Hacker News: ev1

New comment by ev1 in "New two-factor authenticator: Commodore 64"

ev1 — Sat, 26 Nov 2022 01:35:24 +0000

So far I haven't seen a single major company doing phone based (insecure) 2fa not use the number for marketing, data abuse, etc.

Non-standards based "authenticator" dedicated apps phone home and spy on you. Intentionally trying to break or block actual TOTP.

New comment by ev1 in "“Invalid Username or Password”: a useless security measure (2014)"

ev1 — Wed, 23 Nov 2022 18:40:57 +0000

> Side note: the McDonald's app is nice in not requiring (or apparently even allowing) passwords to log in. However, there's a problem with its state transition, where the user needs to exit from the dialog that sends the sign-in link before they go to their email and click on the sign-in link, otherwise the user gets dumped to the next step without having actually signed in.

The mcdonalds app loads several dozen data collection sdks, pihole practically had a meltdown when it launched

New comment by ev1 in "Barclays using TeamViewer font to warn customers"

ev1 — Tue, 22 Nov 2022 21:13:55 +0000

I have encountered numerous sites that port scan localhost via websocket/img onerror/etc.

New comment by ev1 in "Ask HN: Maximize Uber/Lyft Driver Profits"

ev1 — Tue, 22 Nov 2022 21:10:59 +0000

The answer is generally "move" unfortunately. Surge pricing for things like club and concert nights runs orders of magnitude higher than normal rides for the same wear and tear. These don't really happen in small towns, and in larger places it's multiple times a night nearly every night.

New comment by ev1 in "Why Twitter didn’t go down: From a real Twitter SRE"

ev1 — Tue, 22 Nov 2022 18:44:07 +0000

> children with his executives,

Why do people do this? I mean in any industry. Just why? Is there something I don't understand about executives or C-levels or something?

New comment by ev1 in "CVE-2022-41924 – tailscaled can be used to remotely execute code on Windows"

ev1 — Mon, 21 Nov 2022 20:10:58 +0000

The biggest shock to me here is "aarch64 Windows doesn't have calc.exe"

New comment by ev1 in "How does Windows decide whether your computer has full Internet access?"

ev1 — Sat, 19 Nov 2022 08:13:42 +0000

No, your browser converts it before access

New comment by ev1 in "Infosys leaked FullAdminAccess AWS keys on PyPI for over a year"

ev1 — Thu, 17 Nov 2022 05:22:56 +0000

> Infosys will ban all OSS contributions from their developers.

Sounds... good to me?

New comment by ev1 in "Europe faces ‘cancer epidemic’ 1M cases missed during Covid Lockdowns"

ev1 — Wed, 16 Nov 2022 18:23:11 +0000

To be entirely neutral on this reply, it's not part of the title on the linked article and against guidelines to add it like that.

New comment by ev1 in "“When we all have pocket telephones”"

ev1 — Tue, 15 Nov 2022 22:10:16 +0000

I have not installed the TM app - you can add a ticket to Apple Wallet from the website, and every order I've seen has "don't have a phone? go to the box office for tickets when you arrive" somewhere

New comment by ev1 in "Amazon Clinic"

ev1 — Tue, 15 Nov 2022 19:44:33 +0000

Why are the 5 star reviews all for a nonstick frying pan?

New comment by ev1 in "Elon Musk doesn't understand GraphQL & blames 1000s of poorly-batched RPCs"

ev1 — Sun, 13 Nov 2022 22:42:04 +0000

I see entire massive threads requested and responded in a single compressed call to /api/graphql/xxx/TweetDetail

Loading an entire next page is also a single call to the same endpoint. There is nowhere remotely that I see the mobile client even making a hundred gql calls for tweets.

Is there something I'm missing or is he misusing "app" when he means backend service to service GQL calls?

New comment by ev1 in "Tell HN: GitHub banned me permanently"

ev1 — Sun, 13 Nov 2022 08:10:17 +0000

Reddit fingerprints you very aggressively. Cookies are not used here. Every single pageload, they scan all your fonts, plugins, etc.

They also exfiltrate this data back in ways to prevent blocking, by completely randomizing the API endpoint used to submit it and also not use a dedicated endpoint. For example on each pageload it might send to /submit, or /register, or /friend, it'll just pick a random valid endpoint and "front" that

They also continue to do this while you are logged out to tie your IP to the fingerprint.

    hxxps://www.redditstatic.com/reddit-init.en.4-tSxFR4sOk.js

^F "Arial"

Commonly spoofed fingerprints will result in a permanent ban automatically.

New comment by ev1 in "The Lie That Facebook Sold You"

ev1 — Tue, 08 Nov 2022 18:27:48 +0000

Amusingly, some of my friends that use it for Marketplace express a desire for Craigslist to be popular again, if not only for the absolutely insane people on Marketplace that demand to pay $20 for an item listed at $300 and then start spamming you and making public posts about how you're a thief and scammer for trying to rip off a single parent who just wanted to get their kid a present for $20, linking your profile the entire time.

New comment by ev1 in "The most unethical thing I was asked to build while working at Twitter in 2015"

ev1 — Mon, 07 Nov 2022 23:23:47 +0000

CFA app loads a bunch of rather fucked up surveillance SDKs under the guise of anti coupon fraud or something. Probably related to that.

New comment by ev1 in "Ask HN: Ideas to have fun poisoning data collection by trackers/data brokers?"

ev1 — Fri, 04 Nov 2022 03:40:10 +0000

Yeah all of these listed still require an equivalent to SSN.

New comment by ev1 in "Ask HN: Ideas to have fun poisoning data collection by trackers/data brokers?"

ev1 — Thu, 03 Nov 2022 20:31:32 +0000

Reloadables require SSN verification, afaik.

New comment by ev1 in "Ask HN: Have you noticed any side-effects from 100% work-from-home?"

ev1 — Wed, 02 Nov 2022 18:54:18 +0000

> It makes the days going back to the office feel more refreshing, like I have more oxygen

For some reason, every time I'm in a conference room I inevitably pass out. Even if I'm not tired and perfectly energetic on the way in, I can count on one hand the number of times I haven't just mentally gone while in one. Wonder why.

New comment by ev1 in "Ask HN: Why are ringtones not interesting anymore?"

ev1 — Tue, 01 Nov 2022 22:38:15 +0000

For younger group, you don't generally know or give out your number in the first place for person to person communication, which means that for the rare chances you are expecting, say, a medical call once a quarter or less, it's a scam. I don't know my best friend of 10+ years phone number but I can reach them in multiple ways.

If you're older the ratio probably tips it further into the "likely to be a valid call" I'm guessing.

I receive something on the order of one legitimate call every 5-8 months, everything else is spam/scam. There is absolutely no point in me accepting a call.

A formal phone call is generally synchronous, not asynchronous. It is extremely blocking behaviour and I hate it. Joining a group call with a few friends or even just 1-2 other people on discord or whatever else that you can drop out at any time without notice is a different type of "mood" and completely different set of standards. You can drop in and out in seconds, pop in to say hi and leave while you have your airpods in on while riding bart, , or spend hours just discussing dumb shit, etc.

New comment by ev1 in "Ask HN: Why are ringtones not interesting anymore?"

ev1 — Tue, 01 Nov 2022 21:54:35 +0000

I don't know how well this generalises, but in my sample size most people including myself don't even know our own phone number if asked. You don't exchange phone numbers. You might hold out your phone for the other person to scan your Snapchat QR or tell them @hn2022 and a platform like instagram. If you say hn#2022 people know automatically which platform that is. A sizable amount don't even have phone numbers and opt for data plan only for cost savings if paying for their own plan.