Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
denysvitali 4 hours ago

Disclaimer: This comment is not intended to be political - I don't care about the specific party she's part of.

Out of all the people I would trust on the matter, Kamala Harris doesn't certainly end up at the top of my list, for reasons such as this one: https://youtu.be/O2SLyBL2kdM?si=Zq-EN8zxj4Y_UCwI

You also don't need to be in classified meetings to understand that Bluetooth/ BLE (and specifically the way most vendors implement the spec) is not as secure as other more battle-tested technologies

ahoef 4 hours ago | parent | next [-]

What she says isn't necessary untrue, now is it? She just skips a lot of steps most people have no clue about.

I had files in a cabinet, now they are digital. And most often also on a cloud drive, which is metaphysical in some sense. For most it is indistinguishable from magic.

dijit 4 hours ago | parent | prev | next [-]

I think many people would be justified in making the argument that bluetooth has existed for at least 20 years and thus is the established battle tested protocol.

denysvitali 4 hours ago | parent | next [-]

Yeah, but Bluetooth spec changed a lot over the years (3000+ pages) and the certification price is rather expensive.

There's an interesting article from Wired [1] about this, although some interesting comments from the engineers working on BT stacks are far more interesting. It seems like most of the manufacturers do not create spec-compliant devices, and that the tests from the certification are just poor.

I'd love to hear more from an expert on the topic, but this looks to be the consensus.

[1]: https://archive.ph/6201V

balou23 21 minutes ago | parent [-]

I'm by no means an expert, but I've recently implemented a small BLE based IoT device, and had a look at the security/privacy of a medical BLE device.

Some points:

* there's a real lack of quality, up-to-date documentation. I would have thought that at least on Linux you'd find some documentation, but most of it seems to be "RTFS".

* BLE is in general very unfamiliar to most developers. There's no client and server, there's central and peripheral. GATT profiles are a mix between TCP connections and binary REST-ish interface.

* Encryption/authentication is possible, but depending on the manufacturer's API/quality of documentation it's not really apparent a. how to select a secure connection method b. how to even check if and which authentication/encryption was chosen

* Coming from the previous point, many BLE devices have the same generic GATT profiles, sometimes with the same sample data. This looks like a lot of BLE devices just copy&pasted sample code from the manufacturer and added the minimal changes "to make it work"

* It's probably really easy to do passive/active fingerprinting to find out the manufacturer and/or chip version used in a device. Default services, ordering of advertising options etc

* Many BLE devices are not conformant. Uninitialised name fields with garbage in them ("Device Name: WHOOP\020��=u5״\023n"), manufacturers using random identifiers that clearly don't belong to them

* when doing passive BLE sniffing: the biggest obstacle isn't getting data. It's how to filter it. One of the most useful filters of the nRF Connect app for android is to filter out all advertisement packages for apple and ms devices, to cut down the overwhelming amount of such devices

IshKebab 3 hours ago | parent | prev [-]

I think people are generally aware of how low quality the Bluetooth protocol suite is though so maybe they'd guess that extends to security too.

I definitely remember lots of folk security advice to keep bluetooth off on your phone back when smartphones were new (nobody does that now though, and Android auto-enables it these days).

quesera 3 hours ago | parent | prev | next [-]

> doesn't certainly end up at the top of my list

There hasn't been a POTUS or VPOTUS with a technical background in the last 45 years (Jimmy Carter was a nuclear engineer). So obviously none of them would be authoritative on such topics.

However the individual in question is not delusional or conspiratorial, and we know for sure that they are receiving advice or restrictions from extremely well-informed sources, so there's every reason to believe they are (lo-fi) repeating that.

ycombinary 3 hours ago | parent | prev | next [-]

It's essentially a statement about the view of gov security, not about the view of an individual.

janez2 an hour ago | parent | prev [-]

you have a tracking "si=..." parameter in the youtube link

denysvitali 31 minutes ago | parent [-]

Too late to edit. I missed that, sorry!