That's a DoS attack, not "jamming". RF jamming usually relies on flooding frequencies with garbage which doesn't get interpreted as valid protocol traffic but does "crowd out" legitimate use.
The protocol-aware class of attack you describe does require some knowledge of the radio parameters being used, since LoRa runs on very narrow bands and uses both time and frequency-hopping to avoid congestion on any one virtual channel. They even apply (very basic) encryption to messages to prevent unknown senders from flooding the channel.
Unfortunately, both systems come preconfigured out of the box to use a default configuration which most users never override. So like cheap FRS/GMRS walkie talkies, all it takes is a few jerks who don't care about common use to overwhelm everyone with bogus messages. If you fire up a new device running the default Meshtastic firmware in any kind of dense urban environment, odds are it will more or less immediately get inundated with spam: "ping", "test", "hello from <neighborhood>", etc.
And since MT + MC both flood the shared channels to push messages across intermediary nodes, they pretty much self-DDoS by doing...nothing.
If you're talking about a few miles/KMs between nodes, plain old LoRaWAN might be more than sufficient, esp. for the sensor use case. The nice thing about using LoRaWAN is that it's literally providing an IPv6 overlay so you can run e.g. MQTT or a text-based messaging protocol designed for regular TCP/IP use. UDP is preferable to avoid frequent session resets and keepalive traffic chewing up your available bandwidth.
Meshtastic and MeshCore can theoretically provide "infinite" range so long as there are peers between the nodes you want to connect. Theoretically, mobile peers can also serve as store-and-forward nodes so that reachability doesn't need to be constant, just frequent enough to handle the messaging you want to do.
I would absolutely not rely on either for a safety-critical application, though. If you want emergency comms in case something happens while you're out on the mountain, use a satellite communicator. There are a ton of these marketed for outdoor/portable use, and they have much more robust "SOS" capabilities (up to and including direct dispatch of search-and-rescue).
LoRaWAN seems interesting but the documentation and availability is either "Crypto hobby project from Seedstudio" or "Strange telecom companies selling $900 base stations that still expect an internet connection (for licensing?)". Maybe I'm missing something but LoRaWAN doesn't seem to sell itself very well when half the vendors are behind "Contact for quote" pages.
Of course, for real emergencies I have a Garmin SOS device. It would just be "nice" to have something for local 2-5 km communication that doesn't need a clear view of sky, works partially underground, etc. GMRS is "fine" but from a physics perspective a digital signal with Chirp encoding should go further and be more reliable.
Seems like JS8Call or Packet radio might be more in line with what I want. It's just surprising that something like Meshtastic hasn't replaced them.
> Of course, for real emergencies I have a Garmin SOS device.
That's why the mesh radio/LoRaWAN-type ecosystems suck. I don't mean to be rude or snarky; just to point out a very contextually-relevant example against your argument.
For the average consumer who needs this functionality seriously, there's a proprietary (and often costly) solution. Subtract those mission-critical-remote-comms devices and you're left with hobbyist needs, so you get hobbyist-quality ecosystems.
Meshtastic supports store and forward for ESP32 nodes that have a few MB of RAM, but not for the nRF52 devices that can't practically buffer much. I've only used the latter class of devices, so I don't have any experience with how well Meshtastic's store and forward works in practice.
In many cases the people deploying these cameras have no idea the feeds are being resold to Flock. It’s not like they have a consumer brand and people are saying, “oh yeah, Flock, they’re the license plate camera folks…I definitely want one of those in my locker room.”
We are opening up a wellness clinic and we were planning to use a managed service company for internet, network, and security. I was appalled by the managed services suggestions. Privacy of our patients and their data is critical, and the managed service company wants to send all of our feeds to third parties and give third parties direct access to our network.
We decided this was a privacy and security risk, and have gone in a completely different direction, but it would not surprise me if most businesses used one of these companies and just went with whatever they suggested without understanding at all what is at stake or who has access to the data.
It's "hilarious" how incompetent some companies are.
One background check firm used by a previous employer of mine sent me an email saying:
"Hi FireBeyond, doing a background check, just want to verify that all these details for you are correct:
full legal name, address, dob, full ssn, phone number, USCIS#..."
and then the kicker:
"and also want to make sure we have the correct email address for you"
Oh. You just sent all this shit to an email address and "oh, let us know if this is your email address"?!?
