So what you meant was: this isn’t enough evidence to change my mind.

No.

One thing getting more upvotes than another isn’t somehow evidence that reddit is manipulating anything. There’s no immutible law that the original source of something should naturally get more upvotes than anything else. I find that the opposite is most often the case, even when the re-blogged story is crap.

That is not a repost, this is an other article from ProPublica

Ah, I just assume that was a slightly different title for the same article. Maybe a mod made the same assumption.

Are you joking with me? They are using a paraphrased title.

Well, the first part is. But, I don’t know what “munching” means. The second part of the Ars title actually says what it’s about. Don’t get me wrong, I can probably make a guess. But when you’re scrolling social media, I don’t think anyone is stopping to think about what a title really means. If it’s not obvious at first glace most people are just scrolling by. The Ars title, at least to me, skims as “AI bad” since those are the words anchoring each end of the title, that’s probably enough all by itself to get some people to upvote.

I am really curious, what sort of evidence you want/expect to see?

Literally anything vaguely conclusive. I’m not saying you should go find more evidence for me or anything. I’m just trying to explain why I don’t find your evidence here convincing.

I suspect that Reddit has more than enough money to be competently shitty. So, if they are doing what you suggest, unless they fuck up or decide they don’t care, you might not be able to find solid evidence.

I don’t think that shows what you say it does.

First, deleting a repost is clearly not evidence of any kind of bias.

Second, maybe Ars is just more popular/trusted? Maybe it’s more upvoted because the Ars title is more meaningful, it’s super well known that people mostly only read the title.

I’m not saying reddit isn’t manipulating things, I’d be shocked if they weren’t. But this isn’t really evidence that they are.

It’s not even over USB by default. It’s an internal binary driver API. The USB part is a custom firmware for the ESP that exposes that api via USB that the people giving the talk wrote because it’s useful for pentesting / development of exploits for other Bluetooth devices.

Maybe we can find out for sure through the magic of the fediverse…

@antoniovazquezblanco@mastodon.social Is the “backdoor” mentioned in https://www.tarlogic.com/news/backdoor-esp32-chip-infect-ot-devices/ about what you shared in your RootedCON talk? If so, how worried should people using devices containing ESP32s be?

I don’t think is is a backdoor. At the moment I wouldn’t consider this article any more than FUD.

It’s unclear to me if the security company has actually said what the vuln is or not, but if it’s what was presented in the slides linked in the article this is at worst something that can be “attacked” from a computer connected via USB (and I’m pretty sure it would also require special software already on the ESP32), where the attack is sending out possibly invalid bluetooth messages to try to attack other devices or flashing new firmware to the ESP itself. It’s not a general “backdoor” in the ESP32 itself. At least that’s the best interpretation I’ve been able to make. Happy to be corrected if anyone finds more info.

I mean, if it were a backdoor, the one thing you can be sure of is that the people who put it there wouldn’t be calling it a backdoor, ever.

Though, I think it’s worth pointing out that the while the security company’s blog calls whatever it is a “backdoor”, “backdoor” (nor “puerta” (though, I have no idea if that would be translated literally or to something else)) doesn’t appear in the the slides. So I’m going to lay that one at the marketing people trying to drum it up into something more impressive than it really is.

Huh, that is interesting. Though, that post doesn’t seem to have any info about what the backdoor is either.

Tarlogic Security has detected a backdoor in the ESP32, a microcontroller that enables WiFi and Bluetooth connection and is present in millions of mass-market IoT devices. […] This discovery is part of the ongoing research carried out by the Innovation Department of Tarlogic on the Bluetooth standard. Thus, the company has also presented at RootedCON, the world’s largest Spanish-language cybersecurity conference, BluetoothUSB, a free tool that enables the development of tests for Bluetooth security audits regardless of the operating system of the devices. [Emphasis mine.]

Maybe the presentation has nothing to do with the actual backdoor?

Though, this part later might seem to imply they are related:

In the course of the investigation, a backdoor was discovered in the ESP32 chip, […] Tarlogic has detected that ESP32 chips […] have hidden commands not documented by the manufacturer. These commands would allow modifying the chips arbitrarily to unlock additional functionalities, […].

Which, best I can work out, seems to be talking about the information on slide titled “COMANDOS OCULTOS” (page 39 / “41”).

If the “backdoor” is the couple of commands in red on that slide, I maintain what I said above. If it’s not talking about that and there’s another “backdoor” that they haven’t described yet, well, then ¯\_(ツ)_/¯ we’ll see what it is when they actually announce it.

I fully acknowledge there may be something I’m missing. If there’s a real vuln/backdoor here, I’m sure we’ll hear more about it.

What is this article on about?

Here’s the actual presentation: https://www.documentcloud.org/documents/25554812-2025-rootedcon-bluetoothtools/

I don’t speak Spanish and only have the slides to go off of, but this doesn’t sound like a “backdoor”. This sounds like they found the commands for regulatory testing. To do emissions testing you need to be able to make the device transmit on command so that your testing house can verify you’re within legal limits on everything.

These are commands that can be given over USB. You know what else you can do over USB? Fucking anything, these chips have a JTAG USB device. (Now, if these are commands that can’t be turned off, that would be kinda bad, I guess? But still not really a super big problem. And I don’t see anything that implies that in the slides.)

