
Comment by denysvitali

7 hours ago

Disclaimer: This comment is not intended to be political - I don't care about the specific party she's part of.

Out of all the people I would trust on the matter, Kamala Harris doesn't certainly end up at the top of my list, for reasons such as this one: https://youtu.be/O2SLyBL2kdM?si=Zq-EN8zxj4Y_UCwI

You also don't need to be in classified meetings to understand that Bluetooth/BLE (and specifically the way most vendors implement the spec) is not as secure as other, more battle-tested technologies.

What she says isn't necessarily untrue, now is it? She just skips a lot of steps most people have no clue about.

I had files in a cabinet, now they are digital. And most often also on a cloud drive, which is metaphysical in some sense. For most it is indistinguishable from magic.

I think many people would be justified in making the argument that Bluetooth has existed for at least 20 years and thus is the established, battle-tested protocol.

  • Yeah, but the Bluetooth spec has changed a lot over the years (3000+ pages) and the certification price is rather expensive.

    There's an interesting article from Wired [1] about this, although some comments from the engineers working on BT stacks are far more interesting. It seems like most of the manufacturers do not create spec-compliant devices, and that the tests from the certification are just poor.

    I'd love to hear more from an expert on the topic, but this looks to be the consensus.

    [1]: https://archive.ph/6201V

    • I'm by no means an expert, but I've recently implemented a small BLE-based IoT device, and had a look at the security/privacy of a medical BLE device.

      Some points:

      * There's a real lack of quality, up-to-date documentation. I would have thought that at least on Linux you'd find some documentation, but most of it seems to be "RTFS".

      * BLE is in general very unfamiliar to most developers. There's no client and server, there's central and peripheral. GATT profiles are a mix between TCP connections and binary REST-ish interface.

      * Encryption/authentication is possible, but depending on the manufacturer's API/quality of documentation it's not really apparent (a) how to select a secure connection method, (b) how to even check if and which authentication/encryption was chosen.

      * Coming from the previous point, many BLE devices have the same generic GATT profiles, sometimes with the same sample data. This looks like a lot of BLE devices just copy-and-pasted sample code from the manufacturer and added the minimal changes "to make it work".

      * It's probably really easy to do passive/active fingerprinting to find out the manufacturer and/or chip version used in a device: default services, ordering of advertising options, etc.

      * Many BLE devices are not conformant. Uninitialised name fields with garbage in them ("Device Name: WHOOP\020��=u5״\023n"), manufacturers using random identifiers that clearly don't belong to them.

      * When doing passive BLE sniffing: the biggest obstacle isn't getting data. It's how to filter it. One of the most useful filters of the nRF Connect app for Android is to filter out all advertisement packets for Apple and MS devices, to cut down the overwhelming amount of such devices.
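As an added example (not code from the thread), the two checks the comment above describes, applied to the BLE advertising data format: each advertising PDU is a sequence of length/type/value structures, so a small parser can drop Apple/Microsoft manufacturer frames (the nRF Connect-style filter) and flag a device name field that is not printable text (an uninitialised buffer, a conformance defect worth catching in your own firmware). The sample payloads are constructed; the company identifiers are the Bluetooth SIG assigned values.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# AD types from the Bluetooth Core Specification Supplement
AD_FLAGS, AD_SHORT_NAME, AD_COMPLETE_NAME, AD_MFG_DATA = 0x01, 0x08, 0x09, 0xFF
# Bluetooth SIG company identifiers (stored little-endian in the payload)
COMPANY_MICROSOFT, COMPANY_APPLE = 0x0006, 0x004C


@dataclass
class Advertisement:
    name: Optional[str] = None
    company_id: Optional[int] = None
    name_is_garbage: bool = False
    ad_types: List[int] = field(default_factory=list)  # order, for conformance review


def parse_adv(payload: bytes) -> Advertisement:
    """Walk the length/type/value structures of one advertising PDU."""
    adv, i = Advertisement(), 0
    while i < len(payload):
        length = payload[i]
        if length == 0:  # zero-length structure: the rest is padding
            break
        ad_type = payload[i + 1]
        value = payload[i + 2 : i + 1 + length]
        if len(value) != length - 1:  # structure runs past the buffer: malformed PDU
            raise ValueError("truncated AD structure")
        adv.ad_types.append(ad_type)
        if ad_type in (AD_SHORT_NAME, AD_COMPLETE_NAME):
            adv.name = value.decode("utf-8", errors="replace")
            # a conformant name is printable UTF-8; control bytes mean uninitialised memory
            adv.name_is_garbage = not adv.name.isprintable()
        elif ad_type == AD_MFG_DATA and len(value) >= 2:
            adv.company_id = int.from_bytes(value[:2], "little")
        i += 1 + length
    return adv


def keep_advertisement(payload: bytes) -> bool:
    """Drop Apple/Microsoft frames so the remaining devices are easier to review."""
    return parse_adv(payload).company_id not in (COMPANY_APPLE, COMPANY_MICROSOFT)


# Constructed samples: a clean sensor, a name field with uninitialised tail bytes,
# and an Apple manufacturer-specific frame.
CLEAN = bytes([0x02, AD_FLAGS, 0x06, 0x06, AD_COMPLETE_NAME]) + b"Sens1"
GARBAGE = bytes([0x08, AD_COMPLETE_NAME]) + b"WHOOP\x10\x00"
APPLE = bytes([0x05, AD_MFG_DATA, 0x4C, 0x00, 0x02, 0x15])
```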

  • I think people are generally aware of how low quality the Bluetooth protocol suite is, though, so maybe they'd guess that extends to security too.

    I definitely remember lots of folk security advice to keep Bluetooth off on your phone back when smartphones were new (nobody does that now though, and Android auto-enables it these days).

> doesn't certainly end up at the top of my list

There hasn't been a POTUS or VPOTUS with a technical background in the last 45 years (Jimmy Carter was a nuclear engineer). So obviously none of them would be authoritative on such topics.

However the individual in question is not delusional or conspiratorial, and we know for sure that they are receiving advice or restrictions from extremely well-informed sources, so there's every reason to believe they are (lo-fi) repeating that.

  • > There hasn't been a POTUS or VPOTUS with a technical background in the last 45 years (Jimmy Carter was a nuclear engineer). So obviously none of them would be authoritative on such topics.

    Jimmy Carter was a very smart guy, but he was not a nuclear engineer.

    https://atomicinsights.com/jimmy-carter-never-served-nuclear...

    • Interesting, it looks more complicated than I realized. "Nuclear engineer" might be too colloquialized, a la "software engineer". (Perish the thought!)

      But he was an engineer who was trained to operate nuclear facilities on subs. With a few more months of service he would have qualified for the label "nuclear engineer" without any asterisks.

      And what even was a "nuclear engineer" in the early 1950s? The field was new enough that the titles were probably not well settled.

      The National Academy of Engineering says:

      > A graduate of the U.S. Naval Academy and a trained nuclear engineer

      https://www.nae.edu/19579/31222/20054/327746/331204/Jimmy-Ca...

      US Navy history says:

      > He served as executive officer, engineering officer, and electronics repair officer on the submarine SSK-1. When Admiral Hyman G. Rickover (then a captain) started his program to create nuclear-powered submarines, Carter wanted to join the program and was interviewed and selected by Rickover. Carter was promoted to lieutenant and from 3 November 1952 to 1 March 1953, he served on temporary duty with the Naval Reactors Branch, U.S. Atomic Energy Commission, Washington, D.C., to assist "in the design and development of nuclear propulsion plants for naval vessels."

      > From 1 March to 8 October 1953, Carter was preparing to become the engineering officer for USS Seawolf (SSN-575), one of the first submarines to operate on atomic power. However, when his father died in July 1953, Carter resigned from the Navy and returned to Georgia to manage his family interests.

      https://www.history.navy.mil/browse-by-topic/people/presiden...

It's essentially a statement about the view of gov security, not about the view of an individual.