thomasdankara [he/him]

  • 1 Post
  • 7 Comments
Joined 4 years ago
cake
Cake day: July 25th, 2020

help-circle

  • Good post, @fuschiaRuler

    I’d also add that Text-based MFA is insecure. What’s more recommended is TOTP, where you scan a barcode with an app like Authy or Google Authenticator on your phone and then it provides codes to you that you enter in the website. What’s most recommended is hardware based 2FA with a physical token like a yubikey, but this isn’t widely supported yet and requires the purchase of a specific device.

    Everyone (I repeat, EVERYONE) should be using a password manager. Password reuse is a serious problem, and everyone’s guilty of it to some degree - but you need to work hard to make sure you can prevent password compromise. I know it’s annoying, and I know you don’t want to do it, but trust me: it’s worth it. Once you have it set up it can make your life easier by typing in passwords for you, and it makes your online life infinitely more secure. You should absolutely use new, uncompromised, PASSPHRASES for your password manager password, and you need to enable 2FA.


  • This is sweet!

    I had a similar idea a while back that I never fully fleshed out, but using WiFi mesh networking instead of lora. I figured lora was more specific, but I didn’t know as much about it’s long range capability. The idea was to build handsets using esp32 modules with external antennas, and build out a huge city wide mesh network working on wifi bands based on small, local repeaters (also ESP based). Esp32 since you can encrypt the onboard flash, they’re pretty powerful and decently cheap.

    Since your threat model here includes the most enthusiastic spy agency of any nation-state, I would be EXTREMELY careful about the firmware flashed onto the phones. Frankly, I don’t trust android or IOS for something like this - maybe using a linux ROM on android would be good enough, but I’d say the preferable and way more labor intensive option would be to build your application specifically for your hardware, and only using open source packages. I’d also encourage the ability to perform on-air key revocation, so if a radio is confirmed to have been compromised it can be removed from the talkgroup immediately.

    Maybe using a pi would be a good idea, since the radio can communicate over both serial and usb? Or if you can manage to shave the code down enough, you could try to run it directly off of another microcontroller.

    I’d love to talk more about this if you’re able to, let me know.