DecoPerson commented on Emailing a one-time code is worse than passwords   blog.danielh.cc/blog/pass... · Posted by u/max__dev
DecoPerson · 18 days ago
The attack pattern is:

1) User goes to BAD website and signs up.

2) BAD website says “We’ve sent you an email, please enter the 6-digit code! The email will come from GOOD, as they are our sign-in partner.”

3) BAD’s bots start a “Sign in with email one-time code” flow on the GOOD website using the user’s email.

4) GOOD sends a one-time login code email to the user’s email address.

5) The user is very likely to trust this email, because it’s from GOOD, and why would GOOD send it if it’s not a proper login?

6) User enters code into BAD’s website.

7) BAD uses code to log in to GOOD’s website as the user. BAD now has full access to the user’s GOOD account.

This is why “email me a one-time code” is one of the worst authentication flows for phishing. It’s just so hard to stop users from making this mistake.

“Click a link in the email” is a tiny bit better because it takes the user straight to the GOOD website, and passing that link to BAD is more tedious and therefore more suspicious. However, if some popular email service suddenly decides your login emails or the login link within should be blocked, then suddenly many of your users cannot log in.

Passkeys are the way to go. Password manager support for passkeys is getting really good. And I assure you, all passkeys being lost when a user loses their phone is far, far better than what’s been happening with passwords. I’d rather granny needs to visit the bank to get access to her account again, than someone phishes her and steals all her money.
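As an added illustration (it is not from the comment, the linked article, or any real site), the following Python model plays out the seven steps above against a toy in-memory login server that offers both the code flow and the link flow. The server binds a code to the session that requested it, stores secrets hashed, expires them and makes them single-use, and the relay still succeeds, because BAD’s bot is the requester. In the link flow the session that ends up logged in is the browser the link is opened in, so the click lands in the victim’s own browser and BAD’s session gets nothing. `LoginServer`, `good.example`, the 300-second lifetime and the sample addresses are assumptions made for this example.

```python
import hashlib
import secrets
import time

TTL_SECONDS = 300  # assumed lifetime for both codes and links


class LoginServer:
    """In-memory stand-in for the GOOD site. No mail is sent; `inbox` holds the
    last message each address would have received (constructed, not real SMTP)."""

    def __init__(self):
        self.pending = {}   # digest of secret -> (email, requesting session, expiry)
        self.sessions = {}  # session id -> authenticated e-mail address
        self.inbox = {}     # e-mail address -> last message delivered

    @staticmethod
    def _digest(secret: str) -> str:
        # Secrets are stored hashed; attempt limiting is omitted from this model.
        return hashlib.sha256(secret.encode()).hexdigest()

    # Flow A: "e-mail me a six-digit code", typed into whatever form the user is looking at.
    def request_code(self, email: str, session_id: str) -> None:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[self._digest(f"{email}:{code}")] = (email, session_id, time.time() + TTL_SECONDS)
        self.inbox[email] = {"type": "code", "code": code}

    def redeem_code(self, email: str, code: str, session_id: str) -> bool:
        entry = self.pending.pop(self._digest(f"{email}:{code}"), None)  # single use
        if entry is None or time.time() > entry[2]:
            return False
        # Binding the code to the session that requested it sounds protective, but in
        # the relay the requester *is* the attacker's session, so the check passes.
        if entry[1] != session_id:
            return False
        self.sessions[session_id] = email
        return True

    # Flow B: "click the link in the e-mail"; the browser that opens the link is logged in.
    def request_link(self, email: str, session_id: str) -> None:
        token = secrets.token_urlsafe(32)
        self.pending[self._digest(token)] = (email, session_id, time.time() + TTL_SECONDS)
        self.inbox[email] = {"type": "link", "url": f"https://good.example/login?token={token}"}

    def open_link(self, token: str, session_id: str) -> bool:
        entry = self.pending.pop(self._digest(token), None)  # single use
        if entry is None or time.time() > entry[2]:
            return False
        self.sessions[session_id] = entry[0]
        return True


VICTIM = "alice@example.com"      # constructed address
BAD_SESSION = "bad-site-bot"      # the session BAD's bot holds on GOOD
VICTIM_BROWSER = "alice-browser"  # the session Alice's own browser holds on GOOD


def relay_code(server=None) -> bool:
    """Steps 3-7 of the pattern above. Returns True if BAD ends up logged in as the victim."""
    server = server or LoginServer()
    server.request_code(VICTIM, BAD_SESSION)        # 3-4: bot starts the flow, GOOD mails the code
    code = server.inbox[VICTIM]["code"]              # 5: victim reads GOOD's e-mail and trusts it
    server.redeem_code(VICTIM, code, BAD_SESSION)    # 6-7: victim types it into BAD, BAD redeems it
    return server.sessions.get(BAD_SESSION) == VICTIM


def relay_link(server=None) -> tuple:
    """Same start, but GOOD sends a link and the victim clicks it in their own browser.
    Returns (bad_logged_in, victim_logged_in, link_still_usable)."""
    server = server or LoginServer()
    server.request_link(VICTIM, BAD_SESSION)
    token = server.inbox[VICTIM]["url"].split("token=", 1)[1]
    server.open_link(token, VICTIM_BROWSER)          # the click lands in Alice's browser
    still_usable = server.open_link(token, BAD_SESSION)  # single use: a later replay is dead
    return (
        server.sessions.get(BAD_SESSION) == VICTIM,
        server.sessions.get(VICTIM_BROWSER) == VICTIM,
        still_usable,
    )


if __name__ == "__main__":
    print("code flow, BAD logged in as victim:", relay_code())
    print("link flow (bad, victim, replayable):", relay_link())
```

The model leaves out attempt and rate limiting on purpose: those defend against guessing, and the relay never guesses, it is handed one correct code. The extra measure some sites apply to the link flow, accepting the link only in the browser session that requested it, would also refuse the relayed link in this model (the requester is `BAD_SESSION`), at the cost of users who request on a laptop and click on a phone.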

DecoPerson commented on SQLite Date and Time Functions (2007)   www2.sqlite.org/cvstrac/w... · Posted by u/1vuio0pswjnm7
DecoPerson · 2 months ago
One huge benefit of using SQLite over a traditional server/client DBMS is the ability to easily add SQL functions that call into your host language and memory-space.

For example, we’re using better-sqlite3 which has a convenient API for adding SQL functions [1], and we have dozens of helper methods for dealing with time using the temporal-polyfill module.

We have custom JSON-based serialisation formats for PlainDate, PlainTime, PlainDateTime, ZonedDateTime, etc. Then in SQL we can call `isDate_Between__(a, b, c)`.

a, b, and c are deserialised by the JS (TS) function, the logic is run, and the result is returned to SQLite. We’ve had no performance issues with this approach, though we’re only dealing with simple CRUD stuff. No big data.

You can even use these functions with generated columns and indexes, but I haven’t found a proper use for this yet in my work.

[1] https://github.com/WiseLibs/better-sqlite3/blob/HEAD/docs/ap...

DecoPerson commented on Ask HN: Selling software to company I work for as an employee    · Posted by u/apohak
williamdclt · 3 months ago
Why would the company say yes? Seems to me they’d say “no, but that’s a good idea we’re going to have you do that as part of your employment”
DecoPerson · 3 months ago
If it’s outside your job description, you’re not obliged to do anything.

You’re not a slave. You can say no to your boss. You’re on equal footing (though your boss generally has more power/wealth so can bully/manipulate you). It’s up to your boss as to what they do when you say no. If you’re a good employee when it comes to your usual responsibilities, then they’ll keep you.

If your boss tells you to write software as part of your job and you’re not a software engineer, you can tell them to get stuffed (or sign the contract and both parties benefit!).

Edit: I just re-read the original post and saw that the OP is a software engineer. Ignore everything I said. This sounds like a terrible idea. You’ll burn all your bridges if you pursue this avenue.

DecoPerson commented on Ask HN: Selling software to company I work for as an employee    · Posted by u/apohak
DecoPerson · 3 months ago
Just write a clear and concise summary of a contract.

“You get: [these features]”

“I get: [money and the IP]”

“We measure success and payment milestones are triggered by: [Clear KPIs and deadlines]”

Make sure the 1-2 page doc has your name on it, and ask your boss for permission to drop a paper version on the desks of the higher ups.

You can be employed and enter into a separate contract.

Edit: I just re-read the original post and saw that the OP is a software engineer. Ignore everything I said. This sounds like a terrible idea. You’ll burn all your bridges if you pursue this avenue.

DecoPerson commented on Chrome Origin Trial: Device Bound Session Credentials   developer.chrome.com/blog... · Posted by u/pabs3
DecoPerson · 4 months ago
User asks (human) Assistant to log in to their online banking and make a transfer. No problem. No digital security system can stop this (bar requiring true biometrics on every sign-in, which isn’t happening soon).

User asks Company (with human staff) to log in and do the same thing. Perhaps the company is an accounting firm, a legal firm, or a “manage my company for me” kind of firm. No problem.

User asks Company which makes self-hosted business management tools to log in to their online banking. Oh shit!!! This is a violation of the ToS! The Company that makes this tool is violating the bank’s rights! The user doesn’t understand how they’re letting themselves get hacked!! Block block block! (Also some banks realise that they can charge a fee for such access!)

Everyone on HN sees how that last case — the most useful given how great automation is these days — should be permitted.

I wish the governing layers of society could also see how useful such automation is.

These Device-Bound Session Credentials could result in the death of many good automation solutions.

The last hope is TPM emulation, but I’m sure that TPM attestation will become a part of this spec, and attestation prevents useful emulation. In this future, Microsoft and others will be able to charge the banks a great deal of money to help “protect their customers” via TPM attestation licensing fees, involving rotation, distribution, and verification of keys.

I’m guessing the protocol will somehow prevent one TPM being used for too many different user accounts with one entity (bank), preventing cloud-TPM-as-a-service being a solution to this. If you have 5,000 users that want to let your app connect to their Bobby's Bank online banking, then you’ll need 5,000 different TPMs. Also Microsoft (or whoever) could detect and blacklist “shared” TPMs entirely to kill TPMaaS entirely.

Robotic Process Automation on the user’s desktop, perhaps in a hidden Puppeteer browser, could still work. But that’s obviously a great deal harder to implement than just “install this Chrome extension and press this button to give me your cookies.”

Goodbye web freedom, and my software product :(

DecoPerson commented on Attacking My Landlord's Boiler   blog.videah.net/attacking... · Posted by u/ericvolp12
DecoPerson · 4 months ago
The Flipper Zero is great, and could handle all of the hacking/investigation part by installing custom firmware.

The original product understandably arrives with heavily-restricted firmware (I imagine to reduce the amount of flak the company receives). However, it is incredibly easy to install Flipper Unleashed or similar, which removes all said restrictions and adds a lot of additional functionality.

Possessing the tools that could be used to commit a crime is not necessarily a crime in and of itself! Just be careful with what you do or, depending on what country you’re in, you might find some men in suits knocking at your door.

Personally, I wanted to replay “encrypted” 433MHz signals for my own devices (electric gate, roller door, roller shutters, …) and this was disabled with the Flipper’s region set to Australia.

DecoPerson commented on React for Two Computers   overreacted.io/react-for-... · Posted by u/abraham
DecoPerson · 5 months ago
Author invents a programming language where the code is server-side JSX tags ("Early World") and the runtime evaluation is divided into multiple lazily-evaluated stages ("Late World") in the browser.

Author unfortunately fails to justify or provide a demonstration that justifies the increased complexity over current methodology.

Interesting exploration of an unexplored space, but should be more concise (and use either better or no attempts at humour).

> In the Early world, you dissolve all the Early Components with interpret. This gives you a string that represents how to finish the computation in the Late world: [code]

> In the Late world, you parse that string, load the references, and then dissolve the Late Components with interpret. That leaves you with a tree of Primitives: [code]

> Finally, those Primitives are ready to be turned into DOM or some other format: [code]

DecoPerson commented on Why can we not use AI to audit agent systems instead of human in the loop?    · Posted by u/jit-it
DecoPerson · 6 months ago
You can do this. This is currently being done, but not talked about much.

Results vary, so it’s not one of the main courses of interest at the moment.

DecoPerson commented on Car tires shed a quarter of all microplastics in the environment   phys.org/news/2024-11-car... · Posted by u/geox
bix6 · 9 months ago
We need to start making manufacturers pay for their negative externalities.
DecoPerson · 9 months ago
Manufacture in country A and sell in country B. Or vice versa.

But never manufacture and sell in the same country, or the government might try to get you to pay for your negative externalities!

And now, there’s this annoying predicament where as you introduce more laws and more enforcement, you only cripple your own economy and rarely cause any significant improvement along the lines of what you hope. Look at Australia — we have all these appliance safety laws, but all of the appliances are made overseas and there’s no good point for the government to inspect and enforce compliance with those laws. I just bought a generic vacuum sealer from an online shop the other day. It was cheaper than buying at a brick & mortar store, even with delivery, and it definitely does not comply with Australian safety standards.

We’ve killed our local industry, and our economy is suffering for it. I don’t think the answer is to remove the safety/etc laws, but instead to tax all imports enormously. Be aggressive and unfair so that local industry is immediately viable. It’ll be painful, but it’s what most countries need. Comparative advantage turned out to be a terrible basis for international trade.

DecoPerson commented on SQLiteStudio: Create, edit, browse SQLite databases   sqlitestudio.pl/... · Posted by u/thunderbong
DecoPerson · 9 months ago
Be very careful using this over Samba, even with WAL mode enabled. I corrupted an important testing DB this way. Thankfully .recover came to the rescue and only a small amount of data was lost (but the test team had to wait a couple hours for me to bring the test environment back online).

u/DecoPerson

Karma: 1277 · Cake day: June 28, 2013
About
Ex-game designer