<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: jorge_leria</title><link>https://news.ycombinator.com/user?id=jorge_leria</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Thu, 25 Jun 2026 22:59:58 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=jorge_leria" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by jorge_leria in "The vocal effects of Daft Punk"]]></title><description><![CDATA[
<p>Same!</p>
]]></description><pubDate>Mon, 05 May 2025 12:52:06 +0000</pubDate><link>https://news.ycombinator.com/item?id=43894565</link><dc:creator>jorge_leria</dc:creator><comments>https://news.ycombinator.com/item?id=43894565</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43894565</guid></item><item><title><![CDATA[14-year-old Instagram account stolen and why it was an inside job]]></title><description><![CDATA[
<p>Article URL: <a href="https://twitter.com/javier/status/1850950335625388186">https://twitter.com/javier/status/1850950335625388186</a></p>
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=41977199">https://news.ycombinator.com/item?id=41977199</a></p>
<p>Points: 4</p>
<p># Comments: 0</p>
]]></description><pubDate>Mon, 28 Oct 2024 22:30:39 +0000</pubDate><link>https://twitter.com/javier/status/1850950335625388186</link><dc:creator>jorge_leria</dc:creator><comments>https://news.ycombinator.com/item?id=41977199</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=41977199</guid></item><item><title><![CDATA[New comment by jorge_leria in "Stealing OAuth tokens of Microsoft accounts via open redirect in Harvest App"]]></title><description><![CDATA[
<p>Hey, I got into more details in my internal discussion with the researcher and previous post, but around the time we determined we couldn't replicate it, we got a similar report leading me to believe this was already closed. I didn't believe there was something the whole time. It was a mix-up on my side, and I'm sorry about it.</p>
]]></description><pubDate>Mon, 23 Oct 2023 13:00:22 +0000</pubDate><link>https://news.ycombinator.com/item?id=37985008</link><dc:creator>jorge_leria</dc:creator><comments>https://news.ycombinator.com/item?id=37985008</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=37985008</guid></item><item><title><![CDATA[New comment by jorge_leria in "Stealing OAuth tokens of Microsoft accounts via open redirect in Harvest App"]]></title><description><![CDATA[
<p>Hey 0xcrypto, I'm very sorry if I gave the impression that we weren't open to discussing anything further on the original issue. After my message, we only received a short comment from you. The issue will actually still be open for a short while just in case you want to discuss further details. Let's continue the conversation there.</p>
]]></description><pubDate>Mon, 23 Oct 2023 05:32:39 +0000</pubDate><link>https://news.ycombinator.com/item?id=37981952</link><dc:creator>jorge_leria</dc:creator><comments>https://news.ycombinator.com/item?id=37981952</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=37981952</guid></item><item><title><![CDATA[New comment by jorge_leria in "Stealing OAuth tokens of Microsoft accounts via open redirect in Harvest App"]]></title><description><![CDATA[
<p>Thank you for your kind words. I can confirm that our support team is stellar. Despite being a small team, we approach every matter very seriously and I was personally involved in the investigation you referenced. The miscommunication with the reporter on this thread was entirely my oversight (I explained it on the top response) and I'll make sure it won't happen again.</p>
]]></description><pubDate>Sun, 22 Oct 2023 23:05:23 +0000</pubDate><link>https://news.ycombinator.com/item?id=37979874</link><dc:creator>jorge_leria</dc:creator><comments>https://news.ycombinator.com/item?id=37979874</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=37979874</guid></item><item><title><![CDATA[New comment by jorge_leria in "Stealing OAuth tokens of Microsoft accounts via open redirect in Harvest App"]]></title><description><![CDATA[
<p>Thank you for your feedback. While my main focus is on Data and Security, I'll ensure that your issues are heard by the team responsible for our mobile app. I'm aware that we're constantly working on improving the iOS app experience.</p>
]]></description><pubDate>Sun, 22 Oct 2023 22:54:02 +0000</pubDate><link>https://news.ycombinator.com/item?id=37979798</link><dc:creator>jorge_leria</dc:creator><comments>https://news.ycombinator.com/item?id=37979798</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=37979798</guid></item><item><title><![CDATA[New comment by jorge_leria in "Stealing OAuth tokens of Microsoft accounts via open redirect in Harvest App"]]></title><description><![CDATA[
<p>Hey! I'm part of Harvest Security Team. We'll be changing the way we do this, but by the time this happened I triaged the report after reading it because it really looked legit. The reality is that we were never able to reproduce and there was no explicit fix.<p>The issue stayed on Triage state and I missed the reporter updates. I talked to the author of the post and I believe we are on good terms now.<p>The security and privacy of our customers is extremely important to us, everything we say in our security page is true and I've been working on this for years.</p>
