<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: frogsRnice</title><link>https://news.ycombinator.com/user?id=frogsRnice</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Fri, 17 Apr 2026 19:12:22 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=frogsRnice" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by frogsRnice in "Why I no longer have an old-school cert on my HTTPS site"]]></title><description><![CDATA[
<p>Sure - but people are still free to decide where they draw the line.<p>Each extra bit of software is an additional attack surface after all</p>
]]></description><pubDate>Fri, 23 May 2025 12:06:43 +0000</pubDate><link>https://news.ycombinator.com/item?id=44072096</link><dc:creator>frogsRnice</dc:creator><comments>https://news.ycombinator.com/item?id=44072096</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44072096</guid></item><item><title><![CDATA[New comment by frogsRnice in "Making PyPI's test suite faster"]]></title><description><![CDATA[
<p>You all do amazing work, hope I can boast the same someday - or even 50% of it ;)<p>Seriously, you are my heroes!</p>
]]></description><pubDate>Mon, 12 May 2025 20:11:52 +0000</pubDate><link>https://news.ycombinator.com/item?id=43967006</link><dc:creator>frogsRnice</dc:creator><comments>https://news.ycombinator.com/item?id=43967006</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43967006</guid></item><item><title><![CDATA[New comment by frogsRnice in "Making PyPI's test suite faster"]]></title><description><![CDATA[
<p>Imo it's not just crypto - a lot of their reports are enlightening to read</p>
]]></description><pubDate>Mon, 12 May 2025 20:10:35 +0000</pubDate><link>https://news.ycombinator.com/item?id=43966993</link><dc:creator>frogsRnice</dc:creator><comments>https://news.ycombinator.com/item?id=43966993</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43966993</guid></item><item><title><![CDATA[New comment by frogsRnice in "Everything wrong with MCP"]]></title><description><![CDATA[
<p>It absolutely does</p>
]]></description><pubDate>Mon, 14 Apr 2025 03:19:51 +0000</pubDate><link>https://news.ycombinator.com/item?id=43677774</link><dc:creator>frogsRnice</dc:creator><comments>https://news.ycombinator.com/item?id=43677774</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43677774</guid></item><item><title><![CDATA[New comment by frogsRnice in "Anyone can push updates to the doge.gov website"]]></title><description><![CDATA[
<p>It could be pulling these resources over http ;)<p>Edit: Whoops sorry, morning fog</p>
]]></description><pubDate>Sat, 15 Feb 2025 05:43:14 +0000</pubDate><link>https://news.ycombinator.com/item?id=43056202</link><dc:creator>frogsRnice</dc:creator><comments>https://news.ycombinator.com/item?id=43056202</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43056202</guid></item><item><title><![CDATA[New comment by frogsRnice in "Beej's Guide to Git"]]></title><description><![CDATA[
<p>Unrelated; I just wanted to say that I learned programming from your socket tutorials when I was a kid. Everything was so well written that I used it from high school, to varsity to my day2day job.<p>Without your tutorials I’m not even sure if I would have chosen the career I did - thank you for all the love and effort you put into your posts; I’m sure that there are many other people who you’ve touched in a similar way</p>
]]></description><pubDate>Thu, 06 Feb 2025 04:48:00 +0000</pubDate><link>https://news.ycombinator.com/item?id=42959191</link><dc:creator>frogsRnice</dc:creator><comments>https://news.ycombinator.com/item?id=42959191</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=42959191</guid></item><item><title><![CDATA[New comment by frogsRnice in "Httptap: View HTTP/HTTPS requests made by any Linux program"]]></title><description><![CDATA[
<p>At some point someone needs to take responsibility for allowing modification of environment variables via something dumb like http. Debugging interfaces are fine- we should expect more from developers.</p>
]]></description><pubDate>Tue, 04 Feb 2025 11:44:29 +0000</pubDate><link>https://news.ycombinator.com/item?id=42931148</link><dc:creator>frogsRnice</dc:creator><comments>https://news.ycombinator.com/item?id=42931148</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=42931148</guid></item><item><title><![CDATA[New comment by frogsRnice in "What's OAuth2, anyway?"]]></title><description><![CDATA[
<p>No you misunderstand - it is super simple to pay some other company a small amount to do this for you. No complexity to worry about whatsoever.<p>And if things require even a slim amount of thought and planning - chuck it to your favourite LLM and call it a day.<p>Just in case the sarcasm wasn’t clear I want to personally assure you that nobody ever will confuse an access token for an ID token. :p</p>
