Hacker News: vengefulduck

New comment by vengefulduck in "Egg prices are soaring. Are backyard chickens the answer?"

vengefulduck — Thu, 20 Feb 2025 16:14:38 +0000

I think the problem with this argument is the assumption that nature is inherently good. Nature is cruel and uncaring. Moving beyond it is a good thing imo. We’re just lucky that as a species by the roll of the dice we were given the power by nature to usurp it.

New comment by vengefulduck in "Even Microsoft Notepad is getting AI text editing now"

vengefulduck — Thu, 07 Nov 2024 20:25:54 +0000

Have you used VLC on MacOS tho? Full screen video looks very slick and is tough to differentiate from native quicktime other than having support for more codecs and features.

The non full screen UI is a little more crusty but still looks better than the windows version imo.

New comment by vengefulduck in "What is an SBAT and why does everyone suddenly care"

vengefulduck — Thu, 22 Aug 2024 15:09:21 +0000

Browsers enforce that certificates are signed by two independent CT logs. The public keys of which is shipped by the browser. So a MITM would need to compromise a trusted CA and two CT logs to be able to pull off an attack undetected. Maybe not impossible but much more difficult than just a single CA compromise.

New comment by vengefulduck in "Dutch Students Delay Graduation Due to Housing Shortages"

vengefulduck — Thu, 02 May 2024 21:10:55 +0000

Assuming that living with your parents is a safe option which for many, especially LGBT people it isn’t.

New comment by vengefulduck in "Tesla recalls all cybertrucks for faulty accelerator pedals"

vengefulduck — Fri, 19 Apr 2024 17:39:21 +0000

Of course, this is the only explanation. No one can just make stuff up on the internet. That’s impossible.

New comment by vengefulduck in "Opera becomes the first major browser with built-in access to local AI models"

vengefulduck — Wed, 03 Apr 2024 17:32:10 +0000

Browsers are just mini OSs at this point. It’s probably best just to accept it. Honestly in some respects (security, isolation, resource management) they do a better job than the operating system they run on top of.

New comment by vengefulduck in "Cracking Meta's Messenger Certificate Pinning on macOS"

vengefulduck — Wed, 06 Mar 2024 01:55:45 +0000

Even as a user I don’t there’s a good reason to love cert pinning. If you’re going up against adversaries that can compromise web pki they also probably have some other exploits up their sleeve to pwn you.

Cert pinning pretty much serves to protect companies from people reversing their protocols and little else imo.

New comment by vengefulduck in "Blocking Visual Studio Code embedded reverse shell before it's too late"

vengefulduck — Sat, 23 Sep 2023 18:57:28 +0000

Write access to .bashrc is plenty to very sneakily get sudo access tho.

  alias sudo='./.my-evil-sudo-binary'

And wait till the next time the user authenticates, they wont see anything amiss and you just silently delete the alias after you’ve got the sudo password.

Also even without root dumping .ssh and the browser’s cookie jar is probably plenty to achieve lateral movement and you don’t need root for that.

New comment by vengefulduck in "Linux has achieved a 3% desktop market share"

vengefulduck — Wed, 12 Jul 2023 01:24:40 +0000

Installable web apps would give you a workaround for that wouldn’t it?

New comment by vengefulduck in "Microsoft is testing a built-in cryptocurrency wallet for the Edge web browser"

vengefulduck — Sun, 19 Mar 2023 14:59:18 +0000

Hahahahaha. Yeah, sure cryptocurrency never comes crashing down. It certainly would never lose 60% of its value in 6 months. That would never happen. What a perfect store of value. /s

New comment by vengefulduck in "Password protect a static HTML page"

vengefulduck — Sun, 19 Feb 2023 06:16:17 +0000

The math used in AES (Rijndael) utilize operations in GF(2^8) tho, so you're doing operations using Galois fields whether your utilizing GCM or CBC. I don't really see how adding the GCM mode utilizing GF(2^128) on top is significantly more difficult or error prone than implementing the AES block cipher itself. You should still be familiar with operations over Galois fields regardless if you've for some reason (foolishly imo) decided you want to implement AES cryptographic primitives on your own.

Regardless there's no good reason not to use a vetted open source implementation instead, preferably with an even higher level of abstraction so your not having to worry about ciphers or modes of operation at all[1].

