<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: rubendev</title><link>https://news.ycombinator.com/user?id=rubendev</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Tue, 14 Apr 2026 09:58:52 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=rubendev" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by rubendev in "Claude Code Found a Linux Vulnerability Hidden for 23 Years"]]></title><description><![CDATA[
<p>With a capable static analyzer that is not true. In many common cases they can deduce the possible ranges of values based on branching checks along the data flow path, and if that range falls within the buffer then it does not report it.</p>
]]></description><pubDate>Sat, 04 Apr 2026 18:03:35 +0000</pubDate><link>https://news.ycombinator.com/item?id=47641579</link><dc:creator>rubendev</dc:creator><comments>https://news.ycombinator.com/item?id=47641579</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47641579</guid></item><item><title><![CDATA[New comment by rubendev in "Why the EU's AI Act is about to become enterprises' biggest compliance challenge"]]></title><description><![CDATA[
<p>If you say you need the data for security reasons that’s all well and good, but then you can only use the data for that specific purpose. So you cannot suddenly start using it for targeted advertising just because you already have the data.</p>
]]></description><pubDate>Mon, 23 Feb 2026 18:21:32 +0000</pubDate><link>https://news.ycombinator.com/item?id=47126422</link><dc:creator>rubendev</dc:creator><comments>https://news.ycombinator.com/item?id=47126422</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47126422</guid></item><item><title><![CDATA[New comment by rubendev in "Evaluating Argon2 adoption and effectiveness in real-world software"]]></title><description><![CDATA[
<p>Please elaborate why you believe that? The ability to easily rotate encryption keys is considered an anti-pattern?</p>
]]></description><pubDate>Fri, 24 Oct 2025 17:35:02 +0000</pubDate><link>https://news.ycombinator.com/item?id=45697042</link><dc:creator>rubendev</dc:creator><comments>https://news.ycombinator.com/item?id=45697042</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45697042</guid></item><item><title><![CDATA[New comment by rubendev in "Evaluating Argon2 adoption and effectiveness in real-world software"]]></title><description><![CDATA[
<p>Also, I gave the link to the appendix because there was a specific question about Argon2 parameters. For general developer audiences, they need to look at the standard itself which is a lot more high level about how to properly implement cryptography in software: 
<a href="https://github.com/OWASP/ASVS/blob/master/5.0/en/0x20-V11-Cryptography.md" rel="nofollow">https://github.com/OWASP/ASVS/blob/master/5.0/en/0x20-V11-Cr...</a><p>For the most common use-cases of cryptography like authentication and secure communication there is more specific, but still high level guidance that is useful for developers as well:<p>- <a href="https://github.com/OWASP/ASVS/blob/master/5.0/en/0x21-V12-Secure-Communication.md" rel="nofollow">https://github.com/OWASP/ASVS/blob/master/5.0/en/0x21-V12-Se...</a><p>- <a href="https://github.com/OWASP/ASVS/blob/master/5.0/en/0x18-V9-Self-contained-Tokens.md" rel="nofollow">https://github.com/OWASP/ASVS/blob/master/5.0/en/0x18-V9-Sel...</a><p>- <a href="https://github.com/OWASP/ASVS/blob/master/5.0/en/0x15-V6-Authentication.md#v65-general-multi-factor-authentication-requirements" rel="nofollow">https://github.com/OWASP/ASVS/blob/master/5.0/en/0x15-V6-Aut...</a></p>
]]></description><pubDate>Wed, 22 Oct 2025 19:49:40 +0000</pubDate><link>https://news.ycombinator.com/item?id=45674244</link><dc:creator>rubendev</dc:creator><comments>https://news.ycombinator.com/item?id=45674244</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45674244</guid></item><item><title><![CDATA[New comment by rubendev in "Evaluating Argon2 adoption and effectiveness in real-world software"]]></title><description><![CDATA[
<p>Which one would you recommend instead? Referring dev teams to NIST standards or the like doesn’t work well in my experience.</p>
]]></description><pubDate>Wed, 22 Oct 2025 17:39:23 +0000</pubDate><link>https://news.ycombinator.com/item?id=45672516</link><dc:creator>rubendev</dc:creator><comments>https://news.ycombinator.com/item?id=45672516</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45672516</guid></item><item><title><![CDATA[New comment by rubendev in "Evaluating Argon2 adoption and effectiveness in real-world software"]]></title><description><![CDATA[
<p>Yes it’s an audit checklist for when you need to know specifically what to use and with which parameters.<p>It’s unfortunate if there are mistakes in there. The people at OWASP would be very happy to receive feedback on their GitHub I’m sure.</p>
]]></description><pubDate>Wed, 22 Oct 2025 17:07:53 +0000</pubDate><link>https://news.ycombinator.com/item?id=45672111</link><dc:creator>rubendev</dc:creator><comments>https://news.ycombinator.com/item?id=45672111</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45672111</guid></item><item><title><![CDATA[New comment by rubendev in "Evaluating Argon2 adoption and effectiveness in real-world software"]]></title><description><![CDATA[
