat
·4 yıl önce·discuss
Good question! No signs connected to the server until I reached out to some other sign owners to try out my instructions.
ColdHeat
·4 yıl önce·discuss
The key point here would be "did things correctly" :)

The sign did use AWS IoT for real time configuration updates however initial configuration was pulled from their HTTP server. Using the vulnerability I describe in the article I just remove the connection to AWS IoT.
ColdHeat
·4 yıl önce·discuss
I had found some tweets by the company where they talked about using an Adafruit panel that was $40. The price on Amazon was about $30 so I figured I would go with the lower price. They may have switched to a lower cost panel but my guess is that didn't happen.

EDIT: Here is the specific tweet: https://twitter.com/NYCTRAINSIGN/status/926106932573810688
ColdHeat
·4 yıl önce·discuss
Another explanation that I saw [0] was that it was for people to pop the back panel out. I think this is the most likely explanation but it didn't occur to me while working with the sign. I feel like a little notch would have been more appropriate for an actual product.

[0] https://hackaday.com/2023/01/09/iot-archaeology-leads-to-api...
ColdHeat
·4 yıl önce·discuss
Thank you for the kind words! Made my morning!
ColdHeat
·4 yıl önce·discuss
Hello, author here. Happy to answer any questions!

My apologies for the downtime, I wasn't expecting much traffic today since I submitted the post to HN yesterday but I've started scaling my server now!
ColdHeat
·4 yıl önce·discuss
With regards to 3, isn’t the management plane alone $72 for GKE without considering the cost for the nodes? How are your costs so low?
ColdHeat
·4 yıl önce·discuss
I've eaten their strawberries and they're pretty good! The berries are held in a plastic tray with the berries individually floating on plastic wrap so they don't get squished from their own weight.

While I don't think the berries are worth the price tag, I'd definitely be interested in trying some of the new products they mention in the article (tomatoes, melons).
ColdHeat
·5 yıl önce·discuss
The Gitlab integration for Pages is also pretty immature. It doesn't appear to currently work with Groups/Subgroups. I've been back and forth with people on their Discord for maybe a week now trying to just get it setup for a test.
ColdHeat
·5 yıl önce·discuss
I would be very interested if you or tsholmes could discuss the thought process behind identifying and reverse engineering the format!
ColdHeat
·5 yıl önce·discuss
It seems doable. You can edit it under runtime settings: https://aws.amazon.com/blogs/aws/aws-lambda-functions-powere....
ColdHeat
·5 yıl önce·discuss
I believe the owner is https://twitter.com/levicook https://github.com/levicook?
ColdHeat
·5 yıl önce·discuss
I used to use this site until I found https://checkip.amazonaws.com/. Switched because I wasn't sure who was behind icanhazip.com and it's tough to beat AWS. Glad to hear that it will likely be maintained for awhile longer!
ColdHeat
·5 yıl önce·discuss
Sure, I reported an issue to the Gogs maintainer over two weeks ago and he hasn't acknowledged it at all. Here's the public reference that their SECURITY.md asks for: https://github.com/gogs/gogs/issues/6534

Here's another one posted about a week ago: https://github.com/gogs/gogs/issues/6536