Breaking into apartment buildings in five minutes on my phone

There's a reason for that. I ran across a video recently that talked about how his dad would replace an engine over the weekend. But then he showed what the old cars looked like under the hood (very simple with lots of empty space) and new cars (very complicated). More importantly, he showed the manuals that came with the car. The old car's manual showed how the engine was put together and explained what everything did, and how to rebuild it. The new manual was only full of warnings and told you to take it to the dealer for everything.

Think about how I (and probably you) learned computers. My IBM PC has a manual that has a page just to show where the power switch is and how to use your hand to flip it. It has a diagram for what the keyboard cable looks like when it's plugged in correctly. It continues on and on and tells you how to open it and what the dip switch settings do. People always thought I was a computer wiz kid when I all I ever did was read the manuals and try out what they said.

That's a fun analogy to think about. One side of it holds up: People don't know how to pop their hood now because they don't need to.

But on the other hand, cars before the 1990s were infinitely simpler to grok and to fix than modern vehicles. The learning curve was much gentler, and really no specialized knowledge was required. Changing the timing on your engine was easier than putting together an Ikea cabinet. Now it requires specialized equipment.

The opposite is true of computers. It has never been easier to snap together a cross-platform app to do almost anything than it is today. Friendly scripting languages, APIs for access to every kind of sensor and data imaginable, and devices fast enough to run terrible code at reasonable speeds. Almost everything you would have had to do from scratch hand in the 1980s has been done for you; a huge amount of coding now is just plug and play. And basically everyone in the first world has access to the necessary equipment to write their own code.

> now many people need to consult the manual to figure out how to pop their hood.

Sorry to be the bearer of bad news, but auto manuals haven't included such technical information for close to two decades.

I never thought about that, but it's true. My dad and every guy his age in my hometown can talk about cars nonstop. They'll go on for hours about changing the oil, messing with the transmission, or whatever (I don't know what they're saying--I'm a millennial and I'm used to vehicles that Just Work™).

Meanwhile, my friends and I can go on about the most banal computer stuff and my parents have no clue what we're talking about or why it's interesting to us. Kids probably don't either.

We won't be able to do it either soon, as they will mandate connecting with it through an app and we're like fuck that. (if we're not already there)

I have heard that told with “VCR” in place of microwave. We still have a microwave that needs clock set when power fails. We do not have a VCR.

> Nobody is going to make a single "dd" typo and erase their drive.

Alas, how does one learn if one cannot dd the wrong hard drive, wiping all the films you've spent most of the summer illegally downloading at night because you only had a dial up connection at the time.

I mean, I'm considered gen Z and I've definitely dd-ed my fair share of drives...

So true. Fortunately I had my kids (well one of them anyway) recently complain to me about how their teachers "don't know anything about computers" and how they "cheated" by using actual computer software that was much better than the "mandatory to use" software on the school tablets.

Not all hope is lost.

> (even if most phones and tablets really run a UNIX-derived OS behind the scenes).

Key phrase being "behind the scenes", iOS completely obscured the concept of files to its users for a long time. I don't remember how downloading files off of a website worked though.

It's unbelievably bad.

I know 3rd and 4th year IT/Cybersecurity students that don't understand how to ssh into servers and the different layers of the OSI model.

I hate to sound insufferable, but I really truly believe some people are just too stupid for this field.

I'm so sick of dealing with them.

Yay job security?

Yikes – this GenXer remembers being told the tools found in my account were grounds for expulsion but the meeting ended with employment.

In high school (2000) I had a course where I downloaded some (freely available) videos for my project. The wrong person caught wind and hauled me in under the computer policy that everyone signed that said “I promise not to download anything”. I made my case that it was 1) condoned by my teacher, 2) relevant to my project, and 3) literally going to websites downloads files (cookies were just stored in a folder back then, as well as temp files for caching) so everyone is in violation.

Had they actually found out about the fact that we bypassed security measures on a bootable CD-ROM that allowed us full system access, including a nifty Visual Basic launcher to install Quake and GTA, or that we figured out every computer used VNC and they all had the same password stored in plaintext in the registry (which we accessed via that bootable media), or that we figured out the same password accessed every networked printer in the county so we could print our school’s logo on that week’s rival school’s printers in barely off-white ink…they’d have had a good case.

