This seems to presuppose that service providers using reCAPTCHA are either clueless idiots or actively expending resources and lowering their conversion rates to support the supposed Google/Apple duopoly. That does not strike me as a plausible claim.

> Overpayment interest for the 2020–2023 disaster period.

and refers to the interest that the IRS will pay you if they owe you money (a refund) that they don't manage to return to you in a timely manner.

(All of this is explained on the main IRS website: https://www.irs.gov/payments/interest)

[1] https://github.com/bloomberg/crane/wiki/Design-Principles

Comments URL: https://news.ycombinator.com/item?id=46734516

Points: 1

# Comments: 0

Comments URL: https://news.ycombinator.com/item?id=46542446

Points: 1

# Comments: 0

> How would you digitally sign a Json document and embed the signature in the document?

You would not, because that's exactly how you get these bugs. Fortunately serialization mechanisms, whether JSON or Protobuf or XML or anything else, turn structured data into strings of bytes, and signature schemes operate on strings of bytes, so you'll have a great time signing data _after_ serializing it.

If you examine the statement of benefits for your plan, you will find that it says something similar to this:

> Emergency Services are covered at the in-network cost-sharing level as required by applicable state or federal law if services are received from a non participating (out-of-network) provider.

> The member is responsible for applicable in-network cost-sharing amounts (any deductible, copay or coinsurance). The member is not responsible for any charges that may be made in excess of the allowable amount.

It reminded me of the Wii U Street View app and the interview with its developers (at https://iwataasks.nintendo.com/interviews/wiiu/wii-street-u/...). They were going for the same sort of a vibe, though it's unclear to me how many people actually ended up having that much fun with it.

DBSC is intended to be deployed opportunistically alongside regular cookies, so users on devices without TPMs just won't benefit from the additional protections that DBSC provides.

One thing that would worry me when deploying this in the Proxy mode is that you'll likely end up with two different XML parsers in play: xmldom in samlshield and then whatever the actual application is using. As we saw with CVE-2025-25292, it may be possible to exploit different parser behavior to construct a document that will be interpreted differently between the two applications, potentially bypassing the checks in samlshield.

Because credential stuffing is highly lucrative, even when no individual account is particularly high value, and is the most common way accounts are compromised on most services. There are other things a _user_ might do to prevent credential stuffing, like using unique passwords, but 2FA has the benefit of actually being visible/verifiable for you as a service provider.

Duolingo is the most popular language-learning application in the world, with over 500 million users and over half a billion exercises completed daily. Beyond our core learning product, we have also entered into literacy with Duolingo ABC and English proficiency testing with the Duolingo English Test. Our mission at Duolingo is to develop the best education in the world and make it universally available.

Our security team is growing and we are looking for engineers with experience in AppSec and CloudSec. We are running a microservice architecture on AWS and GCP, managed with Terraform, which supports our multiple web applications, mobile apps on Android and iOS, and a desktop Electron app.

Apply here: https://boards.greenhouse.io/duolingo/jobs/5392230002

Duolingo is the most popular language-learning application in the world, with over 500 million users and over half a billion exercises completed daily. Beyond our core learning product, we have also entered into literacy with Duolingo ABC and English proficiency testing with the Duolingo English Test. Our mission at Duolingo is to develop the best education in the world and make it universally available.

Our security team is growing and we are looking for engineers with experience in AppSec and CloudSec. We are running a microservice architecture on AWS and GCP, managed with Terraform, which supports our multiple web applications, mobile apps on Android and iOS, and a desktop Electron app.

Apply here: https://boards.greenhouse.io/duolingo/jobs/5392230002

Duolingo is the most popular language-learning application in the world, with over 500 million users and over half a billion exercises completed daily. Beyond our core learning product, we have also entered into literacy with Duolingo ABC and English proficiency testing with the Duolingo English Test. Our mission at Duolingo is to develop the best education in the world and make it universally available.

Our security team is growing and we are looking for engineers with experience in AppSec and CloudSec. We are running a microservice architecture on AWS and GCP, managed with Terraform, which supports our multiple web applications, mobile apps on Android and iOS, and a desktop Electron app.

Apply here: https://boards.greenhouse.io/duolingo/jobs/5392230002