I have a radio friend who went to Defcon and kind of saw the meshtastic / meshcore controversy happening in real time.
Basically, some furries pointed out that the security model of meshtastic is similar to using SSH where you always assume that the server certificate is correct and you never check it. In other words, as soon as someone starts trying to man-in-the-middle and lie about what the server certificate is, then the security of the entire system crumbles and it might as well be plain text from the perspective of the attacker.
These furries were motivated by the way that the meshtastic project has become more and more proprietary and started lashing out at open source developers that were building anything which would be compatible with their proprietary stuff. So they brought this proof of concept to DEFCON and were able to take over the entire meshtastic network that was present at DEFCON.
How much this security issue matters in practice is up for debate... But just like with SSH, properly tracking all of the known host keys and never accepting any of them automatically puts a serious burden on usability.
For example, a lot of quote-unquote enterprise grade tools like Terraform have the same exact vulnerability. By default and without warning they always accept whatever host key the SSH server provides.
Anyways, my friend would probably recommend Meshcore because it's developed in the open by furry hackers who are not trying to gatekeep and make money from it. But that said, it's obviously much more of a "some assembly required" type scenario. You won't be able to connect to anyone else until you add their key.
That might seem extremely detrimental, but honestly, in my opinion, these radio mesh networks are kind of jank and don't really make sense compared to a hub and spoke radio network architecture. Maybe that's because I have a different idea about where the usage of these networks is going...
Oh, yeah, one last little tidbit about meshtastic.
I've heard from the same friend that a lot of meshtastic products which you can buy are based on microcontrollers. The bandwidth that these things have is so limited that it's trivial to completely DoS all of them with just a single Linux computer that's running on a real CPU and sending packets. Sometimes, with enough of them in a network, they can even DoS themselves. And then you have to bring in a faster computer with a real CPU into the network to handle all of the packets and send acknowledgements and stuff, otherwise it'll stay stuck forever.
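To make the SSH analogy in the post above concrete, here is an added example (not code from the thread, nor from the Meshtastic or MeshCore projects) of the three host-key policies being compared: strict pinning, trust-on-first-use, and the "accept whatever the server sends" behaviour the post attributes to Terraform. The host name and key blobs are constructed sample values, and the fingerprint format mimics OpenSSH's `SHA256:` style.

```python
import base64
import hashlib

# Constructed sample keys (not real SSH keys): one the client has pinned,
# one an on-path attacker might present instead.
LEGIT_KEY = base64.b64encode(b"constructed-legitimate-key-blob").decode()
ATTACKER_KEY = base64.b64encode(b"constructed-attacker-key-blob").decode()

# Constructed known_hosts-style content: "host keytype base64key" per line.
KNOWN_HOSTS = f"relay.example ssh-ed25519 {LEGIT_KEY}\n"


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64-encoded key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def load_known_hosts(text: str) -> dict:
    """Parse known_hosts-style lines into {host: (keytype, fingerprint)}."""
    hosts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, keytype, key = line.split()[:3]
        hosts[host] = (keytype, fingerprint(key))
    return hosts


def verify_host_key(known: dict, host: str, keytype: str,
                    key_b64: str, policy: str) -> bool:
    """Decide whether to accept the key a server presented.

    'strict'     : only a key already pinned for this host is accepted
    'accept-new' : trust on first use, but reject a key that later changes
    'accept-any' : never check at all; a man-in-the-middle is indistinguishable
                   from the real server (the behaviour the post complains about)
    """
    presented = (keytype, fingerprint(key_b64))
    if policy == "accept-any":
        return True
    if host in known:
        return known[host] == presented
    if policy == "accept-new":
        known[host] = presented  # pin it so a later swap is detected
        return True
    return False  # strict: unknown host is rejected until a human adds it
```

The usability cost the post mentions is visible in the strict branch: a host nobody has pinned yet is simply refused, which is exactly the "you won't be able to connect to anyone else until you add their key" situation.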
@forestjohnson MT and MC use the same hardware so are equally limited in that regard. MC also has its own premium software and is arguably more proprietary and commercialized (started by some guy trying to sell his mesh tech not just furries making FOSS). The Defcon demos were all valid but the particular trust attack targets security claims MT doesn’t really make, the other issues have mostly been fixed since. MT has lots of technical and governance issues but MC has its share as well.
@monkeyborg @kazooloon
Also, I definitely should have put a disclaimer that I know almost nothing about this. This is telephone between multiple people and so a lot of this information is probably inaccurate.