Hacker News: stringlytyped

New comment by stringlytyped in "Show HN: A search engine for your personal network of high-quality websites"

stringlytyped — Fri, 05 May 2023 10:56:54 +0000

This looks like an amazing tool. I've always thought it would be great if I could curate my own search index. And the way results are summarized with citations is really cool.

However, I am not sure the free plan is generous enough to properly evaluate the search engine and see if I can incorporate it into my workflow. And the pricing feels steep. I would have a look at Kagi's pricing model.

New comment by stringlytyped in "Show HN: Search Engine for Blogs"

stringlytyped — Tue, 29 Mar 2022 22:25:30 +0000

You might want consider using OpenSearch [1] to make it easier to add Blog Surf to browsers as a search engine that can be accessed from the location bar. I added it manually in Firefox but it would have been handy to just be able to right-click the search field and choose "Add a Keyword for this Search".

[1] https://developer.mozilla.org/en-US/docs/Web/OpenSearch

New comment by stringlytyped in "Turning my obsession in the stock market into a side project"

stringlytyped — Wed, 15 Apr 2020 12:04:03 +0000

I'm getting an error when trying to subscribe: "Error submitting the request. Please try again later."

New comment by stringlytyped in "Show HN: Feed of current articles for science lovers shortened to bullet points"

stringlytyped — Mon, 11 Mar 2019 11:04:28 +0000

A browser extension that shows the Bullets.tech summary when you browse to an article that has been summarized would be very useful.

Chrome and Firefox Pull Stylish Add-On After Report It Logged Browser History

stringlytyped — Thu, 05 Jul 2018 07:02:13 +0000

Article URL: https://www.bleepingcomputer.com/news/software/chrome-and-firefox-pull-stylish-add-on-after-report-it-logged-browser-history/

Comments URL: https://news.ycombinator.com/item?id=17461364

Points: 1

# Comments: 1

New comment by stringlytyped in "New autoplay policy in Chrome"

stringlytyped — Mon, 07 May 2018 05:19:57 +0000

Yes! Spotlight does the exact same thing. Drives me crazy.

The end of id_rsa

stringlytyped — Tue, 25 Apr 2017 23:16:25 +0000

Article URL: https://blog.krypt.co/the-end-of-id-rsa-d8fd2951d406

Comments URL: https://news.ycombinator.com/item?id=14199092

Points: 6

# Comments: 5

New comment by stringlytyped in "Secure Account Recovery Made Simple"

stringlytyped — Sat, 24 Sep 2016 18:57:04 +0000

I been doing some reading about this in an attempt to answer my own question. It turns out, there is potential for a timing attack during the verification stage. Provided you store the plain text token in the database, an attacker can deduce a valid token by submitting various guesses to the server.

Hashing the token protects against this.

For more detail: http://blog.ircmaxell.com/2014/11/its-all-about-time.html

New comment by stringlytyped in "Secure Account Recovery Made Simple"

stringlytyped — Sat, 24 Sep 2016 18:02:45 +0000

I am probably missing something obvious, but I am not sure how a timing attack would work during the verification stage (when the emailed token is compared against the database to ensure that it is valid).

If an attacker provides an invalid token, the record wouldn't be found in the database, and the web app would return an error indicating an invalid token. When a valid token is provided, the user is authenticated. You would immediately know whether a token is valid or not—no timing requiring.

However, perhaps there is potential for a timing attack during the initial stage of the reset process, when the user is asking to enter their email address? If the email address provided exists in the database, the server has to 1) generate a token, 2) save the token in the database and 3) send out an email with the generated token. If the email address doesn't exist in the database, the server doesn't have to perform any of these functions.

Potentially, couldn't this allow an attacker to enumerate the email addresses in the web app's database? Of course, in and of itself, this wouldn't allow an attacker to access any of those accounts. And the split-token method suggested by the article wouldn't prevent this enumeration issue.

Is there further potential for a timing attack that I am missing?

EDIT: fixed a typo

New comment by stringlytyped in "USCIS Proposes Rule to Welcome International Entrepreneurs"

stringlytyped — Sat, 27 Aug 2016 06:44:01 +0000

The problem with the E-2 visa is that you never become eligible to apply for a green card.