jtdowney's comments

jtdowney | 3 years ago | on: Linus Torvalds: Rust for the Kernel Could Possibly Be Merged for Linux 5.20

> - Both async/await and the question mark operator feel like rushed implementations, neither seem like the best long term solutions for Rust and are not in line with the otherwise solid foundation of the language.

I'd disagree with both of these. They may not be to your style but that doesn't make them rushed. Both features had long debates around their adoption.

> - Open source code examples sometimes use an array of external dependencies that are unrelated to a given project and feel arbitrary. This reminds me of the JS ecosystem.

That is irrelevant to this project. You should read the Rust kernel docs to see why.

> - Some projects pride themselves to not use "unsafe" code, including linking with battle tested C code, which seems like an arbitrary restriction that sounds better than it actually is. There is even an open source maintainer that got mobbed out from his own project because he used "unsafe" in places that others didn't agree with.

Also irrelevant. This may be a criticism of Rust but it in no way affects how Rust may be adopted into Linux.

> - Rust is fashionable. Putting "Rust" next to a HN title immediately gets clicks and upvotes. SO surveys and similar report high interest in the language. This is not an inherently bad thing, quite the opposite. But as a secondary effect it might detract from objective, technical decision making.

Linus is famous for doing fashionable things and forgoing technical decision making.

jtdowney | 9 years ago | on: Levchin Prizes: Joan Daemen (AES and SHA-3) and Moxie Marlinspike and Trevor Perrin

Dan went into a little more of the backstory last year during the first awarding of the Levchin prizes. If I recall correctly, he and Max had been long time acquaintances and Dan even advised Max while he was working on some of the early PayPal technology. Max told a story about Dan leaving his own birthday party to help Max debug a CSPRNG.

jtdowney | 9 years ago | on: Apple Delays iOS SSL Requirement Indefinitely

I've spent time with lawyers on specifically this topic. It is about who is distributing the crypto code. There is also an exemption for open source crypto code. On iOS you definitely do not need to register your app if it is just using the built in HTTPS functionality. Hire your own lawyers if you're really worried about it though.

jtdowney | 10 years ago | on: Ask HN: Liability due to lack of SSL

Both Stripe and Braintree require you to use SSL (really TLS) on your checkout pages. They also both require you to maintain PCI compliance (although you likely qualify for a reduced set of requirements).

jtdowney | 11 years ago | on: Accepting payments is getting harder

I agree! I submitted it as a separate item because this conversation was about rewriting iframes. Although hosted fields doesn't directly address the rewriting for now, we're looking at it closely.

jtdowney | 11 years ago | on: Accepting payments is getting harder

At Braintree, we have been working on the approach you mentioned. We’ll soon update our iframe products to allow a merchant to opt-in to only ever receiving cardholder data via the Braintree iframe. With this change, we could actively block malicious JavaScript from rewriting the merchant form by rejecting data not from the Braintree iframe. Things like this aren't a panacea though, which is why it’s important for merchants to use technologies like Content Security Policy and leverage as much of the browser security model as possible.

jtdowney | 11 years ago | on: CVE-2014-6271: Remote code execution through bash

It is far worse in the sense that it can lead to remote code execution. However, the number of vulnerable sites is far far fewer. Like Heartbleed, this one will likely have a very long tail of systems remaining vulnerable. My guess is we will see this vulnerability used to compromise big targets in the next few months.

jtdowney | 12 years ago | on: Auth, Capture, and two-step payment flows

It actually depends on the merchant category code (MCC) of your merchant account when it is set up. Only certain category codes, such as hotels and gas stations, are allowed to capture for more than they authorize.