Tho85's comments

This always reminds me of the 2007 incident on Czech TV, where someone hijacked a weather panorama broadcast: https://www.youtube.com/watch?v=ea4eft_3p-I

IIRC the panorama cam was connected to the Internet and had been hacked, so no microwave magic there. Good execution nonetheless...

It's been a while since I looked at it, but here's what I remember:

In the UI, you can choose if the device should communicate to Chinese or US servers. Both of them are available under the boox.com domain, so I assume they are both controlled by the Chinese manufacturer. The device uses this to check for firmware upgrades, to sync notes, for their own book store and IIRC to send some basic usage statistics. As per firmware version 3.0 (v3.1 is current), this traffic was only partly encrypted.

Besides this, the software seems to include some kind of Tencent SDK, which tries to contact Chinese servers quite aggressively, regardless of which setting you choose in the UI. The traffic is encrypted, so I couldn't figure out what it does. The servers seem to belong to Tencent's QQ service [1], so they supposedly use it for their on-device support feature. However, because the device tries to contact the servers immediately after startup, I assume it does some kind of analytics tracking as well. Blocking the service's domains on the DNS level doesn't work though, as the SDK will start to contact fixed IP addresses if DNS resolution fails.

Luckily, all of this traffic can be blocked after rooting and installing a firewall (see my post above), since all of this is implemented under Android user ID 1000, which makes it easy to block in AFWall+.

[1] https://en.wikipedia.org/wiki/Tencent_QQ

I use Syncthing [1] to do all the syncing, works like a charm. I have a folder synchronized between my reader, my PC and my phone, and whenever I need to send a document to the reader or from the reader to my PC, I just put it into that folder.

[1] https://syncthing.net/

I bought the Onyx Boox Note Air some months ago, and I must say that I'm really happy with it. Screen refresh is good, there's almost no ghosting in default mode, and refresh rates are acceptable.

There are only two downsides about it: The vendor does not respect FOSS and does not publish the sources for their modified Linux kernel, and the device constantly phones home to China. However, the device can be rooted easily [1], and you can install a firewall to stop the preloaded apps from phoning home (verified it with Wireshark).

[1]: https://blog.tho.ms/hacks/2021/03/27/hacking-onyx-boox-note-...

Nice! I run a similar service at https://ip6.name/. The service also supports empty groups, e.g. 2001.db8.8000.x.1.ip6.name resolves to 2001:db8:8000::1, as well as 2001.db8.8000.0.0.0.0.1.ip6.name.

A neat one is x.ip6.name, which resolves to ::, e.g. localhost...

Thanks for the feedback, I somehow missed that mistake. As a quick fix the server now returns NOERROR for both unknown records and names. That's still not 100% correct, but better than nothing.

Announcement: https://blog.tho.ms/network/2017/02/25/ip6-name-dns-record-a...

I had the idea when I needed a TLS certificate for a system without a global DNS record. I recalled that http://xip.io/ exists for IPv4, but didn't find something similar for IPv6. So I had to do it myself :-)

For all those who can't upgrade to the latest versions of Rails: Zweitag (my employer) maintains a Rails fork with security fixes applied to all Rails releases since 3.1.0.

https://github.com/zweitag/rails/branches

EncFS allows to deactivate some of these features at the price of reduced security. The EncFS manpage [1] has a good explanation of all the tunables. If you want to use Boxcryptor, you're even advised to deactivate most of these features [2].

[1] http://linux.die.net/man/1/encfs

[2] https://boxcryptor.desk.com/customer/portal/articles/565934

I used that combination before, it works really nice. But at some point I hit the storage limit and had to come up with a self-hosted solution.

Good point, I fixed that.

What do you mean by 'vulnerable'? All encryption is done on your computer/notebook, so a chroot on the server doesn't decrypt the files.

They use some kind of heuristic to make change detection faster, see their documentation: http://www.cis.upenn.edu/~bcpierce/unison/download/releases/...

Maybe that's the root cause of your issues?

Theoretically, it should be possible to have a web UI running on the server itself. You just need a decent AES implementation in Javascript to do client-side decoding of filenames and files. Any volunteers? :-)

Edit: Looks like someone is already working on it: http://stackoverflow.com/questions/10909500/use-encfs-with-j...

The underlying sync software (Unison) has been around for years now and is regarded as stable. So syncing should work just fine, although you should keep a backup of your files just in case.

You can also use Dropbox and Encbox together if you're unsure: Point your Dropbox installation to ~/Encbox and have Dropbox sync your (then decrypted) files. So you can be sure to have backups, file sharing features, etc. and see if Encbox is stable enough for you.

You don't have to if you use EncFS. All encryption is done client-side.

The only thing your VPS provider could do is delete your files, but Unison's backup feature should protect you from losing your files (in a way).

You're right! Thanks for the hint, I updated the blog post accordingly.

Was a pleasure!

With love :-) Thomas

Some details on how this can be exploited:

http://www.zweitag.de/en/blog/ruby-on-rails-vulnerable-to-ma...