HackerLangs
TopNewTrendsCommentsPastAskShowJobs

KomoD

4,289 karmajoined 4 years ago
Svealand

Submissions

Google Earth Pro Desktop downloads will be unavailable starting June 2027

support.google.com
20 points·by KomoD·3 days ago·1 comments

The worst API ever made (2014)

caseymuratori.com
2 points·by KomoD·10 days ago·0 comments

The Nature of Code

natureofcode.com
4 points·by KomoD·25 days ago·0 comments

[untitled]

1 points·by KomoD·3 months ago·0 comments

NativeRest – Native REST API Client

nativesoft.com
1 points·by KomoD·3 months ago·0 comments

Telnyx Python SDK: Supply Chain Security Notice

telnyx.com
17 points·by KomoD·4 months ago·1 comments

Homeless people used as mobile Wi-Fi hotspots (2012)

nbcnews.com
24 points·by KomoD·7 months ago·3 comments

Where's Putin? How the Kremlin Hides Him with Three Nearly Identical Offices

rferl.org
6 points·by KomoD·7 months ago·2 comments

Iconography of the X Window System: The Boot Stipple (2024)

matttproud.com
4 points·by KomoD·8 months ago·0 comments

comments

KomoD
·17 hours ago·discuss
A bot will have no problem with the current captchas either. They're trivial to solve.
KomoD
·yesterday·discuss
> Are they shutting down the free model of 100 connections, or the entire business?

I thought it was pretty clear from this part:

> Customers on paid plans will not be billed for any future periods.

It reads very much like it's not just about removing the free tier.
KomoD
·3 days ago·discuss
I can't even access that link with an account.
KomoD
·3 days ago·discuss
Seems like a trend with your business, though:

https://news.ycombinator.com/item?id=36566783

https://news.ycombinator.com/item?id=44364090

Banned from Google Maps, banned from Instagram...
KomoD
·3 days ago·discuss
Though if you like StreetComplete and want aerial/satellite, there's SCEE, a fork of StreetComplete. I tried both Vespucci and EveryDoor, but neither is nearly as easy to use in my opinion.

https://wiki.openstreetmap.org/wiki/SCEE
KomoD
·4 days ago·discuss
> make app barely eat any battery

> But for now Organic Maps is totally fine and many people like me see no reason to move from it anywhere.

In my experience OM drained my battery like crazy (I used it for KML tracks) and after consistently seeing that, I gave up on OM..

I can't speak for CoMaps, as I have never tried it.
KomoD
·5 days ago·discuss
Yeah, I don't have much more to say than that's very reasonable and I agree.
KomoD
·7 days ago·discuss
I don't know about "totally dismantled" but it definitely had some impact.

> As a result of these developments, the Company is currently experiencing disruptions to a portion of its services. If these disruptions continue for an extended period, they are likely to have a material adverse effect on the Company's operations, financial results and its ability to provide certain services to its customers.

https://www.globenewswire.com/news-release/2026/07/03/332182...
KomoD
·7 days ago·discuss
> I wonder if people with a streaming box run into tor-exit-node type problems.

Some definitely do.

One of my family members had a mobile app installed that turned their device into a resi proxy, and I started to get super frequent CAPTCHAs, which I thought was odd. I found out what was happening when our IP got banned from Wikipedia with the reason "believed to be a residential proxy"
KomoD
·7 days ago·discuss
Except you still don't get hardware transcoding (or the mobile app... IIRC?), there are some workarounds, last I checked, but I suggest using Jellyfin instead.

Jellyfin works really well in my experience, but there are definitely some things Plex does better.
KomoD
·7 days ago·discuss
> The details are interesting! How did you find all of this out? Did you download the tool in a VM and disasm it?

I downloaded the installer, opened it with 7zip, and extracted the app.asar file from resources/app.asar. All Electron apps have this, it's where the app code really lives.

Then I used asar to extract it. That gives you a few folders, including dist, which contains 5 .jsc files. Nearly everything related to fetching is in a file called engine.jsc. The jsc files are bytecode instead of raw JS because he didn't want anyone to reverse it, but with a little work you can figure it out (or you can just dump the strings and see that imapflow is in there)

Didn't need to run it at all.

> However, from what you said here, it's a bit less sophisticated than that?

