Show HN: I built an encrypted BLE dongle for pasting stuff to air-gapped devices

https://github.com/Brisk4t/ToothPaste
5•Brisk4t•6h ago
Definitely one of those "20 minute adventure gone wrong" projects where all I wanted initially was a quick wireless rubber ducky for BitLocker keys and the like, and then I kept adding stuff like AES-256...

Currently working on adding WebAuthn/FIDO support because the hardware is already there and scope creep is a lifestyle at this point.

Would love feedback, especially on the security side. Repo and PCB files are fully open source.

Comments

fernando-ram•6h ago
This is a visualization of it. Very cool https://app.principal-ade.com/Brisk4t/ToothPaste
cryptoalex•1h ago
Love the idea! Here are a few things that might be worth a closer look:

1) "... if someone can dump the indexdb data stored in your browser they can access your AES Key and impersonate the device ..." - I was surprised to read that IndexedDB stores the AES key. Is that a "Shared Secret Session Key" negotiated via ECDH? If so, it should not be stored. Only the Public Key of the ToothPaste device (obtained during the "Pairing" process) should be stored in the browser's IndexedDB, preferably HMAC'ed or otherwise authenticated (via the password-derived, local, client-only symmetric key which you already seem to be using).

2) "... ToothPaste allows encrypting this local data, along with saved Macros and Duckyscript scripts, using a Password + Argon2 derived encryption key ..." - make sure you are using a random salt here, and deriving from (password + salt), not just (password). The salt should be stored in plain text in the IndexedDB. Also, since this derivation runs in the browser (not in the MCU), try using the Argon2id flavor of Argon2 to also make it memory-hard, not just compute-hard.

3) From the animated GIF demo, it looks like the BLE packets are being sent on every keystroke as you type. At the very least, you may leak your BitLocker password length. I would rather send the whole thing once the user has finished typing and pressed Enter, or take more steps to obfuscate it by padding with random dummy data and sending every 0.3 seconds.

4) You never mention what mode of AES you are using. I think you should be fine with GCM mode with a random nonce, using the "Message Number" as Associated Data (see next point).

5) You probably need protection against a "Replay" attack, i.e. an encrypted BLE packet "replayed" by an attacker. This could be done by an ever-increasing Message Number on the sender side, and the receiver keeping track of the "last Message Number" and only accepting messages with a higher number than the "last Message Number" - for both directions you need 2 independent numbers. Also, the Message Number is a good thing to put into the Associated Data if you use AES GCM mode.

6) Every session should start from ECDH negotiating a brand new AES key - this way you don't have to deal with a long-lived AES key, do not need to store it anywhere, and do not run the risk of using the same AES GCM key for too many messages or too much data.
