xianb | 3 years ago | on: Ask HN: Does Uber Eats take a loss when they offer their coupons?
xianb's comments
xianb | 6 years ago | on: Auth0 JWT Auth Bypass: Case-Sensitive Blacklisting Is Harmful
It's fascinating how Auth0 actually had a blog post about finding and fixing a handful of JWT vulnerabilities years ago (one of them is more advanced to exploit than this). Just another example of why you always have to be vigilant and that properly implementing encryption/security is hard
https://auth0.com/blog/critical-vulnerabilities-in-json-web-...
xianb | 7 years ago | on: U.K. Lawmakers accuse Facebook's CEO of leadership failure
probably need to be fined billions to get them to take it seriously
xianb | 7 years ago | on: Gmail spam-filters PayPal security messages
Houzz and Nest security emails also got filtered
xianb | 7 years ago | on: Google has quietly dropped ban on personally identifiable web tracking (2016)
I think it's not just the journalists though...pretty sure some of the concerns with FB were published years ago but fell on mostly deaf ears. But now you have a public that cares more due to some "big revelations" and also a press he'll-bent on furthering the anti-SV tracking narrative
xianb | 7 years ago | on: I exploited TLS-SNI-01 issuing Let's Encrypt SSL-certs for any domain (2018)
> Why would LE send the SNI in the first place? I thought the purpose was to prove you own the domain, not cohabit an environment where the domain is hosted?
The assumption was that you controlled the domain if you could return the self-signed cert with subjectAlt=foo.bar.acme.invalid when the SNI request for foo.bar.acme.invalid is made to the server your are requesting a cert for. Unfortunately the assumption didn't hold up because hosting providers shared the same routing server across domains and subdomains and those routing servers did not have controls around the subjectAlt domains used for TLS-SNI-01.
> Also, what do host headers have to do with this? Presumably this is just a tls handshake test? They don't have anything to do with the weakness. It's mentioned to make the distinction that SNI is used for the cert retrieval to establish the connection and Host-header is used separately to route to the proper backend
xianb | 7 years ago | on: Hacking of artificial intelligence is an emerging security crisis
For ETH the big one is the DAO where they had to fork it to recover
There's also other smaller bugs like coinbase and parity wallet
xianb | 7 years ago | on: PagerDuty Files Confidentially for IPO
Perhaps this might be a poor setup on my company's part, but it's awful navigating between teams and finding escalation policies and schedules in PD
xianb | 7 years ago | on: Button offers instant gratification for those plagued by airplane noise
> The green lines are flight paths from before the implementation of the new technology (January 2013). The red lines are flight paths from after the implementation of the new technology (January 2015).
xianb | 7 years ago | on: Amazon is selling stolen art, fake products and is infringing copyrights
sounds like a nice generic company value/principle
xianb | 7 years ago | on: Amazon’s Grocery Push Keeps Stumbling After Whole Foods Purchase
is it really different from the data collection of other grocery store shopper cards though?
xianb | 7 years ago | on: Chat app fined for plaintext passwords under GDPR
if you store plaintext password on the client, you'd be one XSS attack away from potentially having a lot of passwords stolen - best practice is to have password in plaintext for a little as possible (there's some research on not transmitting the password at all but I don't think there's anything widely accepted like bcrypt is for password hashing https://en.wikipedia.org/wiki/Zero-knowledge_password_proof)
xianb | 7 years ago | on: Chat app fined for plaintext passwords under GDPR
anything that makes computation less intensive for you also makes it less intensive for a potential malefactor - it's just an inherent tradeoff.
Rather than scan for password being contained in the message, something more reasonable to try would be to check if the whole message is the password since you can just plug that into the normal password hasher and run just one slower hash op
xianb | 7 years ago | on: LinkedIn violated data protection by using 18M email addresses of non-members
accurate description of LinkedIn by Blake Lively and Anna Kendrick https://youtu.be/xmo8-Bh98fw?t=270
xianb | 7 years ago | on: Blue Apron lays off more workers
but you can also choose to withhold stock for taxes
basically would have just been a losing gamble to have withheld money instead instead of it being something forced upon them
xianb | 7 years ago | on: Former Groupon CEO Andrew Mason on what the roller-coaster ride felt like
xianb | 7 years ago | on: Sales engagement startup Apollo says its massive contacts database was stolen
yeah, if you're absolutely inept and have insufficient logging/monitoring, you can't even tell how bad you'd been screwed. kinda like a Dunning Kruger effect of sorts
xianb | 7 years ago | on: Facebook Network Breach Impacts Up to 50M Users
sounded like the video stuff was added after view as was added so it probably didn't go through the same level of scrutiny
xianb | 7 years ago | on: A Cardiologists Concerns with the New Apple Watch
sounds similar to this https://en.wikipedia.org/wiki/False_positive_paradox
xianb | 7 years ago | on: Google’s first all-hands after 2016 election [video]
https://www.youtube.com/watch?v=E5gPdrlyc84
people have, but who knows how long it'll last
page 1
https://twitter.com/grubhub/status/611320394256109568?lang=e...