

“You’re the vulnerability”



I don’t understand how this can still happen with a well known brand in 2026. Personally the microphone is the least concerning aspect of this finding, since a Bluetooth connection would still be required. With more dedicated research, the BadUSB aspect is far more concerning in my book. Plug the speaker into a computer, even once and only to charge, and the computer is pwned? Preventing any future patching? I don’t know how I could ever trust one of these devices going forward.


I suppose that depends on your definition of a cybersecurity risk. Unfortunately it likely won’t matter to them unless it starts affecting their bottom line.


I don’t understand the purpose of your comment. That word exclusively appears twice in the twelfth paragraph, and makes complete sense in context. I think the write up is incredibly detailed but also easy to understand.


Awesome write-up.
Allowing arbitrary firmware updates without any signature validation, over Bluetooth, even unpaired and in sleep mode, and without any authentication is absolutely wild and should be criminal negligence.
It took Creative nearly two months to respond to SingCERT. Unfortunately, their response was that “they do not consider this to be a vulnerability, as it does not present a cybersecurity risk”.
What a foolish response. The guy wasn’t asking for money and gave them everything they would need to make a patched firmware.


Agreed.
I don’t mind paying a reasonable price for access to SSO, especially if the service is fully provided by third-party infrastructure. For something that is fully self hosted on the other hand, a recurring cost for what should be a basic (or at most a one time reasonable fee) feature feels egregious.


Yes I already do so, but this dashboard requires an enterprise license to also use OIDC.


This looks really cool, but I wish that OIDC wasn’t tied to an enterprise license that doesn’t show a price (just a contact us form and email address) and requires annual renewal.
I’d be willing to pay a reasonable one time fee to unlock OIDC support, and I understand why they charge a recurring fee for the other enterprise license features, but as it currently stands this doesn’t really make sense for a home lab.


“Do I look like I know what a one drive is? I just want my pictures on my god dang hard drive!”
Edit: For anyone who might not be familiar with the scene in question.
Edit2: Or the meme version.


That looks like a way more involved and complex project that requires an app to function. This is just a single static HTML page.
Sender and receiver visit the same page, select the appropriate tab, sender selects the file and clicks play, receiver starts the camera and points at sender’s screen.
I do wish it had a mechanism to download the generated images/video without needing to grab each frame individually, but overall it works surprisingly well for something so simple.


Here’s a screenshot from the receiver camera pointing at the sender’s screen so you can see both ends.


I suppose that’s true lol.
Yes, it plays a video with an adjustable speed, or you can have it show a specific frame. The receiver has a grid that fills in as the data is received, making it easy to tell what data was or wasn’t successfully received.


Well yes, but also no.
The data is all contained in the QR codes, but it’s also contained in the cache of the sender (which is how any chunk can be arbitrarily retransmitted), and also in the cache of the receiver (which is how the data is validated).


Based on my brief browsing of the code, it looks like it’s all in the browser cache itself. The bytes are split into numbered chunks, converted to base64, and then a sequence of QR codes is generated from the base64. At the end the received data is CRC32-checked for validation. There are adjustable parameters and a progress bar, making it easy to retransmit any chunk that wasn’t properly received.
The code is incredibly easy to read, everything is in a single HTML file with zero obfuscation (unless you count the two minified QR code dependencies that also include links to the un-minified versions).
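The two comments above describe the pipeline (split into numbered chunks, base64, one QR code per chunk, sender cache for replaying any chunk, receiver cache plus a CRC32 check). The following is an added example written for this page, not the tool's own code: it models that pipeline in plain JavaScript so the replay-and-verify loop can be run offline. The frame layout `index/total/crc:base64` and the class names are assumptions chosen for illustration, the QR encode/decode step is left out (each frame string stands in for the contents of one QR code), and the sample payload is constructed inline.

```javascript
// Added example (not the project's code). Frame format "index/total/crc:base64"
// is an assumption; a QR library would wrap each frame string on the sender and
// unwrap it on the receiver. Runs in a browser or in Node (btoa/atob fallback to Buffer).

// Standard reflected CRC32 (polynomial 0xEDB88320), table-driven.
const CRC_TABLE = new Uint32Array(256);
for (let n = 0; n < 256; n++) {
  let c = n;
  for (let k = 0; k < 8; k++) c = (c & 1) ? (0xEDB88320 ^ (c >>> 1)) : (c >>> 1);
  CRC_TABLE[n] = c >>> 0;
}
function crc32(bytes) {
  let crc = 0xFFFFFFFF;
  for (const b of bytes) crc = CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >>> 8);
  return (crc ^ 0xFFFFFFFF) >>> 0;
}

// Base64 helpers over raw bytes (binary-string form so they work without TextEncoder).
function bytesToB64(bytes) {
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return typeof btoa === 'function' ? btoa(bin) : Buffer.from(bin, 'binary').toString('base64');
}
function b64ToBytes(s) {
  const bin = typeof atob === 'function' ? atob(s) : Buffer.from(s, 'base64').toString('binary');
  const out = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
  return out;
}

// Sender side: chunk once, keep every frame cached so any index can be replayed on demand.
class Sender {
  constructor(bytes, chunkSize) {
    this.total = Math.ceil(bytes.length / chunkSize);
    this.crc = crc32(bytes);                      // whole-file checksum rides in every frame
    this.frames = [];
    for (let i = 0; i < this.total; i++) {
      const slice = bytes.subarray(i * chunkSize, (i + 1) * chunkSize);
      this.frames.push(`${i}/${this.total}/${this.crc.toString(16)}:${bytesToB64(slice)}`);
    }
  }
  frame(i) { return this.frames[i]; }             // "show a specific frame" for retransmission
}

// Receiver side: cache chunks by index, report gaps (the grid view), verify on assembly.
class Receiver {
  constructor() { this.chunks = new Map(); this.total = null; this.crc = null; }
  accept(frame) {
    const m = /^(\d+)\/(\d+)\/([0-9a-f]{1,8}):([A-Za-z0-9+/=]*)$/.exec(frame);
    if (!m) return false;                                       // unreadable or foreign scan
    const idx = Number(m[1]), total = Number(m[2]), crc = parseInt(m[3], 16);
    if (this.total === null) { this.total = total; this.crc = crc; }
    else if (total !== this.total || crc !== this.crc) return false; // frame from another transfer
    if (idx >= total) return false;
    this.chunks.set(idx, b64ToBytes(m[4]));                     // latest scan of an index wins
    return true;
  }
  missing() {
    const gaps = [];
    for (let i = 0; i < (this.total ?? 0); i++) if (!this.chunks.has(i)) gaps.push(i);
    return gaps;
  }
  assemble() {
    if (this.total === null || this.missing().length) return null;  // still incomplete
    let len = 0;
    for (const c of this.chunks.values()) len += c.length;
    const out = new Uint8Array(len);
    let off = 0;
    for (let i = 0; i < this.total; i++) { const c = this.chunks.get(i); out.set(c, off); off += c.length; }
    if (crc32(out) !== this.crc) throw new Error('CRC32 mismatch: a chunk was misread, replay it');
    return out;
  }
}

// Worked run on a constructed 1000-byte payload: two frames are "missed" by the camera,
// the receiver reports exactly those gaps, the sender replays them, and the CRC32 passes.
function demoTransfer() {
  const original = new Uint8Array(1000);
  for (let i = 0; i < original.length; i++) original[i] = (i * 7 + 3) & 0xFF;
  const tx = new Sender(original, 100);
  const rx = new Receiver();
  tx.frames.forEach((f, i) => { if (i !== 3 && i !== 7) rx.accept(f); });
  const missedFirstPass = rx.missing();
  for (const i of missedFirstPass) rx.accept(tx.frame(i));
  const result = rx.assemble();
  const ok = result !== null && result.length === original.length && result.every((b, i) => b === original[i]);
  return { missedFirstPass, ok };
}
```

The important security property is the last step: the receiver trusts the CRC32 carried in the frames, so this detects a misread QR code but is not an integrity check against a hostile sender (anyone showing frames can also show a matching checksum). A cryptographic hash agreed out of band would be needed for that.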


I’m sorry you didn’t enjoy them. I don’t feel like there is much similarity between DCC and Ready Player One personally. I didn’t care for the protagonist in Ready Player One, and the whole story revolved around pop culture references. DCC has likable main characters in my opinion, and any pop culture references are very few and far between and have no impact on the story.


That’s true, but they also have Grand Champion, Breed Winner Regional, National Winner Princess Donut the Queen Anne Chonk.


Goddammit Donut!


It’s a reference to the Dungeon Crawler Carl series of books. If you haven’t read them, I can’t recommend them enough. The audiobooks are also incredibly well done.


Oh shit, you just reminded me that the new DCC book is out. I know what I’m doing on my lunch break.
I’m sorry to say it but now I’m even more confused.