Meanwhile, they've found my fiancee on FB and are messaging her out of the blue to "verify" she knows me (to be clear, this was meant to be a standard background check, not a security clearance or anything similar).
To their credit, that employer, when I told them all this, were as horrified as I was and fired them as their background check provider.
Most often the business hires a security contractor to take care of it, and signs the contract without understanding the terms. You should be able to trust your suppliers enough that you can do the above, they are the experts in the thing (cameras in this thing, but could be things like plumbing or accounting) and you have your own business to run. "Should" is key though, all too often someone doesn't do right by their clients.
>Most often the business hires a security contractor to take care of it, and signs the contract without understanding the terms.
The bulk of the responsibility here would lie on whoever signed I think. It's one thing to click "I agree" when you are making a SaaS account for downloading cat videos. But at a job, you are getting paid to read these things and to make informed decisions.
> Or are you just saying the person placing the cameras is decoupled from the person making the decision to aggregate them all.
That's exactly what's happening.
People are buying webcams which are cheap and have in their ToS something to the effect of "we get to sell everything the camera can see". Which, in turn, allows them to partner with Flock and sell video footage directly to them.
Consider the fact that at one point, Amazon partnered with Flock to sell their Ring camera footage to Flock. [1] It only got botched because of the creepy Super Bowl commercial selling the spying as "finding lost puppies".
Fingerprinting devices once you’re installed on them isn’t much harder than doing so in a web browser.
Have Instagram installed on your phone? Great, now every Meta-owned app _or advertiser running on their platform_ has a pretty good shot at identifying you based on IP, location, app usage, etc.
There is a ton of signal about identity available just by virtue of running alongside other apps. Screen size, OS version, and IP are pretty good proxies for unique identity, especially if all you care about is _probable_ matches.
My understanding was that it's very difficult to reliably fingerprint iOS devices. Apple limits access to identifiers and specifically disallows fingerprinting. For this application of tracking people, you'd need decent reliability or you'd just get noise.
And no, I don't have any Meta published apps on my phone for exactly the reason you outline. I'm very aware of how IDFV and IDFA work.
But we’re not talking about an 80-year gap here (“blaming modern Germans”); we’re talking about people who are in the global top 5% of income and prestige choosing _today_ to contribute to these organizations.
If you believe that your labor is worth something — which I’m pretty sure this crowd does — by working for a given firm, you’re voting with the value of your time in support of what your employer does.
Which, to be clear, is 100% your choice! I’m not going to accuse anyone of being a “bad person” because they decide that stable, high-paying employment is more important than taking a particular ethical (or political) stand at work.
But it _is_ a choice that you make every day by showing up for work.
In my view this is even more relevant for tech workers who receive equity. If you’re a shareholder in addition to being an employee, you’re now voting _twice_ in favor of what management is doing, and benefitting directly from both pay and ownership.
Fair point, and I do agree with you. I guess I've seen too many politicians recently with agendas doing the moral high ground thing and I'm beginning to see that sort of conduct everywhere. Thanks for your reasoned comment. It seems to be a growing problem or maybe I'm just more aware of it.
"Justifying lower insurance rates" is just algorithmic bias described from the perspective of someone it doesn't (currently) harm. See also: credit scoring, insurance claim acceptance, job applications, etc., etc.
You only get offered a discount if most other customers are being compelled to pay full (or even increased) prices for the same offering. Otherwise revenue goes down and company leadership finds itself finding other ways to cut costs and increase profits.
Likewise interested in the authoritative answer, but: if I needed to write a decent chunk of code that had to run as close to wire/CPU limits as possible and run across popular mobile and desktop platforms I would 100% reach for Rust.
Go has a lot of strengths, but embedding performance-critical code as a shared library in a mobile app isn't among them.
I think that any kind of “modern ops” necessarily includes coding, even if there isn’t a ton of Python or Rust being generated as part of the workflow.
Kubernetes deployment configurations and Ansible playbooks are code. PromQL is code. Dockerfiles and cloud-init scripts are code. Terraform HCL is code.
It’s all code I personally hate writing, but that doesn’t make it less valid “software development” than (say) writing React code.
I think you have it backwards. Systems engineering is the big picture discipline of designing & managing complex systems while config management is a specific process within that.