Readit News logoReadit News
CBMPET2001 commented on Reverse engineering a $1B Legal AI tool exposed 100k+ confidential files   alexschapiro.com/security... · Posted by u/bearsyankees
culanuchachamim · 18 days ago
-The Filevine team was responsive, professional, and took the findings seriously throughout the disclosure process. They acknowledged the severity, worked to remediate the issues, allowed responsible disclosure, and maintained clear communication. This is another great example of how organizations should handle security disclosures.

In the same tenure I think that a professional etical hacker or a curious fellow that is poking around with no harm intent, shouldn't disclose the name of the company that had a security issue if they resolve it professionally.

You can write the same blog post without mentioning that it was Filevine.

If they didn't take care of the incident that's a different story...

CBMPET2001 · 18 days ago
Eh, with something this horrendously egregious I think their customers have a right to know how carelessly their data was handled, regardless of the remediation steps taken after disclosure; that aside, who knows how many other AI SaaS vendors might stumble across this article and realize they've made a similarly boneheaded error, and save both themselves and their customers a huge amount of pain . . .
CBMPET2001 commented on The Swift SDK for Android   swift.org/blog/nightly-sw... · Posted by u/gok
timsneath · 2 months ago
Ha! But that's not semantically meaningful Swift code in any normal context, nor is it idiomatic. `self` is equivalent to `this` in C++, and is never normally null.

You use this construct for unwrapping nullable fields, for example something like this:

guard let httpResult else { return }

Note that you don't need to assign the value to itself in modern Swift. This line takes an optional (httpResult?) and returns early if null. If not, you can use it with strong guarantees that it's not nullable, so no need for ? or ! to unwrap it later in the scope.

CBMPET2001 · 2 months ago
I've seen that exact pattern used to safely unwrap a weakly captured 'self' within a closure (to avoid retain cycles)

Deleted Comment

CBMPET2001 commented on Investigating a Forged PDF   mjg59.dreamwidth.org/7331... · Posted by u/teddyh
mjg59 · 3 months ago
No, the modified copy included the same certificate page simply because it was a modified copy of the PDF with the certificate page. There's no actual way I've determined to verify the signed checksum field.
CBMPET2001 · 3 months ago
Ah, so the 'signed checksum' field isn't actually the checksum of the signed document? How odd . . . but yeah, now that I think about it, they couldn't know the hash of a document before they generate it, but they would need to in order to include it in the document, hence an impossible cycle; they must have overlooked that . . .
CBMPET2001 commented on Investigating a Forged PDF   mjg59.dreamwidth.org/7331... · Posted by u/teddyh
Hackbraten · 3 months ago
The signed hash matches the original version of the document (sans tenant's signature, sans fraudulent addition). The hash doesn't match any other version of the document.
CBMPET2001 · 3 months ago
I think they're referring to the 'signed checksum' field on the document, and this line from the article

> Interestingly, the certificate page was identical in both documents, including the checksums, despite the content being different.

I think they took this to mean that the signed copy and the copy with the fraudulent addendum both hashed to the same checksum, but I'm not sure that's what was meant; based on the article it's not obvious to me that OP was able to check the signed checksum, though I can't imagine they didn't try. It's the 'original checksum' field that matched the base.pdf clean document without signature or addendum.

CBMPET2001 commented on Investigating a Forged PDF   mjg59.dreamwidth.org/7331... · Posted by u/teddyh
NathanaelRea · 3 months ago
Wouldn't a sha256 collision be impractical? Like wouldn't it be more compute than the couple grand a security deposit would be? SHAttered was in 2017 with SHA-1 and took 110 years of GPU equivalent compute.

It feels like just a mistake or an error with RightSignature? Like they uploaded the wrong doc, clicked the wrong button, and were confused on their side because the version they meant to send was at the top of the page?

CBMPET2001 · 3 months ago
OP mentions in the article that the draft was uploaded on 9/22/25, so it can't have been a simple mix up where the version with the addendum was the one they had originally intended to have signed, since it didn't exist yet.

If you just mean that they had the second version in their system but never intended to send it at all, then I'm not sure what possible innocent explanation there would be for uploading a newly modified version of an already signed lease that's run its course.

Deleted Comment

CBMPET2001 commented on Romhack.ing's Internet Archive Mirror No Longer Available   romhack.ing/database/news... · Posted by u/pharrington
derefr · 4 months ago
It's especially bizarre that ROMhacks would be suppressed from IA, when IA has played host to plain-old 100%-infringing ROMs for years now, with nobody seeming to care.

(I will not directly link to these collections, for the fates are cruel. I'll just say that these IA collections are 'complete' per-console ROM collection archives created by "GoodMerge", a ROM collection validation and repacking tool — and are named very intuitively given that.)

CBMPET2001 · 4 months ago
Per the post, the takedowns are due to false positive malware flags, not because of copyright takedowns. So I guess the unmodified, 100% genuine ROMs don't trip the malware detection, whereas the mods do?
CBMPET2001 commented on Popular Japanese smartphone games have introduced external payment systems   english.kyodonews.net/art... · Posted by u/anigbrowl
ronsor · 4 months ago
Yes, gacha games are always seeking the most optimal path from the player's wallet to the corporate checking account.
CBMPET2001 · 4 months ago
True, but Apple and Google were never any impediment to that beyond just skimming some off the top.
CBMPET2001 commented on Spanish police arrest five over $542M crypto investment scheme   therecord.media/spain-eur... · Posted by u/PaulHoule
crote · 5 months ago
That is going to depend on the details, isn't it?

See for example the practice of civil forfeiture in the US, where the police is able to seize your property until you prove that it wasn't gained through crime. The proceeds go directly to the police department. So the more passers-by they harass, the sooner the "pennies from heaven" will fund their margarita machine! [0]

[0]: https://pulitzercenter.org/stories/phelps-county-seizing-sus...

CBMPET2001 · 5 months ago
I'm not sure how Spanish criminal law works, but even if it does work like in the US, the press release doesn't actually mention any seized funds or property at all
C

u/CBMPET2001

KarmaCake day43June 7, 2025
About
Student and software engineer
View Original