HackerTrans
TopNewTrendsCommentsPastAskShowJobs

NotPractical

no profile record

Submissions

iTorrent App Restored to AltStore in the EU

github.com
3 points·by NotPractical·قبل 8 أشهر·1 comments

Redbox left PII on decommissioned machines

digipres.club
294 points·by NotPractical·قبل سنتين·162 comments

comments

NotPractical
·قبل 10 أيام·discuss
> A next version of the Technical Specifications for Age Verification Solutions will include as an experimental feature the Zero-Knowledge Proof (ZKP) solution

From: https://ageverification.dev/av-doc-technical-specification/d...

The EU reference implementation is adding ZKP.
NotPractical
·قبل 10 أيام·discuss
Except that within days of this service going live there's going to be a freeageverification.com that instantly generates an attestation proof for anyone for free. I fail to see how this is not untenable. You can compare it to geoblocks that can be circumvented using VPNs, but at least VPNs are costly to run and are usually paid services. With the implementation of verification (ZKP) described in the article, there is no cost to generate attestation proofs nor any limit on the number of proofs nor any way to stop a known-but-anonymous abuser from generating new proofs.

Maybe the EU knows it's untenable and is still moving forward because they will be able to demonstrate to the public that privacy enables abuse, creating pretext to make the system not private anymore after it's already been implemented.
NotPractical
·قبل 11 يومًا·discuss
Not to mention self-signed custom builds of GrapheneOS.
NotPractical
·قبل 29 يومًا·discuss
> I think it would be nice if we could run unsigned apps on iOS

Apple enforces those restrictions via the permanently locked bootloader. The main benefit of unlocking the bootloader on an iPhone would be to run a modified version of iOS that allows for the installation of unsigned apps. Apple wouldn't like it and might even get litigious over it, but still.

> (in the US)

Apps intended for release onto alternative app stores in the EU, Japan, and Brazil still need to be approved and signed by Apple. These laws were nearly useless.
NotPractical
·قبل 29 يومًا·discuss
...it's still large enough to comfortably read without zooming in, which is not the case for Gruber's website.
NotPractical
·قبل 30 يومًا·discuss
Nope, HN's CSS accommodates smaller screen sizes [1]:

    /* mobile device */
    @media only screen
    and (min-width : 300px)
    and (max-width : 750px) {
      #hnmain { width: 100%; min-width: 0; }
      body { padding: 0; margin: 0; width: 100%; }
      td { height: inherit !important; }
      .title, .comment { font-size: inherit;  }
      span.pagetop { display: block; margin: 3px 5px; font-size: 12px; line-height: normal }
Not perfect by any means but at least there's an attempt.

[1] https://news.ycombinator.com/news.css
NotPractical
·الشهر الماضي·discuss
Was this program available to independent security researchers or just established organizations? The docs you linked aren't very clear on this.
NotPractical
·الشهر الماضي·discuss
> No upstream open source developer takes that on

The key words here are "open source", right? Some problems can't be solved without cooperation with the developer.
NotPractical
·الشهر الماضي·discuss
There is a difference between mandating that your customers use one specific Linux distro which is maintained by a controversial company, and supporting all Linux distros through an imperfect-but-fully-working method.

Sure, you'll still get a few complaints from ideological purists, but there's no avoiding that regardless of what you do.
NotPractical
·الشهر الماضي·discuss
Won't they just ban your account for using this?
NotPractical
·الشهر الماضي·discuss
No, because a malicious AI agent could just replace the sudo binary in your path with one that collects your password and uses it to execute arbitrary code as root. Nothing short of sandboxing everything or just never using AI agents or proprietary software will prevent this.
NotPractical
·قبل شهرين·discuss
[dead]
NotPractical
·قبل شهرين·discuss
Does anyone have a citation for this that wasn't written by Claude? It wouldn't surprise me, but I refuse to look through AI slop to check the accuracy of the report.
NotPractical
·قبل شهرين·discuss
> Other than enriching apple, there’s been no direct or apparent harm to the end user from the walled garden.

https://www.reuters.com/sustainability/society-equity/apple-...

I don't want to hear about how this isn't Apple's fault. This isn't the big bad orange man forcing Apple to act against its will; it's a business arrangement between Apple and the president. He gets censorship, they get a weaker EU.

https://www.whitehouse.gov/presidential-actions/2025/02/defe...
NotPractical
·قبل شهرين·discuss
No, they were correct in their understanding of what I meant. I should've said "capable of passing Play Integrity's device attestation checks". I replied to them with more context.
NotPractical
·قبل شهرين·discuss
It indeed runs on modified versions of Android, but this is not supported by Google and never has been.

When Apple says "Apple Pay is supported on iOS >= $VERSION" they don't explicitly mention that it won't work on jailbroken iPhones, because they don't expect you to make modifications to your device and then try and use their services as normal. This is unsupported and discouraged, just like trying to manually install Google Play services on an OS that didn't ship with it.

The only way to get Google Mobile Services officially is to buy an Android device with it pre-installed while leaving the stock OS untouched. And the only way for an OEM to ship GMS with their device is to certify it with Google. And one of the requirements for certification is to use device attestation keys signed by the Google Hardware Attestation Root certificate [1], thus Play Integrity will pass on all such devices.

[1] https://developer.android.com/privacy-and-security/security-...
NotPractical
·قبل شهرين·discuss
> No mention of device integrity verification yet

If Google Play services is listed as a requirement, that implies that a "certified Android" device capable of Play Integrity attestation is required, since that's the only officially supported way to obtain Google Play services. On consumer-facing support articles like this, they don't tend to get into the nitty gritty details like what APIs are being used. If MEETS_DEVICE_INTEGRITY is required, that would probably not be explicitly listed here.

E.g. the consumer documentation for Google Pay just says you need a "certified" Android device and a screen lock set up: https://support.google.com/wallet/answer/12200245

(Yes, if you go deep into the FAQ at the end it eventually states that if you rooted your phone, you can't use tap to pay, but that requirement is implied by the certification requirement [1].)

In Google's eyes, and in the eyes of the law due to trademarks filed by Google, Android == Google Android.

This feature would make little sense if it's not using device attestation because otherwise it would be easy to spoof. I expect that it will initially not use it, and they will start A/B testing device attestation in the coming years.

[1] Expand "What to do if you see device is not certified" -> "Reset device to fix issue" https://support.google.com/android/answer/7165974
NotPractical
·قبل شهرين·discuss
Minecraft Legacy Console Edition apparently leaked on 4chan recently, too: https://github.com/MCLCE/MinecraftConsoles

Almost no coverage on HN or mainstream media though. Surprising, considering the popularity of this game.
NotPractical
·قبل 3 أشهر·discuss
Here's the technical measures that are being worked around: https://blog.mozilla.org/en/firefox/fingerprinting-protectio...

> IMO you need to actually work around a technical measure intended to stop you for it to qualify as an exploit.

Even well-known vulnerabilities like SQL injection don't qualify under this definition?
NotPractical
·قبل 3 أشهر·discuss
Most tech businesses exist because problems exist. Tailscale delivers a solution that's available today. The only alternative is to sit and wait for IPv6. I don't imagine Tailscale is against IPv6 any more than security professionals are against memory-safe programming languages.