Rode with a guy to visit a friend in a gated community. We didn't know the access code for the gate but the guy I was with is an Amazon delivery driver.
"Let's see if I can't get us in," he said. He got out of the car, walked over to the access panel and looked on top, bottom and sides. Then he punched in some numbers and the gate opened.
Turns out, so many people in gated communities and apartment complexes order things from Amazon, and other delivery services, and want front door delivery but don't give them any way to get in. Eventually, some frustrated driver who gets the code will write it on the side of the access panel to help everyone out.
"Apartments are awful," he said. "College campuses are the bane of our existence. You would think that college kids would be smart about these things but they are the absolute worst."
> "College campuses are the bane of our existence. You would think that college kids would be smart about these things but they are the absolute worst."
This is a huge misconception about GenZ. Unlike Millennials and GenX, who had to hack around on PCs to figure out how to torrent, run games, build our own LANs for local multiplayer, and generally avoid our parents' prying eyes, GenZ has grown up on devices. You don't modify the OS on devices. You don't hack around on devices; apps tend to just work with little configuration. GenZ is entering the workforce with lower baseline computer / computer security skills than people think they have.
Same. I just was talking with my daughter (16) about this because she hated her intro programming class in high school. No biggie if it isn't for her, slightly disappointing that I can't share knowledge, but she should pursue what she enjoys.
What irked me was she claimed "I just hate being on the computer", but her screen time on the phone easily crests 8 hours daily. Maybe we are just entering a similar phase to auto mechanics. In the 1950s anyone who owned a car was at least somewhat proficient in its inner workings, now many people need to consult the manual to figure out how to pop their hood.
There's a reason for that. I ran across a video recently that talked about how his dad would replace an engine over the weekend. But then he showed what the old cars looked like under the hood (very simple with lots of empty space) and new cars (very complicated). More importantly, he showed the manuals that came with the car. The old car's manual showed how the engine was put together and explained what everything did, and how to rebuild it. The new manual was only full of warnings and told you to take it to the dealer for everything.
Think about how I (and probably you) learned computers. My IBM PC has a manual that has a page just to show where the power switch is and how to use your hand to flip it. It has a diagram for what the keyboard cable looks like when it's plugged in correctly. It continues on and on and tells you how to open it and what the dip switch settings do. People always thought I was a computer whiz kid when all I ever did was read the manuals and try out what they said.
The empty space in older cars is definitely a big contributor to how much simpler it was to work on them. Plenty of project cars I owned or worked on that had more than enough room in the engine bay to actually STAND inside between the frame and engine with the engine / wiring / hoses still present and both feet planted on the ground.
Much less daunting and convenient to work on an engine or replace a part when you don't have to take off (and potentially break) a million other parts to get at what you want to replace and you actually have the room to see what you're doing instead of blindly groping around for something vaguely shaped like something you've only seen a picture of.
That and the absolute sheer amount of electronics in modern cars. Older cars had the absolute bare minimal amount of wiring to the point that it was entirely plausible to more or less keep the wiring schematic in your head and even (speaking from experience) redo the entire wiring harness front to back on your own with a few different colored rolls of wire from a hardware store yourself.
I can't imagine how people getting into the hobby now with newer cars feel looking at the unholy mess of endless amounts of wiring, sensors, mechanical parts all jammed together in tightly packed space efficient layouts probably designed by someone purely working on them in a digital space. On the bright side at least they have YouTube and better resources on the Internet to look up how to actually do something though.
I’m comfortable doing mechanical work and when my Honda Fit said I had to remove a shitload of parts just to replace a spark plug I said fuck it and traded it in.
I've had a knee-jerk reaction to that job too. But realistically optimizing spark plug changes isn't really important like the old days where you needed to change them every 10k miles or less. It's maybe 2-3 times in the entire life of the car.
Removing the wipers and windshield cowl is generally easy, just takes some extra time. Dealers/mechanics charge for time, not difficulty. So that simple 2hr job can easily be 500-600+. Still something that could be a rewarding Saturday morning project for someone who likes doing DIY type stuff.
My brother had to have something (AC fan?) replaced and it involved removing the entire dash. I've seen photos of this and it looks like the car exploded.
Some fan in my (late 90s) Taurus wagon was buried behind a bunch of stuff in the engine area and while we didn’t have to take out the whole block, it was still pretty dense and a lot had to move and come out to replace it. And that’s still relatively “simple” compared to today’s cars.
In comparison my 80’s Bronco II, I bought it from my neighbor for $300 and my dad told me I’d fix whatever broke myself if I could. Gave me a service manual that had schematics and layouts of just about every part of that car that was serviceable, and the book wasn’t even that thick considering what it detailed. I was able to pin out some repurposed Christmas lights for the dash in a pinch, and we tore down and rebuilt some component from under the hood ourselves though I don’t recall exactly what now.
Not sure how fair of a comparison that is given how much of what makes that vehicle go is not in that bay, but an example more of what he's talking about...
It's definitely not a hard and fast rule for everything. You'll find older cars with head scratching design and poor engine bays. And newer cars with more room and sensible design than you'd expect. But as a general rule from experience the exceptions seem to be mostly outliers.
It’s definitely hard(er). I’ve found it’s impossible to get any diagrams or (repair shop) manuals for some dirt-common 2000s/early 2010s vehicles, and have been forced to play many a game of ‘trace the wire.’
That's true but YouTube has been a godsend. There's been some mid 2000s cars owned by family or friends I've helped them with (including a transmission swap) where we weren't able to get an entirely satisfactory answer from a service or repair manual but we were almost always able to find several hour videos of random guys on YouTube willing to talk their way through even fairly major jobs and even mention hangups/practical advice for doing it the way the manual wouldn't tell you to but will make the job easier in a home garage setting.
Same. I learned to code as a kid by reading the manual that came with my brother's TRS-80 Model 100 "laptop". The manual contained a complete documentation of the BASIC language that came on the computer. The computer itself, other than a couple simple built-in note-taking and calendar programs, was mainly designed for you to write your own programs for your own use. I remember the first time when I was 8 years old that I got past IF and GOTO and figured out what an array was. Suddenly all kinds of things were possible.
I think the crucial missing thing is being locked into undivided boredom. My mom would be getting her afternoon nap and I couldn't go anywhere so I just walked around the house, opened drawers and cabinets and boxes with old parts, magnets and whatnot and experimented with them. With zero distractions, no internet, no mobile phone, nothing. So either read a book (I read mine many times over) or tinker away. And I am still tinkering, just with software instead, while getting paid for it.
Yep. When I was playing around with Linux, it was pretty much “spend all the time in the world editing config files until things work.” It’s a much different ballgame when you can’t google your boot errors because the only thing that can connect to the internet won’t boot, even when it does you’ll have to futz around in kernel driver source code for your particular brand of external modem, and finally once you’re online Google doesn’t even exist but at least you don’t need it anymore!
I grew up in the 80s and we were strictly forbidden from watching TV. There were no video games in the house. I only got to see Nintendo at friends' houses... and I barely understood how they could get through level after level. Tabletop RPGs were also forbidden. Encouraged: building stuff out of sticks and mud or whatever was in the yard, mandatory reading of history books, chess. In the 80s, my parents viewed computing with equal suspicion to video games. I had to really make a case that what I was doing with BASIC and Pascal and later Hypercard was educational for me... and even then I was restricted to 1 hour per day on the family computer. But I had this 16K TRS80-100 that no one considered a game or a threat... and I was already dialing BBSs at 300 baud and getting kicked off after the parents were asleep.
Um. So I've told this all to friends and girlfriends, and often they say "oh wow you were really abused" or something. I don't really fault my parents, I think it was good for me and my siblings in the end. But boredom is not the thing. Limited resources is the thing. Give a mind the ability to make the most of limited resources, and the mind will always find things of interest to stave off boredom. Boredom is the province of those with nothing to think about when not being stimulated. That's why "people who get bored are boring," as my ex used to say.
There's definitely some truth to that. Consider the demoscene, where wildly creative stuff is typically made under certain limitations. For example, demos where the executable + resources is only 64kb [0] or 4kb [1] are often full of surprising creativity. That and of course demos made for primitive systems (by today's standards) like C64 [2] or Commodore Amiga [3].
I think that is true. When we didn't have access to a proper football at school, we took used notebook papers, made a ball out of it, put that in several layers of small plastic bags (for water proofing) and tightened that in with a thick string looped to cover the surface. It served perfectly as football for a bunch of noisy kids and was easily replaceable.
Likewise, I found a studio tape recorder in a shop once (silver metal, so probably 80's or 90's era), it came with the manual which was mostly just electrical schematics so that you could both figure out exactly how it works, and figure out how to repair or replace components of it.
I think a lot of the older cars either came with or were easier to buy the shop manuals. Those will tell you how to do basically everything. You can still get them for modern cars, but they're $100-250. Even then, many procedures require specialized equipment that most individuals do not have.
TBF digital access and lookup is a far better solution for troubleshooting as opposed to gaining a holistic understanding of the car as an entity. It's more StackOverflow, less 'Inside Macintosh'.
More to the point, as cars evolve to digital control and signalling systems with associated firmware, the problems are increasingly diagnosed via the OBD or CAN-BUS and rectified at e.g. an Engine Management System level rather than at a mechanical level. This necessitates up-to-the-minute sources of truth detailing the various firmware versions, caveats and advisories - much more suited to a digital medium and distribution channel.
The Haynes manuals for newer stuff were generally trash but at least they provided information in the same format and order as every other Haynes manual so they were useful for that.
That's a fun analogy to think about. One side of it holds up: People don't know how to pop their hood now because they don't need to.
But on the other hand, cars before the 1990s were infinitely simpler to grok and to fix than modern vehicles. The learning curve was much gentler, and really no specialized knowledge was required. Changing the timing on your engine was easier than putting together an Ikea cabinet. Now it requires specialized equipment.
The opposite is true of computers. It has never been easier to snap together a cross-platform app to do almost anything than it is today. Friendly scripting languages, APIs for access to every kind of sensor and data imaginable, and devices fast enough to run terrible code at reasonable speeds. Almost everything you would have had to do from scratch by hand in the 1980s has been done for you; a huge amount of coding now is just plug and play. And basically everyone in the first world has access to the necessary equipment to write their own code.
> It has never been easier to snap together a cross-platform app to do almost anything than it is today
Software engineering is weirdly harder today than it's ever been in many domains.
A cross platform app might have to support iOS, iPadOS, MacOS, Android, Windows, Linux and the Web. Music and Video apps might additionally have to support various flavours of vehicle and TV platforms too.
On the server side your friendly scripting language will probably be running in a venv in a container on a VM on a cloud. Or potentially just a venv locally keeping the containerisation for the cloud.
Back in the day, emails could be sent from my computer to your computer if I knew your IP address. Nowadays my email won't get past your spam filters unless I buy and warm up a reputable domain on a respectable IP address and adhere to the correct content standards. The precise rules for these aren't documented anywhere.
> Back in the day, emails could be sent from my computer to your computer if I knew your IP address. Nowadays my email won't get past your spam filters unless I buy and warm up a reputable domain on a respectable IP address and adhere to the correct content standards. The precise rules for these aren't documented anywhere.
Funny enough, the ease of running a mail server and sending email back in the day is probably why it’s so scuffed these days. Email did hit a weird overcorrection though that never evened out, whereas everything else seemed to either standardize or die off (rip the days of telnet’ing into a random domain and being able to actually do things)
> People don't know how to pop their hood now because they don't need to.
You don't need to figure how to create your own note taking/list making/accountancy software, you just open your favorite/default search engine, write the query and get a plethora of options, for nearly any platform under the sun, because all of the work has already been done, as you pointed out in your last paragraph.
It's in a section called "do-it-yourself maintenance" that's pretty much entirely just topping off fluids. It doesn't even include instructions for replacing the battery.
Just asking coz whenever I try to talk about what computers could already do or when something was invented in the 1960s or 1970s I tend to start with "well 40 years ago..." and then I look at the calendar and notice that it's 2025 and I'm officially old now and 40 years ago was more like 60 years ago.
And my car in 2005 definitely had no such thing and it wasn't a 2005 model.
I never thought about that, but it's true. My dad and every guy his age in my hometown can talk about cars nonstop. They'll go on for hours about changing the oil, messing with the transmission, or whatever (I don't know what they're saying--I'm a millennial and I'm used to vehicles that Just Work™).
Meanwhile, my friends and I can go on about the most banal computer stuff and my parents have no clue what we're talking about or why it's interesting to us. Kids probably don't either.
I saw someone joke that there's only one generation in the history of mankind that knows how to set the time on a microwave. Our parents couldn't do it. And now our children can't do it.
[Millennial take] When older generations say "the kids these days are so good with computers", it's because they are incorrectly inferring competence from confidence. In a way, the kids are more capable, but mainly because of attitudes rather than knowledge.
The devices the (grand-)kids are using are much more explorable and idiot-proofed. Nobody is going to make a single "dd" typo and erase their drive.
> Nobody is going to make a single "dd" typo and erase their drive.
Alas, how does one learn if one cannot dd the wrong hard drive, wiping all the films you've spent most of the summer illegally downloading at night because you only had a dial up connection at the time.
I am very lucky that my youthful years were the mid 90s, when mp3s were still too slow to encode and DVD didn’t exist. I got to accidentally wipe or crash drives on purely experimental computers.
You've never truly lived until you've had to recover an accidentally-wiped LUKS header to find that one semester-long final project buried in the depths of your computer's filesystem that's due tomorrow, where of course you never bothered to back it up anywhere :)
Perhaps these purported "itoddler" peers of ours were on to something, after all...
Definitely. I recently taught a class with a practical computer component and many undergraduates seemed to have a hard time understanding where their files were saved -- even at a GUI level, not talking about the command line. But it makes sense if their primary tech experience was with phones and tablets. The idea of a file system may never have occurred to them (even if most phones and tablets really run a UNIX-derived OS behind the scenes).
So true. Fortunately I had my kids (well one of them anyway) recently complain to me about how their teachers "don't know anything about computers" and how they "cheated" by using actual computer software that was much better than the "mandatory to use" software on the school tablets.
> (even if most phones and tablets really run a UNIX-derived OS behind the scenes).
Key phrase being "behind the scenes", iOS completely obscured the concept of files to its users for a long time. I don't remember how downloading files off of a website worked though.
Which is wild to me. My high school offered a technology course that included NET certification testing sponsored by Cisco. Our final was to set up a local network on hardware, leave the room, and come back in to troubleshoot whatever the teacher broke. She would change three things - it might be a typo in your DNS records, a barely loose cable between two bridges, or a wiped hosts file, etc. We knew the OSI model and understood IP masking and shakes fists at cloud (computing)
We have the “get a job in tech because it pays well” generation entering the workforce. They have no passion, no true interest in the field. Thankfully, they’re pretty easy to spot in interviews.
GenZ also grew up in an era where doing anything mildly interesting on a computer risks getting expelled and having the feds called. The shit I did to learn my trade as a kid would absolutely not fly today.
In high school (2000) I had a course where I downloaded some (freely available) videos for my project. The wrong person caught wind and hauled me in under the computer policy that everyone signed that said “I promise not to download anything”. I made my case that it was 1) condoned by my teacher, 2) relevant to my project, and 3) literally going to websites downloads files (cookies were just stored in a folder back then, as well as temp files for caching) so everyone is in violation.
Had they actually found out about the fact that we bypassed security measures on a bootable CD-ROM that allowed us full system access, including a nifty Visual Basic launcher to install Quake and GTA, or that we figured out every computer used VNC and they all had the same password stored in plaintext in the registry (which we accessed via that bootable media), or that we figured out the same password accessed every networked printer in the county so we could print our school’s logo on that week’s rival school’s printers in barely off-white ink…they’d have had a good case.
> Had they actually found out about the fact that we bypassed security measures on a bootable CD-ROM that allowed us full system access, [...] or that we figured out every computer used VNC and they all had the same password stored in plaintext in the registry (which we accessed via that bootable media)
Hey, sounds familiar!
Our school district had a policy that all new computers went to the high schools, then when those aged out and were replaced went to the elementary schools. They wanted iMacs for the elementary schools. That meant that for a couple years our high school had to have iMacs.
Of course literally everything we were trying to do, all the courses and curriculum, etc were built around Windows. So all of them were set up to dual-boot... Which is to say we didn't even need to haul in any bootable media.
Rebooted into mac, which had absolutely no respect for NTFS file permissions, and copied the SAM registry hive off. Took that home, ran the password hash through a cracker and a day later had the local admin password that was shared among all of the computers in the school.
It too was mostly used for running GTA.
There was also that time with a little light B&E and doing some network cabling under the cover of night. Though I think there's technically no statute of limitations on that so that's probably enough said.
Well - kind of. PC gaming is bigger than ever before, and PC gaming was how a lot of my generation got into computers.
My nephew for a while was very much one of those "grew up on devices" kind of kids - until he got off of gaming on phones and tablets, and got a gaming PC. Now he's reading about technology and tinkering and stuff.
It's not the same. Nowadays you press a button in Steam and the game is installed for you and just works. It does not provide an entrance into technical layers like configuring the soundblaster irq in config.sys did.
> My IRQ conflict resolution skills or knowledge about himem.sys aren't really useful these days.
Your ability to meticulously solve a problem using a systematic troubleshooting approach is always useful. You just happened to hone the skill w/ IRQ conflicts and himem.sys.
Agreed. And while what we did to get into the details and discover are different some kids still do.
Heck I did the same. Dip switches galore. Did I know what an IRQ actually is on the OS level while solving IRQ conflicts as a kid? Heck no! Only years later when I no longer needed to did I understand what those actually are/were.
The today equivalent of learning about autoexec.bat and config.sys to not load the cdrom driver because else this one game wouldn't start because it did not have enough memory is figuring out what's behind the Steam "Start" button and where the games "live" and how you can get what you want instead of doing everything through steam.
The kids that are the today equivalent of us in the old days do exist.
That hasn't changed. Of course there are pre builts but there were twenty years ago, too. I should know -- I had one. I built my third gaming PC myself.
I think coding skills don't lag as far behind with those who enjoy coding. It's a hell of a lot easier to learn and more accessible than it ever was. Plus applications like modding make learning fun.
It's more systems, networks, OS fundamentals... i.e. how you pull all the pieces together and make them work especially among your "non-technical" user set.
I code more for fun now, because the proliferation of higher end languages and libraries for practically everything drastically reduces the time to that first "wow cool!" moment.
Many older games are shipped in a full DOSBox setup with preconfigured config.sys. The question is whether there is any will to "conquer the past" and poke around, or not.
> It does not provide an entrance into technical layers like configuring the soundblaster irq in config.sys did
All that did was result in extreme frustration. My knowledge of creating game-specific boot disks to eke out 1k more memory did nothing for my ability to write software, except perhaps to appreciate having more RAM and good UX.
I've seen both sides- my nephew is large into PC gaming, but is woefully unaware of how to operate a computer in most capacities. I only realized this when trying to help him troubleshoot and realizing he didn't really understand the concepts of archives or even folders.
I don't even know how that's possible because he plays modded versions of some of his games- how you get by without knowing how a zip file works at the surface level is a mystery to me lol.
I don't know if it's a "uses tech" issue or just not realizing the steps needed. Even we knew you had to go to the campus gate to meet Dominos after dark (when the gate would be automatically closed).
There was no fancy intercom ability to remotely open it.
I realized this while working as a tutor for programming students at my college back in 2013... When people would ask or say they didn't know or understand really basic computer things (I can't remember what it was) I still showed them what they were, but I realized, not everyone grew up with computers the way I did. Some explore, but most people don't necessarily explore.
I think people who grow up with computer games have a lot more exposure than normal users. Smartphones somewhat made computers irrelevant for most people.
I noticed that even the generation that came after me (I was born in the 70s) produced IT engineers with a bit less skills because they've never had to mess with stuff. People these days are afraid to mess with the Windows registry even. I used to manually patch blocks together when I deleted a file by mistake.
These skills are getting less and less useful though now that everyone is happy to give up their privacy to big tech in return for something that 'just works' :(
"with lower baseline computer / computer security skills than people think they have."
I fear this is true with most life skills. Things are easier and it seems kids today are just handed more stuff. The freedoms and expectations in many areas are lower. Kids don't grow up due to age, they grow up due to experience. It seems we are pushing that farther down the road with each generation.
Yeah, I know someone who works in a high school and the average skill level is "struggles to figure out how to save a document on a USB stick". Kids know how to press the power button on an Xbox or tap an icon on their iPhone. The staff member I know is aware of ONE kid in the entire school who has used Linux. When I was a kid, basically every single kid who had a computer at home (and actually used it) knew how to defrag the hard drive (and probably install Windows lol), set IRQ values for their sound card, all that kind of stuff -- because you had to know this to even use it. My friends and I went on BBSes and later stuff like IRC and Hotline, ran Linux or pre-release versions of our respective OSes, set up our own bedroom LANs and personal game/web servers, etc. etc.
Indeed, as you say, I learned a lot about computers simply by wanting to circumvent the limitations that school admins put on the computers (especially as I wanted to utilize the full power the computers provided, as opposed to some sheltered/limited experience -- "At Ease" -- surprisingly reminiscent of smartphones/tablets today)... I went to great lengths to regain net access when my parents repeatedly revoked my access, again another huge learning opportunity.
I think we technical people have wrong perceptions of the past. When I was young, family members would say 'ah you know everything about computers, I can't get this (illegal) copy of game x working, please help.' 99 percent of people did NOT know how to resolve IRQ conflicts or even know that 'my documents' is just a folder on the C drive.
I know what you mean, but I'm also specifically calling out the "percentage of homes with computers" and their respective technical literacy.
My friends and I, as kids, knew "everything" about computers and how to operate them, and there was this base level of knowledge that pretty much every computer-owning kid had.
I remember one friend figured out himself how to hex-edit his WarCraft 1 save files, this would have been at the age of 10 or 11, with zero instruction/guidance from parents or anything. I'd be impressed today if you found a singular kid in an entire high school who can hex-edit anything, let alone game saves, despite probably every single household of every student in that school having at least one personal computer, if not more.
Simultaneously, there's an important aspect that computers and the software for them are more abstract than ever, so "hex editing" is a pretty obscure thing for someone to have any reason to do.
Regardless, being able to save the currently-open Microsoft Word document to the USB stick one just inserted is pretty much the bare minimum of technical literacy I expect from anyone who has a computer at home -- yet this is apparently not the case. I'm talking like, even on a Mac, students couldn't figure it out.
My conclusion here is that, as many people lament, there was a spike in time where computer enthusiasm was a real thing, where a relatively high % of kids wanted to "know everything about computers", but now computers are normal and boring and most people see them as "thing to launch game/chat/web on", for better or for worse (and for a wide variety of reasons).
But we're talking about the current generation of "technical people" - CS students who don't know what a file system is. Or a command line. Or a compiler.
There are some Minecraft superbrains doing incredible things, but the median level of experience and insight seems much lower.
Ahh, the modern version of the written note under the keyboard...
In my area, there is a universal access key (physical) for postal service and newspaper delivery people. So if you want access to a random building, all you need to do is apply as a newspaper delivery guy, or, find one that is willing to give you that master key. To add insult to injury, that type of job is extremely low paying, so much room for abuse.
Fact is, locks and closed doors are there to make the owners feel cozy and safe. If you ever needed a locksmith service and watched them do their job, you know your apartment door is just a prop.
When I lived in town, on a street that was somewhat common for people to walk down, twice (that I know of) someone had walked up, tried to open my door, then walked off after finding it locked. The amount of work to break into that house was quite minimal, but apparently a locked door did help.
That's not true. They raise the bar above the bare minimum. Lots of crimes are ones of opportunity. A gate is the difference between 0 effort and some effort. It makes it a bit harder for a petty thief to cruise through and find low hanging fruit.
I didn't propose to leave your door unlocked. It was a cynical take on how much hurdle most locked doors are when someone is determined to get access. Maybe I am that cynical because I attended a lockpicking tutorial once (CCC Camp summer 2003, fun with tech at 37C temperatures, good old times), and as a tech person with some interest in security, learnt my share about social engineering (mostly to protect myself).
You can just go over to Amazon, search for "pentesting keys" and for the price of a decent dinner you can order oodles of master keys for most everything out in public. Elevators, police and fleet cars, mailboxes, file cabinets, RV external storage compartments, lift gates, tractors, electrical panels, toilet paper dispensers, etc.
Modern apartment building. Low rise. Full visibility of courtyard. Cycle gone missing with a baby seat attached. Nothing anyone can do about it. How did they get the key, who let them in, how did they manage to pry open the lock in full visibility? I was seething for a week. But somehow I knew this wasn’t really that big a security challenge for the thief.
I bet you could examine the keypad for wear. The worn keys (or the shiny ones) are the ones for the code.
In the days before cell phones, a burglar alarm would dial the alarm company. The phone company likes to install the phone box on the outside of the building. The alarm is defeated by an axe to the cable going in the box.
I had a fight with the phone company at my house, as I wanted the box on the inside rather than the outside. They finally agreed on the condition that I maintain the wire to the box.
These days, of course, the alarms use wifi or a cell phone to call the alarm company.
That only works if there's a single code? I would think many keypad systems assign a code to each apartment (so the one written on the side is not a master key, just Joe in #303).
I've definitely worked somewhere they tell all the users they have individual codes, not to share them, and if there is unauthorized access it can be traced who leaked their code. Everyone gets told the same story and given the same code.
Do your alarms not have an actual - you know - alarm? Or won't the alarm go off if it can't phone home first?!
Here in the UK the alarms make a noise as the absolute minimum. Getting one that is "monitored" by a call center is not standard, especially one that calls the cops if it goes off or a panic button is pressed.
You can get those of course, but it costs extra. I pay something like £40-50 a month for the panic button service that will summon the police, but even then the police won't be summoned if just the alarm goes off without a panic button getting pressed (you can get that, but it is even more expensive)
In my area of London, burglary is a virtually abandoned trade.
Anyone with anything of value works from home at least part of the week. Why risk entering someone's actual house when you can make easy money on drugs, fraud, crypto, bicycle theft, phone snatching, or umpteen other hustles I don't even know about.
Bicycle theft especially. You could easily clear a grand or two a week with zero fear of prosecution.
Unfortunately if you live in a nice area, they assume everyone has a Rolex collection or loads of jewellery just hanging around. If nothing else they'll take the keys to your cars.
There's enough bandwidth to go around nowadays that alarms can send regular keepalives (which doesn't mean all of them do).
If the keepalives stop coming without a proper disarm signal, a fault is raised.
Some old alarms had a weaker version of this, where they would dial the security company whenever the door was opened, and then again when the alarm was disarmed. If the second call didn't come in time, the company would instantly know that something was up.
This protected against thieves that would enter the house and smash the alarm before it had time to activate.
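The two supervision schemes described in the comments above (periodic keepalives, and the older door-open call followed by a disarm call) can be sketched from the monitoring station's side. This is an added example, not code from the thread or from any alarm vendor; the message names, timing constants and event log are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed timing values for this sketch; real panels and receivers differ.
KEEPALIVE_INTERVAL = 60   # seconds between heartbeats from a panel
MISSED_BEFORE_FAULT = 3   # tolerate short network drops before raising a fault
ENTRY_DELAY = 45          # seconds allowed between door-open and disarm


@dataclass
class PanelState:
    last_seen: float
    armed: bool = True
    offline_reported: bool = False
    entry_deadline: Optional[float] = None


class Supervisor:
    """Monitoring-station side: alerts are driven by messages that never arrive."""

    def __init__(self):
        self.panels = {}
        self.alerts = []

    def tick(self, now):
        """Evaluate every deadline that has passed by `now`."""
        for pid, st in self.panels.items():
            # Door opened while armed, and no disarm arrived in time. This fires
            # even if the panel was destroyed right after reporting the door.
            if st.entry_deadline is not None and now > st.entry_deadline:
                self.alerts.append((st.entry_deadline, pid, "ENTRY_NOT_DISARMED"))
                st.entry_deadline = None
            # Keepalives stopped without a prior disarm signal.
            limit = st.last_seen + KEEPALIVE_INTERVAL * MISSED_BEFORE_FAULT
            if st.armed and not st.offline_reported and now > limit:
                self.alerts.append((limit, pid, "LINK_LOST_WHILE_ARMED"))
                st.offline_reported = True

    def handle(self, ts, pid, kind):
        """Process one message; any message proves the link is alive."""
        self.tick(ts)
        st = self.panels.setdefault(pid, PanelState(last_seen=ts))
        st.last_seen = ts
        st.offline_reported = False
        if kind == "ARM":
            st.armed = True
        elif kind == "DISARM":
            st.armed = False
            st.entry_deadline = None
        elif kind == "DOOR_OPEN" and st.armed:
            st.entry_deadline = ts + ENTRY_DELAY


# Constructed event log: (seconds, panel id, message kind).
EVENTS = [
    (0, "A", "ARM"), (60, "A", "KEEPALIVE"), (120, "A", "KEEPALIVE"),
    (150, "A", "DOOR_OPEN"), (170, "A", "DISARM"),        # resident comes home
    (0, "B", "ARM"), (60, "B", "KEEPALIVE"),              # line cut after t=60
    (0, "C", "ARM"), (60, "C", "KEEPALIVE"), (120, "C", "KEEPALIVE"),
    (130, "C", "DOOR_OPEN"),                              # panel smashed after entry
]


def replay(events, end_time):
    """Feed events in time order, then advance the clock to end_time."""
    sup = Supervisor()
    for ts, pid, kind in sorted(events):
        sup.handle(ts, pid, kind)
    sup.tick(end_time)
    return sorted(sup.alerts)


if __name__ == "__main__":
    for alert in replay(EVENTS, 600):
        print(alert)
```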
If you have 4 unique digits, otherwise it gets even easier.
However, for a 6-digit combination, you'd have to try out 720 combinations in the worst case, so that's already quite a bit less feasible. Although given enough time...
It's far simpler than that. Every gated community I've ever visited, press any digit 4 times. You're in. The only exception is a community with a security guard. The guy obviously isn't just going to let some guy not on the guest list in.
There's a door at work I regularly need to access. It used to be used for another purpose but now is just an extension of the work area. It's got a badge reader and simplex lock but I can't get badge access because I don't actually belong to that work area yet I'm there every day anyway. However, someone wrote the simplex lock code on a sign in very small numbers for this exact purpose. Other simplex locks in the building use the default code you can find online. The whole building is secure so you'd never be able to walk up to these doors without proper credentials, they are mostly just there to keep out the curious or someone looking to borrow tools that they shouldn't.
Look like you belong and act confident and you can get nearly anywhere. Props help-- wear a high-vis vest and a hard hat, carry a tablet / folio / clipboard around an office, etc.
The point isn't really for these communities to be Fort Knox. It is understood that if someone really wants to get in they will get in, similar to how if someone really wants to break into your house they will do it regardless of what brand of lock you have on your front door.
People live in gated communities because of what the gate represents – a very clear sign telling you and everyone else passing by that you don't belong here.
In a similar vein, 0911 or 9111 will often work too for communities in the US. EMS and other first responders run into the same issue with automated calls or panicked people, so they’ll try that first while waiting for dispatch.
That code was also used at our (EMS) depots to secure the controlled drugs as well, as if none of us could have guessed it.
My parents live in a very upscale country club community down in Florida and their gate security is laughable. They assign every household a 4 digit code to enter the community. Given how many homes are in this community, entering any 4 digit code > 1000 and < 2000 will work.
My girlfriend lives in an upscale, gated community. Her HOA has done the exact opposite. They change the gate code weekly as a way to "protect" themselves from this situation. However, it's kinda had the opposite effect - tailgating has become totally acceptable, even the norm, as people can't keep up with the gate code changes. Amazon drivers usually just sit outside for a minute or two, then tailgate into the neighborhood.
The only gated communities / apartment complexes I've ever seen where that was not normal are a subset of the ones that have an on-duty guard - specifically the subset with guards who recognize all the occupants and take the information of anyone they don't recognize.
Her community is not guard-gated, but it's extremely snooty/snobby. A number of years ago, before the weekly gate-code changes, the HOA started doing annual code changes on Halloween. Why Halloween, you might ask? Because the service staff of the community (landscapers, house cleaners, etc.) had the audacity to bring their children/grand-children to the neighborhood to trick-or-treat. Residents felt the service staff was just trying to guilt them into giving candy. Keep in mind, all these residents are multi-millionaires, mostly retirees, and they were bitching about having to spend 5 bucks in candy to make children happy.
It's an over generalization. The other way the story goes is that the big house with the long driveway in my neighborhood is the one that gave out king sized candy bars on Halloween.
My townhouse HOA decided it was totally worth money to replace our fob system with a system that's deliberately incompatible with Homelink. They claimed without evidence that used car sales were a severe security risk.
Nevermind that you can wave any conductor under the gate to trigger the egress wire loop sensor, or just wait a minute or two for someone else to go through. From 6AM to 10PM the other gate is simply open, too.
Now I have to pay more for crappier fobs with worse range. It's deeply disappointing.
A route book or note is already an assumption drivers need to have some method to quickly get through gates. Where it missed out was there are even more efficient solutions to the problem. That's because of not knowing all of the options, not because of assuming drivers just have a lot of spare time to kill so must like the slower and more complicated option.
Why are College campuses the bane of existence for your friend?
Because college kids write codes on the side of access panels? Wouldn't that make life easier for your friend as a delivery driver?
Because college kids don't write codes on the side of access panels? If so, why does your friend describe them as not smart? Isn't it smart to avoid writing codes?
Their routers only have this feature because the internet providers who sell those routers pay for bandwidth themselves lol. If residential internet plans sold on a pay-per-byte basis you can bet routers’d still ship with non-unique passwords.
Oddly enough, these default unique passwords usually are in the format of word+word+digit+digit+digit. If you look up the model, it won't take long to find the word list they use and can trivially bruteforce it.
So even then, I'd recommend changing it, or push for these companies to provide generated passwords with a much larger key space.
Yep! But the admin password is paramount. Often it's trivial, and necessary to add your device to WiFi. The true danger in our https land is what your admin can do,
Oh speaking of which. A lot of places I rented on holidays had internet access with that default unique password. Which is a pain to type on your phone and laptop when you get there.
Did anyone think to at least try to add OCR-ing those labels on our phones to automatically enter the wifi password?
On Android User A taps on the wifi they are connected to and gets a QR code, and User B taps on the icon for scanning wifi QR codes, so one tap each once you are in your wifi settings.
On iOS, the guest attempts to connect and anyone with them in their contacts list is prompted to share. The common use case of a friend visiting is very simple. If you want to share a different network, there's a similar flow to the Android one:
A lot of inns and B&Bs in tiny towns etc. have these complicated passwords that seem like overkill. You're probably right that they're some sort of default. Even if they're not 12345, it seems as if they could be something pretty simple and that would be fine.
How do you change the label on the router that got installed 8 years ago and is working fine? Especially since the owner of the cabin in the woods that you just rented for the weekend is into ... renting cabins in the woods, not geekery.
> have these complicated passwords that seem like overkill. You're probably right that they're some sort of default.
It is the default. If you find their router you'll find that overkill password printed on a label on the bottom. More enlightened ISPs give you extra stickers with the same info that you can put on the fridge or somewhere like that.
The manual clearly says you need to press the "do not explode" button if you don't want the car to explode. It is conveniently located under the rear seats.
Viscount has hilariously bad security. I used to live in a building in Toronto that used Viscount infrared fobs for access control. They were no more secure than TV remotes; no rolling codes, no encryption, nothing. An attacker could easily sit nearby with an IR receiver and collect everyone's fob codes at a distance, allowing access to all floors.
This was 30 years ago, so I'm sure a lot has changed since then. I was a missionary and the way we got into buildings in Toronto to knock on doors was to just pick the last name with the most letters from the directory, buzz them, and when they answered, we would just say "pizza delivery" and 95% of the time they buzzed the door open.
It'd be nice if missionaries weren't such hypocrites. Claiming to be the pizza guy when you're actually selling magic underwear is bearing false witness.
Technically it depends on the interpretation of "עֵ֥ד" and "בְרֵעֲךָ֖" whether that commandment is admonishing against telling any lie, just lies in court when making a legal accusation against another person, or somewhere in between.
Even if we accepted the premise that one book should be the basis of all morality, this one contains within itself contradictions, satire, sarcasm, and a community context we no longer have: with individual quotes I can make anyone look like a hypocrite.
To my mind the more interesting question is, does a singular community condemn a behavior in out-group members that they tolerate or even praise in in-group members?
Yes. The inevitable rejection is the point. It reinforces the otherness of the outside world, creating more separation from non-believers and stronger connection and devotion to the cult.
Yes. I'm no longer a Mormon, but I baptized around a dozen people on my mission and they were all found from knocking on doors. But this was also thirty years ago, before the internet was a thing for most people.
Exactly. This article should be titled "I figured out a really obtuse way to break into apartment buildings."
A rock will get the job done in a fraction of the time.
It's like all those nobodies on HN who go through all kinds of software gymnastics to secure their phone against imaginary "threat actors," when a mugger is just going to keep twisting their arm behind their back until they enter their PIN.
This is way better than a rock. It raises no suspicion and leaves no trace. Maybe it doesn’t matter for burglary, as you’re probably going to take things anyway, but if you want access without anyone knowing you were there this is gold.
In a lot of modern buildings the elevator will not let you up to any floor unless you've been admitted, so the rock won't do you much good unless you also use it to smash the lock on the elevator control panel and override the security there.
Wait, what? You have to point a powered device at an IR receiver and press a button like a TV remote? I've never seen a building entry system like that!
Exactly that, yes! IR receivers outside every exterior door to the building, and IR receivers in the elevators to control access on a floor-by-floor basis.
The fobs were visible by an IR camera (including the average smartphone) and could trivially be decoded as a short bit sequence with an IR sensor wired into a microphone jack, as the bit pattern was transmitted at ~audio rates.
There was a time where somebody in SF had figured out the admin access code to older apartment intercoms (I believe they were manufactured by Linear and maybe other companies too). These intercoms would call the programmed-in phone number whenever you type in the apartment access code at the door.
So what they did is add a new fake tenant with a premium 1-900 number and used the intercom to call it, earning themselves a bit of cash. Naturally, landlords had to foot the bill.
That sounds like a fairly open/shut case of fraud/abuse if it can be proven.
At my last apartment my LL would only allow a single number per apartment... well I was sharing the apartment with someone else and I was sick of being the only person to get called. 30 seconds of Googling revealed the user manual for the intercom, and of course the default password of "5555" was still set on it...
I programmed both our lastnames and phone numbers to our apartment unit number. I did that in 2014 and I moved out in 2016.
To this day -- NINE YEARS AFTER MOVING OUT -- I am still getting calls whenever someone hits #25 on that intercom.
I did something similar to my high school in the 90s. They had a free student phone in the office. It had long distance blocked on it, but I learned you could circumvent the block using those 1010-321 and other long distance prefixes. Some of them had $5 access fees, billed once, in addition to the per minute rate. I called several of these and prided myself on getting the phone removed from the office for a few months.
Can you elaborate on why having the phone removed was itself a source of pride?
I do appreciate the hacking around aspect, particularly with respect to old phone systems, but having a free student phone removed seems like it would be a bad thing for everyone, no?
The Polish spin on this were unsecured office landlines that used radio for some reason, I don't remember if that was for cordless handsets or just an access technology.
People would walk around big cities, usually on Friday evenings, radio scanner out, trying to find one of these. They would then dial a premium-rate number, preferably on more than one line. In most cases nobody would realize that something was up until Monday morning, and if they had a way to disconnect the calls before then, not until the bill came.
You could do similar shenanigans with unsecured PBXs or insecure answering machines that had a "call my mobile if somebody leaves a message" feature.
This is the kind of thing where responsible disclosure is really very important.
Let's say you're a woman. A woman who lives in one of these apartment complexes. A woman with a stalker. A stalker who has threatened to kill you, multiple times. Who has shown up at your apartment, but was rebuffed by the building security.
One day you wake up and find out that a "security researcher" found a way that anyone in the world can get into the building at any time, in addition to looking up who lives at each address. And it turns out the security researcher waited only two months (including over christmas break) to try to resolve the issue in a way that would not leave the existing buildings exposed.
If I were that woman, and something happened to me as a result of this disclosure, and assuming I was still alive, I would, at a minimum, sue the shit out of that security researcher.
Tbh if someone's determined to kill you, enough to look up CVEs and so on on your security system, they might as well wait by the door to brick you in the head when you inevitably come out. It's even better for them since you're bound to be less armed than at home surrounded by kitchen knives, tools, chairs, etc.
> assuming I was still alive, I would, at a minimum, sue the shit out of that security researcher.
If you wanted to stay alive you'd be wise to think twice about going after people who go out of their way to inform you that the security you are dependent on is not doing its job. You'd be much better off instead going after the company who was negligent enough to create the system with such obvious flaws or the landlord who subjected you to it without even bothering to read the manual.
The alternative is that researchers will stop telling the public when they aren't safe and you stay ignorant while some attacker spends the 15 minutes it takes to find and try the default password.
The person who disclosed this was right to get the information out as widely as possible as quickly as possible because, as you said, some people are likely depending on those locks for their safety. Thankfully everyone who learns that this product has made them vulnerable can now take measures to protect themselves accordingly.
We'd probably agree that there could have been better ways to disclose this, ways that made it instantly clear that this product was putting people in danger, while also not making it quite as easy for others to repeat the attack, but in this case you can bet that trying the default password was going to be high on the list of things people would try anyway. I think it's extremely unlikely that this security researcher was the first it.
The most important thing is letting as many people as possible learn about their risk so that vulnerable people can protect themselves ASAP and so that the negligent company/landlord feels a lot of pressure to fix the situation as quickly as possible. If you make security researchers think twice about doing that you'll only allow yourself/others to come to harm. Ignorance really isn't always bliss.
I'm disappointed you're downvoted. I know a woman who is in the exact situation you describe (sans hacker); their ex-husband has made threats to her life and has made attempts to act on those threats. She's extremely privacy sensitive as a result.
You are right. But remember you can be sued for anything, and further remember that suing someone doesn't mean you have good cause to win.
So it stands to reason that a white hat hacker who, in good faith, publicly releases information in an attempt to get things fixed shouldn't face negative repercussion.
But they should face consequences if they were irresponsible, regardless of intention.
If you found the nuclear launch codes, and you're pretty sure nobody else has found them, should you wait a week and then release them, because you had a good faith interest in exposing this hole? No, of course not, that'd be insane. What one should do in that situation is wait, and try to get the codes changed. You shouldn't wait forever, because someone else might find them. But you also should wait for as long as you reasonably can, because of how severe the risk of releasing is.
This risk analysis is the calculus of responsible disclosure. Any ethical security researcher should err on the side of avoiding harm, making every effort to ensure the disclosure doesn't harm unnecessarily. For most researchers, that means waiting more than 2 months over a holiday season, even if it was just a bug in a javascript library or something. Knowingly exposing the privacy and security of thousands of people is pretty fucked up, imo. I'm pretty sure they could have come up with a half dozen different ways to try and get the issue resolved, if not through the company directly, then through individual apartment complexes, law enforcement, etc.
Looking at this closer, it's actually worse than I originally thought. You can see what time everyone comes home every day, what their weekly routines are. So you know when they're gone, so you can rob their house. Or you know when they come home, so you know when you can attack them. This is fucking chilling.
The author contacted the current and former vendors, got a flippant answer, asked again, and was ghosted for two weeks.
I see here a desire for a random person to accept a staggering amount of your personal responsibility. Anyone under long-term active threat without defense-in-depth redundancy isn't someone I can save by waiting longer before disclosure. I am frankly amazed you expect so much from a stranger for so little benefit.
It is fucking chilling -- that the publisher would do this, in the first place, and blow him off now, too.
Why don't YOU pick up what you said, and start contacting apartment buildings and police? How many of those half-dozen ways you mentioned will YOU act upon?
> But they should face consequences if they were irresponsible, regardless of intention.
Intention is important.
If their intention is to highlight that a problem exists, then sure. They should be forced to participate in resolution (at the very minimum). As for liability? No, that definitely belongs on the owners of the insecure devices.
If their intention is to show to "the bad guys" where the spots are vulnerable? Then yes, they are partly culpable.
Again, being a good samaritan (showing that a problem exists) should NOT make you liable for the problems that already existed.
> you also should wait for as long as you reasonably can
That word, "reasonably", is loaded. I think waiting a couple of months is perfectly reasonable when being stonewalled by other parties, especially the owner.
> that means waiting more than 2 months over a holiday season
Yup, sure, because thieves definitely don't operate during holiday season. And please ask Russia and the US to hold off on their nuclear war. It's called Nuclear Winter, but that doesn't mean it has to happen during Winter, right?
> This is fucking chilling.
The problem existed before the announcement was made. You think it was chilling before? Just imagine that nobody who was capable of fixing it didn't know about the problem. So it could be abused without anyone being the wiser. That is fucking chilling. It's chilling that people would be more upset about the announcement and less upset about the apartment building owners not fixing the problem in the first place. That is fucking chilling.
I downvoted, because they wanted to create sympathy with a victim, and to achieve that, they made it a woman. What is the takeaway from that? I'm out of charitable explanations.
> because they wanted to create sympathy with a victim
I did not read that at all. I read that they wanted to discuss a problem that might need addressing. That's a normal part of conversation.
> to achieve that, they made it a woman
First, gender doesn't matter here. It's far more telling that you'd jump to conclusions about gender instead of thinking just a little bit further about who or why.
Second, if you were a person who read any books or paid attention to the speech of both sexes, you'd realize that the gender expressed in a conversation piece often reflects the person speaking or the person in action. Again, gender (who) doesn't matter here.
Third, women are often in situations where their livelihoods are threatened. Men are too, but not nearly as often as women are (why).
> What is the takeaway from that? I'm out of charitable explanations.
We can discuss your lack of imagination if you want.
I can't find your argument in that wall of personal attacks. I guess your nick checks out. Maybe some day you'll find a princess to save, but it will surely not be me.
Many many many years ago I worked at basically an MSP for telcos on the helpdesk. So customers would call their telco or isp for help and that would be routed to us. Anyways this one small isp with idk 10k customers had deployed their routers to customers with the default username/password and remote authentication enabled. A single script from a bad actor logged into all of the routers, changed credentials, and iirc updated dns settings so they lost internet, phone, tv. Cue 10k people calling as we had to basically walk through everyone one by one on changing the credentials and updating their config.
Sort of, they changed it to a different username password that was the same on every box. So it wasn't easily findable from the internet but the same issue could have potentially happened again.
After watching a lot of tv series, my non techie wife has come to the conclusion that real life systems are trivial to hack : just click ‘skip password’, or ‘password override’, or just use ‘password’ as a password.
Google's own browser phones home with the URLs you put in it, presumably for malware scanning or some other "security"-excuse reason.
I don't remember if there was a setting to stop that from happening, or if there was, whether the setting may still exist today, but that would be a good way for them to get otherwise-private URLs.
Breaking into an apartment building in 30 seconds without a phone:
Carry a brown paper (food delivery) bag. Stand by the intercom pretending to press buttons. When someone comes in or out, tailgate behind them and say "thanks". 9 out of 10 times they'll even hold the door open for you.
> Default credentials that “should” be changed, with no requirement or explanation of how to do so. Surely no building managers ever leave the defaults, right? And even if they did, they’d surely have no reason to expose this thing to the Internet, right?
My theory is this is one of the reasons so many internet-of-things devices nowadays omit any sort of offline/local network control.
No default passwords, no ports you can forward without knowing what you're doing, all the credentials sorted out on a cloud server.
I don't want some complicated random password. At least where I live, my router password is a very modest security shim to protect against very random casual access. If I have a visitor who needs WiFi access, I want to give them an easy password to type in.
So change it afterwards. Good defaults are important. If someone doesn't change it, it's important that they be on the right path instead of...this one.
You can always change the passwords. I was bringing this up as a solution to the default passwords issue. You don't want to have a static default password used by everyone, so you need the initial password to be randomized. People are dumb so you need to print it on the device. There is no need to default to cloud-based authentication to close the default password security hole.
If it's too hard for a guest to type in a password, you can also have them join by scanning a QR code. Obviously this works better for phones and tablets with QR scanning built into the camera, but that's what guests are frequently using.
It doesn't have to be complicated. A random passphrase can be much simpler and include significantly more entropy: four to six words plus a six-digit number. Any password generator worth a damn can generate something like this.
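To put numbers on the two schemes discussed in this thread, the word+word+three-digit label format and the "four to six words plus a six-digit number" passphrase, here is an added example (not from any commenter or vendor) that computes their entropy and generates a passphrase with a CSPRNG. The 2048-word vendor list size and the tiny demo word list are constructed assumptions; 7776 is the size of a diceware-style list such as the EFF large wordlist.

```python
import math
import secrets


def scheme_bits(wordlist_size, n_words, n_digits):
    """Entropy in bits when every word and digit is drawn uniformly at random."""
    return n_words * math.log2(wordlist_size) + n_digits * math.log2(10)


def min_words_for(target_bits, wordlist_size, n_digits):
    """Smallest number of words that reaches target_bits for a given list size."""
    remaining = target_bits - n_digits * math.log2(10)
    return max(0, math.ceil(remaining / math.log2(wordlist_size)))


def generate_passphrase(wordlist, n_words=4, n_digits=6, sep="-"):
    """Random passphrase: n_words words followed by an n_digits number."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("duplicate words shrink the real keyspace")
    # secrets uses the OS CSPRNG; random.choice would be predictable.
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    number = "".join(secrets.choice("0123456789") for _ in range(n_digits))
    return sep.join(words + [number])


def compare_schemes():
    """Entropy of each scheme, rounded to one decimal place."""
    return {
        # Assumption: the vendor draws from a published 2048-word list.
        "label: 2 words + 3 digits (2048-word list)": round(scheme_bits(2048, 2, 3), 1),
        "passphrase: 4 words + 6 digits (7776-word list)": round(scheme_bits(7776, 4, 6), 1),
        "passphrase: 6 words + 6 digits (7776-word list)": round(scheme_bits(7776, 6, 6), 1),
    }


# Constructed demo list, far too small for real use; it only shows the output
# format. A deployment would load a list with thousands of words.
DEMO_WORDS = [
    "amber", "basil", "cedar", "delta", "ember", "fjord", "grove", "heron",
    "inlet", "juniper", "kelp", "lumen", "mesa", "nectar", "opal", "pebble",
]

if __name__ == "__main__":
    for name, bits in compare_schemes().items():
        print(f"{bits:6.1f} bits  {name}")
    print("words needed for 80 bits:", min_words_for(80, 7776, 6))
    print("sample:", generate_passphrase(DEMO_WORDS))
```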
No device comes off the shelf with OpenWRT. If you're the type of person that's aware of OpenWRT and then install it, it's not that far of a stretch to think you'd also be the type to know to check the password.
GL-inet devices come off the shelf with OpenWRT. They don't have a blank password. Every single one ships with 'goodlife' as the default password, as printed on the label on the back.
I am only thinking of a router with OpenWRT installed. Nothing about a wifi router with OpenWRT has anything to do with a door access device installed by a trained technician or not. The conversation only pertains to the words used, not the unwritten ones you're trying to insert in between the lines of my comment to make a totally unrelated point
i worked as an engineer in an industry that required on-site access to buildings all over manhattan, some residential. all you have to do is hit a couple random buttons on the intercom and 100% of the time one of them would just buzz the lock
This is pretty much all it takes in any western country. Some areas might require a little more effort but nothing substantial.
In fairness, the blame for this kind of enabling attitude is mostly attributable to me locking myself out of the building and having to buzz my long suffering neighbours at all kinds of ungodly hours. Proud moments.
Could you also lock out specific residents? Or get their daily home arrival patterns for the last few years? Or find unused flats to squat in? IoT still wins. :)
We laugh at Hollywood movies where the protagonist calls his hacker sidekick and says "get me into this building. quick." and the friend goes "one sec. done." and click! the door opens.
Try going to YouTube and look for The Lock Picking Lawyer or McNally. Both are really skilled lock pickers, but the majority of the locks they review and demo do not require anything near their skill level to break. Half of all padlocks seem to be susceptible to comb picking, which requires zero skill.
It was apparently never difficult to break into buildings, physical security has always been pretty poor. Unless you have an armed guard patrolling your property, there's no real reason to believe it secured beyond the fact that most people weren't going to break in anyway, or simply can't be bothered.
I was once investigating an uptick of telnet traffic, when I came across something that looked like a pppoe router web interface.
For shits and giggles, I decided to try admin/admin, and to my surprise, I was logged into this device with full control.
I immediately logged out, but I could have easily changed the password or changed their configuration, knocking them offline...
I'm sure there are legal issues surrounding that, and I have no idea what kind of devices connected to the thing, but you'd be surprised how much random internet junk is out there with default credentials.
I would say this is highly irresponsible of the researcher to expose this publicly. These are people’s homes, along with their PII and locations. The residents didn’t choose this system, their building just uses it. They don’t even know that their info is being leaked, nor that the doors to their places were just rendered neutered.
I think this falls under responsible disclosure guidelines. A lot of times companies refuse to fix misconfiguration issues like these, and users/customers deserve to know. Not publishing it is security by obscurity, you're just hoping that a bad actor doesn't figure this out (or hasn't already figured this out).
If something bad is done by a bad actor because of this vulnerability being discussed in public, that's no worse than something bad happening because this vulnerability exists but is only discussed in secret.
This is not some highly-technical vulnerability only accessible to nation-states with genius engineers and million-dollar labs with exotic instrumentation and brute-force supercomputers pulling down many megawatts of power. The OP literally logged into an open Wifi SSID, searched for the text on the page, and scrolled to the default password. None of those steps are hard to do; any jealous ex or disgruntled employee or divorced parent fuming in the parking lot for 5 minutes could effortlessly accomplish the same thing.
I honestly think it's likely that bad things have already happened due to this vulnerability - but not due to this disclosure.
But because it was only discussed in secret, no one ever got to the root cause of the issue and the hazard continued to be out there. Now that it's public, hopefully something will be done, and relatively quickly.
Not shining a spotlight is worse. The important thing is providing time to address the found vulnerability, ie. responsible disclosure. For which OP has indeed provided a timeline.
The debate has long since been settled comprehensively in favor of openness.
I don't know why you picked a random date 2 weeks before publication instead of the relevant one:
> 2024-12-27: Current vendor of MESH identified as Hirsch (subsidiary of Vitaprotech Group) and contacted
They were contacted 7 weeks before publication
and
> 2025-01-11: Hirsch product security responds requesting details and are asked if they intend to alert clients
They responded 5 weeks before publication, and so were aware of the issue for at least 5 weeks before it was disclosed, during which time they did nothing about it.
The only recourse for what problem? Aren't there other plausible creative ways to apply pressure and get it fixed, with less risk to the people unwittingly at mercy of this vendor's negligence?
Or are you speaking of the transactional convention, in which people can break into systems, and then are entitled to publicity for that, so long as they give the vendor advance notice?
The whole responsible disclosure convention seems an imperfect compromise, among various imperfect actors. On occasion, individuals might decide that other options are more appropriate to the specific situation, and to Perfect Tommy it.
I strongly disagree. You’re literally putting people’s lives and possessions at risk who have no knowledge of this. There are many alternative methods, from getting the government involved to giving a very long lead time to the vendor before you disclose this, to sitting on it and never disclosing.
The information is already sitting on Google for anyone to find, vendor doesn't give a shit.
Best to get it out there, at least if you're stuck in one of these buildings you can log in and change the admin password yourself till your building management does something about it.
Software vendor and building manager are putting people's lives at risk.
Can't software coders ever take responsibility? And this is on the programmer who implemented this, too. You just don't let your product manager do this, ever. It's 2025 already.
And this is a security product, wtf? Residents should be suing individual programmers here. OWASP was created 24 years ago. Default credentials is like number 1 on their IoT app security list. Only a moron would not defend against this. If your manager requires this, you just send him:
I second this. Just because it feels right to them as "I've reported it, It's not on me anymore...", doesn't mean he should enable bored people to revoke access cards, jam elevators, etc.
Criminals were already enabled to do that, and the people in those buildings had no way to know.
The more-responsible thing might have been to also reach out to residents of individual buildings & give them time to correct the situation, rather than relying on the company (which has a vested interest in ignoring the problem) to do the right thing. But security through obscurity is not a solution.
That depends on the individual's weighing of the various factors and their personal moral position. If someone wants to prevent a bunch of easy break-ins where the method of entry won't get noticed in most cases, and they feel that the discomfort of denying access for a bit (impacting hundreds of people perhaps) outweighs the trauma of being robbed (maybe impacting just a few), then doing that might be the only morally defensible position to take. For all we know they actually are planning to hammer the open installations until they get fixed to prevent the bigger harm.
Other people will shrug and move on after trying everything they can via the proper channels.
And then of course there are the assholes who will just do it because it entertains them.
It's all very educative and makes a point until you read a news story about someone dying because ER couldn't get there in time. The road to hell is paved with good intentions hits hard here.
That too has a chance of happening associated with it. Lacking a convenient table to look up the chance of that happening (and its impact), and the chance of a break-in caused by an open admin panel causing irreparable harm, there is nothing left to do but weigh the chances as best as one can.
Many people will choose to do nothing in that case, but not everyone will accept that inaction which might lead to bigger harm is preferable to action which might lead to another possible negative outcome, but at a much smaller chance.
(It's basically that dumb trolley meme, but with undetermined outcomes.)
Every choice we make can have an adverse effect on others. Take the car today instead of walking? You just might cause an ambulance to be delayed leading to an unfortunate death. The chance of that happening is negligible of course, but not absent (it never is).
Such ridiculous laws. The real crime here is that the software vendor lets people use the software without creating a new password. Even that is suspect, since I bet most people's password would be 1234 anyway. So really they should force people to set up passkeys to access the system. Or, cut out the setup, and just send them a couple of USBs which allow them to access the system.
This "manufacturer" is not doing its due diligence in any way, shape, or form. They are the ones who should face jail time for not implementing bare minimum security practices.
The idea that the guy revealing a complete lack of security is committing a crime is like saying a guy informing someone that they're naked is guilty of forcibly stripping that person. Or that telling someone there's a giant red button that drains the landlord's bank account is guilty of pressing it. Maybe they should remove the giant red button?! Or at least put it in a locked room?
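The first-login gate this comment asks for, sketched as an added example (not code from the thread, the researcher or any vendor): a hypothetical `AdminPanel` accepts its factory password only to reach the change-password step, and refuses the default or a common password as the replacement. The class, the action names and the `FACTORY_PASSWORD` value are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed placeholder, not any vendor's real default credential.
FACTORY_PASSWORD = "factory-default"
# Tiny constructed deny-list; a real deployment would use a much larger one.
COMMON_PASSWORDS = {"1234", "12345678", "password", "admin", "letmein123456"}
MIN_LENGTH = 12


def derive(password, salt):
    """Slow salted hash so a stolen credential store is costly to brute-force."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def password_problem(candidate):
    """Return why a new password is unacceptable, or None if it is fine."""
    if hmac.compare_digest(candidate.encode(), FACTORY_PASSWORD.encode()):
        return "new password is the factory default"
    if candidate.lower() in COMMON_PASSWORDS:
        return "new password is on the common-password list"
    if len(candidate) < MIN_LENGTH:
        return f"new password is shorter than {MIN_LENGTH} characters"
    return None


class AdminPanel:
    """Hypothetical panel that ships with a factory password (assumption)."""

    def __init__(self):
        self._salt = os.urandom(16)
        self._hash = derive(FACTORY_PASSWORD, self._salt)
        self.setup_complete = False  # flips only when the default is replaced
        self._sessions = set()

    def login(self, password):
        """Return a random session token, or None on a wrong password."""
        if not hmac.compare_digest(derive(password, self._salt), self._hash):
            return None
        token = secrets.token_hex(16)
        self._sessions.add(token)
        return token

    def authorize(self, token, action):
        """Until setup is complete, a valid session may only change the password."""
        if token not in self._sessions:
            return False
        if not self.setup_complete:
            return action == "change_password"
        return True

    def change_password(self, token, new_password):
        if not self.authorize(token, "change_password"):
            raise PermissionError("not authenticated")
        problem = password_problem(new_password)
        if problem:
            raise ValueError(problem)
        self._salt = os.urandom(16)
        self._hash = derive(new_password, self._salt)
        self.setup_complete = True
        self._sessions = {token}  # invalidate every other open session


if __name__ == "__main__":
    panel = AdminPanel()
    session = panel.login(FACTORY_PASSWORD)
    print("unlock_door before setup:", panel.authorize(session, "unlock_door"))
    panel.change_password(session, "maple-Quartz-lantern-42")
    print("unlock_door after setup:", panel.authorize(session, "unlock_door"))
    print("factory login after setup:", panel.login(FACTORY_PASSWORD))
```

The point of the design is that a panel left on its factory password exposes nothing but the password-change form, so "the installer never changed it" cannot translate into door or resident-data access.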
I just tried it (via Tor) and was able to get into the first 5 that duckduckgo found. Someone had been there before me and (apparently) changed names of things. (I looked but didn't touch.)
The more I look at electronic access systems for buildings, the more I appreciate a manual lock that takes multiple minutes to pick and makes the intruder create a large noise or light signature while doing so.
If I'm reading this correctly, is this just the "public" areas of apartments, and not the doors to the actual suites themselves? There's a huge difference between getting access to those two.
Even with just the public area, you can still:
- Steal packages
- Access storage areas and bike lockers
- Walk down the hall and check which doors aren't locked
- Smash the coin-operated laundry machines and steal the money
- Just wait for someone to open their door
(All of which happened in an apartment building I lived in a few years ago)
> 2025-01-29: Hirsch replies stating that these vulnerable systems are not following manufacturers’ recommendations to change the default password
this is why i like the 'secure by design' or 'secure by default' responsibility being put on connected product providers, e.g. EU CRA and implied in US M-22-09.
i am always fearful of unintended consequences of regulation like this, but it does seem necessary in today's world.
Jesus. The whole system seems to have been designed to maximise the damage that can be caused with minimal effort.
Why are these admin pages web findable? Why is there a public database of them? Why have they tried so hard to make it so accessible? Why is there no security? Arrrrrgggh.
You can get in the building with a bit of social engineering. I live in an apartment complex. Put on a DHL or Dominos cap and nobody cares.
It's your front door lock that is the real barrier.
Nowadays you don't even need that. Just carry a brown paper bag. Every mid-large sized building gets a food delivery every 5 minutes, and no one looks twice.
Interesting story but a CVE for this is a bit melodramatic and why no one takes security folk seriously (cry wolf too many times).
OpenWRT ships with no password at all (!) with full root access on default install. The situation is the same: they politely suggest you change it from the default (blank) password but do not force you to do so.
By this logic every OpenWRT install (and many other softwares) dating back many years should be subject to CVE.
I assume you have to be on that network to access the login. I'm 95% sure the UI/admin is not accessible to the internet by default... but also, yes that shit should be way better. Even Comcast and other ISPs have done better than this for a decade or more now.
Rode with a guy to visit a friend in a gated community. We didn't know the access code for the gate but the guy I was with is an Amazon delivery driver.
"Let's see if I can't get us in," he said. He got out of the car, walked over to the access panel and looked on top, bottom and sides. Then he punched in some numbers and the gate opened.
Turns out, so many people in gated communities and apartment complexes order things from Amazon, and other delivery services, and want front door delivery but don't give them any way to get in. Eventually, some frustrated driver who gets the code will write it on the side of the access panel to help everyone out.
"Apartments are awful," he said. "College campuses are the bane of our existence. You would think that college kids would be smart about these things but they are the absolute worst."
> "College campuses are the bane of our existence. You would think that college kids would be smart about these things but they are the absolute worst."
This is a huge misconception about GenZ. Unlike Millennials and GenX, who had to hack around on PCs to figure out how to torrent, run games, build our own LANs for local multiplayer, and generally avoid our parents' prying eyes, GenZ has grown up on devices. You don't modify the OS on devices. You don't hack around on devices; apps tend to just work with little configuration. GenZ is entering the workforce with lower baseline computer / computer security skills than people think they have.
Same I just was talking with my daughter (16) about this because she hated her intro programming class in high school. No biggie if it isn't for her, slightly disappointing that I can't share knowledge, but she should pursue what she enjoys.
What irked me was she claimed "I just hate being on the computer", but her screen time on the phone easily crests 8 hours daily. Maybe we are just entering a similar phase to auto mechanics. In the 1950s anyone who owned a car was at least somewhat proficient in its inner workings, now many people need to consult the manual to figure out how to pop their hood.
There's a reason for that. I ran across a video recently that talked about how his dad would replace an engine over the weekend. But then he showed what the old cars looked like under the hood (very simple with lots of empty space) and new cars (very complicated). More importantly, he showed the manuals that came with the car. The old car's manual showed how the engine was put together and explained what everything did, and how to rebuild it. The new manual was only full of warnings and told you to take it to the dealer for everything.
Think about how I (and probably you) learned computers. My IBM PC has a manual that has a page just to show where the power switch is and how to use your hand to flip it. It has a diagram for what the keyboard cable looks like when it's plugged in correctly. It continues on and on and tells you how to open it and what the dip switch settings do. People always thought I was a computer wiz kid when all I ever did was read the manuals and try out what they said.
The empty space in older cars is definitely a big contributor to how much simpler it was to work on them. Plenty of project cars I owned or worked on that had more than enough room in the engine bay to actually STAND inside between the frame and engine with the engine / wiring / hoses still present and both feet planted on the ground.
Much less daunting and convenient to work on an engine or replace a part when you don't have to take off (and potentially break) a million other parts to get at what you want to replace and you actually have the room to see what you're doing instead of blindly groping around for something vaguely shaped like something you've only seen a picture of.
That and the absolute sheer amount of electronics in modern cars. Older cars had the absolute bare minimal amount of wiring to the point that it was entirely plausible to more or less keep the wiring schematic in your head and even (speaking from experience) redo the entire wiring harness front to back on your own with a few different colored rolls of wire from a hardware store yourself.
I can't imagine how people getting into the hobby now with newer cars feel looking at the unholy mess of endless amounts of wiring, sensors, mechanical parts all jammed together in tightly packed space efficient layouts probably designed by someone purely working on them in a digital space. On the bright side at least they have youtube and better resources on the Internet to look up how to actually do something though.
I’m comfortable doing mechanical work and when my Honda Fit said I had to remove a shitload of parts just to replace a spark plug I said fuck it and traded it in.
I've had a knee-jerk reaction to that job too. But realistically optimizing spark plug changes isn't really important like the old days where you needed to change them every 10k miles or less. It's maybe 2-3 times in the entire life of the car.
Removing the wipers and windshield cowl is generally easy, just takes some extra time. Dealers/mechanics charge for time, not difficulty. So that simple 2hr job can easily be 500-600+. Still something that could be a rewarding Saturday morning project for someone who likes doing DIY type stuff.
Friend has a Fiat 500 which had to have the engine removed to access the AC compressor to change it. Cost her $3000. Mostly labor.
My brother had to have something (AC fan?) replaced and it involved removing the entire dash. I've seen photos of this and it looks like the car exploded.
Some fan in my (late 90s) Taurus wagon was buried behind a bunch of stuff in the engine area and while we didn’t have to take out the whole block, it was still pretty dense and a lot had to move and come out to replace it. And that’s still relatively “simple” compared to today’s cars.
In comparison my 80’s Bronco II, I bought it from my neighbor for $300 and my dad told me I’d fix whatever broke myself if I could. Gave me a service manual that had schematics and layouts of just about every part of that car that was serviceable, and the book wasn’t even that thick considering what it detailed. I was able to pin out some repurposed Christmas lights for the dash in a pinch, and we tore down and rebuilt some component from under the hood ourselves though I don’t recall exactly what now.
https://www.reddit.com/r/TeslaModel3/comments/r9lfqt/install...
Idk man seems like plenty of space to me. Also comes with service mode which shows all the inner working and status of components:
https://www.notateslaapp.com/news/2046/tesla-service-mode-ho...
Not sure how fair of a comparison that is given how much of what makes that vehicle go is not in that bay, but an example more of what he's talking about...
A relative drives an old truck. This is more or less his engine bay: https://www.onallcylinders.com/wp-content/uploads/2014/11/ch...
I've walked into his garage and found him inside the engine bay with a stool, sitting down and working on something.
Whereas I drive a newer car, and this is similar to mine: https://i.redd.it/4ks75mma4pmb1.jpg
It's definitely not a hard and fast rule for everything. You'll find older cars with head scratching design and poor engine bays. And newer cars with more room and sensible design than you'd expect. But as a general rule from experience the exceptions seem to be mostly outliers.
There's basically nothing you can even work on in there though.
Rich Benoit would disagree
https://www.youtube.com/watch?v=NuAMczraBIM
It’s definitely hard(er). I’ve found it’s impossible to get any diagrams or (repair shop) manuals for some dirt-common 2000s/early 2010s vehicles, and have been forced to play many a game of ‘trace the wire.’
That's true but YouTube has been a godsend. There's been some mid 2000s cars owned by family or friends I've helped them with (including a transmission swap) where we weren't able to get an entirely satisfactory answer from a service or repair manual but we were almost always able to find several hour videos of random guys on YouTube willing to talk their way through even fairly major jobs and even mention hangups/practical advice for doing it the way the manual wouldn't tell you to but will make the job easier in a home garage setting.
My Prius requires a proprietary tool to change the oil.
Same. I learned to code as a kid by reading the manual that came with my brother's TRS-80 Model 100 "laptop". The manual contained a complete documentation of the BASIC language that came on the computer. The computer itself, other than a couple simple built-in note-taking and calendar programs, was mainly designed for you to write your own programs for your own use. I remember the first time when I was 8 years old that I got past IF and GOTO and figured out what an array was. Suddenly all kinds of things were possible.
I think the crucial missing thing is being locked into undivided boredom. My mom would be getting her afternoon nap and I couldn't go anywhere so I just walked around the house, opened drawers and cabinets and boxes with old parts, magnets and whatnot and experimented with them. With zero distractions, no internet, no mobile phone, nothing. So either read a book (I read mine many times over) or tinker away. And I am still tinkering, just with software instead, while getting paid for it.
Yep. When I was playing around with Linux, it was pretty much “spend all the time in the world editing config files until things work.” It’s a much different ballgame when you can’t google your boot errors because the only thing that can connect to the internet won’t boot, even when it does you’ll have to futz around in kernel driver source code for your particular brand of external modem, and finally once you’re online Google doesn’t even exist but at least you don’t need it anymore!
"Boredom is the fount of learning and creativity"
But, you must have tools. Some kind of tools.
I grew up in the 80s and we were strictly forbidden from watching TV. There were no video games in the house. I only got to see Nintendo at friends' houses... and I barely understood how they could get through level after level. Tabletop RPGs were also forbidden. Encouraged: building stuff out of sticks and mud or whatever was in the yard, mandatory reading of history books, chess. In the 80s, my parents viewed computing with equal suspicion to video games. I had to really make a case that what I was doing with BASIC and Pascal and later Hypercard was educational for me... and even then I was restricted to 1 hour per day on the family computer. But I had this 16K TRS80-100 that no one considered a game or a threat... and I was already dialing BBSs at 300 baud and getting kicked off after the parents were asleep.
Um. So I've told this all to friends and girlfriends, and often they say "oh wow you were really abused" or something. I don't really fault my parents, I think it was good for me and my siblings in the end. But boredom is not the thing. Limited resources is the thing. Give a mind the ability to make the most of limited resources, and the mind will always find things of interest to stave off boredom. Boredom is the province of those with nothing to think about when not being stimulated. That's why "people who get bored are boring," as my ex used to say.
There's definitely some truth to that. Consider the demoscene, where wildly creative stuff is typically made under certain limitations. For example, demos where the executable + resources is only 64kb [0] or 4kb [1] are often full of surprising creativity. That and of course demos made for primitive systems (by today's standards) like C64 [2] or Commodore Amiga [3].
[0] https://www.youtube.com/watch?v=UCjSG_15kcw
[1] https://www.youtube.com/watch?v=RCh3Q08HMfs
[2] https://www.youtube.com/watch?v=KCmUIcdG5wo
[3] https://www.youtube.com/watch?v=eqnZH7Pa3vo
> Limited resources is the thing
I think that is true. When we didn't have access to a proper football at school, we took used notebook papers, made a ball out of it, put that in several layers of small plastic bags (for water proofing) and tightened that in with a thick string looped to cover the surface. It served perfectly as football for a bunch of noisy kids and was easily replaceable.
Paucity provides the spark for creativity.
I learned BASIC to screw with the demo computers at Sears and set up print loops.
Likewise, I found a studio tape recorder in a shop once (silver metal, so probably 80's or 90's era), it came with the manual which was mostly just electrical schematics so that you could both figure out exactly how it works, and figure out how to repair or replace components of it.
I think a lot of the older cars either came with or were easier to buy the shop manuals. Those will tell you how to do basically everything. You can still get them for modern cars, but they're $100-250. Even then, many procedures require specialized equipment that most individuals do not have.
In some cases you can't even buy them anymore, they want a bloody digital subscription.
I am very fortunate that my local library maintains digital access to useful stuff.
I was stunned to see that Haynes went to that model. I used to have a manual for every car I owned.
TBF digital access and lookup is a far better solution for troubleshooting as opposed to gaining a holistic understanding of the car as an entity. It's more StackOverflow, less 'Inside Macintosh'.
More to the point, as cars evolve to digital control and signalling systems with associated firmware, the problems are increasingly diagnosed via the OBD or CAN-BUS and rectified at e.g. an Engine Management System level rather than at a mechanical level. This necessitates up-to-the-minute sources of truth detailing the various firmware versions, caveats and advisories - much more suited to a digital medium and distribution channel.
The Haynes manuals for newer stuff were generally trash but at least they provided information in the same format and order as every other Haynes manual so they were useful for that.
I replaced the engine on my 1983 Ford Bronco in my driveway year ago. I wouldn't even consider it with a modern car.
That's a fun analogy to think about. One side of it holds up: People don't know how to pop their hood now because they don't need to.
But on the other hand, cars before the 1990s were infinitely simpler to grok and to fix than modern vehicles. The learning curve was much gentler, and really no specialized knowledge was required. Changing the timing on your engine was easier than putting together an Ikea cabinet. Now it requires specialized equipment.
The opposite is true of computers. It has never been easier to snap together a cross-platform app to do almost anything than it is today. Friendly scripting languages, APIs for access to every kind of sensor and data imaginable, and devices fast enough to run terrible code at reasonable speeds. Almost everything you would have had to do from scratch hand in the 1980s has been done for you; a huge amount of coding now is just plug and play. And basically everyone in the first world has access to the necessary equipment to write their own code.
> It has never been easier to snap together a cross-platform app to do almost anything than it is today
Software engineering is weirdly harder today than it's ever been in many domains.
A cross platform app might have to support iOS, iPadOS, MacOS, Android, Windows, Linux and the Web. Music and Video apps might additionally have to support various flavours of vehicle and TV platforms too.
On the server side your friendly scripting language will probably be running in a venv in a container on a VM on a cloud. Or potentially just a venv locally keeping the containerisation for the cloud.
Back in the day, emails could be sent from my computer to your computer if I knew your IP address. Nowadays my email won't get past your spam filters unless I buy and warm up a reputable domain on a respectable IP address and adhere to the correct content standards. The precise rules for these aren't documented anywhere.
> Back in the day, emails could be sent from my computer to your computer if I knew your IP address. Nowadays my email won't get past your spam filters unless I buy and warm up a reputable domain on a respectable IP address and adhere to the correct content standards. The precise rules for these aren't documented anywhere.
Funny enough, the ease of running a mail server and sending email back in the day is probably why it’s so scuffed these days. Email did hit a weird overcorrection though that never evened out, whereas everything else seemed to either standardize or die off (rip the days of telnet’ing into a random domain and being able to actually do things)
but for computers, it's the same
> People don't know how to pop their hood now because they don't need to.
you don't need to figure how to create your own note taking/list making/accountancy software, you just open your favorite/default search engine, write the query and get a plethora of options, for nearly any platform under the sun, because all the work has already been done, as you pointed out in your last paragraph.
> now many people need to consult the manual to figure out how to pop their hood.
Sorry to be the bearer of bad news, but auto manuals haven't included such technical information for close to two decades.
Just checked my 2024 Toyota Rav4 manual, I can confirm it is there.
Page 393.
https://cdn.dealereprocess.org/cdn/servicemanuals/toyota/202...
It's in a section called "do-it-yourself maintenance" that's pretty much entirely just topping off fluids. It doesn't even include instructions for replacing the battery.
Are you sure on your timing?
Just asking coz whenever I try to talk about what computers could already do or when something was invented in the 1960s or 1970s I tend to start with "well 40 years ago..." and then I look at the calendar and notice that it's 2025 and I'm officially old now and 40 years ago was more like 60 years ago.
And my car in 2005 definitely had no such thing and it wasn't a 2005 model.
I never thought about that, but it's true. My dad and every guy his age in my hometown can talk about cars nonstop. They'll go on for hours about changing the oil, messing with the transmission, or whatever (I don't know what they're saying--I'm a millennial and I'm used to vehicles that Just Work™).
Meanwhile, my friends and I can go on about the most banal computer stuff and my parents have no clue what we're talking about or why it's interesting to us. Kids probably don't either.
I saw someone joke that there's only one generation in the history of mankind that knows how to set the time on a microwave. Our parents couldn't do it. And now our children can't do it.
We won't be able to do it either soon, as they will mandate connecting with it through an app and we're like fuck that. (if we're not already there)
I have heard that told with “VCR” in place of microwave. We still have a microwave that needs clock set when power fails. We do not have a VCR.
Only our gen knows how to hook up and how to enter the main menu of a DVD player.
[Millennial take] When older generations say "the kids these days are so good with computers", it's because they are incorrectly inferring competence from confidence. In a way, the kids are more capable, but mainly because of attitudes rather than knowledge.
The devices the (grand-)kids are using are much more explorable and idiot-proofed. Nobody is going to make a single "dd" typo and erase their drive.
> Nobody is going to make a single "dd" typo and erase their drive.
Alas, how does one learn if one cannot dd the wrong hard drive, wiping all the films you've spent most of the summer illegally downloading at night because you only had a dial up connection at the time.
I am very lucky that my youthful years were the mid 90s, when mp3s were still too slow to encode and DVD didn’t exist. I got to accidentally wipe or crash drives on purely experimental computers.
I mean, I'm considered gen Z and I've definitely dd-ed my fair share of drives...
You've never truly lived until you've had to recover an accidentally-wiped LUKS header to find that one semester-long final project buried in the depths of your computer's filesystem that's due tomorrow, where of course you never bothered to back it up anywhere :)
Perhaps these purported "itoddler" peers of ours were on to something, after all...
Definitely. I recently taught a class with a practical computer component and many undergraduates seemed to have a hard time understanding where their files were saved -- even at a GUI level, not talking about the command line. But it makes sense if their primary tech experience was with phones and tablets. The idea of a file system may never have occurred to them (even if most phones and tablets really run a UNIX-derived OS behind the scenes).
So true. Fortunately I had my kids (well one of them anyway) recently complain to me about how their teachers "don't know anything about computers" and how they "cheated" by using actual computer software that was much better than the "mandatory to use" software on the school tablets.
Not all hope is lost.
> (even if most phones and tablets really run a UNIX-derived OS behind the scenes).
Key phrase being "behind the scenes", iOS completely obscured the concept of files to its users for a long time. I don't remember how downloading files off of a website worked though.
It's unbelievably bad.
I know 3rd and 4th year IT/Cybersecurity students that don't understand how to ssh into servers and the different layers of the OSI model.
I hate to sound insufferable, but I really truly believe some people are just too stupid for this field.
I'm so sick of dealing with them.
Yay job security?
Which is wild to me. My high school offered a technology course that included NET certification testing sponsored by Cisco. Our final was to setup a local network on hardware, leave the room, and come back in to troubleshoot whatever the teacher broke. She would change three things - it might be a typo in your DNS records, a barely loose cable between two bridges, or a wiped hosts file, etc. We knew the OSI model and understood IP masking and shakes fists at cloud (computing)
We have the “get a job in tech because it pays well” generation entering the workforce. They have no passion, no true interest in the field. Thankfully, they’re pretty easy to spot in interviews.
GenZ also grew up in an era where doing anything mildly interesting on a computer risks getting expelled and having the feds called. The shit I did to learn my trade as a kid would absolutely not fly today.
Yikes – this GenXer remembers being told the tools found in my account were grounds for expulsion but the meeting ended with employment.
Netbus on a floppy, print out an enticing label and leave them around school. Half the teachers' computers were infected. Good times.
In high school (2000) I had a course where I downloaded some (freely available) videos for my project. The wrong person caught wind and hauled me in under the computer policy that everyone signed that said “I promise not to download anything”. I made my case that it was 1) condoned by my teacher, 2) relevant to my project, and 3) literally going to websites downloads files (cookies were just stored in a folder back then, as well as temp files for caching) so everyone is in violation.
Had they actually found out about the fact that we bypassed security measures on a bootable CD-ROM that allowed us full system access, including a nifty Visual Basic launcher to install Quake and GTA, or that we figured out every computer used VNC and they all had the same password stored in plaintext in the registry (which we accessed via that bootable media), or that we figured out the same password accessed every networked printer in the county so we could print our school’s logo on that week’s rival school’s printers in barely off-white ink…they’d have had a good case.
> Had they actually found out about the fact that we bypassed security measures on a bootable CD-ROM that allowed us full system access, [...] or that we figured out every computer used VNC and they all had the same password stored in plaintext in the registry (which we accessed via that bootable media)
Hey, sounds familiar!
Our school district had a policy that all new computers went to the high schools, then when those aged out and were replaced went to the elementary schools. They wanted iMacs for the elementary schools. That meant that for a couple years our high school had to have iMacs.
Of course literally everything we were trying to do, all the courses and curriculum, etc were built around Windows. So all of them were set up to dual-boot... Which is to say we didn't even need to haul in any bootable media.
Rebooted into mac, which had absolutely no respect for NTFS file permissions, and copied the SAM registry hive off. Took that home, ran the password hash through a cracker and a day later had the local admin password that was shared among all of the computers in the school.
It too was mostly used for running GTA.
There was also that time with a little light B&E and doing some network cabling under the cover of night. Though I think there's technically no statute of limitations on that so that's probably enough said.
The dark ugly places I travelled on IRC or BBS as a youngster. I saw a lot.
Some can still learn in spite of that, however.
Arguably, that's even why some gravitate towards it in the first place.
Well - kind of. PC gaming is bigger than ever before, and PC gaming was how a lot of my generation got into computers.
My nephew for a while was very much one of those "grew up on devices" kind of kids - until he got off of gaming on phones and tablets, and got a gaming PC. Now he's reading about technology and tinkering and stuff.
It's not the same. Nowadays you press a button in steam and the game is installed for you and just works. It does not provide an entrance into technical layers like configuring the soundblaster irq in config.sys did.
It's not the same, but I don't know if it's worse.
My IRQ conflict resolution skills or knowledge about himem.sys aren't really useful these days.
But I've seen genz kids do incredible things with Minecraft mods and the like that make me reminisce about quake modding.
The masses are just blindly using devices, but the masses didn't even have a PC at home 30 years ago.
> My IRQ conflict resolution skills or knowledge about himem.sys aren't really useful these days.
Your ability to meticulously solve a problem using a systematic troubleshooting approach is always useful. You just happened to hone the skill w/ IRQ conflicts and himem.sys.
Agreed. And while what we did to get into the details and discover are different some kids still do.
Heck I did the same. Dip switches galore. Did I know what an IRQ actually is on the OS level while solving IRQ conflicts as a kid? Heck no! Only years later when I no longer needed to did I understand what those actually are/were.
The today equivalent of learning about autoexec.bat and config.sys to not load the cdrom driver because else this one game wouldn't start because it did not have enough memory is figuring out what's behind the Steam "Start" button and where the games "live" and how you can get what you want instead of doing everything through steam.
The kids that are the today equivalent of us in the old days do exist.
(Smile) 30 years ago was 1995, when most people did. You're thinking 1985. Forty years ago.
In 1995 around 1 in 3 US homes had a computer.
Yeah in Canada it looks like about 28% of homes had a personal computer in 1995, according to Stats Canada: https://www150.statcan.gc.ca/n1/pub/56f0004m/2005012/c-g/c1-...
It used to be that if you wanted to do gaming on a PC you started by building the PC.
That hasn't changed. Of course there are pre builts but there were twenty years ago, too. I should know -- I had one. I built my third gaming PC myself.
There were pre builts many years before your 20 years ago too. I used to build my computers myself as well 30 years ago and my dad did 40 years ago ;)
I dunno... My C64 required very little assembly.
I think coding skills don't lag as far behind with those who enjoy coding. It's a hell of a lot easier to learn and more accessible than it ever was. Plus applications like modding make learning fun.
It's more systems, networks, OS fundamentals... i.e. how you pull all the pieces together and make them work especially among your "non-technical" user set.
I code more for fun now, because the proliferation of higher end languages and libraries for practically everything drastically reduces the time to that first "wow cool!" moment.
I'm sure it's the same with young people.
Many older games are shipped in a full DOSBox setup with preconfigured config.sys. The question is whether there is any will to "conquer the past" and poke around, or not.
> It does not provide an entrance into technical layers like configuring the soundblaster irq in config.sys did
All that did was result in extreme frustration. My knowledge of creating game-specific boot disks to eke out 1k more memory did nothing for my ability to write software, except perhaps to appreciate having more RAM and good UX.
I've seen both sides- my nephew is large into pc gaming, but is woefully unaware of how to operate a computer in most capacities. I only realized this when trying to help him troubleshoot and realizing he didn't really understand the concepts of archives or even folders.
I don't even know how that's possible because he plays modded versions of some of his games- how you get by without knowing how a zip file works at the surface level is a mystery to me lol.
I don't know if it's a "uses tech" issue or just not realizing the steps needed. Even we knew you had to go to the campus gate to meet Dominos after dark (when the gate would be automatically closed).
There was no fancy intercom ability to remotely open it.
I realized this while working as a tutor for programming students at my college back in 2013... When people would ask or say they didn't know or understand really basic computer things (I can't remember what it was) I still showed them what they were, but I realized, not everyone grew up with computers the way I did. Some explore, but most people don't necessarily explore.
I think people who grow up with computer games have a lot more exposure than normal users. Smartphones somewhat made computers irrelevant for most people.
Huh never knew that. Kinda good for me.
I noticed that even the generation that came after me (I was born in the 70s) produced IT engineers with a bit less skills because they've never had to mess stuff. People these days are afraid to mess with the windows registry even. I used to manually patch blocks together when I deleted a file by mistake.
These skills are getting less and less useful though now that everyone is happy to give up their privacy to big tech in return for something that 'just works' :(
"with lower baseline computer / computer security skills than people think they have."
I fear this is true with most life skills. Things are easier and it seems kids today are just handed more stuff. The freedoms and expectations in many areas are lower. Kids don't grow up due to age, they grow up due to experience. It seems we are pushing that farther down the road with each generation.
Yeah, I know someone who works in a high school and the average skill level is "struggles to figure out how to save a document on a USB stick". Kids know how to press the power button on an Xbox or tap an icon on their iPhone. The staff member I know is aware of ONE kid in the entire school who has used Linux. When I was a kid, basically every single kid who had a computer at home (and actually used it) knew how to defrag the hard drive (and probably install Windows lol), set IRQ values for their sound card, all that kind of stuff -- because you had to know this to even use it. My friends and I went on BBSes and later stuff like IRC and Hotline, ran Linux or pre-release versions of our respective OSes, set up our own bedroom LANs and personal game/web servers, etc. etc..
Indeed, as you say, I learned a lot about computers simply by wanting to circumvent the limitations that school admins put on the computers (especially as I wanted to utilize the full power the computers provided, as opposed to some sheltered/limited experience -- "At Ease" -- surprisingly reminiscent of smartphones/tablets today)... I went to great lengths to regain net access when my parents repeatedly revoked my access, again another huge learning opportunity.
I think we technical people have wrong perceptions of the past. When I was young, family members would say 'ah you know everything about computers, I can't get this (illegal) copy of game x working, please help.' 99 percent of people did NOT know how to resolve IRQ conflicts or even know that 'my documents' is just a folder on the C drive.
I know what you mean, but I'm also specifically calling out the "percentage of homes with computers" and their respective technical literacy.
My friends and I, as kids, knew "everything" about computers and how to operate them, and there was this base level of knowledge that pretty much every computer-owning kid had.
I remember one friend figured out himself how to hex-edit his WarCraft 1 save files, this would have been at the age of 10 or 11, with zero instruction/guidance from parents or anything. I'd be impressed today if you found a singular kid in an entire high school who can hex-edit anything, let alone game saves, despite probably every single household of every student in that school having at least one personal computer, if not more.
Simultaneously, there's an important aspect that computers and the software for them are more abstract than ever, so "hex editing" is a pretty obscure thing for someone to have any reason to do.
Regardless, being able to save the currently-open Microsoft Word document to the USB stick one just inserted is pretty much the bare minimum of technical literacy I expect from anyone who has a computer at home -- yet this is apparently not the case. I'm talking like, even on a Mac, students couldn't figure it out.
My conclusion here is that, as many people lament, there was a spike in time where computer enthusiasm was a real thing, where a relatively high % of kids wanted to "know everything about computers", but now computers are normal and boring and most people see them as "thing to launch game/chat/web on", for better or for worse (and for a wide variety of reasons).
But we're talking about the current generation of "technical people" - CS students who don't know what a file system is. Or a command line. Or a compiler.
There are some Minecraft superbrains doing incredible things, but the median level of experience and insight seems much lower.
Yeah, younger generations have no clue how to use computers. They just know how to consume content. The level of IT literacy is at all times low.
Ahh, the modern version of the written note under the keyboard...
In my area, there is a universal access key (physical) for postal service and newspaper delivery people. So if you want access to a random building, all you need to do is apply as a newspaper delivery guy, or, find one that is willing to give you that master key. To add insult to injury, that type of job is extremely low paying, so much room for abuse.
Fact is, locks and closed doors are there to make the owners feel cozy and safe. If you ever needed a locksmith service and watched them do their job, you know your apartment door is just a prop.
When I lived in town, on a street that was somewhat common for people to walk down, twice (that I know of) someone had walked up, tried to open my door, then walked off after finding it locked. The amount of work to break into that house was quite minimal, but apparently a locked door did help.
That's not true. They raise the bar above the bare minimum. Lots of crimes are ones of opportunity. A gate is the difference between 0 effort and some effort. It makes it a bit harder for a petty thief to cruise through and find low hanging fruit.
Also for insurance.
It doesn't matter if it took a guy 10 seconds to break your lock, if you didn't lock your house, chances are your insurance won't pay.
I didn't propose to leave your door unlocked. It was a cynical take on how much hurdle most locked doors are when someone is determined to get access. Maybe I am that cynical because I attended a lockpicking tutorial once (CCC Camp summer 2003, fun with tech at 37C temperatures, good old times), and as a tech person with some interest in security, learnt my share about social engineering (mostly to protect myself).
You can just go over to Amazon, search for "pentesting keys" and for the price of a decent dinner you can order oodles of master keys for most everything out in public. Elevators, police and fleet cars, mailboxes, file cabinets, RV external storage compartments, lift gates, tractors, electrical panels, toilet paper dispensers, etc.
One of my favorite talks: https://www.youtube.com/watch?v=a9b9IYqsb_U (Deviant Ollam - This Key is Your Key, This Key is My Key)
Modern apartment building. Low rise. Full visibility of courtyard. Cycle gone missing with a baby seat attached. Nothing anyone can do about it. How did they get the key, who let them in, how did they manage to pry open the lock in full visibility? I was seething for a week. But somehow I knew this wasn’t really that big a security challenge for the thief.
I bet you could examine the keypad for wear. The worn keys (or the shiny ones) are the ones for the code.
In the days before cell phones, a burglar alarm would dial the alarm company. The phone company likes to install the phone box on the outside of the building. The alarm is defeated by an axe to the cable going in the box.
I had a fight with the phone company at my house, as I wanted the box on the inside rather than the outside. They finally agreed on the condition that I maintain the wire to the box.
These days, of course, the alarms use wifi or a cell phone to call the alarm company.
That only works if there's a single code? I would think many keypad systems assign a code to each apartment (so the one written on the side is not a master key, just Joe in #303).
I've definitely worked somewhere they tell all the users they have individual codes, not to share them, and if there is unauthorized access it can be traced who leaked their code. Everyone gets told the same story and given the same code.
Do your alarms not have an actual - you know - alarm? Or won't the alarm go off if it can't phone home first?!
Here in the UK the alarms make a noise as the absolute minimum. Getting one that is "monitored" by a call center is not standard, especially one that calls the cops if it goes off or a panic button is pressed.
You can get those of course, but it costs extra. I pay something like £40-50 a month for the panic button service that will summon the police, but even then the police won't be summoned if just the alarm goes off without a panic button getting pressed (you can get that, but it is even more expensive)
In my area of London, burglary is a virtually abandoned trade.
Anyone with anything of value works from home at least part of the week. Why risk entering someone's actual house when you can make easy money on drugs, fraud, crypto, bicycle theft, phone snatching, or umpteen other hustles I don't even know about.
Bicycle theft especially. You could easily clear a grand or two a week with zero fear of prosecution.
I think general burglary is heading in that direction across the country.
The things people used to pinch like VCRs, stereos, TVs, laptops just aren't as expensive or sellable now.
Unfortunately if you live in a nice area, they assume everyone has a Rolex collection or loads of jewellery just hanging around. If nothing else they'll take the keys to your cars.
Just look at the prices those bring in the thrift store or the pawn shop. I just bought an HD Roku TV for $50.
> These days, of course, the alarms use...
And the crooks use RF jammers instead of axes.
There's enough bandwidth to go around nowadays that alarms can send regular keepalives (which doesn't mean all of them do).
If the keepalives stop coming without a proper disarm signal, a fault is raised.
Some old alarms had a weaker version of this, where they would dial the security company whenever the door was opened, and then again when the alarm was disarmed. If the second call didn't come in time, the company would instantly know that something was up.
This protected against thieves that would enter the house and smash the alarm before it had time to activate.
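An added example, not part of any comment in the thread: a minimal monitoring-station check combining the two schemes described above, keepalive supervision and the older "door opened, then disarmed in time" rule. The event names, the 90-second and 30-second limits and the sample timelines are assumptions constructed for illustration, not any vendor's protocol.

```python
# Monitoring-station side: decide from received signals alone whether a
# panel has gone quiet for a legitimate reason (proper disarm) or not.

KEEPALIVE_TIMEOUT = 90   # assumed: max seconds between keepalives while armed
ENTRY_DELAY = 30         # assumed: seconds allowed from door-open to disarm


def supervise(events, end_time,
              keepalive_timeout=KEEPALIVE_TIMEOUT, entry_delay=ENTRY_DELAY):
    """Replay (timestamp, kind) events and return [(fault_time, fault)].

    kinds: "arm", "keepalive", "door_open", "disarm".
    end_time is "now" at the station when the replay stops.
    """
    armed = False
    last_keepalive = None
    entry_deadline = None
    link_fault_open = False      # avoid re-raising the same outage
    faults = []

    def check(now):
        nonlocal entry_deadline, link_fault_open
        if not armed:
            return               # a proper disarm cancels all supervision
        if entry_deadline is not None and now > entry_deadline:
            faults.append((entry_deadline, "ENTRY_NOT_DISARMED"))
            entry_deadline = None
        if (last_keepalive is not None and not link_fault_open
                and now > last_keepalive + keepalive_timeout):
            faults.append((last_keepalive + keepalive_timeout,
                           "KEEPALIVE_LOST"))
            link_fault_open = True

    for ts, kind in sorted(events, key=lambda e: e[0]):
        check(ts)                # deadlines that expired before this event
        if kind == "arm":
            armed, last_keepalive, link_fault_open = True, ts, False
        elif kind == "keepalive":
            last_keepalive, link_fault_open = ts, False
        elif kind == "door_open":
            if armed and entry_deadline is None:
                entry_deadline = ts + entry_delay
        elif kind == "disarm":
            armed, entry_deadline = False, None
        else:
            raise ValueError(f"unknown event kind: {kind!r}")

    check(end_time)              # silence up to "now" also counts
    return sorted(faults)


# Constructed sample timelines (seconds since arming).
NORMAL_RETURN = [(0, "arm"), (60, "keepalive"), (120, "keepalive"),
                 (150, "door_open"), (165, "disarm")]
PANEL_DESTROYED = [(0, "arm"), (60, "keepalive"), (100, "door_open")]
LINK_SILENCED = [(0, "arm"), (60, "keepalive"), (120, "keepalive")]
LINK_RECOVERS = [(0, "arm"), (60, "keepalive"), (300, "keepalive")]

if __name__ == "__main__":
    for name, timeline in [("normal return", NORMAL_RETURN),
                           ("panel destroyed", PANEL_DESTROYED),
                           ("link silenced", LINK_SILENCED),
                           ("link recovers", LINK_RECOVERS)]:
        print(name, supervise(timeline, end_time=600))
```

The point of the design is that the decision is made at the receiving end from the absence of signals, so nothing done to the panel or its link after arming can suppress the fault.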
These days, alarms use quantum entanglement. Beat that :)
I set the Fires of Gondor.
> I bet you could examine the keypad for wear. The worn keys (or the shiny ones) are the ones for the code.
That still doesn't give you the order of the key strokes.
But it drastically reduces the number of plausible key strokes, so you might just give your luck a try.
Right. If it's 4 digits, you have 432 combinations. Exhaustive search then works.
If you have 4 unique digits, otherwise it gets even easier.
However, for a 6-digit combination, you'd have to try out 720 combinations in the worst case, so that's already quite a bit less feasible. Although given enough time...
It's far simpler than that. Every gated community I've ever visited, press any digit 4 times. You're in. The only exception is community with a security guard. The guy obviously isn't just going to let some guy not on the guest list in.
Gated communities around me have 2 lanes, one with a sensor activated gate for residents and a guest lane next to the guard hut
If it's busy and you pull up in a nice enough car and just wait in front of the sensor gate looking annoyed, the guard will eventually just let you in
911 or 9911 is usually a good shot too.
There's a door at work I regularly need to access. It used to be used for another purpose but now is just an extension of the work area. It's got a badge reader and simplex lock but I can't get badge access because I don't actually belong to that work area yet I'm there every day anyway. However, someone wrote the simplex lock code on a sign in very small numbers for this exact purpose. Other simplex locks in the building use the default code you can find online. The whole building is secure so you'd never be able to walk up to these doors without proper credentials, they are mostly just there to keep out the curious or someone looking to borrow tools that they shouldn't.
> The whole building is secure
Given what you just said and the article you're commenting under, are you sure?
Anyone wearing a maintenance uniform and carrying a step-ladder could surely find a way in via an overly helpful victim.
Look like you belong and act confident and you can get nearly anywhere. Props help-- wear a high-vis vest and a hard hat, carry a tablet / folio / clipboard around an office, etc.
Confidence is the key, though.
You also have to fit a certain expected demographic.
Sadly, yes-- that's true. It's a game of playing to stereotypes, for sure.
The point isn't really for these communities to be Fort Knox. It is understood that if someone really wants to get in they will get in, similar to how if someone really wants to break into your house they will do it regardless of what brand of lock you have on your front door.
People live in gated communities because of what the gate represents – a very clear sign telling you and everyone else passing by that you don't belong here.
In a similar vein, 0911 or 9111 will often work too for communities in the US. EMS and other first responders run into the same issue with automated calls or panicked people, so they’ll try that first while waiting for dispatch.
That code was also used at our (EMS) depots to secure the controlled drugs as well, as if none of us could have guessed it.
My parents live in a very upscale country club community down in Florida and their gate security is laughable. They assign every household a 4 digit code to enter the community. Given how many homes are in this community, entering any 4 digit code > 1000 and < 2000 will work.
My girlfriend lives in an upscale, gated community. Her HOA has done the exact opposite. They change the gate code weekly as a way to "protect" themselves from this situation. However, it's kinda had the opposite effect - tailgating has become totally acceptable, even the norm, as people can't keep up with the gate code changes. Amazon drivers usually just sit outside for a minute or two, then tailgate into the neighborhood.
The only gated community / apartment complexes I've ever seen where that was not normal are a subset of the ones that have an on-duty guard - specifically the subset with guards who recognize all the occupants and take the information of anyone they don't recognize.
Her community is not guard-gated, but it's extremely snooty/snobby. A number of years ago, before the weekly gate-code changes, the HOA started doing annual code changes on Halloween. Why Halloween, you might ask? Because the service staff of the community (landscapers, house cleaners, etc.) had the audacity to bring their children/grand-children to the neighborhood to trick-or-treat. Residents felt the service staff was just trying to guilt them into giving candy. Keep in mind, all these residents are multi-millionaires, mostly retirees, and they were bitching about having to spend 5 bucks in candy to make children happy.
Isn’t that usually how the rich stay rich? Does this really seem too surprising?
In my experience, and I’m generalizing a lot, the less people have the more generous they tend to be.
It's an over generalization. The other way the story goes is that the big house with the long driveway in my neighborhood is the one that gave out king sized candy bars on Halloween.
Considering the origin of trick-or-treating and Halloween customs, that carefree night of fun for kids sounds more like a protection racket.
They're doing a great job of "protecting" themselves from feeling anxious about Bad Things somehow happening.
For an all-too-large fraction of humanity, that's the "protection" which actually matters.
And of course, the gated communities have 6 ft high walls that any 8 yr old could climb over.
My townhouse HOA decided it was totally worth money to replace our fob system with a system that's deliberately incompatible with Homelink. They claimed without evidence that used car sales were a severe security risk.
Never mind that you can wave any conductor under the gate to trigger the egress wire loop sensor, or just wait a minute or two for someone else to go through. From 6AM to 10PM the other gate is simply open, too.
Now I have to pay more for crappier fobs with worse range. It's deeply disappointing.
I was under the impression that delivery drivers had a book or something with these codes.
Like, the HOA just like calls the delivery companies and says "hey, here's a code to get in"
Missed the stories about these guys shitting in the backs of the trucks and vans for lack of time to do their jobs, eh?!
A route book or note is already an assumption drivers need to have some method to quickly get through gates. Where it missed out was there are even more efficient solutions to the problem. That's because of not knowing all of the options, not because of assuming drivers just have a lot of spare time to kill so must like the slower and more complicated option.
This is often left to USPS, UPS, and DHL drivers to figure out on their own.
You folks are living in a fantasy land.
No wonder it's considered socially acceptable to order multiple Amazon deliveries in a week....
Why are College campuses the bane of existence for your friend?
Because college kids write codes on the side of access panels? Wouldn't that make life easier for your friend as a delivery driver?
Because college kids don't write codes on the side of access panels? If so, why does your friend describe them as not smart? Isn't it smart to avoid writing codes?
I assume it's because they don't give the drivers the access code when they order
Here in our building they just ring the doorbell, there's always someone letting them in without even checking.
Unfortunately that caused several burglaries too including in my flat :( my alarm scared them off but still..
> Hirsch replies stating that these vulnerable systems are not following manufacturers’ recommendations to change the default password
These manufacturers’ recommendations are not acceptable. They should mandate a non-default secure password before allowing the system to be used.
Even my parents & grandparents modems/routers each have a unique password printed on the bottom! There's just no excuse for this.
Their routers only have this feature because the internet providers who sell those routers pay for bandwidth themselves lol. If residential internet plans sold on a pay-per-byte basis you can bet routers’d still ship with non-unique passwords.
Nah, it's to deflect customer support contacts. Which often in the case of ISPs, results in a truck roll which is hugely expensive.
It's also the law in the EU.
Oddly enough, these default unique passwords usually are in the format of word+word+digit+digit+digit. If you look up the model, it won't take long to find the word list they use and can trivially bruteforce it.
So even then, I'd recommend changing it, or push for these companies to provide generated passwords with a much larger key space.
German fritzbox routers (the most common non-isp routers here, and actually very capable) have a fully random password
Idk in Romania routers come with random passwords.
https://imgur.com/a/x915ZfO
function generatePassword() { // comply with Romanian regulations return "gaGc52eP" }
This function doesn’t evaluate, something something expected expression of }, premature end of file.
I know you're making a joke but it's just HN formatting not respecting single line breaks in comments.
HN supports code format using spaces in front
That's usually the wifi password, not the admin password.
Yep! But the admin password is paramount. Often it's trivial, and necessary to add your device to WiFi. The true danger in our https land is what your admin can do,
Oh speaking of which. A lot of places I rented on holidays had internet access with that default unique password. Which is a pain to type on your phone and laptop when you get there.
Did anyone think to at least try to add OCR-ing those labels on our phones to automatically enter the wifi password?
> Did anyone think to at least try to add OCR-ing those labels on our phones to automatically enter the wifi password?
You can do that easily on iOS, I'd be surprised if Android didn't allow it as well...
Tap in the password field, tap Autofill from the popup, and tap Scan Text.
Slightly off topic, but sharing WiFi passwords on iOS is so very user friendly.
How does it work in iOS?
On Android User A taps on the wifi they are connected to and gets a QR code, and User B taps on the icon for scanning wifi QR codes, so one tap each once you are in your wifi settings.
On iOS, the guest attempts to connect and anyone with them in their contacts list is prompted to share. The common use case of a friend visiting is very simple. If you want to share a different network, there's a similar flow to the Android one:
* Go to Wi-Fi in the Passwords app
* Select the Wi-Fi network you want to share
* Share Network QR Code
So they know when you're trying to access a wifi network?
If you are near them, yes.
A lot of inns and B&Bs in tiny towns etc. have these complicated passwords that seem like overkill. You're probably right that they're some sort of default. Even if they're not 12345, it seems as if they could be something pretty simple and that would be fine.
QR codes?
> QR codes?
How do you change the label on the router that got installed 8 years ago and is working fine? Especially since the owner of the cabin in the woods that you just rented for the weekend is into ... renting cabins in the woods, not geekery.
> have these complicated passwords that seem like overkill. You're probably right that they're some sort of default.
It is the default. If you find their router you'll find that overkill password printed on a label on the bottom. More enlightened ISPs give you extra stickers with the same info that you can put on the fridge or somewhere like that.
There is a wifi credentials QR code standard that can be used to pass the network name, and authentication details. Anyone can generate one, here's a generator app: https://www.qr-code-generator.com/solutions/wifi-qr-code/
Most modern phones recognize the standard and can be used through the native camera app.
We used this for our guests at home.
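An added example, not part of the comment above: building and parsing the text a Wi-Fi QR code carries, using the de facto `WIFI:T:...;S:...;P:...;;` layout documented by the ZXing project, including the backslash escaping that hand-typed payloads usually get wrong. The network names and passwords are constructed samples; the quoted form for hex-looking values is not handled here.

```python
# Payload text for a Wi-Fi QR code. Any QR encoder can turn the returned
# string into an image; this block only deals with the text format.

SPECIALS = '\\;,:"'          # characters that must be backslash-escaped
AUTH_TYPES = ("WPA", "WEP", "nopass")


def escape(value):
    """Backslash-escape the separator characters inside a field value."""
    return "".join("\\" + ch if ch in SPECIALS else ch for ch in value)


def build_wifi_payload(ssid, password=None, auth="WPA", hidden=False):
    """Return the WIFI: string for the given network settings."""
    if auth not in AUTH_TYPES:
        raise ValueError(f"auth must be one of {AUTH_TYPES}")
    if not ssid:
        raise ValueError("ssid is required")
    if auth != "nopass" and not password:
        raise ValueError("password is required unless auth is 'nopass'")
    fields = [("T", auth), ("S", escape(ssid))]
    if auth != "nopass":
        fields.append(("P", escape(password)))
    if hidden:
        fields.append(("H", "true"))
    return "WIFI:" + "".join(f"{k}:{v};" for k, v in fields) + ";"


def parse_wifi_payload(payload):
    """Parse a WIFI: string back into a dict of unescaped fields."""
    if not payload.startswith("WIFI:"):
        raise ValueError("not a WIFI: payload")
    body = payload[len("WIFI:"):]
    fields, key, buf, i = {}, None, [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            buf.append(body[i + 1])      # escaped character, taken literally
            i += 2
            continue
        if ch == ":" and key is None:    # first unescaped ':' ends the key
            key, buf = "".join(buf), []
        elif ch == ";":                  # unescaped ';' ends the field
            if key is not None:
                fields[key] = "".join(buf)
            key, buf = None, []
        else:
            buf.append(ch)
        i += 1
    return fields


# Constructed samples: a guest network whose name and password contain
# separator characters, and an open network.
GUEST = build_wifi_payload("Cabin;Guest", "tr0ub4dor;3:x")
OPEN_NET = build_wifi_payload("OpenNet", auth="nopass")

if __name__ == "__main__":
    print(GUEST)
    print(parse_wifi_payload(GUEST))
    print(OPEN_NET)
```

Anyone who can see the printed code can read the password from it, so a code on display suits a guest network better than the network the household's own devices use.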
https://qifi.org/
Oh pretty. Now I just need to tell all the hosts in my future holidays about those :)
Yes I saw it literally few days ago when visiting relative (not even airbnb just her home), so easy to do yet it never occurred to me.
I have a framed wifi QR code in my house. It's great. Looks like a photo on the wall.
I should cross-stitch one.
https://qifi.org/
You can generate and print a QR code. It's quite a nice solution
google lenses works for this as an OCR copy & paste
The manual clearly says you need to press the "do not explode" button if you don't want the car to explode. It is conveniently located under the rear seats.
Viscount has hilariously bad security. I used to live in a building in Toronto that used Viscount infrared fobs for access control. They were no more secure than TV remotes; no rolling codes, no encryption, nothing. An attacker could easily sit nearby with an IR receiver and collect everyone's fob codes at a distance, allowing access to all floors.
Needless to say, I moved.
This was 30 years ago, so I'm sure a lot has changed since then. I was a missionary and the way we got into buildings in Toronto to knock on doors was to just pick the last name with the most letters from the directory, buzz them, and when they answered, we would just say "pizza delivery" and 95% of the time they buzzed the door open.
It'd be nice if missionaries weren't such hypocrites. Claiming to be the pizza guy when you're actually selling magic underwear is bearing false witness.
Technically it depends on the interpretation of "עֵ֥ד" and "בְרֵעֲךָ֖" whether that commandment is admonishing against telling any lie, just lies in court when making a legal accusation against another person, or somewhere in between.
Even if we accepted the premise that one book should be the basis of all morality, this one contains within itself contradictions, satire, sarcasm, and a community context we no longer have: with individual quotes I can make anyone look like a hypocrite.
To my mind the more interesting question is, does a singular community condemn a behavior in out-group members that they tolerate or even praise in in-group members?
Leviticus 19:11 bypasses the whole "עֵ֥ד" vs. "בְרֵעֲךָ֖" shenanigans.
New International Version (NIV): "Do not steal. Do not lie. Do not deceive one another"
King James: "Ye shall not steal, neither deal falsely, neither lie one to another."
New Living Translation (NLT): "Do not steal. Do not deceive or cheat one another"
New Century Version (NCV): "You must not steal. You must not cheat people, and you must not lie to each other"
The Holman Christian Standard Bible (HCSB): "You must not steal. You must not act deceptively or lie to one another"
[flagged]
Does anyone ever actually get converted by a door knocking missionary?
It's not for the benefit of the potential convertees, it's for the benefit of the ones doing the converting.
Yes. The inevitable rejection is the point. It reinforces the otherness of the outside world, creating more separation from non-believers and stronger connection and devotion to the cult.
Yes. I'm no longer a Mormon, but I baptized around a dozen people on my mission and they were all found from knocking on doors. But this was also thirty years ago, before the internet was a thing for most people.
What do the letters in their name have to do with it?
Less likely to speak English in my experience.
I hope you are doing better!
I'm not going to especially defend but you have a way more sophisticated model of how most burglars work than is almost certainly the case.
Exactly. This article should be titled "I figured out a really obtuse way to break into apartment buildings."
A rock will get the job done in a fraction of the time.
It's like all those nobodies on HN who go through all kinds of software gymnastics to secure their phone against imaginary "threat actors," when a mugger is just going to keep twisting their arm behind their back until they enter their PIN.
This is way better than a rock. It raises no suspicion and leaves no trace. Maybe it doesn’t matter for burglary, as you’re probably going to take things anyway, but if you want access without anyone knowing you were there, this is gold.
In fairness I think that these "locked doors" are to keep the homeless/drug users out or kids starting fires not really burglars.
Randomly press the intercom buttons until someone buzzes you in.
Wait 5 minutes for someone to come in or out (most likely a delivery driver) and tailgate behind them.
A locked building door is the weakest possible form of security. It isn't holding anyone back, whether kids or homeless or whoever else.
In a lot of modern buildings the elevator will not let you up to any floor unless you've been admitted, so the rock won't do you much good unless you also use it to smash the lock on the elevator control panel and override the security there.
They unlocked a lot more power than simply getting into buildings.
> infrared fobs
Wait, what? You have to point a powered device at an IR receiver and press a button like a TV remote? I've never seen a building entry system like that!
Exactly that, yes! IR receivers outside every exterior door to the building, and IR receivers in the elevators to control access on a floor-by-floor basis.
The fobs were visible by an IR camera (including the average smartphone) and could trivially be decoded as a short bit sequence with an IR sensor wired into a microphone jack, as the bit pattern was transmitted at ~audio rates.
That's probably because it's not so good as a building non-entry system.
There was a time when somebody in SF had figured out the admin access code to older apartment intercoms (I believe they were manufactured by Linear and maybe other companies too). These intercoms would call the programmed-in phone number whenever you typed in the apartment access code at the door.
So what they did was add a new fake tenant with a premium 1-900 number and use the intercom to call it, earning themselves a bit of cash. Naturally, landlords had to foot the bill.
That sounds like a fairly open/shut case of fraud/abuse if it can be proven.
At my last apartment my LL would only allow a single number per apartment... well I was sharing the apartment with someone else and I was sick of being the only person to get called. 30 seconds of Googling revealed the user manual for the intercom, and of course the default password of "5555" was still set on it...
I programmed both our lastnames and phone numbers to our apartment unit number. I did that in 2014 and I moved out in 2016.
To this day -- NINE YEARS AFTER MOVING OUT -- I am still getting calls whenever someone hits #25 on that intercom.
I should have done the 1-900 thing :D
I did something similar to my high school in the 90s. They had a free student phone in the office. It had long distance blocked on it, but I learned you could circumvent the block using those 1010-321 and other long distance prefixes. Some of them had $5 access fees, billed once, in addition to the per minute rate. I called several of these and prided myself on getting the phone removed from the office for a few months.
Can you elaborate on why having the phone removed was itself a source of pride?
I do appreciate the hacking around aspect, particularly with respect to old phone systems, but having a free student phone removed seems like it would be a bad thing for everyone, no?
I was a rebellious teen. I'm not proud of it now.
Breaking the rules so bad that the ability to even interact with the thing the rule was made for was taken away?
The Polish spin on this were unsecured office landlines that used radio for some reason, I don't remember if that was for cordless handsets or just an access technology.
People would walk around big cities, usually on Friday evenings, radio scanner out, trying to find one of these. They would then dial a premium-rate number, preferably on more than one line. In most cases nobody would realize that something was up until Monday morning, and if they had a way to disconnect the calls before then, not until the bill came.
You could do similar shenanigans with unsecured PBXs or insecure answering machines that had a "call my mobile if somebody leaves a message" feature.
> 2025-01-29: Hirsch replies stating that these vulnerable systems are not following manufacturers’ recommendations to change the default password
Ah, yes. It's the children who are wrong.
This is the kind of thing where responsible disclosure is really very important.
Let's say you're a woman. A woman who lives in one of these apartment complexes. A woman with a stalker. A stalker who has threatened to kill you, multiple times. Who has shown up at your apartment, but was rebuffed by the building security.
One day you wake up and find out that a "security researcher" found a way that anyone in the world can get into the building at any time, in addition to looking up who lives at each address. And it turns out the security researcher waited only two months (including over christmas break) to try to resolve the issue in a way that would not leave the existing buildings exposed.
If I were that woman, and something happened to me as a result of this disclosure, and assuming I was still alive, I would, at a minimum, sue the shit out of that security researcher.
Tbh if someone's determined to kill you, enough to look up CVEs and so on on your security system, they might as well wait by the door to brick you in the head when you inevitably come out. It's even better for them since you're bound to be less armed than at home surrounded by kitchen knives, tools, chairs, etc.
> assuming I was still alive, I would, at a minimum, sue the shit out of that security researcher.
If you wanted to stay alive you'd be wise to think twice about going after people who go out of their way to inform you that the security you are dependent on is not doing its job. You'd be much better off instead going after the company who was negligent enough to create the system with such obvious flaws or the landlord who subjected you to it without even bothering to read the manual.
The alternative is that researchers will stop telling the public when they aren't safe and you stay ignorant while some attacker spends the 15 minutes it takes to find and try the default password.
The person who disclosed this was right to get the information out as widely as possible as quickly as possible because, as you said, some people are likely depending on those locks for their safety. Thankfully everyone who learns that this product has made them vulnerable can now take measures to protect themselves accordingly.
We'd probably agree that there could have been better ways to disclose this, ways that made it instantly clear that this product was putting people in danger, while also not making it quite as easy for others to repeat the attack, but in this case you can bet that trying the default password was going to be high on the list of things people would try anyway. I think it's extremely unlikely that this security researcher was the first it.
The most important thing is letting as many people as possible learn about their risk so that vulnerable people can protect themselves ASAP and so that the negligent company/landlord feels a lot of pressure to fix the situation as quickly as possible. If you make security researchers think twice about doing that you'll only allow yourself/others to come to harm. Ignorance really isn't always bliss.
First of all there is no need in pointlessly gendering the risks involved.
Secondly, if a person is determined enough to look for vulnerabilities in the access control system, they are determined to do much more.
Thirdly, public disclosure more often than not leads to enhanced security down the line, protecting both men and women alike.
I'm disappointed you're downvoted. I know a woman who is in the exact situation you describe (sans hacker); their ex-husband has made threats to her life and has made attempts to act on those threats. She's extremely privacy sensitive as a result.
You are right. But remember you can be sued for anything, and further remember that suing someone doesn't mean you have good cause to win.
For corollaries, see good samaritan laws
[0]: (specifically about Texas) https://www.uslawshield.com/can-get-sued-good-samaritan-laws...
[1]: https://www.themirror.com/news/weird-news/i-cpr-crash-victim...
[2]: (More generally) https://en.wikipedia.org/wiki/Good_Samaritan_law
So it stands to reason that a white hat hacker who, in good faith, publicly releases information in an attempt to get things fixed shouldn't face negative repercussion.
But they should face consequences if they were irresponsible, regardless of intention.
If you found the nuclear launch codes, and you're pretty sure nobody else has found them, should you wait a week and then release them, because you had a good faith interest in exposing this hole? No, of course not, that'd be insane. What one should do in that situation is wait, and try to get the codes changed. You shouldn't wait forever, because someone else might find them. But you also should wait for as long as you reasonably can, because of how severe the risk of releasing is.
This risk analysis is the calculus of responsible disclosure. Any ethical security researcher should err on the side of avoiding harm, making every effort to ensure the disclosure doesn't harm unnecessarily. For most researchers, that means waiting more than 2 months over a holiday season, even if it was just a bug in a javascript library or something. Knowingly exposing the privacy and security of thousands of people is pretty fucked up, imo. I'm pretty sure they could have come up with a half dozen different ways to try and get the issue resolved, if not through the company directly, then through individual apartment complexes, law enforcement, etc.
Looking at this closer, it's actually worse than I originally thought. You can see what time everyone comes home every day, what their weekly routines are. So you know when they're gone, so you can rob their house. Or you know when they come home, so you know when you can attack them. This is fucking chilling.
The author contacted the current and former vendors, got a flippant answer, asked again, and was ghosted for two weeks.
I see here a desire for a random person to accept a staggering amount of your personal responsibility. Anyone under long-term active threat without defense-in-depth redundancy isn't someone I can save by waiting longer before disclosure. I am frankly amazed you expect so much from a stranger for so little benefit.
It is fucking chilling -- that the publisher would do this, in the first place, and blow him off now, too.
Why don't YOU pick up what you said, and start contacting apartment buildings and police? How many of those half-dozen ways you mentioned will YOU act upon?
> But they should face consequences if they were irresponsible, regardless of intention.
Intention is important.
If their intention is to highlight that a problem exists, then sure. They should be forced to participate in resolution (at the very minimum). As for liability? No, that definitely belongs on the owners of the insecure devices.
If their intention is to show to "the bad guys" where the spots are vulnerable? Then yes, they are partly culpable.
Again, being a good samaritan (showing that a problem exists) should NOT make you liable for the problems that already existed.
> you also should wait for as long as you reasonably can
That word, "reasonably", is loaded. I think waiting a couple of months is perfectly reasonable when being stonewalled by other parties, especially the owner.
> that means waiting more than 2 months over a holiday season
Yup, sure, because thieves definitely don't operate during holiday season. And please ask Russia and the US to hold off on their nuclear war. It's called Nuclear Winter, but that doesn't mean it has to happen during Winter, right?
> This is fucking chilling.
The problem existed before the announcement was made. You think it was chilling before? Just imagine that nobody who was capable of fixing it didn't know about the problem. So it could be abused without anyone being the wiser. That is fucking chilling. It's chilling that people would be more upset about the announcement and less upset about the apartment building owners not fixing the problem in the first place. That is fucking chilling.
I downvoted, because they wanted to create sympathy with a victim, and to achieve that, they made it a woman. What is the takeaway from that? I'm out of charitable explanations.
> I downvoted
Thanks for explaining!
> because they wanted to create sympathy with a victim
I did not read that at all. I read that they wanted to discuss a problem that might need addressing. That's a normal part of conversation.
> to achieve that, they made it a woman
First, gender doesn't matter here. It's far more telling that you'd jump to conclusions about gender instead of thinking just a little bit further about who or why.
Second, if you were a person who read any books or paid attention to the speech of both sexes, you'd realize that the gender expressed in a conversation piece often reflects the person speaking or the person in action. Again, gender (who) doesn't matter here.
Third, women are often in situations where their livelihoods are threatened. Men are too, but not nearly as often as women are (why).
> What is the takeaway from that? I'm out of charitable explanations.
We can discuss your lack of imagination if you want.
Or we can discuss your sexism if you want.
But I suggest you drop your attitude.
I can't find your argument in that wall of personal attacks. I guess your nick checks out. Maybe some day you'll find a princess to save, but it will surely not be me.
Many many many years ago I worked at basically an MSP for telcos on the helpdesk. So customers would call their telco or isp for help and that would be routed to us. Anyways this one small isp with idk 10k customers had deployed their routers to customers with the default username/password and remote authentication enabled. A single script from a bad actor logged into all of the routers, changed credentials, and iirc updated dns settings so they lost internet, phone, tv. Cue 10k people calling as we had to basically walk through everyone one by one on changing the credentials and updating their config.
Was that enough pain to force some sort of change in how the things were deployed thereafter?
Sort of, they changed it to a different username password that was the same on every box. So it wasn't easily findable from the internet but the same issue could have potentially happened again.
After watching a lot of TV series, my non-techie wife has come to the conclusion that real life systems are trivial to hack: just click ‘skip password’, or ‘password override’, or just use ‘password’ as a password.
It seems she’s almost right!
I’ve always wondered: how do all these things end up in Google? What’s submitting the link, or public thing links to it?
Google's own browser phones home with the URLs you put in it, presumably for malware scanning or some other "security"-excuse reason.
I don't remember if there was a setting to stop that from happening, or if there was, whether the setting may still exist today, but that would be a good way for them to get otherwise-private URLs.
That’s all I can think of. That or perhaps emails (in Gmail or another webmail viewed in Chrome) that contained the links.
Breaking into an apartment building in 30 seconds without a phone:
Carry a brown paper (food delivery) bag. Stand by the intercom pretending to press buttons. When someone comes in or out, tailgate behind them and say "thanks". 9 out of 10 times they'll even hold the door open for you.
> Default credentials that “should” be changed, with no requirement or explanation of how to do so. Surely no building managers ever leave the defaults, right? And even if they did, they’d surely have no reason to expose this thing to the Internet, right?
My theory is this is one of the reasons so many internet-of-things devices nowadays omit any sort of offline/local network control.
No default passwords, no ports you can forward without knowing what you're doing, all the credentials sorted out on a cloud server.
Consumer routers have had this issue solved for ages: you generate a random password and put it physically on the device.
I don't want some complicated random password. At least where I live, my router password is a very modest security shim to protect against very random casual access. If I have a visitor who needs WiFi access, I want to give them an easy password to type in.
So change it afterwards. Good defaults are important. If someone doesn't change it, it's important that they be on the right path instead of...this one.
(See also: opt-in versus opt-out for retirement plans, organ donation...heck, even this from yesterday: https://news.ycombinator.com/item?id=43144611)
You can always change the passwords. I was bringing this up as a solution to the default passwords issue. You don't want to have a static default password used by everyone, so you need the initial password to be randomized. People are dumb so you need to print it on the device. There is no need to default to cloud-based authentication to close the default password security hole.
If it's too hard for a guest to type in a password, you can also have them join by scanning a QR code. Obviously this works better for phones and tablets with QR scanning built into the camera, but that's what guests are frequently using.
https://en.wikipedia.org/wiki/QR_code#Joining_a_Wi%E2%80%91F...
Wifi password != admin password. The admin password should be random and then you can change it when you take ownership of the device.
> I don't want some complicated random password.
It doesn't have to be complicated. A random passphrase can be much simpler and include significantly more entropy: four to six words plus a six-digit number. Any password generator worth a damn can generate something like this.
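The ideas in this subthread (a unique random credential per device instead of a shared default, a word-based passphrase with a six-digit number, and a Wi-Fi QR code for guests) can be sketched as follows; this is an added example, not code from the thread or from any vendor. The word list is a constructed sample, `provision_device` and its SSID scheme are hypothetical, and the payload uses the common `WIFI:T:...;S:...;P:...;;` convention that phone cameras recognise.

```python
import math
import secrets

# Constructed 16-word sample list so the block runs offline. A real deployment
# would load a large list from a file (the EFF long list has 7776 words).
SAMPLE_WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "garnet", "harbor",
    "iris", "juniper", "kelp", "lantern", "mosaic", "nectar", "onyx", "pebble",
]


def passphrase_entropy_bits(list_size, n_words, n_digits=6):
    """Bits of entropy for n_words uniform picks plus n_digits random digits."""
    return n_words * math.log2(list_size) + n_digits * math.log2(10)


def random_string_entropy_bits(alphabet_size, length):
    """Bits of entropy for a uniformly random string, for comparison."""
    return length * math.log2(alphabet_size)


def generate_passphrase(words, n_words=4, n_digits=6, sep="-"):
    """Four to six random words plus a zero-padded number, drawn with a CSPRNG."""
    if not 4 <= n_words <= 6:
        raise ValueError("use four to six words")
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates")
    picked = [secrets.choice(words) for _ in range(n_words)]
    number = f"{secrets.randbelow(10 ** n_digits):0{n_digits}d}"
    return sep.join(picked + [number])


def escape_field(value):
    """Backslash-escape the characters that are special in a WIFI: payload."""
    return "".join("\\" + ch if ch in '\\;,":' else ch for ch in value)


def wifi_qr_payload(ssid, password, auth="WPA", hidden=False):
    """Build the text that goes inside the QR code."""
    if auth not in ("WPA", "WEP", "nopass"):
        raise ValueError("unknown auth type")
    fields = [f"T:{auth}", f"S:{escape_field(ssid)}"]
    if auth != "nopass":
        fields.append(f"P:{escape_field(password)}")
    if hidden:
        fields.append("H:true")
    return "WIFI:" + ";".join(fields) + ";;"


def parse_wifi_qr_payload(payload):
    """Inverse of wifi_qr_payload: split on unescaped ';' and undo the escaping."""
    if not payload.startswith("WIFI:"):
        raise ValueError("not a Wi-Fi payload")
    fields, current, escaped = [], [], False
    for ch in payload[len("WIFI:"):]:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ";":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
    result = {}
    for field in fields:
        if field:  # the trailing ';;' yields an empty field
            key, _, value = field.partition(":")
            result[key] = value
    return result


def provision_device(serial, words=SAMPLE_WORDS):
    """Hypothetical factory step: per-device secrets for the printed label.

    The admin password and the Wi-Fi key are generated separately, so sharing
    the Wi-Fi QR code with guests does not hand out admin access.
    """
    ssid = f"Router-{serial[-4:]}"  # assumed naming scheme
    wifi_key = generate_passphrase(words)
    return {
        "ssid": ssid,
        "wifi_key": wifi_key,
        "admin_password": generate_passphrase(words),
        "qr_payload": wifi_qr_payload(ssid, wifi_key),
    }


if __name__ == "__main__":
    print(provision_device("SN-00012345"))  # constructed serial number
    print(f"4 words from 7776 + 6 digits: {passphrase_entropy_bits(7776, 4):.1f} bits")
    print(f"8 random alphanumerics:       {random_string_entropy_bits(62, 8):.1f} bits")
```

With the 16-word sample list the passphrase is far weaker than the 7776-word figure printed at the end; the entropy comes from the size of the list, so only the list needs to change.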
Correct! No need to horse around with passwords. A staple approach saves your mental battery.
OpenWRT, the crown jewel of open source firmwares for "insecure" consumer routers, uses a blank (null) password by default with full root access.
No device comes off the shelf with OpenWRT. If you're the type of person that's aware of OpenWRT and then install it, it's not that far of a stretch to think you'd also be the type to know to check the password.
GL-inet devices come off the shelf with OpenWRT. They don't have a blank password. Every single one ships with 'goodlife' as the default password, as printed on the label on the back.
(But remote ssh login is disabled by default.)
Thanks. I was unaware of that company.
[flagged]
Your assumption is large.
I am only thinking of a router with OpenWRT installed. Nothing about a wifi router with OpenWRT has anything to do with a door access device installed by a trained technician or not. The conversation only pertains to the words used, not the unwritten ones you're trying to insert in between the lines of my comment to make a totally unrelated point
i worked as an engineer in an industry that required on-site access to buildings all over manhattan, some residential. all you have to do is hit a couple random buttons on the intercom and 100% of the time one of them would just buzz the lock
This is pretty much all it takes in any western country. Some areas might require a little more effort but nothing substantial.
In fairness, the blame for this kind of enabling attitude is mostly attributable to me locking myself out of the building and having to buzz my long suffering neighbours at all kinds of ungodly hours. Proud moments.
Could you also lock out specific residents? Or get their daily home arrival patterns for the last few years? Or find unused flats to squat in? IoT still wins. :)
We laugh at Hollywood movies where the protagonist calls his hacker sidekick and says "get me into this building. quick." and the friend goes "one sec. done." and click! the door opens.
Try going to YouTube and look for The Lock Picking Lawyer or McNally. Both are really skilled lock pickers, but the majority of the locks they review and demo do not require anything near their skill level to break. Half of all padlocks seem to be susceptible to comb picking, which requires zero skill.
It was apparently never difficult to break into buildings, physical security has always been pretty poor. Unless you have an armed guard patrolling your property, there's no real reason to believe it secured beyond the fact that most people weren't going to break in anyway, or simply can't be bothered.
Holy freaking crap. ALL OF THESE ARE ONLINE. "It's possible" to log in to the first result with the default password.
If anyone wants, perhaps login, change the password and make a new client as the password or something. This is going to get bad FAST.
I was once investigating an uptick of telnet traffic, when I came across something that looked like a pppoe router web interface.
For shits and giggles, I decided to try admin/admin, and to my surprise, I was logged into this device with full control.
I immediately logged out, but I could have easily changed the password or changed their configuration, knocking them offline...
I'm sure there are legal issues surrounding that, and I have no idea what kind of devices connected to the thing, but you'd be surprised how much random internet junk is out there with default credentials.
I would say this is highly irresponsible of the researcher to expose this publicly. These are people’s homes, along with their PII and locations. The residents didn’t choose this system, their building just uses it. They don’t even know that their info is being leaked, nor that the doors to their places were just rendered neutered.
If something bad happens because of this…
I think this falls under responsible disclosure guidelines. A lot of times companies refuse to fix misconfiguration issues like these, and users/customers deserve to know. Not publishing it is security by obscurity, you're just hoping that a bad actor doesn't figure this out (or hasn't already figured this out).
If something bad is done by a bad actor because of this vulnerability being discussed in public, that's no worse than something bad happening because this vulnerability exists but is only discussed in secret.
This is not some highly-technical vulnerability only accessible to nation-states with genius engineers and million-dollar labs with exotic instrumentation and brute-force supercomputers compute pulling down many megawatts of power. The OP literally logged into an open Wifi SSID, searched for the text on the page, and scrolled to the default password. None of those steps are hard to do, any jealous ex or disgruntled employee or divorced parent fuming in the parking lot for 5 minutes could effortlessly accomplish the same thing.
I honestly think it's likely that bad things have already happened due to this vulnerability - but not due to this disclosure.
But because it was only discussed in secret, no one ever got to the root cause of the issue and the hazard continued to be out there. Now that it's public, hopefully something will be done, and relatively quickly.
Shining a spotlight on an issue is completely different than the issue already existing.
Not shining a spotlight is worse. The important thing is providing time to address the found vulnerability, ie. responsible disclosure. For which OP has indeed provided a timeline.
The debate has long since been settled comprehensively in favor of openness.
2025-01-30: Hirsch asked for an update as to whether clients running vulnerable systems have been alerted (no response as of publication)
2025-02-14: CVE-2025-26793 assigned
2025-02-15: publication
So two weeks after they don’t respond what they’re going to do with their clients this gets published? I’d hardly call that responsible.
I don't know why you picked a random date 2 weeks before publication instead of the relevant one:
2024-12-27: Current vendor of MESH identified as Hirsch (subsidiary of Vitaprotech Group) and contacted
They were contacted 7 weeks before publication
and
2025-01-11: Hirsch product security responds requesting details and are asked if they intend to alert clients
They responded 5 weeks before publication, and so were aware of the issue for at least 5 weeks before it was disclosed, during which time they did nothing about it
https://nvd.nist.gov/vuln/detail/CVE-2025-26793
"Awaiting Analysis This vulnerability is currently awaiting analysis."
This is the only recourse left when the vendor kicks and screams at the CVE disclosure process.
The only recourse for what problem? Aren't there other plausible creative ways to apply pressure and get it fixed, with less risk to the people unwittingly at mercy of this vendor's negligence?
Or are you speaking of the transactional convention, in which people can break into systems, and then are entitled to publicity for that, so long as they give the vendor advance notice?
The whole responsible disclosure convention seems an imperfect compromise, among various imperfect actors. On occasion, individuals might decide that other options are more appropriate to the specific situation, and to Perfect Tommy it.
https://www.youtube.com/watch?v=fKHaNIEa6kA
I strongly disagree. You’re literally putting people’s lives and possessions at risk who have no knowledge of this. There are many alternative methods, from getting the government involved to giving a very long lead time to the vendor before you disclose this, to sitting on it and never disclosing.
The information is already sitting on Google for anyone to find, vendor doesn't give a shit.
Best to get it out there, at least if you're stuck in one of these buildings you can log in and change the admin password yourself till your building management does something about it.
Software vendor and building manager are putting people's lives at risk.
Can't software coders ever take responsibility? And this is on the programmer who implemented this, too. You just don't let your product manager do this, ever. It's 2025 already.
And this is a security product, wtf? Residents should be suing individual programmers here. OWASP was created 24 years ago. Default credentials is like number 1 on their IoT app security list. Only a moron would not defend against this. If your manager requires this, you just send him:
https://wiki.owasp.org/index.php/OWASP_Internet_of_Things_Pr...
And tell him no. If he still wants it, you just report him to Reddit or whatever. :D
[dead]
I second this. Just because it feels right to them as "I've reported it, It's not on me anymore...", doesn't mean he should enable bored people to revoke access cards, jam elevators, etc.
Criminals were already enabled to do that, and the people in those buildings had no way to know.
The more-responsible thing might have been to also reach out to residents of individual buildings & give them time to correct the situation, rather than relying on the company (which has a vested interest in ignoring the problem) to do the right thing. But security through obscurity is not a solution.
Reaching out to the residents leaves you open to legal risks. You processed their data without any kind of opt in.
[dead]
That depends on the individual's weighing of the various factors and their personal moral position. If someone wants to prevent a bunch of easy break-ins where the method of entry won't get noticed in most cases, and they feel that the discomfort of denying access for a bit (impacting hundreds of people perhaps) outweighs the trauma of being robbed (maybe impacting just a few), then doing that might be the only morally defensible position to take. For all we know they actually are planning to hammer the open installations until they get fixed to prevent the bigger harm.
Other people will shrug and move on after trying everything they can via the proper channels.
And then of course there are the assholes who will just do it because it entertains them.
It's all very educative and makes a point until you read a news story about someone dying because ER couldn't get there in time. The road to hell is paved with good intentions hits hard here.
That too has a chance of happening associated with it. Lacking a convenient table to look up the chance of that happening (and its impact), and the chance of a break-in caused by an open admin panel causing irreparable harm, there is nothing left to do but weigh the chances as best as one can.
Many people will choose to do nothing in that case, but not everyone will accept that inaction which might lead to bigger harm is preferable to action which might lead to another possible negative outcome, but at a much smaller chance.
(It's basically that dumb trolley meme, but with undetermined outcomes.)
Every choice we make can have an adverse effect on others. Take the car today instead of walking? You just might cause an ambulance to be delayed leading to an unfortunate death. The chance of that happening is negligible of course, but not absent (it never is).
I flagged it for this reason.
Isn't logging into any system unauthorized - in practice - a violation of the Computer Fraud & Abuse Act?
The EFF has a good guide about the relevant laws: https://clinic.cyber.harvard.edu/wp-content/uploads/2020/10/...
Such ridiculous laws. The real crime here is that the software vendor lets people use the software without creating a new password. Even that is suspect, since I bet most people's password would be 1234 anyway. So really they should force people to set up passkeys to access the system. Or, cut out the setup, and just send them a couple of USBs which allow them to access the system.
This "manufacturer" is not doing its due diligence in any way, shape, or form. They are the ones who should face jail time for not implementing bare minimum security practices.
The idea that the guy revealing a complete lack of security is committing a crime is like saying a guy informing someone that they're naked is guilty of forcibly stripping that person. Or that telling someone there's a giant red button that drains the landlord's bank account is guilty of pressing it. Maybe they should remove the giant red button?! Or at least put it in a locked room?
It might be harsh, but the general premise is good that we should not blame the victims of unauthorized access to computer systems.
We should also, as you point out, require vendors to implement minimum security standards.
Not in Canada. Being that the article mentioned Vancouver. For us it'd be Section 342.1/2 of the CCC.
It is, like getting into a home with open doors without the consent of the inhabitants.
Which is keeping away only the honest and polite persons.
These pages weren't wide open, they had weak and ineffective authentication.
If you bypass a very shitty lock on a house, you've likely committed a crime.
"Key under the mat" sign for you then. Same thing.
I just tried it (via Tor) and was able to get into the first 5 that duckduckgo found. Someone had been there before me and (apparently) changed names of things. (I looked but didn't touch.)
> fortran77 5 hours ago:
> I just tried it (via Tor) [...]
Opsec: Failed
Well, I still have plausible deniability if other people tried it via Tor, too.
Love this stuff, reminds me of old 2600 articles
finally some actual hacking on this site
The more I look at electronic access systems for buildings, the more I appreciate a manual lock that takes multiple minutes to pick and makes the intruder create a large noise or light signature while doing so.
If I'm reading this correctly, is this just the "public" areas of apartments, and not the doors to the actual suites themselves? There's a huge difference between getting access to those two.
Even with just the public area, you can still:
- Steal packages
- Access storage areas and bike lockers
- Walk down the hall and check which doors aren't locked
- Smash the coin-operated laundry machines and steal the money
- Just wait for someone to open their door
(All of which happened in an apartment building I lived in a few years ago)
That sounds complicated and too much work. I’d prefer <https://www.youtube.com/watch?v=Rctzi66kCX4>
from the timeline:
>2025-01-29: Hirsch replies stating that these vulnerable systems are not following manufacturers’ recommendations to change the default password
this is why i like the 'secure by design' or 'secure by default' responsibility being put on connected product providers, e.g. EU CRA and implied in US M-22-09.
i am always fearful of unintended consequences of regulation like this, but it does seem necessary in today's world.
I suspect putting these on the internet is recommended so they can push firmware updates, and perhaps it's even required to make the thing work.
The sinister part is you get a log of everyone's keyswipes. You can plan a burglary, stalk someone, construct or destroy an alibi and so on.
Jesus. The whole system seems to have been designed to maximise the damage that can be caused with minimal effort.
Why are these admin pages web findable? Why is there a public database of them? Why have they tried so hard to make it so accessible? Why is there no security? Arrrrrgggh.
Exposing a loophole in the best way. Great job
You can get in the building with a bit of social engineering. I live in an apartment complex. Put on a DHL or Dominos cap and nobody cares. It's your front door lock that is the real barrier.
Nowadays you don't even need that. Just carry a brown paper bag. Every mid-large sized building gets a food delivery every 5 minutes, and no one looks twice.
Interesting story but a CVE for this is a bit melodramatic and why no one takes security folk seriously (cry wolf too many times).
OpenWRT ships with no password at all (!) with full root access on default install. The situation is the same: they politely suggest you change it from the default (blank) password but do not force you to do so.
By this logic every OpenWRT install (and many other softwares) dating back many years should be subject to CVE.
I assume you have to be on that network to access the login. I'm 95% sure the UI/admin is not accessible to the internet by default... but also, yes that shit should be way better. Even Comcast and other ISPs have done better than this for a decade or more now.
Yup, worth a CWE but not a CVE.