Hacker News: ylk

New comment by ylk in "I found a vulnerability. they found a lawyer"

ylk — Fri, 20 Feb 2026 22:25:29 +0000

This is not how CVEs work at all. You can be pretty vague when registering it. In fact they’re usually annoyingly so and some companies are known for copy and pasting random text into the fields that completely lead you astray when trying to patch diff.

Additionally, MITRE doesn’t coordinate a release date with you. They can be slow to respond sometimes but in the end you just tell them to set the CVE to public at some date and they’ll do it. You’re also free to publish information on the vulnerability before MITRE assigned a CVE.

New comment by ylk in "GrapheneOS – Break Free from Google and Apple"

ylk — Tue, 17 Feb 2026 12:24:08 +0000

> The baseband can do a lot, it has dma

There's an IOMMU:

> Is the baseband isolated? > Yes, the baseband is isolated on all of the officially supported devices. Memory access is partitioned by the IOMMU and limited to internal memory and memory shared by the driver implementations. [...]

https://grapheneos.org/faq#baseband-isolation

> GrapheneOS cannot really influence this, but hardened_malloc could conceivably help.

They can and do, see above. But I don't see how hardened_malloc is related to the baseband doing DMA.

New comment by ylk in "RediShell: Critical remote code execution vulnerability in Redis"

ylk — Tue, 07 Oct 2025 09:20:16 +0000

fwiw, they're using CVSSv3. In CVSSv4, it's probably an 8.7: https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L...

New comment by ylk in "Google: 'Your $1000 phone needs our permission to install apps now' [video]"

ylk — Sun, 31 Aug 2025 14:39:22 +0000

> Android 16 no longer provides device trees for Pixels as part of the Android Open Source Project. It's important to note it doesn't provide those for any other devices. There are no other OEMs providing similar AOSP support. [...]

by strcat, Graphene OS founder https://news.ycombinator.com/item?id=44679100

New comment by ylk in "Blurry rendering of games on Mac"

ylk — Fri, 15 Aug 2025 08:37:57 +0000

The screen is a 16:10 screen with some extra pixels added next to the notch. By default, the system uses a resolution of 1512x982 (14"), which you can change to 1512x945 (16:10) to move the menu bar below the notch and end up with black pixels next to the notch.

New comment by ylk in "Containerization is a Swift package for running Linux containers on macOS"

ylk — Tue, 10 Jun 2025 13:09:30 +0000

You don’t have to assume, the docs in the repo tell you that it does run a Linux kernel in each VM. It’s one container per VM.

New comment by ylk in "Quarkdown: A modern Markdown-based typesetting system"

ylk — Tue, 03 Jun 2025 18:43:01 +0000

Not trying to argue that this happens regularly, but some recent (last 6 months or so) minted update contained breaking changes.

New comment by ylk in "Homomorphic encryption in iOS 18"

ylk — Wed, 15 Jan 2025 14:07:27 +0000

> a feature that can only be appreciated by a subculture of people (privacy advocates)

Just because it can’t be “appreciated” by all users doesn’t mean it’s only “for” a small sub-group.

It seems to me they’re just trying to minimise the data they have access to — similar to private cloud compute — while keeping up with the features competitors provide in a less privacy-respecting way. Them not asking for permission makes it even more obvious to me that it’s not built for any small super privacy-conscious group of people but the vast majority of their customers instead.

New comment by ylk in "A mole infiltrated the highest ranks of American militias"

ylk — Sat, 04 Jan 2025 20:35:13 +0000

What you write sounds plausible at first, but then there’s this example from the German KSK:

„In 2018, the German Federal Criminal Police Office uncovered a plot involving unknown KSK soldiers to murder prominent German politicians such as Claudia Roth, Heiko Maas and Joachim Gauck among others, and carry out attacks against immigrants living in Germany.[7] Also, earlier that same year in a separate investigation, the State prosecutors in the city of Tübingen investigated whether neo-Nazi symbols were used at a "farewell" event involving members of KSK.[8][9]

In June 2020, German defence minister Annegret Kramp-Karrenbauer announced that the unit would be partially disbanded due to growing far-right extremism within the ranks.[10] The KSK had become partially independent from the chain of command, with a toxic leadership culture. One of the force's four companies where extremism is said to be the most rife was to be dissolved and not replaced.[11]“

https://en.m.wikipedia.org/wiki/Kommando_Spezialkr%C3%A4fte

New comment by ylk in "Passkey technology is elegant, but it's most definitely not usable security"

ylk — Mon, 30 Dec 2024 17:06:55 +0000

It’s recommended to have at least two anyway, to still have access to your accounts in case one is lost. That means you can keep one key at your desktop and you’d only need to go up to get your keys when adding them to an account.