The dark ugly places I travelled on IRC or BBS as a youngster. I saw a lot.

Some can still learn in spite of that, however.

Arguably, that's even why some gravitate towards it in the first place.

Its not the same. Nowadays you press a button in steam and the game is installed for you and just works. It does not provide an entrance into technical layers like configuring the soundblaster irq in config.sys did.

I've seen both sides- my nephew is large into pc gaming, but is woefully unaware of how to operate a computer in most capacities. I only realized this when trying to help him troubleshoot and realizing he didn't really understand the concepts of archives or even folders.

I don't even know how that's possible because he plays modded versions of some of his games- how you get by without knowing what a zip file works at the surface level is a mystery to me lol.

One of my favorite talks: https://www.youtube.com/watch?v=a9b9IYqsb_U (Deviant Ollam - This Key is Your Key, This Key is My Key)

I didn't propose to leave your door unlocked. It was a cynical take on how much hurdle most locked doors are when someone is determined to get access. Maybe I am that cynical because I attended a lockpicking tutorial once (CCC Camp summer 2003, fun with tech at 37C temperatures, good old times), and as a tech person with some interest in security, learnt my share about social engineering (mostly to pretect myself).

I've definitely worked somewhere they tell all the users they have individual codes, not to share them, and if there is unauthorized access it can be traced who leaked their code. Everyone gets told the same story and given the same code.

In my area of London, burglary is a virtually abandoned trade.

Anyone with anything of value works from home at least part of the week. Why risk entering someone's actual house when you can make easy money on drugs, fraud, crypto, bicycle theft, phone snatching, or umpteen other hustles I don't even know about.

Bicycle theft especially. You could easily clear a grand or two a week with zero fear of prosecution.

There's enough bandwidth to go around nowadays that alarms can send regular keepalives (which doesn't mean all of them do).

If the keepalives stop coming without a proper disarm signal, a fault is raised.

Some old alarms had a weaker version of this, where they would dial the security company whenever the door was opened, and then again when the alarm was disarmed. If the second call didn't come in time, the company would instantly know that something was up.

This protected against thieves that would enter the house and smash the alarm before it had time to activate.

These days, alarms use quantum entanglement. Beat that :)

But it drastically reduces the number of plausible key strokes, so you might just give your luck a try.

Anyone wearing a maintenance uniform and carrying a step-ladder could surely find a way in via an overly helpful victim.

The only gated community / apartment complex's I've ever seen where that was not normal are a subset of the ones that have an on-duty guard - specifically the subset with guards who recognize all the occupants and take the information of anyone they don't recognize.

They're doing a great job of "protecting" themselves from feeling anxious about Bad Things somehow happening.

For an all-too-large fraction of humanity, that's the "protection" which actually matters.

My townhouse HOA decided it was totally worth money to replace our fob system with a system that's deliberately incompatible with Homelink. They claimed without evidence that used car sales were a severe security risk.

Nevermind that you can wave any conductor under the gate to trigger the egress wire loop sensor, or just wait a minute or two for someone else to go through. From 6AM to 10PM the other gate is simply open, too.

Now I have to pay more for crappier fobs with worse range. It's deeply disappointing.

Nah, it's to deflect customer support contacts. Which often in the case of ISPs, results in a truck roll which is hugely expensive.

It's also the law in the EU.

German fritzbox routers (the most common non-isp routers here, and actually very capable) have a fully random password

Idk in Romania routers come with random passwords.

https://imgur.com/a/x915ZfO

That's usually the wifi password, not the admin password.

>Did anyone think to at least try to add OCR-ing those labels on our phones to automatically enter the wifi password?

You can do that easily on iOS, I'd be surprised if Android didn't allow it as well...

Tap in the password field, tap Autofill from the popup, and tap Scan Text.

A lot of inns and B&Bs in tiny towns etc. have these complicated passwords that seem like overkill. You're probably right that they're some sort of default. Even if they're not 12345, it seems as if they could be something pretty simple and that would be fine.

QR codes?

https://qifi.org/

You can generate and print a QR code. It's quite a nice solution

google lenses works for this as an OCR copy & paste

Technically it depends on the interpretation of "עֵ֥ד" and "בְרֵעֲךָ֖" whether that commandment is admonishing against telling any lie, just lies in court when making a legal accusation against another person, or somewhere in between.

