HackerTrans
TopNewTrendsCommentsPastAskShowJobs

CER10TY

67 karmajoined 7 ปีที่แล้ว

comments

CER10TY
·2 ชั่วโมงที่ผ่านมา·discuss
Cookies also don't work on mobile, so you inevitably have to maintain 2 different login flows.

But they're still the superior choice for authN on the web, because if you want to, you CAN configure cookies to be secure. Yes, attackers can ride the session, but it's dependent on the user being on the tab and you being able to consistently execute JS. Client-side compromise (ie attacker controls the entire browser) is not feasible to defend against anyway.

The main issue with JWT+localStorage is you can actually execute one-off JS, exfiltrate the token and come back later. I've _never_ seen a well-executed JWT+localStorage implementation in 10 or so years, because teams inevitably realise they can't reliably revoke sessions (another advantage of cookies) and then start giving out long-lived access tokens but adding them to the database. Or some variation of that.
CER10TY
·3 เดือนที่ผ่านมา·discuss
They use Persona for their new "Trusted Access for Cyber": https://chatgpt.com/cyber, at least according to the FAQ
CER10TY
·5 เดือนที่ผ่านมา·discuss
IIRC the creator specifically said he's not reviewing any of the submissions and users should just be careful and vet skills themselves. Not sure who OpenClaw/Clawhub/Moltbook/Clawdbot/(anything I missed) was marketed at, but I assume most people won't bother looking at the source code of skills.
CER10TY
·5 เดือนที่ผ่านมา·discuss
It swings both ways though. I've seen plenty of older engineers dismiss the "new guys" effort and claim that everything had to be custom written, because there's no way a common framework like Django could cover their use case. The same type of engineer has never once worked with a common framework though, so they don't know what's included nowadays.

Turns out it's a lot easier to build on top of a common framework than do everything from scratch.
CER10TY
·7 เดือนที่ผ่านมา·discuss
Only for public repos though - if you're in an org with private repositories you don't get access to them (yet).
CER10TY
·7 เดือนที่ผ่านมา·discuss
Personally, I'd just use common sense and good judgment. At the end of the day, would you want someone to hand your address, and other private data to OpenAI just like that? Probably not. So don't paste customer data into it if you can avoid it.

On the other hand, minified code is literally published by the company. Everyone can see it and do with it as they please. So handing that over to an AI to un-minify is not really your problem, since you're not the developer working on the tool internally.
CER10TY
·7 เดือนที่ผ่านมา·discuss
Presumably they'll threaten to sue you and/or file a criminal complaint, which can be pretty hard to deal with depending on the jurisdiction. At that point you'll probably start asking yourself if it's worth publishing a blog post for some internet points.
CER10TY
·11 เดือนที่ผ่านมา·discuss
That's a good catch. I knew these flags existed, but I figured they'd require at least a human in the loop to verify, similar to how Claude Code currently asks for permission to run code in the current directory.
CER10TY
·11 เดือนที่ผ่านมา·discuss
Personally, I'd expect Claude Code not to have such far-reaching access across my filesystem if it only asks me for permission to work and run things within a given project.