<p>Can you give some examples of such commonly used libraries for languages like Java / C# / C++?<p>In my experience there are not many libraries like Google Tink around, and they are not in widespread use at all. Most applications doing encryption manually for specific purposes still have the words AES, CBC, GCM, IV etc. hardcoded in their source code.<p>If you review such code, it’s still useful to have resources that show industry best practices, but I agree that the gold standard is to not have these details in your own code at all.</p>
]]></description><pubDate>Wed, 22 Oct 2025 17:01:27 +0000</pubDate><link>https://news.ycombinator.com/item?id=45672025</link><dc:creator>rubendev</dc:creator><comments>https://news.ycombinator.com/item?id=45672025</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45672025</guid></item><item><title><![CDATA[New comment by rubendev in "Evaluating Argon2 adoption and effectiveness in real-world software"]]></title><description><![CDATA[
<p>Yes I fully agree. I’m a big fan of libraries like Google Tink that make you pick a use case and use the best implementation for that use case with built-in crypto agility.<p>Most crypto libraries are not built like that, however. They just give you a big pile of primitives/algorithms to choose from. Then frameworks get built on top of that, not always taking into account best practices, and leave people that are serious about security the job of making sure the implementation is secure. This is the point where you need something like ASVS.</p>
]]></description><pubDate>Wed, 22 Oct 2025 16:42:00 +0000</pubDate><link>https://news.ycombinator.com/item?id=45671740</link><dc:creator>rubendev</dc:creator><comments>https://news.ycombinator.com/item?id=45671740</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45671740</guid></item><item><title><![CDATA[New comment by rubendev in "Evaluating Argon2 adoption and effectiveness in real-world software"]]></title><description><![CDATA[
<p>The OWASP ASVS appendix on Cryptography is one of the best and most concise resources I know for this kind of thing: <a href="https://github.com/OWASP/ASVS/blob/master/5.0/en/0x92-Appendix-C_Cryptography.md#hash-functions-for-password-storage" rel="nofollow">https://github.com/OWASP/ASVS/blob/master/5.0/en/0x92-Append...</a></p>
]]></description><pubDate>Wed, 22 Oct 2025 16:26:30 +0000</pubDate><link>https://news.ycombinator.com/item?id=45671551</link><dc:creator>rubendev</dc:creator><comments>https://news.ycombinator.com/item?id=45671551</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45671551</guid></item><item><title><![CDATA[New comment by rubendev in "Show HN: I built website for sharing Drum Patterns"]]></title><description><![CDATA[
<p>If you only secure the login you will be sending your session cookies unencrypted for the other pages and they can be intercepted and used to impersonate you.</p>
]]></description><pubDate>Mon, 24 Mar 2025 06:17:33 +0000</pubDate><link>https://news.ycombinator.com/item?id=43458132</link><dc:creator>rubendev</dc:creator><comments>https://news.ycombinator.com/item?id=43458132</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43458132</guid></item><item><title><![CDATA[New comment by rubendev in "Hacking 700M Electronic Arts Accounts"]]></title><description><![CDATA[
<p>If the program has access to the credential, and the program is running on your computer, you also have access to the credential no matter how they try to obfuscate it.<p>What the game dev is supposed to do is have an account system on their backend, and ask the player to enter their credentials in the game. The game can then identify itself as this player to the backend servers. That way any actions on the backend can be attributed to a particular player and you have a good basis to make security decisions on.</p>
]]></description><pubDate>Tue, 05 Nov 2024 18:18:49 +0000</pubDate><link>https://news.ycombinator.com/item?id=42053902</link><dc:creator>rubendev</dc:creator><comments>https://news.ycombinator.com/item?id=42053902</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=42053902</guid></item><item><title><![CDATA[New comment by rubendev in "Password protect a static HTML page, decrypted in-browser in JavaScript"]]></title><description><![CDATA[
<p>You can set a CSP in the HTML head section using a meta http-equiv tag. It has similar functionality to X-Frame-Options IIRC.</p>
]]></description><pubDate>Sun, 01 Sep 2024 10:25:45 +0000</pubDate><link>https://news.ycombinator.com/item?id=41415702</link><dc:creator>rubendev</dc:creator><comments>https://news.ycombinator.com/item?id=41415702</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=41415702</guid></item><item><title><![CDATA[New comment by rubendev in "Ask HN: Do you think Hacker News is missing any features?"]]></title><description><![CDATA[
<p>A dark mode would be nice.</p>
]]></description><pubDate>Mon, 25 Jul 2022 20:11:01 +0000</pubDate><link>https://news.ycombinator.com/item?id=32230272</link><dc:creator>rubendev</dc:creator><comments>https://news.ycombinator.com/item?id=32230272</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=32230272</guid></item></channel></rss>