
People who fly FPV order these cameras all the time.

This one is about $8 https://www.banggood.com/600TVL-8_0MP-14-2_8mm-CMOS-FPV-170-...

How about this one for $22 with a 5.8GHz transmitter https://www.banggood.com/Eachine-TX01S-NTSC-Mini-5_8G-40CH-2...


His Hololens Super Mario is awesome as well https://www.youtube.com/watch?v=QN95nNDtxjo


For those not wanting to click through that site, here is the youtube video.

https://www.youtube.com/watch?v=ObZDipKRH0c


That is an awesome looking watch, thank you


Huh? I submitted this 23 hours ago with the exact same URL, glad to see some discussion though.


It happens, at one point there were 9 submissions around the Yahoo story.


I just ordered my ESP8266 bare bones from Banggood, about $3, free shipping, and if you order them in bulk you save even more.

The ESP8266 works great as a standalone device and you can even flash it with the Arduino firmware, though I prefer NodeMCU.


Logitech Cordless Optical TrackMan

I have no idea why they made it wireless, it ate batteries like crazy, but it's still the best trackball I've ever owned.

Having the ball at your middle and ring finger gave better control than the thumb driven ones.

You can still get it on places like Amazon, but at a ridiculous price, 10-20 times what it originally retailed for.


I'm not sure why that happens, but for me the language gives me 2 extra bits of information.

1. Cool, it'll run anywhere I need it to (presumably) without dependencies.

2. Cool, I love that language, I wonder how they did it.

For many other languages, the checkbox for 2 will be ticked as well though.


I wouldn't call this a serious privacy breach, you could just use a private repository.


The software claims to be usable without private repositories¹. If it can't do that, it is a serious bug.

¹ From the readme: "it assumes your remote git repository may be malicious"


From the context, malicious means either "tampers with your data" or "will attempt to decrypt your data", not "may find your outdated MySpace profile".

In that sense it certainly is usable without private repositories.


Unencrypted, unauthenticated metadata allows tampering with your data: http://www.6nelweb.com/bio/papers/pwvault-ESORICS12-ext.pdf


OK, just to make things clear, and to make sure I understand, an attack could look like this:

1. I trick you into using my GitEvil Repository Service (GERS™).

2. After you upload your data, I swap target site information (in this case name) with the name for GERS™.

3. Next time you log in to GERS™, you accidentally send the login information for target site instead.

4. Profit

In that case, keeping with the wish to keep the manager searchable without the master password, would it be possible to mitigate this by HMAC'ing the encrypted password with, for instance, the site name?

As should be obvious from the above, I'm no crypto expert.


Yes, if you don't care about GERS™ knowing which sites you use, when you add accounts to them, when you change passwords, and all the other sensitive information that can be extracted from metadata.

> would it be possible to mitigate this by HMAC'ing the encrypted password with, for instance, the site name?

In that case you duplicate the metadata: You keep one datum in plain text for search purposes, and a second for MAC/verification purposes. That's a somewhat awkward construction, and you can accidentally create new security holes in your application (by using the MAC'd metadata at point A and the plain metadata at point B – there's a bunch of high-profile CVEs created this way).

Alternatively, you can MAC the metadata separately from the password. However, (H)MAC involves a secret key that must not be shared in plain text. So you'd need encryption anyway to be able to verify the MAC key.

In either case you still allow a few attacks: Attackers can delete entries (DoS), attackers can selectively replace entries with older versions (DoS or information leakage if the password still works), and probably a few others.

Using the password AEAD to encrypt the whole database, not just passwords, not just individual entries, is not just safer, but also reduces complexity.
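The exchange above (per-entry encryption with plaintext site names, versus sealing the whole database with an authenticated construction) as an added, runnable illustration. This is not code from the password manager under discussion or from either commenter; it is a standard-library toy in which HMAC-SHA256 in counter mode stands in for the AEAD the reply mentions, and every key, site name and password is constructed for the demo. It shows that relabelling entries in the naive store goes undetected, while the sealed database rejects both a modified ciphertext and a rolled-back older version.

```python
"""Why a password store must authenticate metadata together with ciphertext.

Added example, not the project's code. Uses only the standard library:
HMAC-SHA256 as a PRF for a small counter-mode keystream (a stand-in for a
real AEAD) and as the MAC. All keys and entries below are constructed.
"""
import hashlib
import hmac
import json
import os
import struct


def derive_keys(master_key: bytes):
    """Split one master key into separate encryption and MAC keys."""
    enc = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC(key, nonce || counter) blocks."""
    out = bytearray()
    block = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))


# --- Naive layout: plaintext site name, only the password is encrypted ---

def naive_store(master_key: bytes, entries):
    """Each password encrypted on its own; the site label is neither encrypted nor MAC'd."""
    enc, _ = derive_keys(master_key)
    store = []
    for e in entries:
        nonce = os.urandom(16)
        ct = keystream_xor(enc, nonce, e["password"].encode())
        store.append({"site": e["site"], "nonce": nonce.hex(), "ct": ct.hex()})
    return store


def naive_lookup(master_key: bytes, store, site: str):
    """Search by plaintext label (no master password needed for the search itself)."""
    enc, _ = derive_keys(master_key)
    for e in store:
        if e["site"] == site:
            return keystream_xor(enc, bytes.fromhex(e["nonce"]), bytes.fromhex(e["ct"])).decode()
    return None


def swap_labels(store, site_a: str, site_b: str):
    """What a malicious remote can do to the naive layout: swap two plaintext labels."""
    swapped = [dict(e) for e in store]
    for e in swapped:
        if e["site"] == site_a:
            e["site"] = site_b
        elif e["site"] == site_b:
            e["site"] = site_a
    return swapped


# --- Sealed layout: whole database (labels, passwords, version) encrypted and MAC'd ---

def seal_database(master_key: bytes, entries, version: int):
    """Encrypt-then-MAC the entire serialized database, including a version counter."""
    enc, mac = derive_keys(master_key)
    nonce = os.urandom(16)
    body = json.dumps({"version": version, "entries": entries}).encode()
    ct = keystream_xor(enc, nonce, body)
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def open_database(master_key: bytes, blob, min_version: int = 0):
    """Verify the MAC before decrypting; refuse a version older than the last one seen."""
    enc, mac = derive_keys(master_key)
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("database tampered with or wrong key")
    body = json.loads(keystream_xor(enc, nonce, ct))
    if body["version"] < min_version:
        raise ValueError("rollback: database older than the last version seen")
    return body


def is_intact(master_key: bytes, blob, min_version: int = 0) -> bool:
    """Boolean wrapper around open_database for checks and tests."""
    try:
        open_database(master_key, blob, min_version)
        return True
    except ValueError:
        return False


def flip_byte(blob):
    """Return a copy of a sealed blob with one ciphertext byte changed."""
    ct = bytearray.fromhex(blob["ct"])
    ct[0] ^= 0x01
    return {**blob, "ct": ct.hex()}
```

The naive layout is searchable without the master key, which is exactly what makes the relabelling attack in the thread work; the sealed layout gives that up, but one MAC check now covers every label and password, and the version counter catches the "replace with an older copy" case from the reply. Deleting the entire blob remains possible (the DoS the reply mentions), which no MAC can prevent.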


Thank you for the clarification


Is the above and the replies by the author really so unworthy of discussion that they require a downvote? Or is someone just disagreeing?


Yay a password manager I might actually use, very impressed so far.


If you don't mind me asking, what are the features you're interested in that other managers don't have?

I've been tinkering away on my own password manager for a while, but since it's not made in a hype language, it gets zero exposure on HN.


Off the top of my head it should:

- Work offline

- Work on multiple platforms

- Encrypt the passwords

- Backups/distribution should not be dependent on a single provider

- Ease of use (command line is fine, great even, but for the love of god make it simple)

- Not require me to remember to copy around an encryption key

- Open source is a great bonus


Hm, seems my solution ticks all checkboxes except multi-platform availability (python in e.g. Windows is… not fun). I'll keep that in mind for the inevitable rewrite, thanks for the feedback.

