LainTrain

@[email protected]


LainTrain , to Technology in A group of R1 jailbreakers found a massive security flaw in Rabbit’s code

I don't think that's the case, because otherwise how did they leak this key that the backend uses, that presumably stayed in the backend, by reverse-engineering the Rabbit Android application?

I think the devices all just have hardcoded keys to the APIs themselves.

LainTrain , (edited ) to Technology in South Korean telecom company attacks torrent users with malware

Thanks for the explainer, but that's not what I meant.

For example: If I, an ISP in Beijing, went to BEIJING CERTIFICATE AUTHORITY Co., Ltd., which is on the list, and had my cert issued by them for foobar.com that listed them as the root trust, wouldn't that work? Because the service operating there currently is illegal and I need to take it down, I don't see how or why they could refuse. If they can't do this for ISPs, then certainly law enforcement should be able to force them to comply, I would assume.

If I then went to abuse that cert and spread malware on my fake cloned site, then what are the affected users going to do, call the cops and tell them the illegal seedbox is down?

This is the only way I can see governments being able to display blocked website notices, takedown notices and other MITM insertions demonstrably happening in all sorts of countries without triggering a "back to safety" warning in most browsers.

This has to be possible, because otherwise the observable results don't make any sense.

I'm not necessarily saying they did the attack this way instead of just simply spreading malicious torrents which is far easier, but I don't see why they wouldn't be able to do this.

LainTrain , to Ask Lemmy in What did you routinely fall asleep listening to as a kid and what does it for you now?

A cassette on one of those small kid stereos, later it was my mom reading me stuff. I don't know if I could listen to music falling asleep but nowadays I have YT videos on and lots of white noise to drown out the crackhead neighbours upstairs.

LainTrain , (edited ) to Technology in South Korean telecom company attacks torrent users with malware

or has access to a trusted CA's key, as per above.

I don't see why they wouldn't, or couldn't, do this if they wanted to, if they were also willing to straight up resort to spreading malware, which, idk about SK, but that's illegal anywhere in the West under very broad laws.

EDIT: They could also do a redirect to a different URL with a valid cert I guess, though I'm sure browsers block that too. Well I'm out of ideas then, I feel bad for cybercriminals these days.

EDIT2: Wait a sec, how does government censorship work then? Like e.g. https://ttrpg.network/post/7634428
How is the government able to MITM this person? The website is HTTPS and they're using a VPN, but presumably locked to the DNS of the ISP. How are they able to block websites at all in this case with anything other than a termination of a connection (i.e. displaying a banner)?

Even without a VPN by your logic if the ISP can't present a foobar.com cert then they couldn't block it via just DNS. How do FBI takedown notices work? Shouldn't all of these throw up SSL errors and "back to safety" prompts?

LainTrain , (edited ) to Technology in A group of R1 jailbreakers found a massive security flaw in Rabbit’s code

Then wouldn't it be just one API key to the Rabbit backend instead? The researchers are suggesting it's several keys though. Or are you suggesting every device has the same key to ElevenLabs that it sends over to the Rabbit backend, which passes that through to the request? That's also very silly if they did that.

LainTrain , to Technology in A group of R1 jailbreakers found a massive security flaw in Rabbit’s code

What I don't understand is why the TTS key could even delete voices or read past responses from other devices; ideally, each device should have its own properly scoped API key that only lets it access the immediately necessary functionality and no more.
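The per-device, scoped-key design this comment asks for, as an added example written for this page (not Rabbit's code and not from the article): the backend mints an HMAC-signed token bound to one device ID with an explicit scope list, and each handler checks for exactly the scope it needs. The token format, the scope names ("tts:synthesize", "voices:delete", "history:read"), the device IDs and the seeded histories are all assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Token layout, assumed for this example (not Rabbit's real format): base64url(deviceID|scope1,scope2)
// "." base64url(HMAC-SHA256(secret, payload)). Only the backend holds the secret, so a device can
// neither mint a token nor widen its own scopes.
type Issuer struct{ secret []byte }

type Claims struct {
	DeviceID string
	Scopes   map[string]bool
}

func (i Issuer) mac(payload []byte) []byte {
	m := hmac.New(sha256.New, i.secret)
	m.Write(payload)
	return m.Sum(nil)
}

// Issue mints a token bound to one device with an explicit, minimal scope list.
func (i Issuer) Issue(deviceID string, scopes ...string) (string, error) {
	if strings.ContainsAny(deviceID+strings.Join(scopes, ""), "|,") {
		return "", errors.New("device id and scopes must not contain the delimiters '|' or ','")
	}
	payload := []byte(deviceID + "|" + strings.Join(scopes, ","))
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(i.mac(payload)), nil
}

// Verify checks the MAC before anything in the payload is trusted.
func (i Issuer) Verify(tok string) (Claims, error) {
	enc := base64.RawURLEncoding
	parts := strings.Split(tok, ".")
	if len(parts) != 2 {
		return Claims{}, errors.New("malformed token")
	}
	payload, err1 := enc.DecodeString(parts[0])
	sig, err2 := enc.DecodeString(parts[1])
	if err1 != nil || err2 != nil || !hmac.Equal(i.mac(payload), sig) {
		return Claims{}, errors.New("invalid token")
	}
	id, scopeList, ok := strings.Cut(string(payload), "|")
	if !ok {
		return Claims{}, errors.New("malformed payload")
	}
	c := Claims{DeviceID: id, Scopes: map[string]bool{}}
	for _, s := range strings.Split(scopeList, ",") {
		c.Scopes[s] = true
	}
	return c, nil
}

// Backend stands in for the TTS / history service; each handler names the one scope it needs.
type Backend struct {
	issuer    Issuer
	responses map[string][]string // device ID -> that device's past responses
}

// NewBackend seeds two devices' histories with constructed data.
func NewBackend(secret []byte) *Backend {
	return &Backend{Issuer{secret}, map[string][]string{"r1-device-A": {"hello"}, "r1-device-B": {"private"}}}
}

func (b *Backend) authorize(tok, scope string) (Claims, error) {
	c, err := b.issuer.Verify(tok)
	if err == nil && !c.Scopes[scope] {
		err = fmt.Errorf("scope %q not granted", scope)
	}
	return c, err
}

// DeleteVoice is account-level administration; no device token should carry this scope.
func (b *Backend) DeleteVoice(tok, voice string) error {
	_, err := b.authorize(tok, "voices:delete")
	return err
}

// ReadResponses needs the history scope and, even then, refuses another device's history:
// the token is bound to one device ID, so no device can read across devices.
func (b *Backend) ReadResponses(tok, deviceID string) ([]string, error) {
	c, err := b.authorize(tok, "history:read")
	if err != nil {
		return nil, err
	}
	if c.DeviceID != deviceID {
		return nil, errors.New("token is bound to a different device")
	}
	return b.responses[deviceID], nil
}

func main() {
	b := NewBackend([]byte("server-only-secret")) // constructed secret; a real one comes from a secret store
	tok, _ := b.issuer.Issue("r1-device-A", "tts:synthesize", "history:read")
	fmt.Println(b.DeleteVoice(tok, "default")) // scope "voices:delete" not granted
}
```

With this layout, leaking one device's token exposes only that device's own operations: deleting voices needs a scope the token never carries, reading another device's responses fails the device binding even though the history scope is present, and re-encoding the payload to claim a different device ID breaks the MAC because the device does not hold the signing secret.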

LainTrain , (edited ) to Technology in South Korean telecom company attacks torrent users with malware

I think it's much simpler than that.

Webhard is Web Hard Drives. The SK torrenting scene is very different from the West; to simplify from how I understand it (English info seems scarce), basically everyone uses seedboxes or "web hard drives" in SK to download stuff.

While I can't seem to find out anything about what "The Grid system" is, or if the whole thing is an online portal or software.

If ISP routers are anything like in the West, that means they control the DNS servers and the ones on the router cannot be changed, and likely it blocks 1.1.1.1 and 8.8.8.8 and so on, as Virgin Media does (along with blocking secure DNS) in the UK for example, which definitely opens up a massive attack vector for an ISP to spin up its own website with a verified cert and malware and have the DNS resolve to that when users try to access it, to either download the software needed to access this Grid System or, if it's a web portal, the portal itself.

I don't think this included any attacks on the BitTorrent protocol at all, because, as others said, it's pretty secure, but another possibility is simply malicious torrents being distributed, which rights holders have definitely done before (read the decoying part in https://arstechnica.com/tech-policy/2007/03/mediadefender/).
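The certificate question running through the three South Korean telecom comments above (can an ISP present a cert for foobar.com that the browser accepts, and what does a DNS redirect to the ISP's own server get it) can be checked directly. This is an added Go example written for this page, not code from the comments or the article: it creates a throwaway root standing in for a publicly trusted one, a throwaway "ISP" root, issues leaf certificates from each, and runs the same chain-and-hostname verification a client does. The CA names and the host blocked.isp.example are made up; foobar.com is the thread's own placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error: with the fixed templates below a failure is a programming error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// ca is an issuing authority: its certificate plus the private key that signs with it.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// sign creates a certificate from tmpl with a fresh key; a nil parent means self-signed.
func sign(tmpl *x509.Certificate, parent *ca) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	parentCert, parentKey := tmpl, key
	if parent != nil {
		parentCert, parentKey = parent.cert, parent.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

func makeRoot(name string) *ca {
	cert, key := sign(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil)
	return &ca{cert, key}
}

func issueLeaf(issuer *ca, host string) *x509.Certificate {
	cert, _ := sign(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, issuer)
	return cert
}

// clientAccepts models the browser check: chain to a root in the trust store, and match the typed hostname.
func clientAccepts(presented *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

type Outcome struct {
	Genuine            bool // real CA's foobar.com cert, honest trust store
	Forged             bool // ISP CA's foobar.com cert, honest trust store
	ForgedRogueTrusted bool // same forged cert once the ISP root is in the trust store
	DNSRedirect        bool // real CA's cert for the ISP's own name, served for foobar.com
}

func Scenario() Outcome {
	const host = "foobar.com"
	realCA := makeRoot("Publicly Trusted Root") // stands in for a root the browser ships with
	ispCA := makeRoot("ISP Interception CA")    // the ISP's own root, in no browser's store
	genuine := issueLeaf(realCA, host)
	forged := issueLeaf(ispCA, host)
	blockPage := issueLeaf(realCA, "blocked.isp.example") // a name the ISP legitimately owns
	honest := x509.NewCertPool()
	honest.AddCert(realCA.cert)
	withRogue := x509.NewCertPool()
	withRogue.AddCert(realCA.cert)
	withRogue.AddCert(ispCA.cert)
	return Outcome{
		Genuine:            clientAccepts(genuine, honest, host),
		Forged:             clientAccepts(forged, honest, host),
		ForgedRogueTrusted: clientAccepts(forged, withRogue, host),
		DNSRedirect:        clientAccepts(blockPage, honest, host),
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

Only Genuine and ForgedRogueTrusted come out true. A DNS answer pointing foobar.com at the ISP's server gets the ISP a connection, but the certificate it can legitimately hold is for its own name, and the hostname check rejects that for foobar.com, which is the "back to safety" page the comments describe. A cert for foobar.com that verifies cleanly requires a root the client already trusts to sign it (the colluding-CA case raised above) or the ISP's own root being installed on the client, and either way it is the trust store, not DNS, that decides.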

LainTrain , to Technology in Music industry giants allege mass copyright violation by AI firms

Ty

LainTrain , to Selfhosted in Cloudflare is bad. Youre right.

That's a lot of work. Thanks though.

LainTrain , to Technology in Music industry giants allege mass copyright violation by AI firms

Which vuln was this?

LainTrain , to Technology in Music industry giants allege mass copyright violation by AI firms

Even by your analogy, yes I'd rather have a wooden cart compared to carrying things in my hands.

That said, your analogy doesn't apply to tech. "It just doesn't, okay" isn't a very satisfying answer from a logic standpoint, but as the other user pointed out, almost all corporate software is built upon, or massively (and I mean massively) relies upon, the efforts of Open Source software.

I can't really think of any other industry like this or an analogy for this, but that is how it works. Example: GNU/Linux is FOSS, and is the go-to for server software for businesses, and it's starting to creep into end user products too, from Dell laptops to Raspberry Pi to the Steam Deck (if you're familiar with that - Proton is also open source).

LainTrain , (edited ) to Technology in Music industry giants allege mass copyright violation by AI firms

No, BAD.

RIAA is evil. AI is good for us plebs while it's still legal for us to own and operate our own local open source LLMs away from the corpos, in the same way the internet is a net good because it's free and open and gives us power to practice communism (information sharing, hacking (classic meaning) and open source).

All regulation will be aimed squarely at destroying that, concentrating power in the hands of the few, away from just any old proletariat Tom, Dick and Harry.

Corpos will pay any fees and fines as a cost of doing business and acquire all licenses and reach private agreements with publishers out of reach for the common man or small business, all the while passing the cost of all this onto the consumer eventually just to invest in tech that will make the line go up for a few more quarters.

IP law does not benefit you and you will never truly benefit from it.

Don't simp for corpos.

P.S.: Imagine the next LLM, 10-20 years from now is truly groundbreaking and useful, it's a new tool, and without that tool, you're no longer competitive for work, and all of said tool is owned by 1-2 multinational predatory conglomerates jacking up prices, because you have no choice but to pay up to live. It's cyberpunk, just boring and without the implants, price-gouging a necessity just as they do now with housing or insulin.

We need to preserve the power to do this freely, fairly, without profit and without licensing works.

LainTrain , (edited ) to Selfhosted in Cloudflare is bad. Youre right.

Is there a way to do reverse tunnels, or something like it, so not opening any ports at all on the network, without cloudflare?

Closest to that XP I got was generating VPN keys and distributing them to close friends, running DDNS (no-ip) on my Pi with a pivpn server and then accessing JellyFin that way.

LainTrain , to Not The Onion in Smiling robot face is made from living human skin cells

Zucc got an upgrade?

LainTrain , to Ask Lemmy in What is the best movie to watch without sound?

Docks of New York and The Cabinet of Dr. Caligari are also really cool silent age movies
