Hacker News: zemnmez

New comment by zemnmez in "Debugging an Undebuggable App"

zemnmez — Mon, 17 Feb 2025 20:54:14 +0000

a few of my writeups discuss ways of doing this:

appleid https://zemnmez.medium.com/how-to-hack-apple-id-f3cc9b483a41 steam https://hackerone.com/reports/409850

New comment by zemnmez in "Leaking the email of any YouTube user for $10,000"

zemnmez — Wed, 12 Feb 2025 16:34:09 +0000

i think what's being conflated here is that there are reasonably buyers for this kind of vulnerability but there's no market in the truest sense. I think a correctly connected individual could well sell this vuln to a state actor or a contractor to one; but the ecosystem of bug sales to these parties has no aggregate appetite for them, thus, there is nothing driving the price up. People in the market for cyberweapons want point and shoot vulns that have broad usage beyond a specific server for a specific company or parts for them, and ones that will last beyond a single corporation patching something. They are willing to pay such big $$$ for this that the whole market is optimized for it. The power players here would much rather buy a gun and shoot the lock off a door than a specialised set of picks that work for that lock in that building.

New comment by zemnmez in "All clocks are 30 seconds late"

zemnmez — Tue, 07 Jan 2025 06:10:02 +0000

I apologise for my "but, actually...":

Analogue clocks like the face of big ben are not like digital displays, and whether they "show seconds" in the context of the meaning of this article is not, like digital displays, down to whether there is a dedicated hand.

Unlike digital displays, the largest denomination hand on an analogue clock display contains all of the information that the smaller hands do (depending on the movement in some cases).

The easiest way to realise this is to imagine a clock without the minute hand. Can you tell when it's half-past the hour? You can. The hour hand is half way between the two hours.

Again, it depends on the movement, but it is not out of the question that your minute hand is moving once every second, and not every minute. It is down to the number of beats per unit time for an analogue display as to what the minimum display resolution is (regardless of if the movement is analogue or digital itself).

New comment by zemnmez in "Grammarly's OAuth Mistakes"

zemnmez — Fri, 27 Oct 2023 17:40:27 +0000

OIDC+OAuth is what most people actually want when they think of OAuth imo. The main issue here is that OAuth was not designed as an authentication protocol.

New comment by zemnmez in "Ask HN: Is anyone using cloud dev environments (e.g. Codespaces/Replit) at work?"

zemnmez — Thu, 19 Oct 2023 00:46:33 +0000

No, Google actually runs a remote web IDE called Cider. The latest version is derived from VSCode.

New comment by zemnmez in "North Korean campaign targeting security researchers"

zemnmez — Thu, 07 Sep 2023 20:34:01 +0000

check the zerodium pricelist for a general guide: https://zerodium.com/program.html

New comment by zemnmez in "North Korean campaign targeting security researchers"

zemnmez — Thu, 07 Sep 2023 19:32:38 +0000

This is absolutely because NK doesn't want to pay market rate for 0days.

New comment by zemnmez in "Tax prep companies: $90M lobbying against free tax-filing"

zemnmez — Sat, 02 Sep 2023 20:01:58 +0000

in the uk, most pay tax by an even simpler method, Pay as You Earn (PAYE). the taxes are all filed by the employer, and the online website allows taxpayers to add anything else

New comment by zemnmez in "Google open-sources Rust crate audits"

zemnmez — Wed, 24 May 2023 07:58:50 +0000

Before the layoffs I worked on a security checks team (“ISE Hardening”) at Google. Google requires for almost all projects that code is physically imported into the SCS; when this code touches anything at all, extremely stringent security checks run at build-time.

These checks often don’t attempt to detect actual exploit paths, but for usage of APIs that simply may lead to vulnerability. These checks can only be disabled per file or per symbol and per check by a member of the security team via an allowlist change that has to be in the same commit.

This is not perfect but is by far the most stringent third party policy I’ve seen or worked with. The cost of bringing 3p code into the fold is high.

The flipside of this is that Google tech ends up with an insular and conservative outlook. I’d describe the Googl stack as ‘retro-futuristic’. It is still extremely mature and effective.