Even if we accepted the premise that one book should be the basis of all morality, this one contains within itself contradictions, satire, sarcasm, and a community context we no longer have: with individual quotes I can make anyone look like a hypocrite.

To my mind the more interesting question is, does a singular community condemn a behavior in out-group members that they tolerate or even praise in in-group members?

[flagged]

It's not for the benefit of the potential convertees, it's for the benefit of the ones doing the converting.

Yes. I'm no longer a Mormon, but I baptized around a dozen people on my mission and they were all found from knocking on doors. But this was also thirty years ago, before the internet was a thing for most people.

Less likely to speak English in my experience.

This is way better than a rock. It raises no suspicion and leaves no trace. Maybe it doesn’t matter for burglary, as you’re probably going to take things anyway, but if you want access anyone knowing you were there this is gold.

In fairness I think that these "locked doors" are to keep the homeless/drug users out or kids starting fires not really burglars.

In a lot of modern buildings the elevator will not let you up to any floor unless you've been admitted, so the rock won't do you much good unless you also use it to smash the lock on the elevator control panel and override the security there.

They unlocked a lot more power than simply getting into buildings.

I was a rebellious teen. I'm not proud of it now.

Breaking the rules so bad that the ability to even interact with the thing the rule was made for was taken away?

The author contacted the current and former vendors, got a flippant answer, asked again, and was ghosted for two weeks.

I see here a desire for a random person to accept a staggering amount of your personal responsibility. Anyone under long-term active threat without defense-in-depth redundancy isn't someone I can save by waiting longer before disclosure. I am frankly amazed you expect so much from a stranger for so little benefit.

It is fucking chilling -- that the publisher would do this, in the first place, and blow him off now, too.

Why don't YOU pick up what you said, and start contacting apartment buildings and police? How many of those half-dozen ways you mentioned will YOU act upon?

> But they should face consequences if they were irresponsible, regardless of intention.

Intention is important.

If their intention is to highlight that a problem exists, then sure. They should be forced to participate in resolution (at the very minimum). As for liability? No, that definitely belongs on the owners of the insecure devices.

If their intention is to show to "the bad guys" where the spots are vulnerable? Then yes, they are partly culpable.

Again, being a good samaritan (showing that a problem exists) should NOT make you liable for the problems that already existed.

> you also should wait for as long as you reasonably can

That word, "reasonably", is loaded. I think waiting a couple of months is perfectly reasonable when being stonewalled by other parties, especially the owner.

> that means waiting more than 2 months over a holiday season

Yup, sure, because thieves definitely don't operate during holiday season. And please ask Russia and the US to hold off on their nuclear war. It's called Nuclear Winter, but that doesn't mean it has to happen during Winter, right?

> This is fucking chilling.

The problem existed before the announcement was made. You think it was chilling before? Just imagine that nobody who was capable of fixing it didn't know about the problem. So it could be abused without anyone being the wiser. That is fucking chilling. It's chilling that people would be more upset about the announcement and less upset about the apartment building owners not fixing the problem in the first place. That is fucking chilling.

[flagged]

So change it afterwards. Good defaults are important. If someone doesn't change it, it's important that they be on the right path instead of...this one.

(See also: opt-in versus opt-out for retirement plans, organ donation...heck, even this from yesterday: https://news.ycombinator.com/item?id=43144611)

You can always change the passwords. I was bringing this up as a solution to the default passwords issue. You don't want to have a static default password used by everyone, so you need the initial password to be randomized. People are dumb so you need to print it on the device. There is no need to default to cloud-based authentication to close the default password security hole.

If it's too hard for a guest to type in a password, you can also have them join by scanning a QR code. Obviously this works better for phones and tablets with QR scanning built into the camera, but that's what guests are frequently using.

https://en.wikipedia.org/wiki/QR_code#Joining_a_Wi%E2%80%91F...

Wifi password != admin password. The admin password should be random and then you can change it when you take ownership of the device.

> I don't want some complicated random password.

It doesn't have to be complicated. A random passphrase can be much simpler and include significantly more entropy: four to six words plus a six-digit number. Any password generator worth a damn can generate something like this.

No device comes off the shelf with OpenWRT. If you're the type of person that's aware of OpenWRT and then install it, it's not that far of a stretch to think you'd also be the type to know to check the password.