[Edit: It’s not even that this is a “backdoor” in an internal peripheral interface. I think the “backdoor” is if you have software that exposes that interface somehow? Like you’re running an example that blindly copies stuff from an external UART to this interface? Like I think that’s it?]

The tone I get from the slides is more “hey we found this cool tool for doing Bluetooth stuff that doesn’t require writing embedded software”. Which, cool. But that’s sure not the point this article is trying to make.

It doesn’t sync to homeassistant, but I use a Xiaomi scale with openScale off of F-Droid. There’s a few different scales supported: https://github.com/oliexdev/openScale/wiki/Supported-scales-in-openScale

I asked nicely why do I need to give my phone number and I was told that to register me as a member so I can get the discount.

I declined and said I don’t want to join and would like to just pay.

I’ve just said “I don’t have one” when asked this for awhile. This never seems the phase the cashiers, I’m guessing they know what that really means. Half the time I still get whatever discount, though I’ve never tried to sign up for a membership saying that.

If it’s an online form my phone number is just (local area code)555–5555. I’ve never had that not take, except for one case where it automatically enabled 2-factor auth and I had to create a new account.

deleted by creator

They may block IP addresses associated with consumer ISPs. Assuming that’s the case, I would guess you’re seeing that as an HSTS/TLS error because their network is trying to trick your browser into redirecting to/displaying an error page hosted by some part of their network.

[edit: To be clear, I assume the part that OP is not sure if it’s satire or not is “or switching to a more privacy-conscious browser such as Google Chrome.”] The emphasis in

Firefox is worse than Chrome

is in the original. To me that clearly implies that they are of the opinion that in general Google & Chrome are worse on privacy than Mozilla & Firefox. The comment at the end is just tongue in cheek snark alluding to the fact that in this particular case google did better for privacy in Chrome than Mozilla in Firefox.

or switching to a more privacy-conscious browser such as Google Chrome.

Definitely satire, the context from earlier:

2. Firefox is worse than Chrome in their implementation of ad snitching, because Chrome enables it only after user consent.

IMO, the best free option is https://freedns.afraid.org/. The biggest downside of that one is that you have to login a couple times a year (IIRC?) to keep it active. I actually still use this even though I have a paid domain, I just CNAME my real domains to the afraid dynamic name. That was easier than changing the config every time I become unhappy with my domain registrar and have to reconfigure everything after swapping.

I’ll start off with a proviso, I haven’t s much touched my Librem 5 in at least a year (maybe even 2?), so if they’ve had some massive turn around in that time I don’t know about it. All of this post is just what I think I remember, if you want actual facts go dig around in the wayback machine or something.

The promise of the L5 was super grandiose. They were going to create this mobile device that could completely replace your android device. It was going to launch with a custom matrix client that would let you make voice and video calls, which no other matrix client at the time could do. It was gonna be great and it was going to be delivered in a year.

Now clearly that was never going to go off without a hitch. I don’t blame them for being late nor for not delivering all their promises right at launch. But when things started getting delayed they seemed to be doing everything in their power to not communicate with backers. And anytime they would say something, they would say “well we didn’t hit that deadline, but we promise we’re totally super duper close now”. And then they’d blow through that deadline without a word too.

I did eventually get my phone, obviously, but it wasn’t anything like a usable device. The battery that it came with was smaller than advertised and it didn’t have any power management so you got a few hours of battery life. The cameras just didn’t exist as far as the software was concerned. The privacy switches would randomly kill power to the modem when you lightly brushed against them without the switch moving out of the ‘on’ position. Which was super annoying since you had to reboot the phone any time you wanted to turn the modem back on. And rebooting took ages.

Even at this point I was still rooting for them to succeed. I really want a proper Linux phone and have since 2008.

But ever since then, I really haven’t seen much of anything change with the software, at least for as long as I was paying attention to it. One of the cameras got support added by a community member at some point, but the pictures it was taking were so bad it looked like some 1999 digital camera taking pictures in a dimly lit room even in full sunlight. There was no way to know if an application in their store was going to work or not, most didn’t, mostly because they were meant for a larger screen & a mouse.

I pulled it out a few times on and off over the years, but the last time I did, I couldn’t even figure out how to get it to update. So, I haven’t really even touched it since then. (I’ve got it out connected to power to see what it’s like now. Though, I’m not sure it’s charging, is flashing green (with an occasional flicker of red) a good thing?)

Since receiving it, the only communication I’ve gotten from Purism has been “Investment Opportunities”. I’m not sure why I’d invest in a company that still hasn’t delivered what it promised me over 5 years ago.

I absolutely want them to succeed, and I hope they prove my pessimism wrong, but at this point I absolutely would not put my money on that happening.

As the owner of a Birch batch Librem 5 and former defender I’m sad to say, agreed.

You’re not mistaken, it is definitely possible with at least RSA, though, I would guess it may not always be possible. It also sounds like it’s still a bad idea unless you know all of the parameters used to generate the keys and can be sure what information is actually encoded in the keys.

That doesn’t mean the issue wasn’t/won’t be escalated. It might even mean it’s more likely since someone bothered to make a response macro for it, they presumably got more than one or two emails about it. So it’s probably more likely to make it on a “list of issues we saw this week/sprint/month/quarter”.