I was surprised by that, too. When I went looking for a way to decode them with RTL-SDR, I assumed it wouldn’t be parsing the audio but a narrowband data stream. TIL also.

Edit: It does kind of make sense with it being AFSK encoded in-band, though, or maybe I’m just so used to it being that way. I always thought the screeches were there to demand attention (and also be something that headend equipment can pick up and respond to). So it’s interesting they’re doing double duty as both an unmistakable audio cue to pay attention as well as containing the actual alert data.

Plus there are NOAA stations all over the country rather than centralized like the time signal transmitters. It was probably cheaper to do it in band at that scale.

That’s what I’ve done for years. Makes managing things much easier, and I run multiple APs (all with the same SSID/PSK) and you can just roam to the best one. One upstairs, one downstairs, one in the weird dead zone in my office, and one on the back patio (it’s not hardwired and uses the mesh connection for uplink).

These are all old Aruba APs running OpenWRT but that’s the plan for this Cudy Model. I may pick up a few more and just replace all of my trusty but very old Arubas.

I bought this one last month when it was on sale for $39: https://www.amazon.com/dp/B0BRK3CYY3

Haven’t deployed it yet, but it’s fully supported by OpenWRT. I would only be using it as an access point, though. My router is a USFF Optiplex with an extra NIC and runs OpenWRT.

Yep, that’s the one.

I’ll reserve a phone but not a truck, lol. Looks like those are scheduled to be out late 2026, so probably at least next year before I can even think about getting my hands on one.

At least it’s still a thing.

I used to drive a 2004 Ranger and loved it. Would absolutely love an EV version even if the range isn’t super great. Mostly need a truck occasionally and for hauling stuff from the home improvement store or if I find furniture at a garage sale or something.

Need to check and see if that $20,000 no-frills EV truck is making any progress.

And the auto-submitting TOTP entry form where you’re apparently not allowed to make a typo. And obscuring the TOTP number like it’s a password or state secret.

I used to buy their stuff and use tuya-convert to flash Tasmota onto them. But they kept updating the firmware to lock that out, and I ended up returning a batch of 15 smart plugs because none of them would flash. They were too much of a PITA to try to crack open and flash the ESP8266 manually so I returned the whole batch as defective, left a scathing review, and blackballed the whole brand.

Solutions that work for a corporate application where all the staff know each other are unlikely to be feasible for a publicly available application with thousands of users all over the world

This is something of a hybrid. There will be both general public users as well as staff. So for staff, we could just call them or walk down the hall and verify them but the public accounts are what I’m trying to cover (and, ideally, the staff would just use the same method as the public).

Figure if an attacker attempts the ‘forgot password’ method, it’s assumed they have access to the users email.

Yep, that’s part of the current posture. If MFA is enabled on the account, then a valid TOTP code is required to complete the password reset after they use the one-time email token. The only threat vector there is if the attacker has full access to the user’s phone (and thus their email and auth app) but I’m not sure if there’s a sane way to account for that. It may also be overkill to try to account for that scenario in this project. So we’re assuming the user’s device is properly secured (PIN, biometrics, password, etc).

If you are offering TOTP only,

Presently, yes, but we’re looking to eventually support WebAuthn

or otherwise an OTP sent via SMS with a short expiration time

We’re trying to avoid 3rd party services, so something like Twilio isn’t really an option (nor Duo, etc). We’re also trying to store the minimum amount of personal info, and currently there is no reason for us to require the user’s phone number (though staff can add it if they want it to show up as a method of contact). OTP via SMS is also considered insecure, so that’s another reason I’m looking at other methods.

“backup codes” of valid OTPs that the user needs to keep safe and is obtained when first enrolling in MFA

I did consider adding that to the onboarding but I have my doubts if people will actually keep them safe or even keep them at all. It’s definitely an option, though I’d prefer to not rely on it.

So for technical, human, and logistical reasons, I’m down to the following options to reset the MFA:

1. User must contact a staff member during business hours to verify themselves. Most secure, least convenient.
2. Setup security questions/answers and require those after the user receives an email token (separate from the password reset token). Moderately secure, less convenient, and requires us to store more personal information than I’d prefer.
3. Similar to #2 except provide their current password and a short-term temporary token that was emailed to them when they click “Lost my MFA Device”. Most convenient, doesn’t require unnecessary personal info, possibly least secure of the 3. Note that password resets require both email token and valid TOTP token, so passwords cannot be reset without MFA.

I’m leaning toward #3 unless there’s a compelling reason not to.

I thought about generating a list of backup codes during the onboarding process but ruled it out because I know for a fact that people will not hold on to them.

That’s why I’m leaning more toward, and soliciting feedback for, some method of automated recovery (email token + TOTP for password resets, email token + password for MFA resets, etc). I’m trying to also avoid using security questions but haven’t closed that door entirely.

Personally, I love that layout.