[1] https://doc.libsodium.org/secret-key_cryptography/secretbox

New comment by vengefulduck in "Blink virtual machine now supports running GUI programs"

vengefulduck — Fri, 03 Feb 2023 16:38:25 +0000

The fact that any Xorg client can become a key logger without any user input or authentication is a pretty big security hole imo.

By design Xorg has no isolation between clients so they can all read each others input, control others windows, and inject keystrokes into other applications. That’s unacceptable in the modern age and makes any attempt at sandboxing or separation of privileges for GUI applications completely pointless.

New comment by vengefulduck in "Hard truths I learned when I got laid off from my SWE job"

vengefulduck — Wed, 28 Dec 2022 19:26:01 +0000

Even when applying to companies that are LGBTQ friendly? I sometimes self identify on applications if the company has a good reputation with that kind of thing because I’d expect It would give me some diversity points. But maybe that’s not the best idea.

New comment by vengefulduck in "Convergent Encryption and Why No One Uses It (2020)"

vengefulduck — Wed, 07 Dec 2022 20:57:43 +0000

I submitted this in light of the recent iCloud end to end encryption announcement which seems to indicate they're using Convergent Encryption here:

https://support.apple.com/en-ca/guide/security/sec973254c5f/...

Convergent Encryption and Why No One Uses It (2020)

vengefulduck — Wed, 07 Dec 2022 20:55:52 +0000

Article URL: https://smarx.com/posts/2020/09/convergent-encryption-and-why-no-one-uses-it/

Comments URL: https://news.ycombinator.com/item?id=33900098

Points: 11

# Comments: 3

New comment by vengefulduck in "Apple introduces end-to-end encryption for backups"

vengefulduck — Wed, 07 Dec 2022 20:53:56 +0000

Looking into the details it seems like they're using Convergent Encryption [1][2] in order to enable deduplication in iCloud drive and photos. Which would imply it is possible for an attacker to determine if your account is storing a file for which they know the plaintext. It's still a lot better than the status quo but that's a pretty big asterisk in my mind.

[1]https://support.apple.com/en-ca/guide/security/sec973254c5f/...

[2] https://smarx.com/posts/2020/09/convergent-encryption-and-wh...

New comment by vengefulduck in "Tumblr to Add Support for ActivityPub"

vengefulduck — Fri, 25 Nov 2022 00:38:29 +0000

Your kidding right? Anything IO bound like an server isn’t going to be remotely affected by the speed of underlying language. There’s almost no compute required for a mastodon server just take HTTP requests and store and retrieve data from a database. The CPU is going to be active for a fraction of a millisecond before it becomes blocked on either the database or network.

New comment by vengefulduck in "Bouncer – Private SMS Blocker"

vengefulduck — Sat, 10 Sep 2022 15:03:05 +0000

I’m not so sure that’s true reading through the privacy notice when enabling SMS filtering it reads “You can install and use third-party SMS filters. If you do, the filter provider can access all of the text and content included in incoming SMS and MMS messages that you receive from unknown senders.”

That doesn’t sound like the same thing as the content blocker api it sounds like it provides plaintext access to sms messages. And it’s enough of a risk that I decided not to install it.

New comment by vengefulduck in "Post-quantum encryption contender is taken out by single-core PC and 1 hour"

vengefulduck — Wed, 03 Aug 2022 15:37:20 +0000

I don’t think you need to be from the west coast to understand people saying SIKE. It’s a pretty common phrase across the US. I’m from Colorado and I heard that a fair amount growing up. Agree on the appropriate name though it was my first thought reading that it had been broken.

New comment by vengefulduck in "Ask HN: Why do you use a VPN?"

vengefulduck — Wed, 06 Jul 2022 04:35:47 +0000

They can usually still see Domain names. DNS traffic is normally sent in the clear and in the event it’s not the SNI field in TLS (https) is unencrypted. So your ISP can know which domains you visit but not the individual sites on those domains you visit. (i.e they would know you visited google.com but not that you requested the page: google.com/q=your+question) Which depending on the site might not be all that sensitive but I’m sure you can think of a few examples of sites you wouldn’t want anyone to knowing you went to even if they couldn’t see which page.