Hacker News: iancarroll

New comment by iancarroll in "Gov.uk has replaced Stripe with Dutch provider Adyen"

iancarroll — Sat, 06 Jun 2026 10:07:12 +0000

0.5% is a pretty incredibly low interchange rate in any case. But if you are saying that half of it is going to scheme fees, I doubt it is funding rewards programs for consumers.

New comment by iancarroll in "Cloudflare Flagship"

iancarroll — Wed, 27 May 2026 15:52:29 +0000

Well, OpenAI already sold it (but kept the team), so it’s in someone else’s hands now.

New comment by iancarroll in "Cal.com is going closed source"

iancarroll — Wed, 15 Apr 2026 15:59:07 +0000

I know plenty of security researchers who exclusively use Claude Code and other tools for blackbox testing against sites they don’t have the source code for. It seems like shutting down the entire product is the only safe decision here!

New comment by iancarroll in "ChatGPT won't let you type until Cloudflare reads your React state"

iancarroll — Mon, 30 Mar 2026 04:33:52 +0000

It’s pretty interesting to me that Cloudflare is collecting additional client-side data for individual customers. This is not widely done by most anti-bot solutions.

New comment by iancarroll in "I decompiled the White House's new app"

iancarroll — Sat, 28 Mar 2026 16:48:59 +0000

A bit skeptical of how this article is written as it seems to be mostly written by AI. Out of curiosity, I downloaded the app and it doesn't request location permissions anywhere, despite the claims in the article.

I've noticed Claude Code is happy to decompile APKs for you but isn't very good at doing reachability analysis or figuring out complex control flows. It will treat completely dead code as important as a commonly invoked function.

New comment by iancarroll in "Verizon imposes new roadblock on users trying to unlock paid-off phones"

iancarroll — Sat, 14 Feb 2026 22:33:46 +0000

Verizon did manage to convince the FCC that this was enough a problem to change their settlement agreement[0] requiring more frequent unlocks. If you believe their numbers, they lost 700,000 phones to fraud in 2023, although a lot of those were probably any unlocked phone that defaulted on its payments.

[0] https://www.reuters.com/business/media-telecom/fcc-revises-v...

New comment by iancarroll in "6-Day and IP Address Certificates Are Generally Available"

iancarroll — Fri, 16 Jan 2026 19:52:43 +0000

That is a very old article that seems to be outdated now.

New comment by iancarroll in "Flock Hardcoded the Password for America's Surveillance Infrastructure 53 Times"

iancarroll — Fri, 09 Jan 2026 23:31:52 +0000

Although I don’t like Flock, I’m a bit skeptical of the claims in the article. Most screenshots appear to be client-side JavaScript snippets, not API responses from this key.

In the bug bounty community, Google Maps API key leaks are a common false positive, because they are only used for billing purposes and don’t actually control access to any data. The article doesn’t really prove ArcGIS is any different.

New comment by iancarroll in "Chase to become new issuer of Apple Card"

iancarroll — Thu, 08 Jan 2026 05:37:37 +0000

Chase issues cards on both the Visa and Mastercard network (i.e. certain cobrands and the Freedom Flex), so I doubt this was a serious consideration.

New comment by iancarroll in "India orders smartphone makers to preload state-owned cyber safety app"

iancarroll — Mon, 01 Dec 2025 19:13:27 +0000

The GFW is certainly looking for traffic to block, but it is not really going to invade much privacy, as it cannot decrypt anything using HTTPS/TLS.

New comment by iancarroll in "India orders smartphone makers to preload state-owned cyber safety app"

iancarroll — Mon, 01 Dec 2025 18:59:55 +0000

I don't think there is any reason to assume they would allow forced code execution just because they allow data residency for mainland accounts. And unfortunately, China is likely a much larger and more profitable consumer market than India - presumably they can still export phones produced inside India without this.

New comment by iancarroll in "India orders smartphone makers to preload state-owned cyber safety app"

iancarroll — Mon, 01 Dec 2025 18:40:37 +0000

Even in mainland China, where iOS does have a large amount of changes to comply with local regulations, Apple does not pre-install any apps from anyone.

New comment by iancarroll in "Show HN: Wealthfolio 2.0- Open source investment tracker. Now Mobile and Docker"

iancarroll — Sat, 22 Nov 2025 19:12:51 +0000

It’s great that you have coverage across multiple countries. I’ve noticed most budget apps cannot handle multiple currencies at all, much less automated sync across multiple countries.

New comment by iancarroll in "Open Source Implementation of Apple's Private Compute Cloud"

iancarroll — Thu, 06 Nov 2025 16:15:37 +0000

Aren’t they both hardware backed, just changing the X in “trust X”?

New comment by iancarroll in "The cryptography behind electronic passports"

iancarroll — Sat, 01 Nov 2025 14:32:29 +0000

Not an expert but my understanding is that active authentication only occurs after the basic “I can see the MRZ data” authentication passes first. You can’t skip proving you can read the MRZ in any scenario.

New comment by iancarroll in "Accessing Max Verstappen's passport and PII through FIA bugs"

iancarroll — Thu, 23 Oct 2025 00:59:59 +0000

Good-faith security research[0] is the only way this industry will move forward, for better or worse. It is clear that most companies do not want to invest in anything further like VDPs.

[0] https://www.justice.gov/archives/opa/pr/department-justice-a...

New comment by iancarroll in "Accessing Max Verstappen's passport and PII through FIA bugs"

iancarroll — Wed, 22 Oct 2025 20:30:15 +0000

Actual legal threats are uncommon but I have seen some companies try to offer a bribe disguised as a retroactive bug bounty program, in exchange for not publishing. Obviously it is important to decline that.

New comment by iancarroll in "Compare Single Board Computers"

iancarroll — Sun, 19 Oct 2025 20:57:32 +0000

That’s a nice list, thanks!

New comment by iancarroll in "Compare Single Board Computers"

iancarroll — Sun, 19 Oct 2025 20:31:51 +0000

Clicking on “ARM” only seems to show Raspberry Pi’s and not the other ARM boards listed on the site.

New comment by iancarroll in "Chess.com regional pricing: A case study"

iancarroll — Wed, 08 Oct 2025 05:10:41 +0000

Many cards in the US do not charge any foreign transaction fees, and Alipay/WeChat waive their fees on small ticket items as well.