Hacker News: gavingmiller

New comment by gavingmiller in "1 bug, $50k in bounties, a Zendesk backdoor"

gavingmiller — Sat, 12 Oct 2024 21:27:33 +0000

It’s a good callout, shouldn’t have editorialized like that.

New comment by gavingmiller in "1 bug, $50k in bounties, a Zendesk backdoor"

gavingmiller — Sat, 12 Oct 2024 17:36:10 +0000

Not even close to the point I was making: If you want to get taken seriously, write to audience.

New comment by gavingmiller in "1 bug, $50k in bounties, a Zendesk backdoor"

gavingmiller — Sat, 12 Oct 2024 14:25:45 +0000

The piece the author is missing, and why zendesk likely ignored this is impact, and it's something I continually see submissions lacking. As a researcher, if you can't demonstrate impact of your vulnerability, then it looks like just another bug. A public program like zendesk is going to be swamped with reports, and they're using hackerone triagers to augment that volume. The triage system reads through a lot of reports - without clear impact, lots of vulnerabilities look like "just another bug". Notice that Zendesk took notice once mondev was able to escalate to an ATO[1]. That's impact, and that gets noticed!

[1] https://gist.github.com/hackermondev/68ec8ed145fcee49d2f5e2b...

New comment by gavingmiller in "1 bug, $50k in bounties, a Zendesk backdoor"

gavingmiller — Sat, 12 Oct 2024 14:20:38 +0000

zendesk is 6k employees, they have general council on staff

New comment by gavingmiller in "Include diagrams in your Markdown files with Mermaid"

gavingmiller — Mon, 14 Feb 2022 21:17:16 +0000

3 is hardly a sea shanty of vulnerabilities for a 7 year old library. I think you're conflating releases with vulns.

New comment by gavingmiller in "SolarWinds CEO blames intern for password leak"

gavingmiller — Sat, 27 Feb 2021 15:09:06 +0000

In no way is this an interns fault. If your entire infrastructure relies on the secure password of ...

checks notes

... a single intern! then you're doing it wrong.

New comment by gavingmiller in "Slack account takeovers using HTTP Request Smuggling"

gavingmiller — Fri, 13 Mar 2020 16:43:39 +0000

Anyone know if the `smuggler` tool used is available online? Can't find any reference to it in github or elsewhere, and I'm not familiar with it.

Edit: Found it here: https://github.com/gwen001/pentest-tools/blob/master/smuggle...

Clarifying ProtonMail and Huawei

gavingmiller — Mon, 09 Sep 2019 01:50:49 +0000

Article URL: https://protonmail.com/blog/clarifying-protonmail-and-huawei/

Comments URL: https://news.ycombinator.com/item?id=20914585

Points: 210

# Comments: 64

New comment by gavingmiller in "Thank u, next"

gavingmiller — Mon, 07 Jan 2019 15:59:21 +0000

> Why’d he quit? ... he told me this: at each stage of a company’s growth, they have different needs. Those needs generally require different skills. What he enjoyed, and what he had the skills to do, was to take a tiny company and make it medium sized. Once a company was at that stage of growth, he was less interested and less good at taking them from there.

This is an aspect that gets overlooked in many businesses & careers. I've heard it phrased that companies go through 3 stages: Startup, Scale Up, Optimize. The above quote is a sub-stage of Scale Up. Some people are built for just a single stage and knowing how and where your skillset fits in is crucial to career happiness. As well as knowing when to encourage employees to move on.

Great post and I wish @steveklabnik continued success in his career!

New comment by gavingmiller in "The Devil's Hair Dryer: Hell is other people, with leaf blowers (2016)"

gavingmiller — Sun, 25 Nov 2018 04:15:38 +0000

> TVs blaring in waiting rooms when you'd prefer to just sit in silence.

When I can, I turn the TVs off. No one has complained yet.

New comment by gavingmiller in "Losing 100 pounds in 276 days"

gavingmiller — Mon, 25 Jun 2018 14:43:39 +0000

> Getting motivated to lift 2x a week is another issue...

Was in the same boat until I started doing group classes. Used that to build accountability, motivation, and a "vocabulary" of how the gym works. Now I could spend hours at the gym by myself and love it. Find what works for you, cuz lifting is a blast!

New comment by gavingmiller in "Ask HN: What mistakes in your experience does management keep making?"

gavingmiller — Thu, 17 Aug 2017 15:14:13 +0000

Not training managers on how to manage.

When devs are promoted into management or team lead positions they are not given adequate training on what it means to manage / lead. Thus devs don't learn what good management is, and the stereotype of the bad manager perpetuates.

New comment by gavingmiller in "Cisco's Talos team analysis of WannaCry worm"

gavingmiller — Sat, 13 May 2017 14:07:24 +0000

Password protected zip. And/or wrap in another zip is usually enough to thwart Gmail

New comment by gavingmiller in "List of Sites Affected by Cloudflare's HTTPS Traffic Leak"

gavingmiller — Sun, 26 Feb 2017 16:02:35 +0000

As a happy customer of 1Password, it would be great to see you connect with Have I been pwned?[1] for watchtower notifications.

[1] https://haveibeenpwned.com/

New comment by gavingmiller in "DHH answers: What makes Rails a framework worth learning in 2017?"

gavingmiller — Tue, 24 Jan 2017 21:52:08 +0000

corrected - thanks

DHH answers: What makes Rails a framework worth learning in 2017?

gavingmiller — Tue, 24 Jan 2017 20:35:20 +0000

Article URL: https://www.quora.com/What-makes-Rails-a-framework-worth-learning-in-2017/answer/David-Heinemeier-Hansson?srid=tfS&share=1

Comments URL: https://news.ycombinator.com/item?id=13475215

Points: 200

# Comments: 130

New comment by gavingmiller in "Rails 5.0.1 has been released"

gavingmiller — Wed, 21 Dec 2016 14:41:06 +0000

I'd love to DM you with some questions about Toronto. Can you ping me via my profile info?

New comment by gavingmiller in "An insider's look at what he gave up to create a classic game"

gavingmiller — Thu, 02 Jun 2016 01:42:54 +0000

> 'progressive' practices such as unlimited vacation

Unlimited vacation is not progressive and it is also unhealthy.

It causes feelings of guilt while on vacation. Often there's an unspoken obligated to check-in (email & chat) when on vacation. And leads to taking fewer vacation days not more. When leaving a company, they have no obligation to pay out accrued vacation days since there is none defined (this may be a Canadian thing). Additionally, it can also come with the unspoken culture of overtime, since it can easily be made up with "more time off".

Having worked with unlimited vacation, if I am ever offered it again, I will decline and negotiate defined vacation into my employment agreement.

New comment by gavingmiller in "A Tale of Security Gone Wrong"

gavingmiller — Thu, 07 Apr 2016 22:56:26 +0000

Your solution of mapping to a grading system A,B,C,D; or terrible, crap, better, best was mentioned in another thread about this article. It's a common thought, however it's incorrect because you're still leaking substantial information about passwords. By storing entropy of any kind: whole number, graded, > threshold, etc you are weakening your password hash. This is completely unnecessary where better solutions exist: TFA

New comment by gavingmiller in "A Tale of Security Gone Wrong"

gavingmiller — Thu, 07 Apr 2016 22:49:54 +0000

It's an assumption on my part, and anecdotally a correct one. Having included this entropy example in a number of talks and asking the audience what's wrong, the majority of the technical audience did not know, nor did they have an appropriate guess.