]]></description><pubDate>Wed, 29 Jan 2025 11:55:02 +0000</pubDate><link>https://news.ycombinator.com/item?id=42863916</link><dc:creator>frogsRnice</dc:creator><comments>https://news.ycombinator.com/item?id=42863916</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=42863916</guid></item><item><title><![CDATA[New comment by frogsRnice in "Using AI for Coding: My Journey with Cline and LLMs"]]></title><description><![CDATA[
<p>Yeah I agree - I think the time spent verifying should vary based on the complexity and sensitivity of what you are looking at, but you never really get away from it.<p>I think my issue with LLMs is more so aimed at people who wouldn’t have ever done the bare minimum verification anyway.</p>
]]></description><pubDate>Tue, 28 Jan 2025 14:53:50 +0000</pubDate><link>https://news.ycombinator.com/item?id=42852972</link><dc:creator>frogsRnice</dc:creator><comments>https://news.ycombinator.com/item?id=42852972</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=42852972</guid></item><item><title><![CDATA[New comment by frogsRnice in "Using AI for Coding: My Journey with Cline and LLMs"]]></title><description><![CDATA[
<p>As opposed to wondering if the llm is hallucinating?<p>You have to expend a mental effort to think about your solutions anyway; I guess it’s pick your poison really.</p>
]]></description><pubDate>Tue, 28 Jan 2025 04:37:18 +0000</pubDate><link>https://news.ycombinator.com/item?id=42848874</link><dc:creator>frogsRnice</dc:creator><comments>https://news.ycombinator.com/item?id=42848874</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=42848874</guid></item><item><title><![CDATA[New comment by frogsRnice in "0-click deanonymization attack targeting Signal, Discord, other platforms"]]></title><description><![CDATA[
<p>My main gripe is that if someone finds a vulnerability that gives you a list of urls the model falls apart. I’ve seen this happen in organisations :/<p>But agree with your statement here and others about the lifetime of the data - if something is sensitive or secret you want proper access controls applied, not just openssl rand -hex 8</p>
]]></description><pubDate>Wed, 22 Jan 2025 05:42:38 +0000</pubDate><link>https://news.ycombinator.com/item?id=42789426</link><dc:creator>frogsRnice</dc:creator><comments>https://news.ycombinator.com/item?id=42789426</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=42789426</guid></item><item><title><![CDATA[New comment by frogsRnice in "Reverse engineering Call of Duty anti-cheat"]]></title><description><![CDATA[
<p>I guess we’re talking about optimising tail recursion. Would there be any reason to refer to a tail call other than that optimisation?<p>I’ll do some reading on the latter part of your post, thank you!</p>
]]></description><pubDate>Tue, 21 Jan 2025 09:58:03 +0000</pubDate><link>https://news.ycombinator.com/item?id=42778246</link><dc:creator>frogsRnice</dc:creator><comments>https://news.ycombinator.com/item?id=42778246</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=42778246</guid></item><item><title><![CDATA[New comment by frogsRnice in "Reverse engineering Call of Duty anti-cheat"]]></title><description><![CDATA[
<p>Would you not have to use a jump instead of call for it to be a tail call at all - i.e. otherwise a new frame is created on each call?</p>
]]></description><pubDate>Tue, 21 Jan 2025 03:36:55 +0000</pubDate><link>https://news.ycombinator.com/item?id=42776294</link><dc:creator>frogsRnice</dc:creator><comments>https://news.ycombinator.com/item?id=42776294</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=42776294</guid></item><item><title><![CDATA[New comment by frogsRnice in "Extracting AI models from mobile apps"]]></title><description><![CDATA[
<p>frida is an amazing tool - it has empowered me to do things that would have otherwise taken weeks or even months. This video is a little old, but the creator is also cracked <a href="https://www.youtube.com/watch?v=CLpW1tZCblo" rel="nofollow">https://www.youtube.com/watch?v=CLpW1tZCblo</a><p>It's supposed to be "free-IDA" and the work put in by the developers and maintainers is truly phenomenal.<p>EDIT: This isn't really an attack imo. If you are going to take "secrets" and shove them into a mobile app, they can't really be considered secret. I suppose it's a tradeoff - if you want to do this kind of thing client-side - the secret sauce isn't so secret.</p>
]]></description><pubDate>Sun, 05 Jan 2025 21:09:14 +0000</pubDate><link>https://news.ycombinator.com/item?id=42605063</link><dc:creator>frogsRnice</dc:creator><comments>https://news.ycombinator.com/item?id=42605063</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=42605063</guid></item><item><title><![CDATA[New comment by frogsRnice in "A Tour of WebAuthn"]]></title><description><![CDATA[
