Hacker News: tkems

New comment by tkems in "My Journey to a reliable and enjoyable locally hosted voice assistant (2025)"

tkems — Mon, 16 Mar 2026 16:29:29 +0000

One that I have been experimenting with is using analog phones (including rotary ones!) to act as the satellites. I live in an older home and have phone jacks in most of the rooms already so I only had to use a single analog telephone adapter. [0] The downside is I don't have wake word support, but it makes it more private and I don't find myself missing my smart speakers that much. At some point I would like to also support other types of calls on the phones, but for now I need to get an LLM hooked up to it.

[0] https://www.home-assistant.io/voice_control/worlds-most-priv...

New comment by tkems in "Suspension of inbound parcels from China and Hong Kong"

tkems — Wed, 05 Feb 2025 01:54:32 +0000

I can confirm that Aliexpress doesn't allow me to checkout with a USA address and states that items can't be shipped to my region. -edit: Since this post it seems that I can order items again? Very odd.

New comment by tkems in "FTC takes action against GoDaddy for alleged lax data security"

tkems — Tue, 28 Jan 2025 15:57:44 +0000

I was shocked when I purchased a domain recently on GoDaddy (I normally use Cloudflare or AWS) and noticed that they have an 'upsell' with more security options (MFA and some other features) for something like $10/yr. Why wouldn't they want their customers to be more secure by default? To me it just reeks of money-grabbing for people that are none the wiser.

New comment by tkems in "Installed an open source garage door opener, and I'm loving it"

tkems — Fri, 15 Nov 2024 21:23:09 +0000

From what I've read, myQ is pretty locked down and doesn't support local control (outside of a HomeKit device that I think is no longer supported).

I would guess that the cert pinning would prevent such MITM attack, but I could be wrong. I'm not a huge fan of Chamberlain and myQ since they are so against 3rd party use of their products [0].

[0] https://www.home-assistant.io/blog/2023/11/06/removal-of-myq...

New comment by tkems in "MicroPython on Flipper Zero"

tkems — Fri, 20 Sep 2024 00:43:45 +0000

Yes, RF (radio frequency) remotes I've seen include my garage door opener, some overhead fans in bedrooms, gates, remote outlet/light controllers.

New comment by tkems in "MicroPython on Flipper Zero"

tkems — Thu, 19 Sep 2024 20:33:16 +0000

I would check out the Unleashed firmware [1]. I've had pretty good luck with it so far.

[1] https://github.com/DarkFlippers/unleashed-firmware

New comment by tkems in "MicroPython on Flipper Zero"

tkems — Thu, 19 Sep 2024 20:30:12 +0000

As someone in cybersecurity, it is handy as a low frequency RFID reader as Android phones only support higher frequency. Having something compact and in a single unit (compared to a Proxmark) makes it easier to 'grab-n-go'. It is neat to show people how insecure common access control systems are.

I've also used it as a universal remote more than a few times on devices that didn't come with a remote. The App running on a phone makes it somewhat easy to transfer new remote templates to the Flipper over Bluetooth.

It also comes in handy as a serial adapter as it has GPIO pins you can connect to things (UART headers).

The RF transceiver is also cool to capture RF remotes (garage doors, overhead fans, etc.) and replay them.

Unmasking Vulnerabilities in Cheap IoT Cameras from One Chinese Manufacturer

tkems — Thu, 19 Sep 2024 15:42:16 +0000

Article URL: https://www.trevorkems.com/operation-big-brother-iot-camera/

Comments URL: https://news.ycombinator.com/item?id=41593048

Points: 1

# Comments: 0

New comment by tkems in "Reverse-Engineering an IP Camera (2019)"

tkems — Wed, 17 Jul 2024 15:42:39 +0000

This is a great run down of the process to extract the firmware from these types of devices without desoldering the flash. I've done a fair amount of reverse engineering and a lot of devices have similar vulnerabilities.

I think more time needs to be spent looking into these commonly used, cheap IoT devices and educating consumers on the risks of using a poorly secured device on their network.

The upside of these vulnerabilities is that you can run your own code on these! 'Declouding' is great as it can extend the lifetime of these devices and make using them more private.

New comment by tkems in "Reverse engineering Ticketmaster's rotating barcodes"

tkems — Mon, 08 Jul 2024 16:42:21 +0000

With Google Wallet (the only one I have at the moment), it is not static for the ticket. It has a NFC and barcode option. The barcode changes every 15 seconds for me.

