Liberty : 1776 - 2026

Does the coin read like a tombstone, or is that just me?

Do people just forget that tact is a thing that exists?

That’s what I’ve done for years. Makes managing things much easier, and I run multiple APs (all with the same SSID/PSK) and you can just roam to the best one. One upstairs, one downstairs, one in the weird dead zone in my office, and one on the back patio (it’s not hardwired and uses the mesh connection for uplink).

These are all old Aruba APs running OpenWRT but that’s the plan for this Cudy Model. I may pick up a few more and just replace all of my trusty but very old Arubas.

I bought this one last month when it was on sale for $39: https://www.amazon.com/dp/B0BRK3CYY3

Haven’t deployed it yet, but it’s fully supported by OpenWRT. I would only be using it as an access point, though. My router is a USFF Optiplex with an extra NIC and runs OpenWRT.

Only if the USB Implementation Forum doesn’t get a chance to name it. Otherwise, it’d be something like DNA 3 2.0 Super Speed

I’m just now realizing that’s probably my resting face.

Chuck Norris never dies. He just waits.

You definitely want the batteries in a conditioned space. You didn’t say what type of batteries, but I’m assuming LiFePO4. You can store them at a fairly wide range (my hybrid battery does fine all winter parked outside) but charging/discharging them has much more restrictions if you want your batteries to remain healthy and happy.

• Discharging Range: Typically from -20°C to 60°C (-4°F to 140°F). This is the widest and most permissive operational range.
• Charging Range: A much stricter range, typically from 0°C to 45°C (32°F to 113°F). Respecting this range is critical for battery health.
• Storage Range: The ideal range for long-term health is between 10°C and 35°C (50°F to 95°F).

– https://www.anernstore.com/blogs/anern-solar-insights/lifepo4-battery-temperature-range-guide

Those are “absolute” limits but there’s a table on the linked page with the recommended temperature limits and they’re quite a bit more narrow.

Whether it makes more sense to condition the shed or run your PV output 30 meters from the shed depends on the amperage and voltage from the PV. The higher the voltage, the less amperage and thus smaller conductors can be used and less loss along the way. Not sure what your charge controller accepts, so you’ll have to check.

Yep, that’s the one.

I’ll reserve a phone but not a truck, lol. Looks like those are scheduled to be out late 2026, so probably at least next year before I can even think about getting my hands on one.

At least it’s still a thing.

I used to drive a 2004 Ranger and loved it. Would absolutely love an EV version even if the range isn’t super great. Mostly need a truck occasionally and for hauling stuff from the home improvement store or if I find furniture at a garage sale or something.

Need to check and see if that $20,000 no-frills EV truck is making any progress.

Absolutely.

It’s nowhere near this level of effort, but I have a 60’s wall-mount rotary phone wired to a Bluetooth=>POTS adapter. So not only do I have a retro phone in my house, but it actually works.

The saddest part of the video, in meme format:

And the auto-submitting TOTP entry form where you’re apparently not allowed to make a typo. And obscuring the TOTP number like it’s a password or state secret.

TIL and nice bit of trivia!

Lol, exactly that.

Lol, I was about to reply to the main post and make the same joke.

🤚totally guilty there.

I wish there was a way to mute or turn off replies, and I might post more. Sometimes / often I’ll want to post something but definitely do not want to be bombarded with the comments it would generate. Other times, I’ll like the community but not be involved enough in whatever hobby to post anything but still enjoy seeing other people’s work (e.g. HAM radio, sewing, etc).

Solutions that work for a corporate application where all the staff know each other are unlikely to be feasible for a publicly available application with thousands of users all over the world

This is something of a hybrid. There will be both general public users as well as staff. So for staff, we could just call them or walk down the hall and verify them but the public accounts are what I’m trying to cover (and, ideally, the staff would just use the same method as the public).

Figure if an attacker attempts the ‘forgot password’ method, it’s assumed they have access to the users email.

Yep, that’s part of the current posture. If MFA is enabled on the account, then a valid TOTP code is required to complete the password reset after they use the one-time email token. The only threat vector there is if the attacker has full access to the user’s phone (and thus their email and auth app) but I’m not sure if there’s a sane way to account for that. It may also be overkill to try to account for that scenario in this project. So we’re assuming the user’s device is properly secured (PIN, biometrics, password, etc).

If you are offering TOTP only,

Presently, yes, but we’re looking to eventually support WebAuthn

or otherwise an OTP sent via SMS with a short expiration time

We’re trying to avoid 3rd party services, so something like Twilio isn’t really an option (nor Duo, etc). We’re also trying to store the minimum amount of personal info, and currently there is no reason for us to require the user’s phone number (though staff can add it if they want it to show up as a method of contact). OTP via SMS is also considered insecure, so that’s another reason I’m looking at other methods.

“backup codes” of valid OTPs that the user needs to keep safe and is obtained when first enrolling in MFA

I did consider adding that to the onboarding but I have my doubts if people will actually keep them safe or even keep them at all. It’s definitely an option, though I’d prefer to not rely on it.

So for technical, human, and logistical reasons, I’m down to the following options to reset the MFA:

1. User must contact a staff member during business hours to verify themselves. Most secure, least convenient.
2. Setup security questions/answers and require those after the user receives an email token (separate from the password reset token). Moderately secure, less convenient, and requires us to store more personal information than I’d prefer.
3. Similar to #2 except provide their current password and a short-term temporary token that was emailed to them when they click “Lost my MFA Device”. Most convenient, doesn’t require unnecessary personal info, possibly least secure of the 3. Note that password resets require both email token and valid TOTP token, so passwords cannot be reset without MFA.

I’m leaning toward #3 unless there’s a compelling reason not to.

I thought about generating a list of backup codes during the onboarding process but ruled it out because I know for a fact that people will not hold on to them.

That’s why I’m leaning more toward, and soliciting feedback for, some method of automated recovery (email token + TOTP for password resets, email token + password for MFA resets, etc). I’m trying to also avoid using security questions but haven’t closed that door entirely.