<p>I work in the security space and fell victim to an internal campaign as they sent a very enticing looking email at a point where I was on leave and my grandfather just passed.<p>You simply cannot know what mindset you'll be in when you get phished :)<p>Edit: To clarify I was itching to work because it helps distract me from the reality that someone so dear to me was gone forever. I didn't want to cancel leave though because my output would have been absolutely turdy</p>
]]></description><pubDate>Thu, 26 Dec 2024 21:19:49 +0000</pubDate><link>https://news.ycombinator.com/item?id=42517909</link><dc:creator>frogsRnice</dc:creator><comments>https://news.ycombinator.com/item?id=42517909</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=42517909</guid></item><item><title><![CDATA[New comment by frogsRnice in "Microsoft Confirms Password Deletion for 1B Users"]]></title><description><![CDATA[
<p>Fair enough on the device compromise point, that said the implementation is still terrible and illustrates what I would be worried about-<p>Maybe more succinctly put, how a credential is initially enrolled, managed and finally removed is an implementation detail which leaves room for funky implementations like the above.<p>I do agree that it is an improvement over passwords though. Furthermore I guess the same applies to password based logins where everybody just kind of wings it anyway.</p>
]]></description><pubDate>Fri, 20 Dec 2024 14:03:53 +0000</pubDate><link>https://news.ycombinator.com/item?id=42471139</link><dc:creator>frogsRnice</dc:creator><comments>https://news.ycombinator.com/item?id=42471139</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=42471139</guid></item><item><title><![CDATA[New comment by frogsRnice in "Microsoft Confirms Password Deletion for 1B Users"]]></title><description><![CDATA[
<p>I’ve also seen some pretty terrible implementations that don’t even allow end users to manage enrolled devices; so if someone steals your authenticator they have access to your account indefinitely.<p>Personally I like the benefits passkeys offer but some work still needs to be done around management of enrolled devices</p>
]]></description><pubDate>Wed, 18 Dec 2024 17:11:04 +0000</pubDate><link>https://news.ycombinator.com/item?id=42452425</link><dc:creator>frogsRnice</dc:creator><comments>https://news.ycombinator.com/item?id=42452425</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=42452425</guid></item><item><title><![CDATA[New comment by frogsRnice in "Upcoming Hardening in PHP"]]></title><description><![CDATA[
<p>Making a website about it benefits other people; finding the vulnerability helps other people; even if it’s 10%, why can’t someone else do it?<p>Surely someone doing all this would already have submitted a patch if they felt comfortable.</p>
]]></description><pubDate>Fri, 15 Nov 2024 16:27:25 +0000</pubDate><link>https://news.ycombinator.com/item?id=42148379</link><dc:creator>frogsRnice</dc:creator><comments>https://news.ycombinator.com/item?id=42148379</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=42148379</guid></item><item><title><![CDATA[New comment by frogsRnice in "Upcoming Hardening in PHP"]]></title><description><![CDATA[
<p>Don’t necessarily agree that selling hacks is ethical, but if I already spent time figuring out how to exploit a system - reporting it to the relevant place is charity. I’ll do that, but I’m definitely not spending time trying to fix the code if the solution isn’t immediately obvious. ++ so if you have to fight to get the bug recognised in the first place</p>
]]></description><pubDate>Fri, 15 Nov 2024 16:19:09 +0000</pubDate><link>https://news.ycombinator.com/item?id=42148285</link><dc:creator>frogsRnice</dc:creator><comments>https://news.ycombinator.com/item?id=42148285</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=42148285</guid></item><item><title><![CDATA[New comment by frogsRnice in "Ask HN: Dangers of Unsecured WiFi?"]]></title><description><![CDATA[
<p>A vpn (that you trust) would certainly help a little, but in the above case the connection can still be mitmed from the vpn server to the application backend<p>Edit: I would for my personal devices, unless I knew the app did something horrendous in advance- but I guess the core problem is you really have no way of knowing unless you check the app yourself or there is a known and reported vulnerability.</p>
]]></description><pubDate>Thu, 26 Sep 2024 10:26:39 +0000</pubDate><link>https://news.ycombinator.com/item?id=41656695</link><dc:creator>frogsRnice</dc:creator><comments>https://news.ycombinator.com/item?id=41656695</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=41656695</guid></item></channel></rss>