Thank you for sharing the original. I was clearly mistaken.
Seeing the image uncropped and in full resolution makes a big difference.
Thank you for sharing the original. I was clearly mistaken.
Seeing the image uncropped and in full resolution makes a big difference.
I’m not sure what the “it” is supposed to be, and I don’t understand how this has anything to do with Alan Watts, but this image has so many oddities that I think it might be AI generated.
Top to bottom:


HTTP is like a conversation with someone wearing a “Hello my name is X” sticker at a public party, HTTPS is like a conversation with someone proving their identity with a government issued passport in a private room. Anyone can write anything they want on the former, and anyone happening to listen to the conversation can overhear everything. On the other hand, the latter requires basic identity verification and can’t be easily overheard.
With that being said, anyone can also obtain a passport. That means you can be sure that you are interacting with a John Doe, but that doesn’t necessarily mean that you are interacting with the John Doe you were expecting. For example, John A Doe (e.g. Google.com) is different, but maybe difficult to notice from John E Doe (e.g. Goggle.com), especially at a glance.
I hope that helps.


“You’re the vulnerability”


I don’t understand how this can still happen with a well known brand in 2026. Personally the microphone is the least concerning aspect of this finding, since a Bluetooth connection would still be required. With more dedicated research, the BadUSB aspect is far more concerning in my book. Plug the speaker into a computer, even once and only to charge, and the computer is pwned? Preventing any future patching? I don’t know how I could ever trust one of these devices going forward.


I suppose that depends on your definition of a cybersecurity risk. Unfortunately it likely won’t matter to them unless it starts affecting their bottom line.


I don’t understand the purpose of your comment. That word exclusively appears twice in the twelfth paragraph, and makes complete sense in context. I think the write up is incredibly detailed but also easy to understand.


Awesome write up.
Allowing arbitrary firmware updates without any signature validation, over Bluetooth, even unpaired and in sleep mode, and without any authentication is absolutely wild and should be criminal negligence.
It took Creative nearly two months to respond to SingCERT. Unfortunately, their response was that “they do not consider this to be a vulnerability, as it does not present a cybersecurity risk”
What a foolish response. The guy wasn’t asking for money and gave them everything they would need to make a patched firmware.


Agreed.
I don’t mind paying a reasonable price for access to SSO, especially if the service is fully provided by third-party infrastructure. For something that is fully self hosted on the other hand, a recurring cost for what should be a basic (or at most a one time reasonable fee) feature feels egregious.


Yes I already do so, but this dashboard requires an enterprise license to also use OIDC.


This looks really cool, but I wish that OIDC wasn’t tied to an enterprise license that doesn’t show a price (just a contact us form and email address) and requires annual renewal.
I’d be willing to pay a reasonable one time fee to unlock OIDC support, and I understand why they charge a recurring fee for the other enterprise license features, but as it currently stands this doesn’t really make sense for a home lab.


“Do I look like I know what a one drive is? I just want my pictures on my god dang hard drive!”
Edit: For anyone who might not be familiar with the scene in question.


That looks like a way more involved and complex project that requires an app to function. This is just a single static HTML page.
Sender and receiver visit the same page, select the appropriate tab, sender selects the file and clicks play, receiver starts the camera and points at sender’s screen.
I do wish it had a mechanism to download the generated images/video without needing to grab each frame individually, but overall it works surprisingly well for something so simple.


Here’s a screenshot from the receiver camera pointing at the sender’s screen so you can see both ends.



I suppose that’s true lol.
Yes, it plays a video with an adjustable speed, or you can have it show a specific frame. The receiver has a grid that fills in as the data is received, making it easy to tell what data was or wasn’t successfully received.


Well yes, but also no.
The data is all contained in the QR codes, but it’s also contained in the cache of the sender (which is how any chunk can be arbitrarily retransmitted), and also in the cache of the receiver (which is how the data is validated).


Based on my brief browsing of the code, it looks like it’s all in the browser cache itself. The bytes are split into numbered chunks, converted to b64, and then a sequence of QR codes are generated from the b64. At the end the received data is crc32 checked for validation. There are adjustable parameters and a progress bar, making it easy to retransmit any chunk that wasn’t properly received.
The code is incredibly easy to read, everything is in a single HTML file with zero obfuscation (unless you count the two minified QR code dependencies that also include links to the un-minified versions).


I’m sorry you didn’t enjoy them. I don’t feel like there is much similarity between DCC and Ready Player One personally. I didn’t care for the protagonist in Ready Player One, and the whole story revolved around pop culture references. DCC has likable main characters in my opinion, and any pop culture references are very few and far between and have no impact on the story.
I was serious, but I was clearly mistaken. I still don’t understand the connection to Alan Watts, but I wouldn’t be surprised if the connection is obvious and over my head.