• assimpleaspossi 9 hours ago

    Rode with a guy to visit a friend in a gated community. We didn't know the access code for the gate but the guy I was with is an Amazon delivery driver.

    "Let's see if I can't get us in," he said. He got out of the car, walked over to the access panel and looked on top, bottom and sides. Then he punched in some numbers and the gate opened.

    Turns out, so many people in gated communities and apartment complexes order things from Amazon, and other delivery services, and want front door delivery but don't give them any way to get in. Eventually, some frustrated driver who gets the code will write it on the side of the access panel to help everyone out.

    "Apartments are awful," he said. "College campuses are the bane of our existence. You would think that college kids would be smart about these things but they are the absolute worst."

    • jeffwask 6 hours ago

      > "College campuses are the bane of our existence. You would think that college kids would be smart about these things but they are the absolute worst."

      This is a huge misconception about GenZ. Unlike Millennials and GenX, who had to hack around on PCs to figure out how to torrent, run games, build our own LANs for local multiplayer, and generally avoid our parents' prying eyes, GenZ has grown up on devices. You don't modify the OS on devices. You don't hack around on devices; apps tend to just work with little configuration. GenZ is entering the workforce with lower baseline computer / computer security skills than people think they have.

      • ericmcer 4 hours ago

        Same, I just was talking with my daughter (16) about this because she hated her intro programming class in high school. No biggie if it isn't for her, slightly disappointing that I can't share knowledge, but she should pursue what she enjoys.

        What irked me was she claimed "I just hate being on the computer", but her screen time on the phone easily crests 8 hours daily. Maybe we are just entering a similar phase to auto mechanics. In the 1950s anyone who owned a car was at least somewhat proficient in its inner workings, now many people need to consult the manual to figure out how to pop their hood.

        • drivers99 3 hours ago

          There's a reason for that. I ran across a video recently that talked about how his dad would replace an engine over the weekend. But then he showed what the old cars looked like under the hood (very simple with lots of empty space) and new cars (very complicated). More importantly, he showed the manuals that came with the car. The old car's manual showed how the engine was put together and explained what everything did, and how to rebuild it. The new manual was only full of warnings and told you to take it to the dealer for everything.

          Think about how I (and probably you) learned computers. My IBM PC has a manual that has a page just to show where the power switch is and how to use your hand to flip it. It has a diagram for what the keyboard cable looks like when it's plugged in correctly. It continues on and on and tells you how to open it and what the dip switch settings do. People always thought I was a computer wiz kid when all I ever did was read the manuals and try out what they said.

          • ultimafan 3 hours ago

            The empty space in older cars is definitely a big contributor to how much simpler it was to work on them. Plenty of project cars I owned or worked on that had more than enough room in the engine bay to actually STAND inside between the frame and engine with the engine / wiring / hoses still present and both feet planted on the ground.

            Much less daunting and convenient to work on an engine or replace a part when you don't have to take off (and potentially break) a million other parts to get at what you want to replace and you actually have the room to see what you're doing instead of blindly groping around for something vaguely shaped like something you've only seen a picture of.

            That and the absolute sheer amount of electronics in modern cars. Older cars had the absolute bare minimal amount of wiring to the point that it was entirely plausible to more or less keep the wiring schematic in your head and even (speaking from experience) redo the entire wiring harness front to back on your own with a few different colored rolls of wire from a hardware store yourself.

            I can't imagine how people getting into the hobby now with newer cars feel looking at the unholy mess of endless amounts of wiring, sensors, mechanical parts all jammed together in tightly packed space efficient layouts probably designed by someone purely working on them in a digital space. On the bright side at least they have YouTube and better resources on the Internet to look up how to actually do something though.

            • giantg2 an hour ago

              I think a lot of the older cars either came with or were easier to buy the shop manuals. Those will tell you how to do basically everything. You can still get them for modern cars, but they're $100-250. Even then, many procedures require specialized equipment that most individuals do not have.

              • noduerme 3 hours ago

                Same. I learned to code as a kid by reading the manual that came with my brother's TRS-80 Model 100 "laptop". The manual contained a complete documentation of the BASIC language that came on the computer. The computer itself, other than a couple simple built-in note-taking and calendar programs, was mainly designed for you to write your own programs for your own use. I remember the first time when I was 8 years old that I got past IF and GOTO and figured out what an array was. Suddenly all kinds of things were possible.

                • noisy_boy 31 minutes ago

                  I think the crucial missing thing is being locked into undivided boredom. My mom would be getting her afternoon nap and I couldn't go anywhere so I just walked around the house, opened drawers and cabinets and boxes with old parts, magnets and whatnot and experimented with them. With zero distractions, no internet, no mobile phone, nothing. So either read a book (I read mine many times over) or tinker away. And I am still tinkering, just with software instead, while getting paid for it.

              • noduerme 3 hours ago

                That's a fun analogy to think about. One side of it holds up: People don't know how to pop their hood now because they don't need to.

                But on the other hand, cars before the 1990s were infinitely simpler to grok and to fix than modern vehicles. The learning curve was much gentler, and really no specialized knowledge was required. Changing the timing on your engine was easier than putting together an Ikea cabinet. Now it requires specialized equipment.

                The opposite is true of computers. It has never been easier to snap together a cross-platform app to do almost anything than it is today. Friendly scripting languages, APIs for access to every kind of sensor and data imaginable, and devices fast enough to run terrible code at reasonable speeds. Almost everything you would have had to do from scratch by hand in the 1980s has been done for you; a huge amount of coding now is just plug and play. And basically everyone in the first world has access to the necessary equipment to write their own code.

                • seplox 3 hours ago

                  > now many people need to consult the manual to figure out how to pop their hood.

                  Sorry to be the bearer of bad news, but auto manuals haven't included such technical information for close to two decades.

                  • tharkun__ 2 hours ago

                    Are you sure on your timing?

                    Just asking coz whenever I try to talk about what computers could already do or when something was invented in the 1960s or 1970s I tend to start with "well 40 years ago..." and then I look at the calendar and notice that it's 2025 and I'm officially old now and 40 years ago was more like 60 years ago.

                    And my car in 2005 definitely had no such thing and it wasn't a 2005 model.

                • freddie_mercury 4 hours ago

                  I saw someone joke that there's only one generation in the history of mankind that knows how to set the time on a microwave. Our parents couldn't do it. And now our children can't do it.

                  • roughly 2 hours ago

                    GenZ also grew up in an era where doing anything mildly interesting on a computer risks getting expelled and having the feds called. The shit I did to learn my trade as a kid would absolutely not fly today.

                    • StayTrue 2 hours ago

                      Yikes – this GenXer remembers being told the tools found in my account were grounds for expulsion but the meeting ended with employment.

                    • jhbadger 2 hours ago

                      Definitely. I recently taught a class with a practical computer component and many undergraduates seemed to have a hard time understanding where their files were saved -- even at a GUI level, not talking about the command line. But it makes sense if their primary tech experience was with phones and tablets. The idea of a file system may never have occurred to them (even if most phones and tablets really run a UNIX-derived OS behind the scenes).

                      • tharkun__ 2 hours ago

                        So true. Fortunately I had my kids (well one of them anyway) recently complain to me about how their teachers "don't know anything about computers" and how they "cheated" by using actual computer software that was much better than the "mandatory to use" software on the school tablets.

                        Not all hope is lost.

                      • wkat4242 43 minutes ago

                        Huh never knew that. Kinda good for me.

                        I noticed that even the generation that came after me (I was born in the 70s) produced IT engineers with a bit less skills because they've never had to mess with stuff. People these days are afraid to mess with the Windows registry even. I used to manually patch blocks together when I deleted a file by mistake.

                        These skills are getting less and less useful though now that everyone is happy to give up their privacy to big tech in return for something that 'just works' :(

                        • Terr_ 3 hours ago

                          [Millennial take] When older generations say "the kids these days are so good with computers", it's because they are incorrectly inferring competence from confidence. In a way, the kids are more capable, but mainly because of attitudes rather than knowledge.

                          The devices the (grand-)kids are using are much more explorable and idiot-proofed. Nobody is going to make a single "dd" typo and erase their drive.

                          • giantg2 an hour ago

                            "with lower baseline computer / computer security skills than people think they have."

                            I fear this is true with most life skills. Things are easier and it seems kids today are just handed more stuff. The freedoms and expectations in many areas are lower. Kids don't grow up due to age, they grow up due to experience. It seems we are pushing that farther down the road with each generation.

                            • RajT88 5 hours ago

                              Well - kind of. PC gaming is bigger than ever before, and PC gaming was how a lot of my generation got into computers.

                              My nephew for a while was very much one of those "grew up on devices" kind of kids - until he got off of gaming on phones and tablets, and got a gaming PC. Now he's reading about technology and tinkering and stuff.

                              • blueflow 5 hours ago

                                It's not the same. Nowadays you press a button in Steam and the game is installed for you and just works. It does not provide an entrance into technical layers like configuring the soundblaster irq in config.sys did.

                                • mardef 5 hours ago

                                  It's not the same, but I don't know if it's worse.

                                  My IRQ conflict resolution skills or knowledge about himem.sys aren't really useful these days.

                                  But I've seen GenZ kids do incredible things with Minecraft mods and the like that make me reminisce about Quake modding.

                                  The masses are just blindly using devices, but the masses didn't even have a PC at home 30 years ago.

                                  • EvanAnderson 2 hours ago

                                    > My IRQ conflict resolution skills or knowledge about himem.sys aren't really useful these days.

                                    Your ability to meticulously solve a problem using a systematic troubleshooting approach is always useful. You just happened to hone the skill w/ IRQ conflicts and himem.sys.

                                    • tharkun__ an hour ago

                                      Agreed. And while what we did to get into the details and discover are different, some kids still do.

                                      Heck I did the same. Dip switches galore. Did I know what an IRQ actually is on the OS level while solving IRQ conflicts as a kid? Heck no! Only years later when I no longer needed to did I understand what those actually are/were.

                                      The today equivalent of learning about autoexec.bat and config.sys to not load the cdrom driver because else this one game wouldn't start because it did not have enough memory is figuring out what's behind the Steam "Start" button and where the games "live" and how you can get what you want instead of doing everything through Steam.

                                      The kids that are the today equivalent of us in the old days do exist.

                                    • CapitalistCartr 3 hours ago

                                      (Smile) 30 years ago was 1995, when most people did. You're thinking 1985. Forty years ago.

                                      • k1t an hour ago

                                        In 1995 around 1 in 3 US homes had a computer.

                                      • neuralRiot 5 hours ago

                                        It used to be that if you wanted to do gaming on a PC you started by building the PC.

                                        • RajT88 3 hours ago

                                          I dunno... My C64 required very little assembly.

                                          • dingnuts 5 hours ago

                                            That hasn't changed. Of course there are pre builts but there were twenty years ago, too. I should know -- I had one. I built my third gaming PC myself.

                                            • tharkun__ an hour ago

                                              There were pre builts many years before your 20 years ago too. I used to build my computers myself as well 30 years ago and my dad did 40 years ago ;)

                                    • bombcar 4 hours ago

                                      I don't know if it's a "uses tech" issue or just not realizing the steps needed. Even we knew you had to go to the campus gate to meet Dominos after dark (when the gate would be automatically closed).

                                      There was no fancy intercom ability to remotely open it.

                                      • amatecha 5 hours ago

                                        Yeah, I know someone who works in a high school and the average skill level is "struggles to figure out how to save a document on a USB stick". Kids know how to press the power button on an Xbox or tap an icon on their iPhone. The staff member I know is aware of ONE kid in the entire school who has used Linux. When I was a kid, basically every single kid who had a computer at home (and actually used it) knew how to defrag the hard drive (and probably install Windows lol), set IRQ values for their sound card, all that kind of stuff -- because you had to know this to even use it. My friends and I went on BBSes and later stuff like IRC and Hotline, ran Linux or pre-release versions of our respective OSes, set up our own bedroom LANs and personal game/web servers, etc. etc.

                                        Indeed, as you say, I learned a lot about computers simply by wanting to circumvent the limitations that school admins put on the computers (especially as I wanted to utilize the full power the computers provided, as opposed to some sheltered/limited experience -- "At Ease" -- surprisingly reminiscent of smartphones/tablets today)... I went to great lengths to regain net access when my parents repeatedly revoked my access, again another huge learning opportunity.

                                        • ekianjo 3 hours ago

                                          Yeah, younger generations have no clue how to use computers. They just know how to consume content. The level of IT literacy is at all times low.

                                        • lynx97 5 hours ago

                                          Ahh, the modern version of the written note under the keyboard...

                                          In my area, there is a universal access key (physical) for postal service and newspaper delivery people. So if you want access to a random building, all you need to do is apply as a newspaper delivery guy, or, find one that is willing to give you that master key. To add insult to injury, that type of job is extremely low paying, so much room for abuse.

                                          Fact is, locks and closed doors are there to make the owners feel cozy and safe. If you ever needed a locksmith service and watched them do their job, you know your apartment door is just a prop.

                                          • rascul 3 hours ago

                                            When I lived in town, on a street that was somewhat common for people to walk down, twice (that I know of) someone had walked up, tried to open my door, then walked off after finding it locked. The amount of work to break into that house was quite minimal, but apparently a locked door did help.

                                            • tecoholic 4 hours ago

                                              Modern apartment building. Low rise. Full visibility of courtyard. Cycle gone missing with a baby seat attached. Nothing anyone can do about it. How did they get the key, who let them in, how did they manage to pry open the lock in full visibility? I was seething for a week. But somehow I knew this wasn’t really that big a security challenge for the thief.

                                              • gosub100 4 hours ago

                                                That's not true. They raise the bar above the bare minimum. Lots of crimes are ones of opportunity. A gate is the difference between 0 effort and some effort. It makes it a bit harder for a petty thief to cruise through and find low hanging fruit.

                                              • sidewndr46 8 hours ago

                                                It's far simpler than that. Every gated community I've ever visited, press any digit 4 times. You're in. The only exception is a community with a security guard. The guy obviously isn't just going to let some guy not on the guest list in.

                                                • adamanonymous 4 hours ago

                                                  Gated communities around me have 2 lanes, one with a sensor activated gate for residents and a guest lane next to the guard hut

                                                  If it's busy and you pull up in a nice enough car and just wait in front of the sensor gate looking annoyed, the guard will eventually just let you in

                                                • WalterBright 6 hours ago

                                                  I bet you could examine the keypad for wear. The worn keys (or the shiny ones) are the ones for the code.

                                                  In the days before cell phones, a burglar alarm would dial the alarm company. The phone company likes to install the phone box on the outside of the building. The alarm is defeated by an axe to the cable going in the box.

                                                  I had a fight with the phone company at my house, as I wanted the box on the inside rather than the outside. They finally agreed on the condition that I maintain the wire to the box.

                                                  These days, of course, the alarms use wifi or a cell phone to call the alarm company.

                                                  • blacksmith_tb 5 hours ago

                                                    That only works if there's a single code? I would think many keypad systems assign a code to each apartment (so the one written on the side is not a master key, just Joe in #303).

                                                    • dmurray 5 hours ago

                                                      I've definitely worked somewhere they tell all the users they have individual codes, not to share them, and if there is unauthorized access it can be traced who leaked their code. Everyone gets told the same story and given the same code.

                                                    • mattlondon 3 hours ago

                                                      Do your alarms not have an actual - you know - alarm? Or won't the alarm go off if it can't phone home first?!

                                                      Here in the UK the alarms make a noise as the absolute minimum. Getting one that is "monitored" by a call center is not standard, especially one that calls the cops if it goes off or a panic button is pressed.

                                                      You can get those of course, but it costs extra. I pay something like £40-50 a month for the panic button service that will summon the police, but even then the police won't be summoned if just the alarm goes off without a panic button getting pressed (you can get that, but it is even more expensive)

                                                      • bell-cot 5 hours ago

                                                        > These days, of course, the alarms use...

                                                        And the crooks use RF jammers instead of axes.

                                                        • miki123211 2 hours ago

                                                          There's enough bandwidth to go around nowadays that alarms can send regular keepalives (which doesn't mean all of them do).

                                                          If the keepalives stop coming without a proper disarm signal, a fault is raised.

                                                          Some old alarms had a weaker version of this, where they would dial the security company whenever the door was opened, and then again when the alarm was disarmed. If the second call didn't come in time, the company would instantly know that something was up.

                                                          This protected against thieves that would enter the house and smash the alarm before it had time to activate.
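
The supervision logic described in the comment above, seen from the monitoring station's side, as an added example that is not part of the thread or any vendor's code. The message names, the 60-second interval, the three-miss tolerance and the 45-second entry delay are assumptions, and the event log is constructed.

```python
"""Monitoring-station view of alarm supervision (illustrative sketch)."""
from dataclasses import dataclass
from typing import Optional

# Assumed timing parameters, not taken from any real product.
KEEPALIVE_INTERVAL = 60   # seconds between panel heartbeats
MISSED_BEFORE_FAULT = 3   # tolerate short outages before raising a fault
ENTRY_DELAY = 45          # seconds allowed between door-open and disarm


@dataclass
class Panel:
    last_seen: float
    armed: bool = True
    entry_deadline: Optional[float] = None  # set by DOOR_OPEN, cleared by DISARM
    link_fault: bool = False                # latched so each outage alerts once


class MonitoringStation:
    def __init__(self):
        self.panels = {}
        self.alerts = []  # list of (panel_id, reason)

    def receive(self, now, panel_id, kind):
        """Handle one message from a panel; any message proves the link is up."""
        panel = self.panels.setdefault(panel_id, Panel(last_seen=now))
        panel.last_seen = now
        panel.link_fault = False
        if kind == "ARM":
            panel.armed, panel.entry_deadline = True, None
        elif kind == "DOOR_OPEN":
            # Older scheme: first call on entry starts the disarm countdown.
            if panel.armed and panel.entry_deadline is None:
                panel.entry_deadline = now + ENTRY_DELAY
        elif kind == "DISARM":
            # Proper disarm: stop supervising and cancel the countdown.
            panel.armed, panel.entry_deadline = False, None
        elif kind != "KEEPALIVE":
            raise ValueError(f"unknown message kind: {kind}")

    def tick(self, now):
        """Run the timers; called periodically by the station."""
        limit = KEEPALIVE_INTERVAL * MISSED_BEFORE_FAULT
        for panel_id, panel in self.panels.items():
            # Door opened but no disarm in time: panel may have been destroyed.
            if panel.entry_deadline is not None and now > panel.entry_deadline:
                self.alerts.append((panel_id, "ENTRY_NOT_DISARMED"))
                panel.entry_deadline = None
            # Armed panel went silent: cut line, jammed radio or dead panel.
            if panel.armed and not panel.link_fault and now - panel.last_seen > limit:
                self.alerts.append((panel_id, "LINK_LOST"))
                panel.link_fault = True


def replay(events, end_time):
    """Feed time-ordered (time, panel_id, kind) events and return the alerts."""
    station = MonitoringStation()
    for when, panel_id, kind in sorted(events, key=lambda e: e[0]):
        station.tick(when)
        station.receive(when, panel_id, kind)
    station.tick(end_time)
    return station.alerts


# Constructed event log: A is a normal entry, B goes silent while armed,
# C reports a door opening and is never heard from again.
EVENTS = [
    (0, "house-A", "ARM"), (0, "house-B", "ARM"), (0, "house-C", "ARM"),
    (60, "house-A", "KEEPALIVE"), (60, "house-B", "KEEPALIVE"),
    (60, "house-C", "KEEPALIVE"),
    (120, "house-A", "KEEPALIVE"), (120, "house-C", "KEEPALIVE"),
    (130, "house-C", "DOOR_OPEN"),
    (180, "house-A", "KEEPALIVE"),
    (200, "house-A", "DOOR_OPEN"),
    (220, "house-A", "DISARM"),
]

if __name__ == "__main__":
    for panel_id, reason in replay(EVENTS, end_time=600):
        print(panel_id, reason)
```
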

                                                          • EGreg 4 hours ago

                                                            These days, alarms use quantum entanglement. Beat that :)

                                                            • WalterBright 3 hours ago

                                                              I set the Fires of Gondor.

                                                        • imadethis 3 hours ago

                                                          In a similar vein, 0911 or 9111 will often work too for communities in the US. EMS and other first responders run into the same issue with automated calls or panicked people, so they’ll try that first while waiting for dispatch.

                                                          That code was also used at our (EMS) depots to secure the controlled drugs as well, as if none of us could have guessed it.

                                                          • wildzzz 8 hours ago

                                                            There's a door at work I regularly need to access. It used to be used for another purpose but now is just an extension of the work area. It's got a badge reader and simplex lock but I can't get badge access because I don't actually belong to that work area yet I'm there every day anyway. However, someone wrote the simplex lock code on a sign in very small numbers for this exact purpose. Other simplex locks in the building use the default code you can find online. The whole building is secure so you'd never be able to walk up to these doors without proper credentials, they are mostly just there to keep out the curious or someone looking to borrow tools that they shouldn't.

                                                            • atlanticaccent 7 hours ago

                                                              > The whole building is secure

                                                              Given what you just said and the article you're commenting under, are you sure?

                                                              • organsnyder 5 hours ago

                                                                Anyone wearing a maintenance uniform and carrying a step-ladder could surely find a way in via an overly helpful victim.

                                                                • EvanAnderson 5 hours ago

                                                                  Look like you belong and act confident and you can get nearly anywhere. Props help-- wear a high-vis vest and a hard hat, carry a tablet / folio / clipboard around an office, etc.

                                                                  Confidence is the key, though.

                                                                  • organsnyder 5 hours ago

                                                                    You also have to fit a certain expected demographic.

                                                                    • EvanAnderson 5 hours ago

                                                                      Sadly, yes-- that's true. It's a game of playing to stereotypes, for sure.

                                                            • wkat4242 an hour ago

                                                              Here in our building they just ring the doorbell, there's always someone letting them in without even checking.

                                                              Unfortunately that caused several burglaries too including in my flat :( my alarm scared them off but still..

                                                              • paxys 2 hours ago

                                                                The point isn't really for these communities to be Fort Knox. It is understood that if someone really wants to get in they will get in, similar to how if someone really wants to break into your house they will do it regardless of what brand of lock you have on your front door.

                                                                People live in gated communities because of what the gate represents – a very clear sign telling you and everyone else passing by that you don't belong here.

                                                                • _fat_santa 8 hours ago

                                                                  My parents live in a very upscale country club community down in Florida and their gate security is laughable. They assign every household a 4 digit code to enter the community. Given how many homes are in this community, entering any 4 digit code > 1000 and < 2000 will work.

                                                                  • jimt1234 8 hours ago

                                                                    My girlfriend lives in an upscale, gated community. Her HOA has done the exact opposite. They change the gate code weekly as a way to "protect" themselves from this situation. However, it's kinda had the opposite effect - tailgating has become totally acceptable, even the norm, as people can't keep up with the gate code changes. Amazon drivers usually just sit outside for a minute or two, then tailgate into the neighborhood.

                                                                    • reaperman 5 hours ago

                                                                      The only gated communities / apartment complexes I've ever seen where that was not normal are a subset of the ones that have an on-duty guard - specifically the subset with guards who recognize all the occupants and take the information of anyone they don't recognize.

                                                                      • jimt1234 5 hours ago

                                                                        Her community is not guard-gated, but it's extremely snooty/snobby. A number of years ago, before the weekly gate-code changes, the HOA started doing annual code changes on Halloween. Why Halloween, you might ask? Because the service staff of the community (landscapers, house cleaners, etc.) had the audacity to bring their children/grand-children to the neighborhood to trick-or-treat. Residents felt the service staff was just trying to guilt them into giving candy. Keep in mind, all these residents are multi-millionaires, mostly retirees, and they were bitching about having to spend 5 bucks in candy to make children happy.

                                                                        • doubled112 4 hours ago

                                                                          Isn’t that usually how the rich stay rich? Does this really seem too surprising?

                                                                          In my experience, and I’m generalizing a lot, the less people have the more generous they tend to be.

                                                                      • zbrozek 4 hours ago

                                                                        My townhouse HOA decided it was totally worth money to replace our fob system with a system that's deliberately incompatible with Homelink. They claimed without evidence that used car sales were a severe security risk.

                                                                        Never mind that you can wave any conductor under the gate to trigger the egress wire loop sensor, or just wait a minute or two for someone else to go through. From 6AM to 10PM the other gate is simply open, too.

                                                                        Now I have to pay more for crappier fobs with worse range. It's deeply disappointing.

                                                                        • bell-cot 5 hours ago

                                                                          They're doing a great job of "protecting" themselves from feeling anxious about Bad Things somehow happening.

                                                                          For an all-too-large fraction of humanity, that's the "protection" which actually matters.

                                                                      • AutistiCoder 6 hours ago

                                                                        I was under the impression that delivery drivers had a book or something with these codes.

                                                                        Like, the HOA just like calls the delivery companies and says "hey, here's a code to get in"

                                                                        • DANmode 6 hours ago

                                                                          Missed the stories about these guys shitting in the backs of the trucks and vans for lack of time to do their jobs, eh?!

                                                                          • zamadatix 3 hours ago

                                                                            A route book or note is already an assumption drivers need to have some method to quickly get through gates. Where it missed out was there are even more efficient solutions to the problem. That's because of not knowing all of the options, not because of assuming drivers just have a lot of spare time to kill so must like the slower and more complicated option.

                                                                      • bgirard 11 hours ago

                                                                        > Hirsch replies stating that these vulnerable systems are not following manufacturers’ recommendations to change the default password

                                                                        These manufacturers’ recommendations are not acceptable. They should mandate a non-default secure password before allowing the system to be used.

                                                                        • pavel_lishin 10 hours ago

                                                                          Even my parents' & grandparents' modems/routers each have a unique password printed on the bottom! There's just no excuse for this.

                                                                          • robbiewxyz 7 hours ago

                                                                            Their routers only have this feature because the internet providers who sell those routers pay for bandwidth themselves lol. If residential internet plans sold on a pay-per-byte basis you can bet routers’d still ship with non-unique passwords.

                                                                            • prophesi 10 hours ago

                                                                              Oddly enough, these default unique passwords usually are in the format of word+word+digit+digit+digit. If you look up the model, it won't take long to find the word list they use and can trivially bruteforce it.

                                                                              So even then, I'd recommend changing it, or push for these companies to provide generated passwords with a much larger key space.
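Added example (not part of the thread): a Python sketch of the key-space point in prophesi's comment above, comparing a word+word+digit+digit+digit default with a password generated from a cryptographic random source. The word-list size of 2048 is an assumption; the thread gives no figure.

```python
import math
import secrets
import string

# Assumption: the thread does not say how large vendor word lists are.
ASSUMED_WORDLIST_SIZE = 2048
ALPHANUMERIC = string.ascii_letters + string.digits  # 62 symbols


def scheme_bits(part_sizes):
    """Bits of entropy when each part is picked uniformly and independently."""
    return sum(math.log2(size) for size in part_sizes)


def word_word_digits_bits(wordlist_size=ASSUMED_WORDLIST_SIZE, digits=3):
    """Entropy of word+word+digit+digit+digit once the word list is known."""
    return scheme_bits([wordlist_size, wordlist_size] + [10] * digits)


def equivalent_random_length(bits, alphabet=ALPHANUMERIC):
    """Number of uniformly random characters that carry the same entropy."""
    return bits / math.log2(len(alphabet))


def length_for(target_bits, alphabet=ALPHANUMERIC):
    """Shortest random password over `alphabet` reaching `target_bits`."""
    return math.ceil(target_bits / math.log2(len(alphabet)))


def meets_policy(part_sizes, minimum_bits):
    """Audit helper: does a default-password scheme reach the required entropy?"""
    return scheme_bits(part_sizes) >= minimum_bits


def generate_password(target_bits=128, alphabet=ALPHANUMERIC):
    """Per-device password drawn from the OS CSPRNG via `secrets`."""
    length = length_for(target_bits, alphabet)
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    bits = word_word_digits_bits()
    print(f"word+word+3 digits: {bits:.1f} bits, "
          f"about {equivalent_random_length(bits):.1f} random alphanumeric chars")
    print(f"128-bit target needs {length_for(128)} alphanumeric chars")
    print("example generated password:", generate_password())
```

With the assumed list size, the structured default is worth fewer than six random alphanumeric characters, however long it looks on the label.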

                                                                              • Semaphor 7 hours ago

                                                                                German fritzbox routers (the most common non-isp routers here, and actually very capable) have a fully random password

                                                                                • jack_pp 10 hours ago

                                                                                  Idk in Romania routers come with random passwords.

                                                                                  https://imgur.com/a/x915ZfO

                                                                                  • yesthis 10 hours ago

                                                                                    function generatePassword() { // comply with Romanian regulations return "gaGc52eP" }

                                                                                    • rad_gruchalski 9 hours ago

                                                                                      This function doesn’t evaluate, something something expected expression of }, premature end of file.

                                                                                      • pc86 9 hours ago

                                                                                        I know you're making a joke but it's just HN formatting not respecting single line breaks in comments.

                                                                                  • bongodongobob 6 hours ago

                                                                                    That's usually the wifi password, not the admin password.

                                                                                  • nottorp 10 hours ago

                                                                                    Oh speaking of which. A lot of places I rented on holidays had internet access with that default unique password. Which is a pain to type on your phone and laptop when you get there.

                                                                                    Did anyone think to at least try to add OCR-ing those labels on our phones to automatically enter the wifi password?

                                                                                    • happyopossum 10 hours ago

                                                                                      >Did anyone think to at least try to add OCR-ing those labels on our phones to automatically enter the wifi password?

                                                                                      You can do that easily on iOS, I'd be surprised if Android didn't allow it as well...

                                                                                      Tap in the password field, tap Autofill from the popup, and tap Scan Text.

                                                                                      • lostlogin 10 hours ago

                                                                                        Slightly off topic, but sharing WiFi passwords on iOS is so very user friendly.

                                                                                        • bildung 9 hours ago

                                                                                          How does it work in iOS?

                                                                                          On Android User A taps on the wifi they are connected to and gets a QR code, and User B taps on the icon for scanning wifi QR codes, so one tap each once you are in your wifi settings.

                                                                                          • arjie 9 hours ago

                                                                                            On iOS, the guest attempts to connect and anyone with them in their contacts list is prompted to share. The common use case of a friend visiting is very simple. If you want to share a different network, there's a similar flow to the Android one:

                                                                                            * Go to Wi-Fi in the Passwords app

                                                                                            * Select the Wi-Fi network you want to share

                                                                                            * Share Network QR Code

                                                                                            • HeatrayEnjoyer 8 hours ago

                                                                                              So they know when you're trying to access a wifi network?

                                                                                              • mcculley 8 hours ago

                                                                                                If you are near them, yes.

                                                                                      • ghaff 10 hours ago

                                                                                        A lot of inns and B&Bs in tiny towns etc. have these complicated passwords that seem like overkill. You're probably right that they're some sort of default. Even if they're not 12345, it seems as if they could be something pretty simple and that would be fine.

                                                                                        • rbalicki 5 hours ago

                                                                                          You can generate and print a QR code. It's quite a nice solution

                                                                                          • gryn 5 hours ago

                                                                                            Google Lens works for this as an OCR copy & paste

                                                                                            • axus 10 hours ago

                                                                                              QR codes?

                                                                                              • nottorp 10 hours ago

                                                                                                > QR codes?

                                                                                                How do you change the label on the router that got installed 8 years ago and is working fine? Especially since the owner of the cabin in the woods that you just rented for the weekend is into ... renting cabins in the woods, not geekery.

                                                                                                > have these complicated passwords that seem like overkill. You're probably right that they're some sort of default.

                                                                                                It is the default. If you find their router you'll find that overkill password printed on a label on the bottom. More enlightened ISPs give you extra stickers with the same info that you can put on the fridge or somewhere like that.

                                                                                                • dghlsakjg 10 hours ago

                                                                                                  There is a wifi credentials QR code standard that can be used to pass the network name, and authentication details. Anyone can generate one, here's a generator app: https://www.qr-code-generator.com/solutions/wifi-qr-code/

                                                                                                  Most modern phones recognize the standard and can be used through the native camera app.

                                                                                                  • wrs 10 hours ago

                                                                                                    We used this for our guests at home.

                                                                                                    https://qifi.org/

                                                                                                    • nottorp 10 hours ago

                                                                                                      Oh pretty. Now I just need to tell all the hosts in my future holidays about those :)

                                                                                                  • datadrivenangel 10 hours ago

                                                                                                    I have a framed wifi QR code in my house. It's great. Looks like a photo on the wall.

                                                                                                    • pavel_lishin 9 hours ago

                                                                                                      I should cross-stitch one.

                                                                                                    • jajko 10 hours ago

                                                                                                      Yes I saw it literally a few days ago when visiting a relative (not even airbnb just her home), so easy to do yet it never occurred to me.
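Added example (not part of the thread): building and parsing the Wi-Fi QR payload from dghlsakjg's comment locally, so the password never has to be typed into a third-party generator site. It assumes the commonly recognised `WIFI:T:...;S:...;P:...;;` text format with backslash escaping, which the thread does not spell out; the SSID and password in the demo are constructed.

```python
# Characters that must be backslash-escaped inside SSID and password values.
SPECIAL = '\\;,":'
AUTH_TYPES = ("WPA", "WEP", "nopass")


def escape(value):
    """Backslash-escape the characters that would otherwise end a field."""
    return "".join("\\" + ch if ch in SPECIAL else ch for ch in value)


def build_wifi_payload(ssid, password="", auth="WPA", hidden=False):
    """Return the text a QR encoder should render for this network."""
    if auth not in AUTH_TYPES:
        raise ValueError(f"unsupported auth type: {auth!r}")
    if not ssid:
        raise ValueError("SSID must not be empty")
    if auth != "nopass" and not password:
        raise ValueError(f"password required for {auth}")
    parts = [f"T:{auth}", f"S:{escape(ssid)}"]
    if auth != "nopass":
        parts.append(f"P:{escape(password)}")
    if hidden:
        parts.append("H:true")
    return "WIFI:" + ";".join(parts) + ";;"


def parse_wifi_payload(payload):
    """Decode a payload back into its fields, honouring backslash escapes."""
    if not payload.startswith("WIFI:"):
        raise ValueError("not a Wi-Fi QR payload")
    fields, key, buf, escaped = {}, None, [], False
    for ch in payload[len("WIFI:"):]:
        if escaped:                      # previous char was a backslash
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ":" and key is None:  # first unescaped ':' ends the key
            key, buf = "".join(buf), []
        elif ch == ";":                  # unescaped ';' ends the field
            if key is not None:
                fields[key] = "".join(buf)
            key, buf = None, []
        else:
            buf.append(ch)
    if escaped or key is not None:
        raise ValueError("truncated payload")
    return fields


if __name__ == "__main__":
    # Constructed sample values containing every character that needs escaping.
    demo = build_wifi_payload("Cabin;Guest", 'p:a\\ss"w,d')
    print(demo)
    print(parse_wifi_payload(demo))
```

The payload carries the password in clear text, so a printed or framed code is exactly as sensitive as the password written on a sticky note.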

                                                                                                • adonovan 3 hours ago

                                                                                                  The manual clearly says you need to press the "do not explode" button if you don't want the car to explode. It is conveniently located under the rear seats.

                                                                                                • malaya_zemlya 5 hours ago

                                                                                                  There was a time when somebody in SF figured out the admin access code to older apartment intercoms (I believe they were manufactured by Linear and maybe other companies too). These intercoms would call the programmed-in phone number whenever you type in the apartment access code at the door.

                                                                                                  So what they did is add a new fake tenant with a premium 1-900 number and used the intercom to call it, earning themselves a bit of cash. Naturally, landlords had to foot the bill.

                                                                                                  • gosub100 4 hours ago

                                                                                                    I did something similar to my high school in the 90s. They had a free student phone in the office. It had long distance blocked on it, but I learned you could circumvent the block using those 1010-321 and other long distance prefixes. Some of them had $5 access fees, billed once, in addition to the per minute rate. I called several of these and prided myself on getting the phone removed from the office for a few months.

                                                                                                    • miki123211 2 hours ago

                                                                                                      The Polish spin on this was unsecured office landlines that used radio for some reason, I don't remember if that was for cordless handsets or just an access technology.

                                                                                                      People would walk around big cities, usually on Friday evenings, radio scanner out, trying to find one of these. They would then dial a premium-rate number, preferably on more than one line. In most cases nobody would realize that something was up until Monday morning, and if they had a way to disconnect the calls before then, not until the bill came.

                                                                                                      You could do similar shenanigans with unsecured PBXs or insecure answering machines that had a "call my mobile if somebody leaves a message" feature.

                                                                                                      • fourteenrhinos 3 hours ago

                                                                                                        Can you elaborate on why having the phone removed was itself a source of pride?

                                                                                                        I do appreciate the hacking around aspect, particularly with respect to old phone systems, but having a free student phone removed seems like it would be a bad thing for everyone, no?

                                                                                                        • gosub100 2 hours ago

                                                                                                          I was a rebellious teen. I'm not proud of it now.

                                                                                                          • BizarroLand 2 hours ago

                                                                                                            Breaking the rules so bad that the ability to even interact with the thing the rule was made for was taken away?

                                                                                                      • psobot 10 hours ago

                                                                                                        Viscount has hilariously bad security. I used to live in a building in Toronto that used Viscount infrared fobs for access control. They were no more secure than TV remotes; no rolling codes, no encryption, nothing. An attacker could easily sit nearby with an IR receiver and collect everyone's fob codes at a distance, allowing access to all floors.

                                                                                                        Needless to say, I moved.

                                                                                                        • prometheus76 10 hours ago

                                                                                                          This was 30 years ago, so I'm sure a lot has changed since then. I was a missionary and the way we got into buildings in Toronto to knock on doors was to just pick the last name with the most letters from the directory, buzz them, and when they answered, we would just say "pizza delivery" and 95% of the time they buzzed the door open.

                                                                                                          • nosioptar 10 hours ago

                                                                                                            It'd be nice if missionaries weren't such hypocrites. Claiming to be the pizza guy when you're actually selling magic underwear is bearing false witness.

                                                                                                            • roguecoder 8 hours ago

                                                                                                              Technically it depends on the interpretation of "עֵ֥ד" and "בְרֵעֲךָ֖" whether that commandment is admonishing against telling any lie, just lies in court when making a legal accusation against another person, or somewhere in between.

                                                                                                              Even if we accepted the premise that one book should be the basis of all morality, this one contains within itself contradictions, satire, sarcasm, and a community context we no longer have: with individual quotes I can make anyone look like a hypocrite.

                                                                                                              To my mind the more interesting question is, does a singular community condemn a behavior in out-group members that they tolerate or even praise in in-group members?

                                                                                                              • reaperman 5 hours ago

                                                                                                                Leviticus 19:11 bypasses the whole "עֵ֥ד" vs. "בְרֵעֲךָ֖" shenanigans.

                                                                                                                New International Version (NIV): "Do not steal. Do not lie. Do not deceive one another"

                                                                                                                King James: "Ye shall not steal, neither deal falsely, neither lie one to another."

                                                                                                                New Living Translation (NLT): "Do not steal. Do not deceive or cheat one another"

                                                                                                                New Century Version (NCV): "You must not steal. You must not cheat people, and you must not lie to each other"

                                                                                                                The Holman Christian Standard Bible (HCSB): "You must not steal. You must not act deceptively or lie to one another"

                                                                                                              • knowitnone 10 hours ago

                                                                                                                devil worship is a hell of a drug

                                                                                                              • lostlogin 10 hours ago

                                                                                                                Does anyone ever actually get converted by a door knocking missionary?

                                                                                                                • prometheus76 6 hours ago

                                                                                                                  Yes. I'm no longer a Mormon, but I baptized around a dozen people on my mission and they were all found from knocking on doors. But this was also thirty years ago, before the internet was a thing for most people.

                                                                                                                  • pavel_lishin 9 hours ago

                                                                                                                    It's not for the benefit of the potential convertees, it's for the benefit of the ones doing the converting.

                                                                                                                    • spankalee 9 hours ago

                                                                                                                      Yes. The inevitable rejection is the point. It reinforces the otherness of the outside world, creating more separation from non-believers and stronger connection and devotion to the cult.

                                                                                                                  • withinboredom 10 hours ago

                                                                                                                    What do the letters in their name have to do with it?

                                                                                                                    • prometheus76 10 hours ago

                                                                                                                      Less likely to speak English in my experience.

                                                                                                                    • Frederation 7 hours ago

                                                                                                                      I hope you are doing better!

                                                                                                                    • ghaff 10 hours ago

                                                                                                                      I'm not going to especially defend but you have a way more sophisticated model of how most burglars work than is almost certainly the case.

                                                                                                                      • reaperducer 10 hours ago

                                                                                                                        Exactly. This article should be titled "I figured out a really obtuse way to break into apartment buildings."

                                                                                                                        A rock will get the job done in a fraction of the time.

                                                                                                                        It's like all those nobodies on HN who go through all kinds of software gymnastics to secure their phone against imaginary "threat actors," when a mugger is just going to keep twisting their arm behind their back until they enter their PIN.

                                                                                                                        • Neonlicht 6 hours ago

                                                                                                                          In fairness I think that these "locked doors" are to keep the homeless/drug users out or kids starting fires not really burglars.

                                                                                                                          • paxys an hour ago

                                                                                                                            Randomly press the intercom buttons until someone buzzes you in.

                                                                                                                            Wait 5 minutes for someone to come in or out (most likely a delivery driver) and tailgate behind them.

                                                                                                                            A locked building door is the weakest possible form of security. It isn't holding anyone back, whether kids or homeless or whoever else.

                                                                                                                          • stevage 5 hours ago

                                                                                                                            They unlocked a lot more power than simply getting into buildings.

                                                                                                                            • badgersnake 10 hours ago

                                                                                                                              This is way better than a rock. It raises no suspicion and leaves no trace. Maybe it doesn’t matter for burglary, as you’re probably going to take things anyway, but if you want access without anyone knowing you were there, this is gold.

                                                                                                                          • happyopossum 10 hours ago

                                                                                                                            > infrared fobs

                                                                                                                            Wait, what? You have to point a powered device at an IR receiver and press a button like a TV remote? I've never seen a building entry system like that!

                                                                                                                            • psobot 10 hours ago

                                                                                                                              Exactly that, yes! IR receivers outside every exterior door to the building, and IR receivers in the elevators to control access on a floor-by-floor basis.

                                                                                                                              The fobs were visible by an IR camera (including the average smartphone) and could trivially be decoded as a short bit sequence with an IR sensor wired into a microphone jack, as the bit pattern was transmitted at ~audio rates.

                                                                                                                              • __MatrixMan__ 10 hours ago

                                                                                                                                That's probably because it's not so good as a building non-entry system.

                                                                                                                            • pavel_lishin 10 hours ago

                                                                                                                              > 2025-01-29: Hirsch replies stating that these vulnerable systems are not following manufacturers’ recommendations to change the default password

                                                                                                                              Ah, yes. It's the children who are wrong.

                                                                                                                              • MBCook 4 hours ago

                                                                                                                                I’ve always wondered: how do all these things end up in Google? What’s submitting the link, or public thing links to it?

                                                                                                                                • Agingcoder 9 hours ago

                                                                                                                                  After watching a lot of tv series, my non techie wife has come to the conclusion that real life systems are trivial to hack : just click ‘skip password’, or ‘password override’, or just use ‘password’ as a password.

                                                                                                                                  It seems she’s almost right !

                                                                                                                                  • ecshafer 9 hours ago

                                                                                                                                    Many many many years ago I worked at basically an MSP for telcos on the helpdesk. So customers would call their telco or isp for help and that would be routed to us. Anyways this one small isp with idk 10k customers had deployed their routers to customers with the default username/password and remote authentication enabled. A single script from a bad actor logged into all of the routers, changed credentials, and iirc updated dns settings so they lost internet, phone, tv. Cue 10k people calling as we had to basically walk through everyone one by one on changing the credentials and updating their config.

                                                                                                                                    • myself248 5 hours ago

                                                                                                                                      Was that enough pain to force some sort of change in how the things were deployed thereafter?

                                                                                                                                    • paxys an hour ago

                                                                                                                                      Breaking into an apartment building in 30 seconds without a phone:

                                                                                                                                      Carry a brown paper (food delivery) bag. Stand by the intercom pretending to press buttons. When someone comes in or out, tailgate behind them and say "thanks". 9 out of 10 times they'll even hold the door open for you.

                                                                                                                                      • 0xbadcafebee 3 hours ago

                                                                                                                                        This is the kind of thing where responsible disclosure is really very important.

                                                                                                                                        Let's say you're a woman. A woman who lives in one of these apartment complexes. A woman with a stalker. A stalker who has threatened to kill you, multiple times. Who has shown up at your apartment, but was rebuffed by the building security.

                                                                                                                                        One day you wake up and find out that a "security researcher" found a way that anyone in the world can get into the building at any time, in addition to looking up who lives at each address. And it turns out the security researcher waited only two months (including over christmas break) to try to resolve the issue in a way that would not leave the existing buildings exposed.

                                                                                                                                        If I were that woman, and something happened to me as a result of this disclosure, and assuming I was still alive, I would, at a minimum, sue the shit out of that security researcher.

                                                                                                                                        • INGSOCIALITE 9 hours ago

                                                                                                                                          i worked as an engineer in an industry that required on-site access to buildings all over manhattan, some residential. all you have to do is hit a couple random buttons on the intercom and 100% of the time one of them would just buzz the lock

                                                                                                                                          • mvandermeulen 9 hours ago

                                                                                                                                            This is pretty much all it takes in any western country. Some areas might require a little more effort but nothing substantial.

                                                                                                                                            In fairness, the blame for this kind of enabling attitude is mostly attributable to me locking myself out of the building and having to buzz my long suffering neighbours at all kinds of ungodly hours. Proud moments.

                                                                                                                                            • megous 7 hours ago

                                                                                                                                              Could you also lock out specific residents? Or get their daily home arrival patterns for the last few years? Or find unused flats to squat in? IoT still wins. :)

                                                                                                                                            • michaelt 10 hours ago

                                                                                                                                              > Default credentials that “should” be changed, with no requirement or explanation of how to do so. Surely no building managers ever leave the defaults, right? And even if they did, they’d surely have no reason to expose this thing to the Internet, right?

                                                                                                                                              My theory is this is one of the reasons so many internet-of-things devices nowadays omit any sort of offline/local network control.

                                                                                                                                              No default passwords, no ports you can forward without knowing what you're doing, all the credentials sorted out on a cloud server.

                                                                                                                                              • craftkiller 10 hours ago

                                                                                                                                                Consumer routers have had this issue solved for ages: you generate a random password and put it physically on the device.

                                                                                                                                                • ghaff 10 hours ago

                                                                                                                                                  I don't want some complicated random password. At least where I live, my router password is a very modest security shim to protect against very random casual access. If I have a visitor who needs WiFi access, I want to give them an easy password to type in.

                                                                                                                                                  • marsovo 10 hours ago

                                                                                                                                                    So change it afterwards. Good defaults are important. If someone doesn't change it, it's important that they be on the right path instead of...this one.

                                                                                                                                                    (See also: opt-in versus opt-out for retirement plans, organ donation...heck, even this from yesterday: https://news.ycombinator.com/item?id=43144611)

                                                                                                                                                    • wlesieutre 7 hours ago

                                                                                                                                                      If it's too hard for a guest to type in a password, you can also have them join by scanning a QR code. Obviously this works better for phones and tablets with QR scanning built into the camera, but that's what guests are frequently using.

                                                                                                                                                      https://en.wikipedia.org/wiki/QR_code#Joining_a_Wi%E2%80%91F...

                                                                                                                                                      • craftkiller 10 hours ago

                                                                                                                                                        You can always change the passwords. I was bringing this up as a solution to the default passwords issue. You don't want to have a static default password used by everyone, so you need the initial password to be randomized. People are dumb so you need to print it on the device. There is no need to default to cloud-based authentication to close the default password security hole.

                                                                                                                                                        • barbazoo 10 hours ago

                                                                                                                                                          Wifi password != admin password. The admin password should be random and then you can change it when you take ownership of the device.
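The scheme craftkiller and barbazoo describe above (a random per-device admin password printed on the label, replaced when the owner takes over), as an added example that is not part of the thread or any vendor's code. The names `AdminAccount`, `provision_device`, `login` and `change_password`, the PBKDF2 iteration count, the length limits and the denylist entries are all assumptions made for the sketch.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Label alphabet without look-alike characters (0/O/o, 1/l/I), since the
# password is read off a sticker and typed by hand.
LABEL_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789"
LABEL_LENGTH = 12            # 12 chars from 56 symbols is roughly 69 bits
PBKDF2_ITERATIONS = 200_000  # assumed value; tune to the device's CPU
MIN_LENGTH = 10              # assumed policy for owner-chosen passwords
DENYLIST = {"password123", "administrator", "1234567890"}  # constructed sample


@dataclass
class AdminAccount:
    """What the firmware stores: never the password itself."""
    salt: bytes
    digest: bytes
    must_change: bool


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def provision_device() -> tuple[AdminAccount, str]:
    """Factory step: one random password per unit.

    Returns the record to flash and the string to print on the label.
    No two units share a credential, so there is no fleet-wide default.
    """
    label_password = "".join(
        secrets.choice(LABEL_ALPHABET) for _ in range(LABEL_LENGTH)
    )
    salt = secrets.token_bytes(16)
    account = AdminAccount(salt, _derive(label_password, salt), must_change=True)
    return account, label_password


def _verify(account: AdminAccount, password: str) -> bool:
    # Constant-time comparison of the derived digests.
    return hmac.compare_digest(account.digest, _derive(password, account.salt))


def login(account: AdminAccount, password: str) -> str:
    """Return 'denied', 'change_required' or 'ok'.

    'change_required' means the label password was accepted, but the caller
    must only expose the change-password screen, not the management UI.
    """
    if not _verify(account, password):
        return "denied"
    return "change_required" if account.must_change else "ok"


def change_password(account: AdminAccount, current: str, new: str) -> str:
    """Owner takes over the device; the label password stops working."""
    if not _verify(account, current):
        return "denied"
    if len(new) < MIN_LENGTH or new.lower() in DENYLIST:
        return "rejected: too weak"
    if _verify(account, new):
        return "rejected: same as current"
    account.salt = secrets.token_bytes(16)
    account.digest = _derive(new, account.salt)
    account.must_change = False
    return "ok"


if __name__ == "__main__":
    acct, label = provision_device()
    print("print on label:", label)
    print("first login:", login(acct, label))
    print("change:", change_password(acct, label, "correct horse battery"))
    print("label after change:", login(acct, label))
```
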

                                                                                                                                                        • huang_chung 8 hours ago

                                                                                                                                                          OpenWRT, the crown jewel of open source firmwares for "insecure" consumer routers, uses a blank (null) password by default with full root access.

                                                                                                                                                          • dylan604 8 hours ago

                                                                                                                                                            No device comes off the shelf with OpenWRT. If you're the type of person that's aware of OpenWRT and then install it, it's not that far of a stretch to think you'd also be the type to know to check the password.

                                                                                                                                                            • myself248 5 hours ago

                                                                                                                                                              GL-inet devices come off the shelf with OpenWRT. They don't have a blank password. Every single one ships with 'goodlife' as the default password, as printed on the label on the back.

                                                                                                                                                              (But remote ssh login is disabled by default.)

                                                                                                                                                              • dylan604 4 hours ago

                                                                                                                                                                Thanks. I was unaware of that company.

                                                                                                                                                      • bluedino 5 hours ago

                                                                                                                                                        Love this stuff, reminds me of old 2600 articles

                                                                                                                                                        • teddyh 4 hours ago

                                                                                                                                                          That sounds complicated and too much work. I’d prefer <https://www.youtube.com/watch?v=Rctzi66kCX4>

                                                                                                                                                          • aqueueaqueue 3 hours ago

                                                                                                                                                            The sinister part is you get a log of everyone's keyswipes. You can plan a burglary, stalk someone, construct or destroy an alibi and so on.

                                                                                                                                                            • ihaveone 10 hours ago

                                                                                                                                                              Holy freaking crap. ALL OF THESE ARE ONLINE. "It's possible" to log in to the first result with the default password.

                                                                                                                                                              If anyone wants, perhaps login, change the password and make a new client as the password or something. This is going to get bad FAST.

                                                                                                                                                              • azinman2 10 hours ago

                                                                                                                                                                I would say this is highly irresponsible of the researcher to expose this publicly. These are people’s homes, along with their PII and locations. The residents didn’t choose this system, their building just uses it. They don’t even know that their info is being leaked, nor that the doors to their places were just rendered neutered.

                                                                                                                                                                If something bad happens because of this…

                                                                                                                                                                • Synthetic7346 7 hours ago

                                                                                                                                                                  I think this falls under responsible disclosure guidelines. A lot of times companies refuse to fix misconfiguration issues like these, and users/customers deserve to know. Not publishing it is security by obscurity, you're just hoping that a bad actor doesn't figure this out (or hasn't already figured this out).

                                                                                                                                                                  • asynchronousx 10 hours ago

                                                                                                                                                                    This is the only recourse left when the vendor kicks and screams at the CVE disclosure process.

                                                                                                                                                                    • neilv 8 hours ago

                                                                                                                                                                      The only recourse for what problem? Aren't there other plausible creative ways to apply pressure and get it fixed, with less risk to the people unwittingly at mercy of this vendor's negligence?

                                                                                                                                                                      Or are you speaking of the transactional convention, in which people can break into systems, and then are entitled to publicity for that, so long as they give the vendor advance notice?

                                                                                                                                                                      The whole responsible disclosure convention seems an imperfect compromise, among various imperfect actors. On occasion, individuals might decide that other options are more appropriate to the specific situation, and to Perfect Tommy it.

                                                                                                                                                                      https://www.youtube.com/watch?v=fKHaNIEa6kA

                                                                                                                                                                      • azinman2 8 hours ago

                                                                                                                                                                        I strongly disagree. You’re literally putting people’s lives and possessions at risk who have no knowledge of this. There are many alternative methods, from getting the government involved to giving a very long lead time to the vendor before you disclose this, to sitting on it and never disclosing.

                                                                                                                                                                        • ChoGGi 3 hours ago

                                                                                                                                                                          The information is already sitting on Google for anyone to find, vendor doesn't give a shit.

                                                                                                                                                                          Best to get it out there, at least if you're stuck in one of these buildings you can log in and change the admin password yourself till your building management does something about it.

                                                                                                                                                                          • megous 7 hours ago

                                                                                                                                                                            Software vendor and building manager are putting people's lives at risk.

                                                                                                                                                                            Can't software coders ever take responsibility? And this is on the programmer who implemented this, too. You just not let your product manager do this, ever. It's 2025 already.

                                                                                                                                                                            And this is a security product, wtf? Residents should be suing individual programmers here. OWASP was created 24 years ago. Default credentials is like number 1 on their IoT app security list. Only a moron would not defend against this. If your manager requires this, you just send him:

                                                                                                                                                                            https://wiki.owasp.org/index.php/OWASP_Internet_of_Things_Pr...

                                                                                                                                                                            And tell him no. If he still wants it, you just report him to Reddit or whatever. :D

                                                                                                                                                                        • LeifCarrotson 8 hours ago

                                                                                                                                                                          If something bad is done by a bad actor because of this vulnerability being discussed in public, that's no worse than something bad happening because this vulnerability exists but is only discussed in secret.

                                                                                                                                                                          This is not some highly-technical vulnerability only accessible to nation-states with genius engineers and million-dollar labs with exotic instrumentation and brute-force supercomputers compute pulling down many megawatts of power. The OP literally logged into an open Wifi SSID, searched for the text on the page, and scrolled to the default password. None of those steps are hard to do, any jealous ex or disgruntled employee or divorced parent fuming in the parking lot for 5 minutes could effortlessly accomplish the same thing.

                                                                                                                                                                          I honestly think it's likely that bad things have already happened due to this vulnerability - but not due to this disclosure.

                                                                                                                                                                          But because it was only discussed in secret, no one ever got to the root cause of the issue and the hazard continued to be out there. Now that it's public, hopefully something will be done, and relatively quickly.

                                                                                                                                                                          • azinman2 7 hours ago

                                                                                                                                                                            Shining a spotlight on an issue is completely different than the issue already existing.

                                                                                                                                                                            • cadamsdotcom 2 hours ago

                                                                                                                                                                              Not shining a spotlight is worse. The important thing is providing time to address the found vulnerability, ie. responsible disclosure. For which OP has indeed provided a timeline.

                                                                                                                                                                              The debate has long since been settled comprehensively in favor of openness.

                                                                                                                                                                              • azinman2 an hour ago

                                                                                                                                                                                2025-01-30: Hirsch asked for an update as to whether clients running vulnerable systems have been alerted (no response as of publication)

                                                                                                                                                                                2025-02-14: CVE-2025-26793 assigned

                                                                                                                                                                                2025-02-15: publication

                                                                                                                                                                                So two weeks after they don’t respond what they’re going to do with their clients this gets published? I’d hardly call that responsible.

                                                                                                                                                                          • tiborsaas 10 hours ago

                                                                                                                                                                            I second this. Just because it feels right to them as "I've reported it, It's not on me anymore...", doesn't mean he should enable bored people to revoke access cards, jam elevators, etc.

                                                                                                                                                                            • roguecoder 8 hours ago

                                                                                                                                                                              Criminals were already enabled to do that, and the people in those buildings had no way to know.

                                                                                                                                                                              The more-responsible thing might have been to also reach out to residents of individual buildings & give them time to correct the situation, rather than relying on the company (which has a vested interest in ignoring the problem) to do the right thing. But security through obscurity is not a solution.

                                                                                                                                                                              • sjducb 6 hours ago

                                                                                                                                                                                Reaching out to the residents leaves you open to legal risks. You processed their data without any kind of opt in.

                                                                                                                                                                              • Freak_NL 9 hours ago

                                                                                                                                                                                That depends on the individual's weighing of the various factors and their personal moral position. If someone wants to prevent a bunch of easy break-ins where the method of entry won't get noticed in most cases, and they feel that the discomfort of denying access for a bit (impacting hundreds of people perhaps) outweighs the trauma of being robbed (maybe impacting just a few), then doing that might be the only morally defensible position to take. For all we know they actually are planning to hammer the open installations until they get fixed to prevent the bigger harm.

                                                                                                                                                                                Other people will shrug and move on after trying everything they can via the proper channels.

                                                                                                                                                                                And then of course there are the assholes who will just do it because it entertains them.

                                                                                                                                                                                • tiborsaas 9 hours ago

                                                                                                                                                                                  It's all very educative and makes a point until you read a news story about someone dying because ER couldn't get there in time. The road to hell is paved with good intentions hits hard here.

                                                                                                                                                                                  • Freak_NL 8 hours ago

                                                                                                                                                                                    That too has a chance of happening associated with it. Lacking a convenient table to look up the chance of that happening (and its impact), and the chance of a break-in caused by an open admin panel causing irreparable harm, there is nothing left to do but weigh the chances as best as one can.

                                                                                                                                                                                    Many people will choose to do nothing in that case, but not everyone will accept that inaction which might lead to bigger harm is preferable to action which might lead to another possible negative outcome, but at a much smaller chance.

                                                                                                                                                                                    (It's basically that dumb trolley meme, but with undetermined outcomes.)

                                                                                                                                                                                    Every choice we make can have an adverse effect on others. Take the car today instead of walking? You just might cause an ambulance to be delayed leading to an unfortunate death. The chance of that happening is negligible of course, but not absent (it never is).

                                                                                                                                                                              • smallerfish 10 hours ago

                                                                                                                                                                                I flagged it for this reason.

                                                                                                                                                                            • thomasjudge 9 hours ago

                                                                                                                                                                              Isn't logging into any system unauthorized - in practice - a violation of the Computer Fraud & Abuse Act?

                                                                                                                                                                              • roguecoder 8 hours ago

                                                                                                                                                                                The EFF has a good guide about the relevant laws: https://clinic.cyber.harvard.edu/wp-content/uploads/2020/10/...

                                                                                                                                                                                • Validark 4 hours ago

                                                                                                                                                                                  Such ridiculous laws. The real crime here is that the software vendor lets people use the software without creating a new password. Even that is suspect, since I bet most people's password would be 1234 anyway. So really they should force people to set up passkeys to access the system. Or, cut out the setup, and just send them a couple of USB's which allow them to access the system.

                                                                                                                                                                                  This "manufacturer" is not doing its due diligence in any way, shape, or form. They are the ones who should face jail time for not implementing bare minimum security practices.

                                                                                                                                                                                  The idea that the guy revealing a complete lack of security is committing a crime is like saying a guy informing someone that they're naked is guilty of forcibly stripping that person. Or that telling someone there's a giant red button that drains the landlord's bank account is guilty of pressing it. Maybe they should remove the giant red button?! Or at least put it in a locked room?

                                                                                                                                                                                • ChoGGi 3 hours ago

                                                                                                                                                                                  Not in Canada. Being that the article mentioned Vancouver. For us it'd be Section 342.1/2 of the CCC.

                                                                                                                                                                                  • mihaaly 6 hours ago

                                                                                                                                                                                    It is, like getting into a home with open doors without the consent of the inhabitants.

                                                                                                                                                                                    Which is keeping away only the honest and polite persons.

                                                                                                                                                                                  • stevage 5 hours ago

                                                                                                                                                                                    Jesus. The whole system seems to have been designed to maximise the damage that can be caused with minimal effort.

                                                                                                                                                                                    Why are these admin pages web findable? Why is there a public database of them? Why have they tried so hard to make it so accessible? Why is there no security? Arrrrrgggh.

                                                                                                                                                                                    • kingkulk 5 hours ago

                                                                                                                                                                                      Exposing a loophole in the best way. Great job

                                                                                                                                                                                      • fortran77 8 hours ago

                                                                                                                                                                                        I just tried it (via Tor) and was able to get into the first 5 that duckduckgo found. Someone had been there before me and (apparently) changed names of things. (I looked but didn't touch.)

                                                                                                                                                                                        • OsrsNeedsf2P 3 hours ago

                                                                                                                                                                                          > fortran77 5 hours ago:

                                                                                                                                                                                          > I just tried it (via Tor) [...]

                                                                                                                                                                                          Opsec: Failed

                                                                                                                                                                                          • fortran77 3 hours ago

                                                                                                                                                                                            Well, I still have plausible deniability if other people tried it via Tor, too.

                                                                                                                                                                                        • Neonlicht 6 hours ago

                                                                                                                                                                                          You can get in the building with a bit of social engineering. I live in an apartment complex. Put on a DHL or Dominos cap and nobody cares. It's your front door lock that is the real barrier.

                                                                                                                                                                                          • paxys an hour ago

                                                                                                                                                                                            Nowadays you don't even need that. Just carry a brown paper bag. Every mid-large sized building gets a food delivery every 5 minutes, and no one looks twice.

                                                                                                                                                                                          • huang_chung 8 hours ago

                                                                                                                                                                                            Interesting story but a CVE for this is a bit melodramatic and why no one takes security folk seriously (cry wolf too many times).

                                                                                                                                                                                            OpenWRT ships with no password at all (!) with full root access on default install. The situation is the same: they politely suggest you change it from the default (blank) password but do not force you to do so.

                                                                                                                                                                                            By this logic every OpenWRT install (and many other softwares) dating back many years should be subject to CVE.

                                                                                                                                                                                            • anilakar 20 minutes ago

                                                                                                                                                                                              Yup, worth a CWE but not a CVE.

                                                                                                                                                                                              • NRv9tR 8 hours ago

                                                                                                                                                                                                I assume you have to be on that network to access the login. I'm 95% sure it the UI/admin is not accessible to the internet by default... but also, yes that shit should be way better. Even Comcast and other ISPs have done better than this for a decade or more now.