New comment by tkems in "Reverse engineering Ticketmaster's rotating barcodes"

tkems — Mon, 08 Jul 2024 16:36:55 +0000

I just added a ticket to my Google Wallet for a concert last night and it was very similar to the Ticketmaster/LiveNation app. The PDF417 barcode changed and had an animation around it. My guess is that it is the same or very similar on Apple devices.

New comment by tkems in "Flock Safety is the biggest player in a city-by-city scramble for surveillance"

tkems — Wed, 01 May 2024 16:22:55 +0000

One issue I have with the Flock cameras installed in my city is that they are installed on public land (right next to the road) and paid for with tax dollars.

New comment by tkems in "Flock Safety is the biggest player in a city-by-city scramble for surveillance"

tkems — Wed, 01 May 2024 16:19:29 +0000

One of the Flock cameras was installed in my city nearby where I live. Once I noticed it, I thought it was a red light camera at first since it was near an intersection.

I did some research on them and found that they are completely wireless (cellular network most of the time) and powered by a 65w solar panel. Since they capture every license plate that passes by, I wasn't thrilled it was a private company keeping the data, even if they say they only keep it for 30 days.

I did a FOIA request with my city to see how many are in use and their locations to share with my community. I also plan on asking why my city thinks it is a good use of tax dollars. I think it should be a requirement for cities to disclose their use since it is a private company installing private equipment (and a camera at that!) on public land to monitor the public.

New comment by tkems in "Ask HN: Should Banks Phish Their Own Customers"

tkems — Thu, 28 Mar 2024 16:08:59 +0000

If banks would spend money on this and not enabling support for hard to phish MFA options like hardware keys (FIDO2), I would change banks.

We have solutions to most of the phishing attacks, but most people find them hard to use or don't want to use them as they are seen as not important. I've made comments to several companies that SMS or TOTP based MFA is not phish-proof and that they need to implement something stronger, but it often is ignored.

New comment by tkems in "Class Action Against General Motors LLC, OnStar LLC, LexisNexis Risk Solutions [pdf]"

tkems — Fri, 15 Mar 2024 00:33:13 +0000

Wow, I just submitted the consumer disclosure report this morning after finding out about it from somewhere else. I am VERY interested to see if anything is reported from my car since I don't have any of the addons/monthly fees.

New comment by tkems in "Reverse engineering a car key fob signal"

tkems — Thu, 14 Mar 2024 16:40:30 +0000

This sounds like HomeLink and is indeed more complex. My understanding of it is that they partner with lots of companies to support their rolling/fixed codes and remotes so that they can be paired to your garage door.

I linked this in a sub comment, but the largest garage door maker in the US is Chamberlain [0] (which owns a ton of other brands) and uses known rolling code algorithms that can be decoded. [1]

[0] https://www.chamberlain.com/ [1] https://github.com/argilo/secplus

New comment by tkems in "Reverse engineering a car key fob signal"

tkems — Thu, 14 Mar 2024 16:36:14 +0000

The largest garage door manufacture in the US uses the Security+ and Security+ 2.0 algorithms that are rolling, but can be fairly trivially decoded to gain the serial number and rolling value of a remote. [0] This is how the flipper zero decodes remotes for playback later.

[0] https://github.com/argilo/secplus

New comment by tkems in "FCC rules AI-generated voices in robocalls illegal"

tkems — Thu, 08 Feb 2024 18:47:53 +0000

I would say that money is the root of the problem. I think that most VOIP providers don't want to loose out on unencrypted traffic (both legitimate and spam).

Also, why do I seem to always get spam from a few providers? And why aren't we holding them accountable?

New comment by tkems in "FCC rules AI-generated voices in robocalls illegal"

tkems — Thu, 08 Feb 2024 18:43:35 +0000

This was my thought too. While I do think going after this kind of scam is a good first step, I don't see overseas operators not using this any less. Most spam calls I get don't follow the do not call list, why would they follow this either?

I think the FCC needs to step up and have a hard deadline for STIR/SHAKEN with fines for operators who don't comply. That is the only way, IMHO, that the VOIP operators will take it seriously.

New comment by tkems in "DEF CON 32 Was Canceled. We Un-Canceled it"

tkems — Mon, 05 Feb 2024 03:47:51 +0000

I find this strange but not surprising. I've heard of speed bumps in the past related to 'hackers in town' and I wouldn't be surprised if it comes out later that it had something to do with it, even if unfounded. I think overall, having that many 'hackers' in town makes people overly paranoid.

I wonder if the ransomware incident last year played a role in this decision? [0] I'm guessing they wouldn't announce it for fear of boycott, but who knows.

[0] https://www.cnbc.com/2023/09/14/caesars-paid-millions-in-ran...