Hacker News: shellcromancer

New comment by shellcromancer in "OpenAI unveils its first custom chip, built by Broadcom"

shellcromancer — Wed, 24 Jun 2026 14:36:31 +0000

Probably obvious but still omitted in the OpenAI post: chips are being made by TSMC [1]. Wasn't sure if Intel got it.

1. https://www.investing.com/news/stock-market-news/openai-unve...

New comment by shellcromancer in "Notepad++ hijacked by state-sponsored actors"

shellcromancer — Mon, 02 Feb 2026 04:47:55 +0000

> Additionally, the XML returned by the update server is now singed (XMLDSig)

The latest and greatest cryptography powering everyone’s favorite SAML-based single-sign on.

Credential Exchange Format publishes version 1.0

shellcromancer — Sat, 23 Aug 2025 18:56:55 +0000

Article URL: https://fidoalliance.org/specs/cx/cxf-v1.0-ps-20250814.html

Comments URL: https://news.ycombinator.com/item?id=44998186

Points: 3

# Comments: 0

New comment by shellcromancer in "The cryptography behind passkeys"

shellcromancer — Wed, 14 May 2025 19:32:51 +0000

The FIDO Alliance (who wrote the WebAuthn spec with the W3C) has a draft specification for a format (Credential Exchange Format) and protocol (Credential Exchange Protocol) for migrating passkeys and other credentials [1]. I don't think this is implemented by any providers yet, but it's being worked on.

[1] https://fidoalliance.org/specifications-credential-exchange-...

New comment by shellcromancer in "Sign in as anyone: Bypassing SAML SSO authentication with parser differentials"

shellcromancer — Sat, 15 Mar 2025 21:22:21 +0000

Security Cryptography Whatever’s take on this week SAML non-sense will be fun.

Passkey Central

shellcromancer — Tue, 15 Oct 2024 02:51:15 +0000

Article URL: https://www.passkeycentral.org/home/

Comments URL: https://news.ycombinator.com/item?id=41844465

Points: 3

# Comments: 0

New comment by shellcromancer in "EUCLEAK Side-Channel Attack on the YubiKey 5 Series"

shellcromancer — Tue, 03 Sep 2024 19:48:16 +0000

Fantastic research by NinjaLab. One of the most interesting parts to me from Yubico's advisory is that the Webauthn protocols attestation [1] is also defeated by this local cloning. Could the protocol have been better designed to resist this local cloning attack?

> An attacker could exploit this issue to create a fraudulent YubiKey using the recovered attestation key. This would produce a valid FIDO attestation statement during the make credential resulting in a bypass of an organization’s authenticator model preference controls for affected YubiKey versions.

1. https://www.w3.org/TR/webauthn-2/#attestation

New comment by shellcromancer in "Pql, a pipelined query language that compiles to SQL"

shellcromancer — Thu, 29 Feb 2024 16:16:42 +0000

> The where operator will validate that the syntax is valid, but it will pass unknown function calls through to the underlying database. In RunReveal's case, we use Clickhouse under the hood, so if we wanted to do a case-insensitive match we could still use Clickhouse's lower function.

From the release blog [1] they mention that unknown functions are passed through to the underlying SQL engine -- this let's them target anything from mysql, Postgres, ClickHouse or proprietary engines like Snowflake.

1. https://blog.runreveal.com/introducing-pql/

New comment by shellcromancer in "Show HN: Skip the SSO Tax, access your user data with OSS"

shellcromancer — Tue, 11 Apr 2023 18:12:39 +0000

Shameless self-plug for an alternative tax that affects operational security and reliability teams: https://audit-logs.tax

Understanding how your breach impacts me, or detecting how the abuse of your tools are used to impact our organizations shouldn't cost additional money or be gated to only enterprise contracts.

Happy to take PRs for other vendors logs being added: https://github.com/shellcromancer/audit-log-wall-of-shame

Coinbase disrupts social engineering attack

shellcromancer — Sat, 18 Feb 2023 03:39:02 +0000

Article URL: https://www.coinbase.com/blog/social-engineering-a-coinbase-case-study

Comments URL: https://news.ycombinator.com/item?id=34843625

Points: 1

# Comments: 0

New comment by shellcromancer in "AirDrop is now limited to 10 minutes"

shellcromancer — Mon, 28 Nov 2022 20:41:01 +0000

Regardless of where it's rolled out first, this is a good example of reducing the attack surface from remote exploits (which China is known to have and use at contests like Tianfu Cup). Seems in line with changes they made with "Lockdown Mode" that users can opt into.