packtreefly's comments

It's painful, but I've grown distrustful enough of the ecosystem that I disable updates on every IDE plugin not maintained by a company with known-adequate security controls and review the source code of plugin changes before installing updates, typically opting out unless something is broken.

It's unclear to me if the code linked on the plugin's description page is in any way guaranteed to be the code that the IDE downloads.

The status quo in software distribution is simultaneously convenient, extraordinarily useful, and inescapably fucked.


They exist. Services treat control of the number as equivalent to control of the account, and expect you to maintain that control.

Throwaway phone numbers are not a viable low cost or no cost alternative in most normal user signup scenarios, and they're implemented as a privacy invasive form of spam prevention for that exact reason.


> It’s surprising how something that seems harmless, like a simple recovery page, can actually hide some pretty serious security risks.

This is something you should include in any personal security checkup. Attempt account recovery using every allowed mechanism. The rules for recovery change over time in a way that classical login doesn't.


"ThE tAx CuT pAyS fOr ItSeLf"


I put the passkeys in a password manager, then lock the password manager with multiple physical Yubikeys, keeping several in secure storage.

This same pattern works for Google/iCloud accounts.


>I kinda just don't get wireless CarPlay/Android Auto at all.

In addition to your argument, wireless CarPlay is also notoriously unreliable.[1]

[1]: https://www.google.com/search?q=wireless+carplay+not+working...


If the dongle acts as a WiFi AP with a DHCP server, it could give the iPhone an IP address but no gateway upon connection. This will cause the iPhone to talk directly to the dongle via the WiFi interface, but talk to the rest of the internet via the cellular connection.

You can determine this by checking the WiFi network's properties after the connection is established. If there's no value in the "Router" field, that's how it works.

Once you load the firmware update page, JavaScript on the page instructs the browser to fetch the firmware payload from a server on the public Internet, then relays that data to the dongle's web server to execute the firmware update process.

As the other reply mentioned, this can be tricky, as CORS likes to prevent this kind of data transfer for security reasons, but the right configuration on the web server will make it work.

It's a fairly clever setup.

If you want a low-tech way of confirming this design, try running the firmware update with a device that doesn't have two network connections, like a laptop, instead of a cell phone. If it doesn't work from such a device, the scenario I described above is probably how it works.
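As an added illustration of the relay described above (example code written for this page, not the dongle vendor's firmware page or the commenter's own code): the page served by the dongle fetches the firmware from a public host over the cellular path, then POSTs it to the dongle over WiFi. The browser will only let the script read the cross-origin download if the firmware host answers with a suitable Access-Control-Allow-Origin header; the upload to the dongle is same-origin, so CORS never applies to it. The dongle address, firmware URL, upload path and header values are assumptions, and the network is replaced by a constructed fake so the code runs offline under Node 18+.

```javascript
// Added example, not the dongle's code. Hostnames, paths and header values are assumed.

// The update page is served by the dongle, so the script's origin is the dongle's.
const PAGE_ORIGIN = "http://192.168.4.1";                   // assumed dongle AP address
const FIRMWARE_URL = "https://firmware.example.com/fw.bin"; // assumed public firmware host
const DONGLE_UPLOAD_URL = `${PAGE_ORIGIN}/update`;          // assumed same-origin upload endpoint

// Browser rule for reading a cross-origin response to a credential-less fetch():
// the script may read the body only if Access-Control-Allow-Origin is "*" or
// exactly equals the page's origin. Otherwise the script sees a network error.
// (With credentials included, "*" is rejected too; not modelled here.)
function corsAllowsRead(pageOrigin, responseHeaders) {
  const acao = responseHeaders.get("access-control-allow-origin");
  if (acao === null) return false;
  const value = acao.trim();
  return value === "*" || value === pageOrigin;
}

// Relay: download from the public host (cellular path), then upload to the
// dongle (WiFi path). Only the download is cross-origin. A real browser enforces
// the CORS check itself; it is modelled explicitly because Node's fetch() has
// no same-origin policy.
async function relayFirmware(fetchImpl, pageOrigin = PAGE_ORIGIN) {
  const download = await fetchImpl(FIRMWARE_URL, { mode: "cors" });
  if (!corsAllowsRead(pageOrigin, download.headers)) {
    return { ok: false, reason: "blocked by CORS: missing or mismatched Access-Control-Allow-Origin" };
  }
  const firmware = new Uint8Array(await download.arrayBuffer());
  const upload = await fetchImpl(DONGLE_UPLOAD_URL, {
    method: "POST",
    headers: { "content-type": "application/octet-stream" },
    body: firmware,
  });
  return { ok: upload.ok, bytes: firmware.byteLength };
}

// Constructed stand-in for the network. `acao` is the header the firmware host
// sends; null simulates a host with no CORS configuration at all.
function makeFakeFetch(acao, firmwareBytes = new Uint8Array([0xde, 0xad, 0xbe, 0xef])) {
  const uploads = []; // bodies the fake dongle received
  const fakeFetch = async (url, init = {}) => {
    if (url === FIRMWARE_URL) {
      const headers = new Headers();
      if (acao !== null) headers.set("Access-Control-Allow-Origin", acao);
      return new Response(firmwareBytes, { status: 200, headers });
    }
    if (url === DONGLE_UPLOAD_URL && init.method === "POST") {
      uploads.push(init.body);
      return new Response(null, { status: 200 });
    }
    return new Response(null, { status: 404 });
  };
  return { fakeFetch, uploads };
}

// Walk through the header values a firmware host might send.
async function demo() {
  for (const acao of ["*", PAGE_ORIGIN, "https://other.example", null]) {
    const { fakeFetch, uploads } = makeFakeFetch(acao);
    const result = await relayFirmware(fakeFetch);
    console.log(`ACAO=${acao === null ? "(absent)" : acao}:`, result, `uploads=${uploads.length}`);
  }
}
demo();
```

The practical takeaway matches the comment: if the host you control answers with `Access-Control-Allow-Origin: *` (or the dongle's exact origin), the relay works; leave the header off and the download is opaque to the page even though the phone fetched it fine.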


This is almost certainly the answer and clever as hell. You just have to make sure the server storing the firmware (which you control) has the right CORS headers (as you mention) and you are in business.

This means that the CarPlay device has no "internet" (spoiler: it never had real internet access) unless you are on that page interacting with it.

I'm not sure how these devices work, I mean I know they broadcast themselves as a CarPlay head unit then "somehow" pass that to the car via a wired connection (pretending to be a phone connecting via USB). "somehow" being the important part. Does it hand along an encrypted stream that it can't decode or does it decode/re-encode?

Either way I'd bet these devices are pretty safe to use. The phone sends a video feed, not raw "data", so the MitM (again, if that's how it works) would need to OCR the video to get anything useful, since the raw video would be too large to store and too heavy to transfer over cellular (via its own hidden radio, again, worst-case scenario).

If the device decodes the stream in the middle then the worst case I can think of is it could be doing on-device OCR and using a cellular radio to exfiltrate the text, but I feel confident that you could spot the cellular radio (or someone who did a teardown). Without the radio it has no way to get data off the device, which means the best it could do is sneak some out while you were on that update screen. Though I think that's all pretty far-fetched.

EDIT: I went looking for some way to act as a CarPlay receiver and get the raw video feed and it looks like it's possible [0], so yeah, a malicious device could proxy the connection, OCR the result, and send data via its own cellular connection, but that would be relatively easy to detect and not worth it unless you are the target of a nation state, at which point you have bigger problems.

[0] https://github.com/harrylepotter/carplay-receiver


> Does it hand along an encrypted stream that it can't decode or does it decode/re-encode?

It definitely does decode/re-encode audio streams, as music playback quality suffers quite a bit (both latency and quality).


If you want to capture what's going on, you don't need 120fps video. Take a low-res snapshot every 5-10 minutes and send it off. It doesn't need OCR or anything fancy. That's still a ton of information, with very little bandwidth.


To keep with that analogy, customers expect the SaaS company to respond to the HTTP requests for free, but you still have for-profit factories producing servers...


SaaS exists mostly as a rent seeking strategy. It doesn't make that much sense for most software.


No. I used both of them when migrating from LastPass, and found that Bitwarden only supports four or five types of entries, which ultimately drove me away from the product.

The rich entry types from 1P and LP are nearly all converted to Notes in Bitwarden. Great product otherwise.


That's the endgame I see.

Oligarchy. Kleptocracy. Morons cheering because they're deluded enough to believe that the definition of "pork" is when the government transfers money directly to lower and middle class via paychecks.

Congress will authorize contractors to do these jobs instead. We get back privatized versions of the old government services at a higher price, and the money goes into the bank accounts of the rich.

I'd like to read the CBO report on what this shit will actually cost over ten years.