New comment by ylk in "A Tour of WebAuthn"

ylk — Thu, 26 Dec 2024 23:24:33 +0000

I agree that it's annoying that there's now a limit on the amount of credentials you can store on hardware keys. But while older Yubikeys only support 25 resident keys, models with firmware 5.7 onwards support 100. That probably makes it feasible to exclusively store passkeys in hardware. https://www.yubico.com/blog/empowering-enterprise-security-a...

However, I don't know whether it's possible to delete only a single resident key you no longer need.

New comment by ylk in "A Tour of WebAuthn"

ylk — Thu, 26 Dec 2024 23:07:42 +0000

Just use a password manager that doesn't sync by itself then

https://keepassxc.org/docs/KeePassXC_UserGuide#_passkeys

New comment by ylk in "Microsoft Confirms Password Deletion for 1B Users"

ylk — Wed, 18 Dec 2024 08:29:54 +0000

I’m saying most people who do phishing likely don’t care to implement passkey detection to display a relevant error message to the user, as it’s not worth the effort, as of now

New comment by ylk in "Microsoft Confirms Password Deletion for 1B Users"

ylk — Wed, 18 Dec 2024 08:28:56 +0000

There are syncable and hardware-bound passkeys and you are free to use a password manager that syncs your passkeys. iPhones don’t even let you create a passkey with the built in password manager if you have synchronisation disabled. I don’t know for sure if Google does the same but I expect them to.

If you’re remembering all your passwords there’s a good chance they’re terrible, you frequently re-use them or both. That really helps attackers e.g. when they use leaked passwords to run credential stuffing attacks on your employer.

You just wrote two comments bashing a technology you admit you didn’t properly educate yourself about.

New comment by ylk in "Microsoft Confirms Password Deletion for 1B Users"

ylk — Tue, 17 Dec 2024 23:05:28 +0000

Register a passkey on a different device or get a hardware key or whatever. Or call Microsoft support and complain to them. This doesn’t feeling like an honest discussion anymore.

New comment by ylk in "Microsoft Confirms Password Deletion for 1B Users"

ylk — Tue, 17 Dec 2024 22:56:20 +0000

Honestly don’t care to spend time on looking up the various states of 2fa proxies. But I’ve learnt so far that attackers don’t build/use the most advanced tooling you can think of at all times. They often use the simplest thing that gets the job done. If it’s not targeted, it’s fine to not get the credentials of people with a passkey. Up until a significant portion of targets use passkeys, which I highly doubt to be the case as of now.

Additionally, “the kind of person who's prone to non-targeted phishing attacks” is actually everyone — including infosec professionals spending lots of time on phishing campaigns for red team engagements. You just need to be lucky enough to reach them at the right (emotional, stressful, …) moment. Getting grammar and spelling correct and even potentially even slightly customising each email is made much easier by AI. Knowledgeable users might, however, stop once their passkey doesn’t work and try to understand why.

New comment by ylk in "Microsoft Confirms Password Deletion for 1B Users"

ylk — Tue, 17 Dec 2024 20:47:32 +0000

Find your phone: https://www.icloud.com/find/

Scanning a QR code: https://support.apple.com/en-us/102680

The time investment could even be worth it, since "Signing in with a passkey is three times faster than using a traditional password and eight times faster than a password and traditional MFA", according to the article.

New comment by ylk in "Microsoft Confirms Password Deletion for 1B Users"

ylk — Tue, 17 Dec 2024 19:40:02 +0000

> In the case of those services you mention, passkeys are nothing but convenience; they provide no extra security.

They do provide extra security, in that they ensure that you're on the correct domain instead of a phishing site.

Security Audit of Backstage

ylk — Mon, 16 Dec 2024 17:29:01 +0000

Article URL: https://x41-dsec.de/security/research/job/news/2024/12/16/backstage-review-2024/

Comments URL: https://news.ycombinator.com/item?id=42433155

Points: 1

# Comments: 0

New comment by ylk in "Review of Mullvad VPN"

ylk — Thu, 12 Dec 2024 15:04:52 +0000

That’s for accessing the website, not for sending your traffic via TOR to Mullvad. I don’t think they have a built-in way to send traffic to them via TOR without going through an exit node.