HackerTrans
TopNewTrendsCommentsPastAskShowJobs

frogsRnice

no profile record

comments

frogsRnice
·vorig jaar·discuss
Sure - but people are still free to decide where they draw the line.

Each extra bit of software is an additional attack surface after all
frogsRnice
·vorig jaar·discuss
You all do amazing work, hope I can boast the same someday - or even 50% of it ;)

Seriously, you are my heroes!
frogsRnice
·vorig jaar·discuss
Imo its not just crypto- a lot of their reports are enlightening to read
frogsRnice
·vorig jaar·discuss
It absolutely does
frogsRnice
·vorig jaar·discuss
It could be pulling these resources over http ;)

Edit: Whoops sorry, morning fog
frogsRnice
·vorig jaar·discuss
Unrelated; I just wanted to say that I learned programming from your socket tutorials when I was a kid. Everything was so well written that I used it from highschool, to varsity to my day2day job.

Without your tutorials I’m not even sure if I would have chosen the carreer I did- thank you for all the love and effort you put into your posts; Im sure that there are many other people who you’ve touched in a similar way
frogsRnice
·vorig jaar·discuss
At some point someone needs to take responsibility for allowing modification of environment variables via something dumb like http. Debugging interfaces are fine- we should expect more from developers.
frogsRnice
·vorig jaar·discuss
No you misunderstand- it is super simple to pay some other company a small amount to do this for you. No complexity to worry about what so ever.

And if things require even a slim amount of thought and planning - chuck it to your favourite LLM and call it a day.

Just in case the sarcasm wasn’t clear I want to personally assure you that nobody ever will confuse an access token for an ID token. :p
frogsRnice
·vorig jaar·discuss
Yeah I agree- I think the time spent verifying should vary based on the complexity and sensitivity of what you are looking at, but you never really get away from it.

I think my issue with LLMs is moreso aimed at people who wouldn’t have ever done the bare minimum verification anyway.
frogsRnice
·vorig jaar·discuss
As opposed to wondering if the llm is hallucinating?

You have to expend a mental effort to think about your solutions anyway; I guess it’s pick your poison really.
frogsRnice
·vorig jaar·discuss
My main gripe is that if someone finds a vulnerability that gives you a list of urls the model falls apart. I’ve seen this happen in organisations :/

But agree with your statement here and others about the lifetime of the data - if something is sensitive or secret you want proper access controls applied, not just openssl rand -hex 8
frogsRnice
·vorig jaar·discuss
I guess were talking about optimising tail recursion. Would there be any reason to refer to a tail call other than that optimisation?

I’ll do some reading on the latter part of your post, thank you!
frogsRnice
·vorig jaar·discuss
Would you not have to use a jump instead of call for it to be a tail call at all- ie otherwise a new frame is created on each call
frogsRnice
·2 jaar geleden·discuss
frida is an amazing tool - it has empowered me to do things that would have otherwise took weeks or even months. This video is a little old, but the creator is also cracked https://www.youtube.com/watch?v=CLpW1tZCblo

It's supposed to be "free-IDA" and the work put in by the developers and maintainers is truly phenomenal.

EDIT: This isn't really an attack imo. If you are going to take "secrets" and shove it into a mobile app, they can't really be considered secret. I suppose it's a tradeoff - if you want to do this kind of thing client-side - the secret sauce isn't so secret.
frogsRnice
·2 jaar geleden·discuss
I work in the security space and fell victim to an internal campaign as they sent a very enticing looking email at a point where I was on leave and my grandfather just passed.

You simply cannot know what mindset youll be in when you get phished :)

Edit: To clarify i was itching to work because it helps distract me from the reality that someone so dear to me was gone forever. I didnt want to cancel leave though because my output would have been absolutely turdy
frogsRnice
·2 jaar geleden·discuss
Fair enough on the device compromise point, that said the implementation is still terrible and illustrates what I would be worried about-

Maybe more succinctly put, how a credential is initially enrolled, managed and finally removed is an implementation detail which leaves room for funky implementations like the above.

I do agree that it is an improvement over passwords though. Furthermore I guess the same applies to password based logins where everybody just kind of wings it anyway.
frogsRnice
·2 jaar geleden·discuss
Ive also seen some pretty terrible implementations that don’t even allow end users to manage enrolled devices; so if someone steals your authenticator they have access to your account indefinitely.

Personally I like the benefits passkeys offer but some work still needs to be done around management of enrolled devices
frogsRnice
·2 jaar geleden·discuss
Making a website about it benefits other people; finding the vulnerability helps other people; even if its 10%, why can’t someone else do it?

Surely someone doing all this would already have submitted a patch if they felt comfortable.
frogsRnice
·2 jaar geleden·discuss
Don’t necessarily agree that selling hacks is ethical, but if I already spent time figuring out how to exploit a system - reporting it to the relevant place is charity. Ill do that, but Im definitely not spending time trying to fix the code if the solution isn’t immediately obvious. ++ so if you have to fight to get the bug recognised in the first place
frogsRnice
·2 jaar geleden·discuss
A vpn (that you trust) would certainly help a little, but in the above case the connection can still be mitmed from the vpn server to the application backend

Edit: I would for my personal devices, unless I knew the app did something horrendous in advance- but I guess the core problem is you really have no way of knowing unless you check the app yourself or there is a known and reported vulnerability.