Indeed. And re the image fingerprinting, it just checks the file names of "message parts", not content-type or content-disposition (even though imapflow exposes those)
KomoD
·7 days ago·discuss
Okay, not bad at all then. I've never left it on for long, so I wasn't really sure.
KomoD
·7 days ago·discuss
> We attempted responsible disclosure by emailing [email protected] multiple times on July 3 and 4, 2026, but received no response.

SponsorBlock is run by one guy. I consider this very irresponsible. You barely waited, and accessing (what you consider to be) the private data of 82k users is not at all necessary to prove a vulnerability. Luckily, most of these aren't really vulnerabilities.

But I'll go over the claims:

> This allowed us to enumerate and download almost the entire user database.

No. Sponsorblock says it has 13 million users, so 82k is not anywhere near "the entire user database".

> 8NpFUCMr2Gq4cy4UrUJPBfGBbRQudhJ8zzex8Gq44RYDywLt3UtbbfDap3KPDbcS

This is not a YouTube api key. It's an api key for a SponsorBlock API route that acts as a proxy to fetch information about a YouTube video.

> AIzaSyA8eiZmM1FaDVjRy-df2KTyQ_vz_yYM39w

This is an api key accessing some internal YouTube APIs. It's documented in many places and belongs to YouTube Android.

> PostgreSQL connection: postgresql://sponsorblock:[email protected]:5432/sponsorTimes

You believe these are real creds?

> Admin password hash, global salt, Patreon integration keys, webhook secrets were exposed in repository files

From the CI and test configs...?

> High - Public Grafana Dashboard

Why do you consider this "High" or "Critical"?

> POST /api/skipSegments and POST /api/voteOnSponsorTime endpoints accepted submissions without proper user verification

This is intentional. The extension generates a UUID and uses that as a user ID.

> Batch queries revealed additional sensitive fields including userAgent.

What is sensitive about these fields? https://github.com/ajayyy/SponsorBlockServer/blob/1dd7a32092...

Sorry to say, but prompting some AI model and forwarding the results does not make you a security researcher.
KomoD
·8 days ago·discuss
I was suspicious too, but it does seem legitimate. They're making fun of the PlayStation going digital-only for games thing. https://x.com/github/status/2072801888525840476

https://blog.playstation.com/2026/07/01/physical-disc-produc...
KomoD
·8 days ago·discuss
Could impact battery usage, possibly?

But the way I do access Immich externally is not with Tailscale directly on my phone but involves exposing a caddy instance, running on a $1 VPS, to the internet.

If requests include a specific very long header (which I randomly made up), it then forwards those requests to my real Immich instance, which runs on my NAS. Headers can be configured within the mobile app. It has worked really well for me so far.
KomoD
·8 days ago·discuss
Looks like they might retrieve the body.

> The Indo-Tibetan Border Police is soliciting bids from high altitude recovery agencies for a mission to retrieve the remains of a climber long known only as "Green Boots" from the mountain's northern slope

https://www.cbsnews.com/news/mount-everest-green-boots-body-...
KomoD
·8 days ago·discuss
> breaking through the 15 gb free tier and forcing them to buy a Google One subscription

Which is like... $2 for 100GB and you can cancel immediately after, or if you get the same offer I got: $0.50.

$27 in savings and 100GB of storage, sounds like a good deal to me!
KomoD
·8 days ago·discuss
> 98% of my time went into wrestling with IMAP parsing architectures, optimizing memory, and code-signing certificates instead of designing custom CSS layouts from scratch

You're just using imapflow and their Gmail search method. Why are you making things up? https://imapflow.com/docs/guides/fetching-messages#gmail-spe...

You call that function with this query over and over again:

filename:(jpg OR jpeg OR png OR gif OR webp OR heic OR tif) after:${year}/01/01 before:${year + 1}/01/01

And then you call their download method: https://imapflow.com/docs/guides/fetching-messages#downloadi...

All you did was throw together a frontend, package it into Electron, paywall it, and try to obfuscate the code.

What part of that is "wrestling IMAP parsing architectures"?
KomoD
·9 days ago·discuss
> How much does it cost to be able to sign a binary so you can deploy it on Windows without a UAC popup?

You can get a cert for $130-300/yr, and then you can use signtool to sign it.
KomoD
·9 days ago·discuss
Or you can just use Google Takeout: https://takeout.google.com

Deselect everything, select "Mail", create export, wait until it's done, and then download the zip.