]]></description><pubDate>Sun, 22 Oct 2023 21:14:17 +0000</pubDate><link>https://news.ycombinator.com/item?id=37979149</link><dc:creator>jorge_leria</dc:creator><comments>https://news.ycombinator.com/item?id=37979149</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=37979149</guid></item><item><title><![CDATA[New comment by jorge_leria in "Stealing OAuth tokens of Microsoft accounts via open redirect in Harvest App"]]></title><description><![CDATA[
<p>Harvest Security Team here. I addressed this on another comment, but basically we were never able to reproduce and there was no explicit fix, but it stayed on Triage state when it should've been Closed, due to a human error on my side.</p>
]]></description><pubDate>Sun, 22 Oct 2023 20:56:49 +0000</pubDate><link>https://news.ycombinator.com/item?id=37979022</link><dc:creator>jorge_leria</dc:creator><comments>https://news.ycombinator.com/item?id=37979022</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=37979022</guid></item><item><title><![CDATA[New comment by jorge_leria in "Stealing OAuth tokens of Microsoft accounts via open redirect in Harvest App"]]></title><description><![CDATA[
<p>The fact that we kept it in triage means that we believed there was something. Also the reporter gave a really good explanation.<p>By the time the report was originally sent the feature was just released, and while we never deployed a code change to directly address it, it wouldn't be the first time that we receive something that I believe was genuinely a security issue and stopped being reproducible due to a seemingly unrelated change around the same time.</p>
]]></description><pubDate>Sun, 22 Oct 2023 20:26:43 +0000</pubDate><link>https://news.ycombinator.com/item?id=37978777</link><dc:creator>jorge_leria</dc:creator><comments>https://news.ycombinator.com/item?id=37978777</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=37978777</guid></item><item><title><![CDATA[New comment by jorge_leria in "Stealing OAuth tokens of Microsoft accounts via open redirect in Harvest App"]]></title><description><![CDATA[
<p>Hi! I'm the person in charge of managing the bug bounty program, and I'd like to shed light on what happened from our end. I already apologized and explained this to @0xcrypto internally, but I believe that I should say something here to clarify what happened.<p>The truth here is that we were never able to fully reproduce the issue from the beginning, but struggled to close it because of the fear of missing something. Shortly after when we got back to the reporter for the last time, saying that we'll find a resolution, is when we were convinced that we were not able to reproduce it. Around that time we received a similar OAuth-related report. Unfortunately, this led to an internal mix-up, making us believe that we had addressed and communicated the resolution.<p>Because of the way I have notifications set up, I missed the follow-ups, and the issue stayed in Triage state indefinitely without receiving updates. This is by no means an excuse about the lack of updates, about which I'm deeply sorry. I've been a bug bounty hunter for many years and understand how frustrating it is to wait for updates from companies.<p>Finally, I'd like to reassure y'all that the security of our customers is of the utmost importance to us, and everything we say in our security page is true.</p>
]]></description><pubDate>Sun, 22 Oct 2023 19:41:37 +0000</pubDate><link>https://news.ycombinator.com/item?id=37978405</link><dc:creator>jorge_leria</dc:creator><comments>https://news.ycombinator.com/item?id=37978405</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=37978405</guid></item><item><title><![CDATA[New comment by jorge_leria in "How To Safely Store A Password (2010)"]]></title><description><![CDATA[
<p>In general it is not true that Argon2 should be recommended over bcrypt. Even some of the people on the experts panel for the PHC (where Argon2 won) won’t recommend Argon2 over bcrypt: <a href="https://twitter.com/TerahashCorp/status/1155129705034653698" rel="nofollow">https://twitter.com/TerahashCorp/status/1155129705034653698</a><p>Looks like for the typical case (~200ms calculating the hash) bcrypt beats Argon2. I guess that’s what I understand from those discussions, I’m not an expert by any means. It is related to cache hardness: <a href="https://twitter.com/Sc00bzT/status/1149963675069026304" rel="nofollow">https://twitter.com/Sc00bzT/status/1149963675069026304</a></p>
]]></description><pubDate>Thu, 03 Dec 2020 13:32:53 +0000</pubDate><link>https://news.ycombinator.com/item?id=25288623</link><dc:creator>jorge_leria</dc:creator><comments>https://news.ycombinator.com/item?id=25288623</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=25288623</guid></item><item><title><![CDATA[New comment by jorge_leria in "How Rainbow Tables Work"]]></title><description><![CDATA[
<p>A new GPU is able to calculate ~50,000 million MD5 hashes per second, and an MD5 hash is typically stored as a 32-byte hex string. If you want to store that you'll need more than 1TB per second: <a href="https://gist.github.com/Chick3nman/bb22b28ec4ddec0cb5f59df97c994db4" rel="nofollow">https://gist.github.com/Chick3nman/bb22b28ec4ddec0cb5f59df97...</a><p>I used MD5 because that's the typical hash you find unsalted on leaks, but if you do the math with others it is almost impossible to find an example where storing beats using a GPU to crack (even an older one) for a couple of hours.</p>