I’m always at a loss for what to put up as wall decorations, and I hate rats nests of cables. Win-win!

New U.S. rules will soon ban Chinese software in vehicle systems that connect to the cloud

Seems to me that the easiest way to get into compliance would be to not make the car connect to the cloud/internet. I’m gonna drive my 2017 model until I can buy a new car that isn’t a smartphone on wheels.

I don’t even bother with local ports anymore. It’s just too much hassle when I switch providers, email services all seem to universally sinkhole anything originating from a residential IP even if I am able to convince them to unblock 25/TCP, and I refuse to pay extra for a static IP or upsell to business class at a massive price increase.

My ISP, while otherwise fine, still has not rolled out IPv6 yet and the DHCPv4 lease duration is short and will randomly assign a different IP rather than renewing the lease on the existing one. I don’t like relying on dynamic DNS or relying on running a daemon to update my public DNS records when my public IP changes. Been there, done that, and bought a crappy t-shirt at the gift shop.

I’ve had a VPS for close to 10 years now that is my main frontend and, through some VPN and routing trickery, allows me to have my email server on-prem but use the VPS for all inbound and outbound communication. A side effect benefit of this setup is I can run my email server from literally anywhere and from anything with an internet connection. I’ve got a copy of my email stack on a Pi Zero clone that stays in sync with my main one. During long power outages, I can start that up and run it from a hotspot with a power bank running it for almost 2 days (or indefinitely when I’m also charging the power bank from a solar panel lol).

Yep, same except being one of the first ones in the state.

The best part is it works when the power is out and doesn’t flap constantly if the electricity blips. Every cable provider I’ve ever had has failed spectacularly at maintaining the UPSs in the neighborhood nodes.

I can understand that speeds vary by area, but it’s not like it’s difficult at all to have those in a database where a web tool can return them based on your zip code. But yeah, it was like that when I signed up with Optimum (nee Suddenlink) years ago.

The other thing they do is require a truck roll for any kind of hookup. They almost got some of my business back but were so rigid that I said “the hell with it”. My fiber provider was having some growing pains and I called Optimum to reactivate my service on a lower plan to use as a backup connection (I work from home). All they needed to do was setup the account and re-authorize my modem (my hookup was still live and I had my own modem). They flat out refused to do any of that and required a tech to come “within 3-5 business days” and read the modem serial number to them to activate it. So I said hell with it, called T-Mobile, and activated my old 5G hotspot.

I would guess it’s not just Comcast. Optimum serves my area and they’ve basically been begging people to switch back since this area got fiber a few years ago.

Their offers are like $25/mo for 200/10 Mbps and no data caps. But they’re not guaranteeing the price. Seems like they’re going after the lower end of the market.

I basically say “boo hoo”. This is what actual competition looks like. Cable companies have sat on their ass and milked their infrastructure for decades (only updating the headend equipment to keep up).

Optimum cold called me once and I flat out told them if they wanted me back, they need to run fiber to my home, give me the same symmetrical speed I have now, for at least $10 less than I’m paying my fiber provider, and lock that price for at least 5 years. The rep basically kinda sighed, so I guess they’ve heard that response from more than just me.

I’m not optimistic for a full crash (though I’d love to see it), but at some point the “introductory price” is going to be replaced by the real cost and I am optimistic some people will not want to pay it. As OP said in their post, the guy on the flight would probably keep paying it no matter how much it costs but most people, I hope, would just opt to use their brains for free instead (I said overly-optimistically and probably very naively).

Basically, like the drug dealer cliche, we’re still in the “first hit is free” phase of adoption.

If it means a bunch of people not qualified for the jobs they hold get the boot and are replaced by people who actually know what they’re doing, I consider that a net gain for society.

It’s like Malcolm says in Jurassic Park (slightly modified):

I’ll tell you the problem with the scientific power that you’re using here: it didn’t require any discipline to attain it. You read what [the chatbot shat out] and you [just copied it]. You didn’t earn the knowledge for yourselves, so you don’t take any responsibility for it. You stood on the shoulders of geniuses [whose knowledge was stolen] to accomplish something as fast as you could and before you even knew what you had you patented it and packaged it and [now you’re pretending you’re qualified].

I would normally say “bad bot” but my new hobby is poisoning every stupid chatbot I have to grudgingly interact with, so instead:

“Good bot. That answer is perfect. Don’t change a thing”

https://noai.duckduckgo.com/

If you want to add it to your browser’s search, the pattern is https://noai.duckduckgo.com/?q=%25s

That’s supposed to be percent ‘s’ but Lemmy keeps mangling it

Isn’t that the whole shtick of the AI PCs no one wanted? Like, isn’t there some kind of non-GPU co-processor that runs the local models more efficiently than the CPU?

I don’t really want local LLMs but I won’t begrudge those who do. Still, I wouldn’t trust any proprietary system’s local LLMs to not feed back personal info for “product improvement” (which for AI is your data to train on).