New comment by zemnmez in "Malicious VSCode extensions with more than 45k installs"

zemnmez — Mon, 22 May 2023 10:27:50 +0000

I think this is what WhiteSource does. (it's also apparently called Mend now)

New comment by zemnmez in "Go with PHP"

zemnmez — Thu, 11 May 2023 05:19:59 +0000

I want to second this. The top StackOverflow comment for protecting against XSS in PHP still recommends htmlspecialchars() https://stackoverflow.com/questions/1996122/how-to-prevent-x... which is a terrible and ancient approach (context-aware templates are the modern approach).

I also Googled to check CSRF protection and all the sites I can find just discuss rolling it yourself; the example uses some CSPRNG that can potentially return not cryptographically secure numbers without erroring. https://www.section.io/engineering-education/csrf-protection...

That's one thing that really drove me away from PHP. It presents an extremely simple seeming universe, in which web apps are very easy to write – but has really naïve bones, requiring a lot of extra scaffolding to be safe.

New comment by zemnmez in "Protobuffers Are Wrong (2018)"

zemnmez — Fri, 24 Mar 2023 00:30:05 +0000

I think this kind of gets to the point of what protobuf is, and what a lot of tech is like at Google in general. I spent a lot of my career believing elegance and expressiveness was so important to strive for, even if we as engineers often fall short.

But tech at Google tends to be pragmatic in the specific way that protobuf is. It's not perfect, it doesn't fit neatly into a grand ideology, but it is (at least within Google itself) simple enough, easy enough to understand, portable and fit for purpose. In a similar way to bazel, it's full of components worthy of criticism, but those fixes get made when they become the ecosystem's most pressing issues, and not before.

New comment by zemnmez in "Giving the finger is a ‘God-given right’, Canadian judge rules"

zemnmez — Fri, 24 Mar 2023 00:02:35 +0000

wanted to correct this one: I confused Barbados with Jamaica here. Barbados is a republic. I am sure its laws still use the term "the crown", but it looks like it uses the term "Public Prosecutor" instead of "Crown Prosecutor".

New comment by zemnmez in "Giving the finger is a ‘God-given right’, Canadian judge rules"

zemnmez — Sat, 11 Mar 2023 03:01:17 +0000

“the crown” is an idea stemming from english constitutional law representing “the state”, i.e. the legal entity constituting the country. It doesn’t have a lot to do with the physical monarch except in metaphor. It looks like, based on some Googling, that Jamaica, which is a republic (canada is not) still uses the term “crown” in this sense: https://www.mof.gov.jm/careers/crown-counsel-mlss-legal-serv...

New comment by zemnmez in "A pilot scheme to trail the four-day workweek in Britain deemed a success (2022)"

zemnmez — Tue, 21 Feb 2023 09:25:25 +0000

Surely this is a question of supply and demand and if a 4 day workweek is the legally cheap and good path supported by governments in the same way the 5 day workweek is, the competition for salaries will be nearly identical

New comment by zemnmez in "VSCode remote code execution advisory"

zemnmez — Wed, 07 Dec 2022 05:56:22 +0000

The logic here is somewhat sound. VSCode does sanitize by default, but Jupyter notebooks effectively need to run Python code on your machine to work. At that point (this is the meaning of trusted mode), it's not really worth protecting yourself against XSS.

New comment by zemnmez in "VSCode remote code execution advisory"

zemnmez — Wed, 07 Dec 2022 03:37:33 +0000

First-party (i.e. Google). Tricked in the sense I was asked to do a security assessment and didn't check what differential changes had been made

edit: correct!

New comment by zemnmez in "Sapling: A new source control system with Git-compatible client"

zemnmez — Wed, 16 Nov 2022 06:12:47 +0000

I have been looking for something like this for so long!

New comment by zemnmez in "UK Government scans all web servers hosted in the UK for vulnerabilities"

zemnmez — Fri, 04 Nov 2022 20:32:46 +0000

I can personally attest to the fact that yes, british citizens can assess vulnerabilities in UK government systems. This was something I worked with the UKNCSC on: https://www.ncsc.gov.uk/information/vulnerability-reporting

New comment by zemnmez in "Show HN: HiSHtory: Your shell history in context, synced, and queryable"

zemnmez — Wed, 02 Nov 2022 11:07:28 +0000

david is one of the smartest people I've ever worked with at Google. It's good to see him here :)