My scooter was stolen last week. Unknown to the thief, I hid two Airtags inside it. I was able to use the Apple Find My network and UWB direction finding to recover the scooter today. Here’s how it all went down:
The theft occurred on Monday night. I went out to dinner and locked it to a grate with motorcycle handcuffs. I find them easier to use than a cable lock, but apparently I forgot to lock one cuff. It was gone after ~2 hours. amazon.com/gp/product/B00…
No fear! The most important part of IR is preparation, and I hid two Airtags inside the scooter: one “decoy” in the wheel well and a second, more subtle, one inside the stem. Covered in black duct tape, they’re hard to see.
I resolved to find it the next day but I’d be short on time: I had to catch a flight to Blackhat. I biked to where the scooter was located with an extra lock in-hand, hoping I could see it on the street and lock it to the nearest object for later retrieval.
I also had NYPD meet me at the nearest street corner but they were resistant to helping. They weren’t familiar with Airtags, thought I might be enlisting them to steal something, and refused to walk with me if I knocked on a door or into a store.
With only 1hr to hunt, I couldn’t find its precise location and left thinking it was in these apartments. I boarded my flight to Blackhat, expecting I’d never see my scooter again. Why? Apple’s anti-stalking features.
iPhone users automatically receive a push notification if an unknown Airtag has been “following” them, without its owner, for a random time between 8 and 24 hours. The Airtag itself will also start making sounds w/ a built-in speaker. macrumors.com/2021/06/03/app…
Luckily, the Airtags didn’t move for the whole week. I thought up a new game plan to recover it as soon as I got off my redeye flight this morning. First stop, the 79th Precinct to try convincing the cops to help me, again.
I immediately encountered resistance: 1) go back to where it was stolen and call 911 2) that’s not our precinct 3) we can’t help you if it’s inside a residence 4) I’m not familiar with your voodoo magic^H^H^H Airtags
I was patient, upbeat, and demonstrated with the Airtags on my keys. I reiterated I didn’t want them to do anything illegal to help me, made a joke about it only costing $800 so it’s no felony, and insisted it would get solved within an hour. It worked!
With a willing 2-man patrol and me in the backseat, we drove to the current location, I pointed out the apartments, and then it dawned on all of us… there’s an e-bike store directly next door! In we walked to survey the merchandise.
I received a UWB ping as I walked in the door. It’s 13ft away! I gestured to keep walking, it’s here. The store was unkempt with piles of scooters. There was not a single new scooter in the store, every item on sale was second-hand.
Seconds later, I walked right into it. My scooter! The employees were in disbelief: How did I know it was mine? I played sounds from an Airtag. Not good enough. I paired to it with the Ninebot iOS app. This convinced the last holdouts.
At this point, one mechanic started making excuses for the current state of it: the woman who brought it in had complained about the brakes, so he cut the power line to the handlebars and then removed them. This is not how to repair brakes:
As I further inspect the scooter, the cops start asking questions: Do you sell used e-bikes? Do you collect info from the seller? Do you ask that they prove ownership? What is the contact info for the person who dropped this scooter off? No, No, No, and we don’t know.
It’s at this point that I noticed there were cameras indoors. In hushed tones, I excitedly told the cops, “Ask for video from last Tuesday at noon.” As I walked the scooter outside, I further reiterated, “they’ll delete it if you don’t get video now.”
An employee inside realizes we're investigating further. He immediately becomes agitated: I should be happy I got my scooter back and leave. It’s my fault for getting it stolen. I’m screwing up his day. This isn’t how we do things in Brooklyn. More joined in.
I move outside while one cop retrieves the evidence, but the most aggressive employee followed me. He says, “All you’re doing is making enemies.” Gets closer to me, and pantomimes shooting me. He implies I’d get murdered if he sees me again.
I do my best “How to Win Friends” and find things to agree with him on. To their credit, the employees not harassing me outside cooperated and provided the video. It’s a woman, and they claim she didn’t leave a phone number.
I filled out a report at the precinct, and my two patrolmen get a parade of high fives from their peers. No one can remember the last time they solved an e-bike crime! I teach them all how to use Airtags, then hop in a Lyft home. @NinebotGlobal agrees to RMA the scooter ♥️.
Here are a few lessons learned if you’re using Airtags for theft recovery: 1) Use an Airtag adhesive that blends in and muffles noise. It’s clear my thief was looking for them. 2) Do not turn on Lost Mode. It immediately alerts the thief they’re being tracked.
3) Act quickly, before the anti-stalking feature kicks in. Damage done to my handlebars was likely in response to the regular noises from the Airtag. 4) Limit your in-person interactions and always involve the police. Don’t try to retrieve your stolen goods until you have backup.
Everyone's been sending me the deepfake CFO article. I'm not sure if it's real, so waiting for facts to emerge. But, here's what I'd do if it's accurately reported 🧵 amp.cnn.com/cnn/2024/02/04…
Make sure you follow the four-eyes rule: Use access controls that require two (or more!) person approval for transfers above a risk threshold. Banks like @mercury and @meow make this easy.
Between certain staff (e.g., accountant -> CFO), it may make sense to share a secret passphrase to authenticate each other. If you want to get fancy, share a TOTP seed to reduce the risk further.
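The TOTP idea above, sketched as an added example (not code from the thread): the person receiving a transfer request asks the caller to read out the current code and checks it against the shared seed. `CallVerifier`, the one-step drift window and the seed (the RFC 6238 test seed) are assumptions made for illustration.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # code length the caller reads out

def totp(seed: bytes, at: float, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class CallVerifier:
    """Hypothetical helper: checks a spoken code against the shared seed."""

    def __init__(self, seed: bytes, drift_steps: int = 1):
        self.seed = seed
        self.drift_steps = drift_steps  # tolerate clock skew of +/- N steps
        self.last_used_step = -1        # newest step already accepted

    def verify(self, spoken_code: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        current = int(now) // STEP
        # Keep ASCII digits only, so "287 082" read over the phone still works.
        code = "".join(ch for ch in spoken_code if ch in "0123456789")
        matched = None
        first = max(0, current - self.drift_steps)
        for step in range(first, current + self.drift_steps + 1):
            expected = totp(self.seed, step * STEP)
            # Constant-time compare; a step that was already used is refused,
            # so a code overheard on one call cannot be replayed on the next.
            if hmac.compare_digest(expected, code) and step > self.last_used_step:
                matched = step
        if matched is None:
            return False
        self.last_used_step = matched
        return True

# Constructed sample seed: the published RFC 6238 test seed, never a real one.
SAMPLE_SEED = b"12345678901234567890"
```

The seed has to be exchanged in person or over a channel the impersonator cannot reach, and each side should keep it in a password manager or authenticator app rather than in chat or email.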
Here's the most correct recap of what's happening with OpenSea right now.
tl;dr The security of web3 platforms depends entirely on wallets with universally poor security UX, and there's very little the platforms can do about it.
MDM is a pain in the ass, and we’ve been looking for a new vendor since Fleetsmith was acquired by Apple (and then disabled 90% of their product). Their agent barely worked, and frequently mishandled security updates.
Fleetsmith had clearly become a burning bridge when they failed, again, to apply 10.15.6 to our machines (one of their few remaining features). We found Kandji and within 3 days, their solutions team helped us plan and execute a one-way migration to their product.
In our last meeting, Kandji provided us a custom package to remove Fleetsmith from all our machines and step-by-step instructions for migrating to theirs. Satisfied with our testing and their help, we began migrating immediately.
We're hired to provide industry-best advice @trailofbits, and that's exactly what we provided to @HegicOptions. How, then, were bugs found in their code mere hours after they deployed it to mainnet? (1/n)
In 3 days earlier this month, we identified 10 critical flaws in @HegicOptions that could harm users. We noted a lack of tests, a lack of documentation, and that the time afforded to review their code was insufficient.
Bottom line: we told them to hold off deploying.
This was the right advice, and we generally expect people to listen to us when they're paying for our help.
Instead, Hegic patched the few bugs we found, made no further changes, misrepresented our 3-day code review as an "audit", then immediately deployed.
Most people are now aware that @trailofbits conducted a security review of the Bitcoin Cash client on behalf of @BitcoinSVNode. While we cannot release our report in its entirety yet, I wanted to share a few details of what we found…
First, as far as we are aware, this was the first time a professional services firm reviewed the security of a Bitcoin client. We began with a comprehensive review of the bitcoind attack surface and surveyed previous attempts to fuzz it.
Prior fuzzing efforts appeared ad-hoc, did not share their input sets or report code coverage, and referred to outdated, unworking instructions. We identified surprising gaps in coverage when compared to our attack surface modeling and set about to remedy the situation.
Google sure is good at plagiarizing my work. I released @AlgoVPN, an open-source, self-hosted VPN solution, in 2016. I find it hard to believe @Jigsaw was unaware since I’ve met their engineers more than once. wired.com/story/alphabet…
I’m proud of what we accomplished but taking @AlgoVPN to the next level requires external funding. I have been relentless in trying to obtain it. I started by recording a podcast, then bundled it with my proposals. georgianpartners.com/the-problem-wi…