The PIN is used when you're too lazy to set an alphanumeric PIN or offload the backup to Apple/Google. Now sure, this is most people, but such are the foibles of E2EE - getting E2EE "right" (e.g. supporting account recovery) requires people to memorize a complex password.
The PIN interface is also an HSM on the backend. The HSM performs the rate limiting. So they'd need a backdoored HSM.
That added some context I didn’t have yet, thanks. I’m not seeing yet how Meta, if it was a bad actor, wouldn’t be able to brute force the PIN of a particular user. If this was a black box user terminal site, fine, but Meta owns the stack here, so it seems plausible that you could inject yourself easily somewhere.
If you choose an alphanumeric PIN they can't brute force because of the sheer entropy (and because the key is derived from the alphanumeric PIN itself.)
However, most users can't be bothered to choose such a PIN. In this case they choose a 4- or 6-digit PIN.
To mitigate the risk of brute force, the PIN is rate limited by an HSM. The HSM, if it works correctly, should delete the encryption key if too many attempts are used.
Now sure, Meta could insert itself between the client and HSM and MITM to extract the PIN.
But this isn't a Meta specific gap, it's the problem with any E2EE system that doesn't require users to memorize a master password.
I helped design E2EE systems for a big tech company and the unsatisfying answer is that there is no such thing as "user friendly" E2EE. The company can always modify the client, or insert themselves in the key discovery process, etc. There are solutions to this (decentralized app stores and open source protocols, public key servers) but none usable by the average person.
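Added example, not code from the thread or from any vendor: a small model of the backup-key scheme described above. A short numeric PIN only survives because a rate-limiting HSM wipes the secret after a fixed attempt budget, while an alphanumeric PIN derives the key directly and relies on entropy instead. `MAX_ATTEMPTS`, `ModelHSM` and the scrypt parameters are assumptions made for this model.

```python
import hashlib
import hmac
import math
import os

MAX_ATTEMPTS = 10  # assumed HSM policy for this model, not a vendor's value


def derive_key(pin: str, salt: bytes) -> bytes:
    """Stretch the PIN with scrypt; for an alphanumeric PIN this output
    is the key itself and its entropy is what resists offline guessing."""
    return hashlib.scrypt(pin.encode(), salt=salt, n=2**12, r=8, p=1, dklen=32)


def pin_entropy_bits(pin: str) -> float:
    """Search-space size in bits: 10^len for digits, 62^len if alphanumeric."""
    alphabet = 10 if pin.isdigit() else 62  # digits only vs [A-Za-z0-9]
    return len(pin) * math.log2(alphabet)


class ModelHSM:
    """Stand-in for the rate-limiting HSM: it alone holds the backup secret
    and releases it only for the right PIN, wiping it after too many misses."""

    def __init__(self, pin: str, secret: bytes):
        self.salt = os.urandom(16)
        self.verifier = derive_key(pin, self.salt)
        self.secret = secret
        self.failures = 0

    def unlock(self, pin: str):
        """Return the secret on a correct PIN, None otherwise."""
        if self.secret is None:
            return None  # already wiped; no further guessing possible
        if hmac.compare_digest(derive_key(pin, self.salt), self.verifier):
            self.failures = 0  # a success resets the budget
            return self.secret
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.secret = None  # the wipe is what makes a 4-digit PIN survivable
        return None


def guesses_before_wipe(hsm: ModelHSM) -> int:
    """Exercise the attempt budget with sequential digit PINs; returns how
    many guesses the model accepted before it destroyed the secret."""
    tried = 0
    for n in range(10**4):
        if hsm.secret is None:
            break
        hsm.unlock(f"{n:04d}")
        tried += 1
    return tried
```

The model also shows the gap the comment describes: anyone who can sit between client and HSM sees the PIN before it reaches `unlock`, so the wipe only protects against guessing, not against a malicious intermediary.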
That might be a different pin? Messenger requires a pin to be able to access encrypted chat.
Every time you sign in to the web interface or re-sign into the app you enter it. I don’t remember an option for an alphanumeric PIN or to offload it to a third party.
The ultimate way of installing Windows least bloated is choosing Region "English (World)" - as usually the bloatware is country specific. Avoid US, UK, etc. That's where Candy Crush comes from.
I fail to understand how you can measure keystroke latency coming from a KVM. Everything behind the KVM is invisible to you, assuming that it is spoofing a legitimate Logitech dongle and emulating a legitimate screen EDID.
The KVM uses buffering and queues the keystrokes. So the net time between them is the same as if I would type them locally.
What you could measure is the fingerprint of USB initialization and enumeration of keyboard, mouse etc when connecting and starting up.
It's actually the buffering in this case that will get you dinged. The stated 110ms "lag" is probably the minimum time between keystrokes ever. If you have ever recorded data on the mean time between keystrokes, you get a nice even distribution, but for someone on a KVM it will look very skewed, with most being under 110ms and zero below 110ms, which is impossible for a normal human at a machine to replicate.
Furthermore, there are a number of other side channel attacks here you could use to make things really inconvenient. Something super powerful would be having a FIDO2 key such as a YubiKey and recording the mean time to a human keypress. Your average person who is present at the machine will touch the button in a number of seconds. A remote operator in NK will have to summon the homeowner, which could take significantly longer.
Another technique you could use is to look at the mouse movement data. You would also see the same truncated distribution. I think a few people have put together a PoC for detecting cheaters in games based on mouse movements.
I do wonder also if the KVM devices they are using support HDCP. Showing media over HDCP on the screen that instructs the user to write an email or make a phone call instantly would be pretty cool.
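Added example, not code from the thread: a detector for the truncated inter-keystroke distribution the comment above describes. A buffering KVM that queues keystrokes puts a hard floor under every gap, so a session whose gaps never dip below the floor yet pile up just above it stands out. The 110 ms floor comes from the thread; the feature thresholds and the keystroke timestamps are constructed for this example.

```python
import random
import statistics

LAG_MS = 110.0  # the stated KVM floor, used here as the cut-off


def intervals(timestamps_ms):
    """Gaps between consecutive keystrokes, in milliseconds."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]


def timing_profile(timestamps_ms):
    """Features the comment describes: the hard floor, the share of gaps
    piled up just above it, and the overall spread."""
    gaps = intervals(timestamps_ms)
    near_floor = sum(1 for g in gaps if LAG_MS <= g < LAG_MS * 1.2)
    return {
        "min_gap": min(gaps),
        "below_floor": sum(1 for g in gaps if g < LAG_MS),
        "near_floor_share": near_floor / len(gaps),
        "stdev": statistics.pstdev(gaps),
    }


def looks_buffered(timestamps_ms, min_keys=50):
    """Flag a session whose gaps never fall below the floor yet cluster right
    above it; a person at the keyboard produces gaps on both sides of 110 ms."""
    if len(timestamps_ms) < min_keys + 1:
        return False  # too little data to judge
    p = timing_profile(timestamps_ms)
    return p["below_floor"] == 0 and p["near_floor_share"] > 0.35


def constructed_session(buffered, n=200, seed=1):
    """Constructed keystroke timestamps (not real recordings). A local typist
    gets a bell-shaped gap distribution; the buffered variant clamps every gap
    to the KVM floor, which is what queueing in the relay does to the timing."""
    rng = random.Random(seed)
    ts = [0.0]
    for _ in range(n):
        gap = max(30.0, rng.gauss(120.0, 60.0))  # assumed typing cadence
        if buffered:
            gap = max(LAG_MS, gap)
        ts.append(ts[-1] + gap)
    return ts
```

On real data the floor value should be learned per device rather than hard-coded, and a long session is needed before the absence of sub-floor gaps means anything.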
PLM, which OP has expertise in, is usually tied to the IT infrastructure of digital engineering in the manufacturing industry. That's not going away anytime soon. We are still far away from full automation / digitalization in these areas.
Absolutely. There are many areas where SW is focused on function and does well. It is unclear to me how AI will impact those areas. Question mark for those who have thoughts?
My point was that there is massive opportunity in areas that have not and will not be explored with the "track user" business model. Or have been abandoned. Good reads, good movies, or Groups.
I run a small consulting shop in Germany, also specialising in PLM (and IoT) - I never landed a gig in the US. The problem with PLM is that more often than not you operate in high tech / defense, and because of export control regulations you need residency.
For getting projects in Europe, what worked for me is cold outreach on LinkedIn. However, not directly for the end client (that really never worked) - but there are a lot of companies in between - medium size consulting shops / service integrators. Also digital strategy consulting shops sometimes realize in the middle of a project that they should better own the implementation themselves (because some other partner has been identified as unreliable or too expensive).
A big aspect is being consistent and sending a few messages per day.
What also worked was applying to jobs, and after making the first contact breaking it to them that I actually run my own company but that I could solve the issue that they were trying to fix by hiring me.
Last but not least - send me your CV to daniel a teide d tech - if you have experience with PTC's Windchill PLM there is a chance that I have work for you in the future. But also if not, it's always good to extend the network. I have worked in the past with freelancers from India, usually setting up legal/contractual aspects through deel.com
That is in principle correct, but since OP is using a throwaway and a known anonymous domain service, as long as he burns bridges after himself (e.g. not making it into an addressable business later), there is no individual to deliver a letter to.
Might work for a while, but a dangerous game to play...
It’s a bit more nuanced, you don’t need an Impressum for purely personal websites without financial background. Evaluating a business idea would probably count as financial motive though, even if it isn’t currently monetized.
The economics don't matter, everything that is regularly updated or offers a service needs an Impressum. The exception for "purely personal or familial" use clearly doesn't apply here because a service is being provided actively.
It mandates an Impressum for „geschäftsmäßige, in der Regel gegen Entgelt angebotene Telemedien“ (business-like telemedia, usually offered for payment). If it’s not geschäftsmäßig (business-like?), you don’t need an Impressum. If you do it for free without any intention to make money now or later, it’s not geschäftsmäßig.
If I have a blog that I update regularly but don’t have any ads from or take donations for, I don’t need an Impressum.
Impressumspflicht only applies for commercial interests. If you are a company informing or even selling something, if you are an influencer making money off yourself, or even if you just have ads on your Pokémon fan page, then it counts as commercial interest.
But I don't see any direct monetary value on this site at the moment. There is not even a reputation-gain, as there is no personal information. So Impressumspflicht would not apply.
A lot of companies do not want to deal with GbR / freelancers anymore as it quickly gets them on the hook for evading social security taxes (Scheinselbstständigkeit) - in my experience having a limited company is helpful for landing projects with big corps.
This is wrong. The UG offers the same protection as the GmbH. It's probably less trusted.
Fun fact: you should always use the full title, Companyname UG (haftungsbeschränkt), on all communications and contracts. Omitting the 'haftungsbeschränkt' or shortening it to 'haftungsb.' may make you as a CEO personally liable for damages occurred.