]]></description><pubDate>Wed, 25 Nov 2020 00:47:45 +0000</pubDate><link>https://news.ycombinator.com/item?id=25204760</link><dc:creator>jorge_leria</dc:creator><comments>https://news.ycombinator.com/item?id=25204760</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=25204760</guid></item><item><title><![CDATA[Supaplex reverse engineered, reimplemented, and ported to Switch and PS Vita]]></title><description><![CDATA[
<p>Article URL: <a href="https://twitter.com/sergiou87/status/1254364851419447298">https://twitter.com/sergiou87/status/1254364851419447298</a></p>
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=22997315">https://news.ycombinator.com/item?id=22997315</a></p>
<p>Points: 3</p>
<p># Comments: 0</p>
]]></description><pubDate>Mon, 27 Apr 2020 16:27:50 +0000</pubDate><link>https://twitter.com/sergiou87/status/1254364851419447298</link><dc:creator>jorge_leria</dc:creator><comments>https://news.ycombinator.com/item?id=22997315</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=22997315</guid></item><item><title><![CDATA[New comment by jorge_leria in "Incident Report: Inadvertent Private Repository Disclosure"]]></title><description><![CDATA[
<p>GitHub takes security seriously; this disclosure post is proof of that.</p>
]]></description><pubDate>Fri, 28 Oct 2016 18:14:11 +0000</pubDate><link>https://news.ycombinator.com/item?id=12819026</link><dc:creator>jorge_leria</dc:creator><comments>https://news.ycombinator.com/item?id=12819026</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=12819026</guid></item><item><title><![CDATA[New comment by jorge_leria in "Making 1M requests with Python-aiohttp"]]></title><description><![CDATA[
<p>The article is not about serving, but about consuming. Not the same beast.</p>
]]></description><pubDate>Sat, 23 Apr 2016 21:17:56 +0000</pubDate><link>https://news.ycombinator.com/item?id=11557457</link><dc:creator>jorge_leria</dc:creator><comments>https://news.ycombinator.com/item?id=11557457</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=11557457</guid></item><item><title><![CDATA[New comment by jorge_leria in "Making 1M requests with Python-aiohttp"]]></title><description><![CDATA[
<p>1M per minute is something. Could you name those frameworks?</p>
]]></description><pubDate>Sat, 23 Apr 2016 20:53:00 +0000</pubDate><link>https://news.ycombinator.com/item?id=11557378</link><dc:creator>jorge_leria</dc:creator><comments>https://news.ycombinator.com/item?id=11557378</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=11557378</guid></item><item><title><![CDATA[New comment by jorge_leria in "New Python REST API and CLI micro-framework"]]></title><description><![CDATA[
<p><a href="http://i.imgur.com/5sReybQ.gif" rel="nofollow">http://i.imgur.com/5sReybQ.gif</a>
Same image -> 333kb. There are a few tricks that you can apply to reduce the size while keeping the same visible quality: <a href="http://ezgif.com/optimize" rel="nofollow">http://ezgif.com/optimize</a></p>
]]></description><pubDate>Fri, 19 Feb 2016 12:17:39 +0000</pubDate><link>https://news.ycombinator.com/item?id=11133046</link><dc:creator>jorge_leria</dc:creator><comments>https://news.ycombinator.com/item?id=11133046</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=11133046</guid></item><item><title><![CDATA[New comment by jorge_leria in "Next-generation video encoding techniques for 360 video and VR"]]></title><description><![CDATA[
<p>The challenge on 360 stereo is on the creation side. While you are able to capture decent mono 360 video with two or three cameras, 360 stereo is a different beast: you need at least 6-8 cameras and a lot of processing.</p>
]]></description><pubDate>Thu, 21 Jan 2016 22:57:33 +0000</pubDate><link>https://news.ycombinator.com/item?id=10949204</link><dc:creator>jorge_leria</dc:creator><comments>https://news.ycombinator.com/item?id=10949204</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=10949204</guid></item><item><title><![CDATA[New comment by jorge_leria in "Peach App Token Reuse Flaw"]]></title><description><![CDATA[
<p>The best tool around is MITMproxy/MITMdump: Scriptable, free software and multiplatform.
<a href="http://mitmproxy.org/" rel="nofollow">http://mitmproxy.org/</a></p>
]]></description><pubDate>Tue, 19 Jan 2016 13:23:05 +0000</pubDate><link>https://news.ycombinator.com/item?id=10930518</link><dc:creator>jorge_leria</dc:creator><comments>https://news.ycombinator.com/item?id=10930518</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=10930518</guid></item><item><title><![CDATA[New comment by jorge_leria in "Peach App Token Reuse Flaw"]]></title><description><![CDATA[
<p>If you have a jailbroken iOS device you can use SSL Kill Switch [0] to disable certificate pinning and get the traffic with MITMproxy [1] or Charles.<p>[0] <a href="https://github.com/nabla-c0d3/ssl-kill-switch2" rel="nofollow">https://github.com/nabla-c0d3/ssl-kill-switch2</a>
[1] <a href="http://mitmproxy.org/" rel="nofollow">http://mitmproxy.org/</a></p>
]]></description><pubDate>Tue, 19 Jan 2016 13:17:58 +0000</pubDate><link>https://news.ycombinator.com/item?id=10930486</link><dc:creator>jorge_leria</dc:creator><comments>https://news.ycombinator.com/item?id=10930486</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=10930486</guid></item></channel></rss>