HackerTrans
TopNewTrendsCommentsPastAskShowJobs

rosndo

no profile record

comments

rosndo
·4 năm trước·discuss
It’s been mandatory since 2018. Browsers will reject certificates which have not been publicly logged.

Perhaps next you’ll wonder if it’s as simple as compromising a CA and a CT log? Nope, as browsers require cryptographic attestations from multiple CT logs. If you’re using Chrome, one of those logs has to be the one operated by Google.

Also such collusion will soon be defeated by SCT auditing https://www.hardenize.com/blog/certificate-transparency-sct-...

https://docs.google.com/document/d/16G-Q7iN3kB46GSW5b-sfH5MO...
rosndo
·4 năm trước·discuss
> but it does work all across europe, in every shop I went.

That’s because deep inside it’s secretly something like a mastercard maestro, no?

Why don’t you just get a “normal” card from N26 or similar?

I used to have one of these weird not-visa not-mastercard debit cards, trying to use it internationally was just asking for trouble.
rosndo
·4 năm trước·discuss
By choosing to only have an EC card you’re making a deliberate choice to make your life difficult by using an incredibly obscure method of payment, no?

You can hardly expect those to work even in other EU countries, much less with an US based online business.

Almost everybody else in the world has a visa or a mastercard (or unionpay)
rosndo
·4 năm trước·discuss
I don’t get it. How are my friends morally bankrupt for selling NFTs to people like Will Smith or Dubai royalty? Same people who are buying their art to hang on their walls.

It’s not like NFTs brought them a whole new audience, it’s just that their existing audience wanted NFTs.

You might think NFTs are worthless, but the exact same argument goes for easily reproduced physical works of art.
rosndo
·4 năm trước·discuss
>IMO if you encounter any non-technical artist "excited" about NFTs, tell them to stay the hell away, or risk being seen a bad friend.

Fuck that, despite me being incredibly skeptical of NFTs I’m perfectly willing to acknowledge the fact that some of my non-technical artist friends have earned 6-7 figure amounts selling NFTs.
rosndo
·4 năm trước·discuss
I think the “planet-killing scam” is very HN-sphere thinking. Most people have no idea. Most non-technical artists I interact with seem very excited about NFTs, often asking me to help them create their own (unfortunately I’m not interested).

And what about when ETH2 goes live in some months and the main NFT chain moves to proof-of-stake? The “planet-killing” problem is already solved, that tech is going live this year. Seems like a fairly fragile criticism.
rosndo
·4 năm trước·discuss
While I largely share your feelings about NFTs, I think the general population outside of HN sphere does not.

I’d hedge my bets on this one, I’ve interacted extensively with the massive art market and NFTs really seem like a natural fit.
rosndo
·4 năm trước·discuss
Actually not really, I’ve switched banks used by my UK based business a couple of times. It has never been difficult.

I would certainly want to switch banks if I started hearing complaints about me using Stripe.
rosndo
·4 năm trước·discuss
My European debit card number worked just fine (as it basically always does when someone asks for a “credit card”)
rosndo
·4 năm trước·discuss
Thanks to certificate transparency the CA system is really not a huge risk.
rosndo
·4 năm trước·discuss
I agree about securedrop, but the blog post seems to discuss “platforms such as Facebook, the BBC or NYT”.

Also in the case of securedrop it might make sense to have that separate from the rest of your infrastructure, so the “hidden” part of “hidden services” suddenly becomes useful.
rosndo
·4 năm trước·discuss
> This is counterbalanced by higher phishing risks

I would argue that this is the much bigger footgun for users. Just look at how much money darknet users are losing to the big industry of .onion phishing pages.
rosndo
·4 năm trước·discuss
> you are guaranteed to be connected to what you expect — or not at all.

Exactly the same guarantees are also achieved by putting your clearnet address on HSTS Preload lists, or by writing https:// in front of the url on the users side.
rosndo
·4 năm trước·discuss
What real attacks would that enable?
rosndo
·4 năm trước·discuss
Most of the technical points listed here are pretty much entirely mitigated by TLS. Exit nodes can of course deny access to specific sites, but hidden services suffer from comparable (or worse) issues.

There are no other practical attacks that malicious exit nodes could execute against sites using TLS and HSTS preload lists. If you’re a website administrator, fixing those things should be your priority before implementing onion addresses.

Onion addresses also come with slight drawbacks. They’re difficult for users and more vulnerable to phishing. Hidden services are also extremely vulnerable to CPU-based DoS attacks.
rosndo
·4 năm trước·discuss
Laughable to think that NATO expansion alone would’ve been sufficient for the cost-benefit calculation here.

Putin wants his name in history books.
rosndo
·4 năm trước·discuss
> For one, Putin seems to want to reassemble the USSR as a vanity project

Putin has almost exclusively bad things to say about the USSR, it is the Russian Empire he wants to restore.
rosndo
·4 năm trước·discuss
Only way we’re going to see another exploit pack like blackhole is if it’s targeting Android devices which aren’t receiving security updates.
rosndo
·4 năm trước·discuss
But then most exploits that involve sending links would also be zero-click, just not deployed in that manner.

I think this just goes to show how silly this new terminology is.
rosndo
·4 năm trước·discuss
> A non zero click vulnerability can be mitigated by being cautious. A zero click vulnerability cannot.

No amount of caution will save you when the exploit is injected into a major website.

Why bother with such meaningless distinction? Does your browser never hit any http:// resources?