construct0 commented on Teen safety, freedom, and privacy   openai.com/index/teen-saf... · Posted by u/meetpateltech
construct0 · 3 months ago
“We’re building an age-prediction system to estimate age based on how people use ChatGPT.” Is there something wrong with simply asking the user when they register? (volatile age not DOB).
construct0 commented on Emailing a one-time code is worse than passwords   blog.danielh.cc/blog/pass... · Posted by u/max__dev
DecoPerson · 5 months ago
The attack pattern is:

1) User goes to BAD website and signs up.

2) BAD website says “We’ve sent you an email, please enter the 6-digit code! The email will come from GOOD, as they are our sign-in partner.”

3) BAD’s bots start a “Sign in with email one-time code” flow on the GOOD website using the user’s email.

4) GOOD sends a one-time login code email to the user’s email address.

5) The user is very likely to trust this email, because it’s from GOOD, and why would GOOD send it if it’s not a proper login?

6) User enters code into BAD’s website.

7) BAD uses code to login to GOOD’s website as the user. BAD now has full access to the user’s GOOD account.

This is why “email me a one-time code” is one of the worst authentication flows for phishing. It’s just so hard to stop users from making this mistake.

“Click a link in the email” is a tiny bit better because it takes the user straight to the GOOD website, and passing that link to BAD is more tedious and therefore more suspicious. However, if some popular email service suddenly decides your login emails or the login link within should be blocked, then suddenly many of your users cannot login.

Passkeys are the way to go. Password manager support for passkeys is getting really good. And I assure you, all passkeys being lost when a user loses their phone is far, far better than what’s been happening with passwords. I’d rather granny needs to visit the bank to get access to her account again, than someone phishes her and steals all her money.
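
The relay described in steps 1) to 7) above, as an added example that is not part of the original comment or the linked post. It is a constructed simulation: GOOD, BAD, the victim and the mailbox are plain Python objects with made-up names (`Good`, `Mailbox`, `run_code_relay_attack`, `run_link_flow`, the `granny@example.com` address and the session ids are all assumptions), and nothing touches a network or a mail provider. The point it makes concrete is the one the comment makes in prose: GOOD cannot tell which website prompted the user for the code, so whichever session presents the code first owns the account, whereas a link completes the login in the browser that opens it, which is the victim's own unless she goes to the trouble of pasting the URL into BAD's form.

```python
"""Constructed simulation of the one-time-code relay described above.

Added example, not code from the linked post or the comment author. GOOD, BAD,
the victim and the mailbox are plain Python objects with made-up names; nothing
here touches a network or a real mail provider.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Mailbox:
    """The victim's inbox. Only the victim reads it; BAD never sees it."""
    messages: list = field(default_factory=list)   # (sender, body)


@dataclass
class Good:
    """GOOD: a legitimate site offering 'email me a code' and 'email me a link'."""
    pending: dict = field(default_factory=dict)    # code or token -> email
    sessions: dict = field(default_factory=dict)   # session id -> logged-in email

    # Variant A: a 6-digit code the user types into whichever page asks for it.
    def start_code_login(self, email, mailbox):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[code] = email
        mailbox.messages.append(("GOOD", f"Your GOOD sign-in code is {code}"))

    def finish_code_login(self, code, session_id):
        # GOOD has no way to tell which website prompted the user for the code,
        # so whichever session presents it first gets the account.
        email = self.pending.pop(code, None)
        if email is None:
            return False
        self.sessions[session_id] = email
        return True

    # Variant B: a magic link; clicking it opens GOOD in the user's own browser.
    def start_link_login(self, email, mailbox):
        token = secrets.token_urlsafe(32)
        self.pending[token] = email
        mailbox.messages.append(("GOOD", f"https://good.example/login?token={token}"))

    def finish_link_login(self, token, session_id):
        # The browser session that opens the link is the one that gets logged in.
        return self.finish_code_login(token, session_id)


VICTIM = "granny@example.com"     # constructed victim address
BAD_SESSION = "bad-bot-browser"   # BAD's automated browser on good.example
USER_SESSION = "victim-browser"   # the victim's own browser


def run_code_relay_attack():
    """Steps 1) to 7) of the comment. Returns the account BAD ends up logged in as."""
    good, inbox = Good(), Mailbox()
    # 3) BAD's bot starts a code login on GOOD using the victim's address.
    good.start_code_login(VICTIM, inbox)
    # 4)-5) A genuine GOOD email lands in the victim's inbox. BAD never sees it.
    sender, body = inbox.messages[-1]
    if sender != "GOOD":
        raise RuntimeError("the email really does come from GOOD; that is the point")
    # 6) The victim trusts it and types the code into BAD's page.
    code_given_to_bad = body.split()[-1]
    # 7) BAD replays the code from its own session.
    good.finish_code_login(code_given_to_bad, BAD_SESSION)
    return good.sessions.get(BAD_SESSION)   # -> "granny@example.com"


def run_link_flow(user_pastes_link_to_bad=False):
    """Same setup with a magic link. Returns (BAD's login, victim's login)."""
    good, inbox = Good(), Mailbox()
    good.start_link_login(VICTIM, inbox)          # BAD's bot starts the flow
    _, body = inbox.messages[-1]
    token = body.split("token=", 1)[1]
    if user_pastes_link_to_bad:
        # The tedious path: the victim copies the whole URL into BAD's form.
        good.finish_link_login(token, BAD_SESSION)
    else:
        # The normal path: the victim clicks, and the link opens in her browser.
        good.finish_link_login(token, USER_SESSION)
    return good.sessions.get(BAD_SESSION), good.sessions.get(USER_SESSION)


if __name__ == "__main__":
    print("code relay: BAD logged in as", run_code_relay_attack())
    print("magic link, clicked:        ", run_link_flow())
    print("magic link, pasted to BAD:  ", run_link_flow(user_pastes_link_to_bad=True))
```

Running it shows the asymmetry: the code flow hands BAD the account every time, the clicked link logs in only the victim's own browser, and the link becomes equivalent to the code only when the victim copies it into BAD's page. Note that the code path in the model is single-use and six digits long, exactly as a real deployment would be; the weakness is not the code's entropy but that the code carries no binding to the site that asked for it.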

construct0 · 5 months ago
It’s still possible to use a button in the email if you include a copy-pasteable variant in the mail itself.
construct0 commented on Ask HN: Who wants to be hired? (August 2025)    · Posted by u/whoishiring
construct0 · 5 months ago
Location: East Flanders, Belgium

Remote: Hybrid

Willing to relocate: Yes

Technologies: Mainly .NET, Python & React

Résumé/CV: On request

Email: benjamin@construct0.com

construct0 commented on A faster way to copy SQLite databases between computers   alexwlchan.net/2025/copyi... · Posted by u/ingve
hundredwatt · 8 months ago
The recently released sqlite_rsync utility uses a version of the rsync algorithm optimized to work on the internal structure of a SQLite database. It compares the internal data pages efficiently, then only syncs changed or missing pages.

Nice tricks in the article, but you can more easily use the builtin utility now :)

I blogged about how it works in detail here: https://nochlin.com/blog/how-the-new-sqlite3_rsync-utility-w...
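
A page-level sync in the spirit of what the comment describes, as an added example that is not the utility's own code and not from the linked blog post: hash the database pages, ship only the pages that differ or that the replica lacks. It is written from the SQLite file format (page size is the 2-byte big-endian value at header offset 16, with 1 meaning 65536) and deliberately simplifies the real protocol; the function names are mine and the two databases are constructed in a temporary directory.

```python
"""Page-level sync of a SQLite file, in the spirit of sqlite3_rsync.

Added example, not the utility's own code: a simplified version of the idea the
comment describes (hash the database pages, ship only the ones that differ),
written from the SQLite file format. Function names are mine; the demo
databases are constructed in a temporary directory.
"""
import hashlib
import os
import shutil
import sqlite3
import tempfile


def page_size_of(db: bytes) -> int:
    """SQLite header, offset 16: page size as 2-byte big-endian; 1 means 65536."""
    n = int.from_bytes(db[16:18], "big")
    return 65536 if n == 1 else n


def page_hashes(db: bytes) -> list:
    """One SHA-256 per page; this is what the replica side would send over."""
    if len(db) < 100:            # no valid 100-byte header, so no pages
        return []
    ps = page_size_of(db)
    return [hashlib.sha256(db[i:i + ps]).digest() for i in range(0, len(db), ps)]


def sync_pages(origin: bytes, replica: bytes):
    """Origin side: compare the replica's page hashes with its own and send only
    pages that differ or that the replica does not have. Returns (new replica
    bytes, list of page indexes sent). SQLite numbers pages from 1; indexes
    here are 0-based."""
    ps = page_size_of(origin)
    have = page_hashes(replica)
    want = page_hashes(origin)
    out = bytearray(replica[:len(origin)])          # drop pages past origin's end
    out.extend(b"\0" * (len(origin) - len(out)))    # room for pages replica lacks
    sent = []
    for i, h in enumerate(want):
        if i >= len(have) or have[i] != h:
            out[i * ps:(i + 1) * ps] = origin[i * ps:(i + 1) * ps]
            sent.append(i)
    return bytes(out), sent


def demo():
    """Build an origin DB, copy it, change one row, sync. Returns
    (total pages, pages sent, replica identical to origin afterwards)."""
    with tempfile.TemporaryDirectory() as d:
        origin = os.path.join(d, "origin.db")
        replica = os.path.join(d, "replica.db")
        con = sqlite3.connect(origin)
        con.execute("PRAGMA journal_mode=DELETE")   # keep everything in the main file
        con.execute("CREATE TABLE t(id INTEGER PRIMARY KEY, v TEXT)")
        con.executemany("INSERT INTO t(v) VALUES (?)", [("x" * 200,)] * 500)
        con.commit()
        con.close()
        shutil.copyfile(origin, replica)            # replica starts identical
        con = sqlite3.connect(origin)
        con.execute("UPDATE t SET v = 'changed' WHERE id = 250")   # touch one leaf page
        con.commit()
        con.close()
        with open(origin, "rb") as f:
            o = f.read()
        with open(replica, "rb") as f:
            r = f.read()
        new_r, sent = sync_pages(o, r)
        return len(page_hashes(o)), len(sent), new_r == o


if __name__ == "__main__":
    total, sent, identical = demo()
    print(f"{sent} of {total} pages sent, replica identical: {identical}")
```

After one row changes, only the leaf page holding that row and page 1 (whose file change counter is bumped on every write in rollback-journal mode) differ, so a handful of pages travel instead of the whole file. The trade-off construct0 raises is visible in `page_hashes`: the replica has to send one hash per page on every sync, so a larger page size means fewer hashes per round at the cost of coarser pages when something does change.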

construct0 · 8 months ago
Demands increasing page size if you sync frequently (bandwidth).
construct0 commented on MitmProxy2Swagger: Automagically reverse-engineer REST APIs   github.com/alufers/mitmpr... · Posted by u/AbuAssar
construct0 · a year ago
Yeah - does this get nullabilities right?
construct0 commented on GPT-5 is behind schedule   wsj.com/tech/ai/openai-gp... · Posted by u/owenthejumper
construct0 · a year ago
The world is figuring out how to make this technology fit and work and somehow this is "behind" schedule. It's almost comical.
construct0 commented on The deterioration of Google   baldurbjarnason.com/2024/... · Posted by u/PaulHoule
0xmarcin · a year ago
Blogs and small sites still show up when you look for obscure content like "RS232 DTR line". So far, when I had a very specific question related to hardware or software, I could find it via Google.

I find that blogs and small sites do not have a chance when looking for commercial products or when trying to find a review of a product. There is too much SEO spam and fighting for the top positions.

But if you are doing something that cannot be commercialised easily or is very niche, your blog will have an easy time on Google (programming is not a niche anymore).

construct0 · a year ago
Yeah, if you're specific about it and know what to expect it's usually workable. In any case, this blog post is an indicator of what's about to come next.
construct0 commented on Why Gov.uk's Exit this Page component doesn't use the Escape key   beeps.website/blog/2024-1... · Posted by u/todsacerdoti
construct0 · a year ago
Tried the example. No redirect occurred after 3 SHIFT presses; I had to use both ESC and SHIFT to trigger it somehow. The irony.
construct0 commented on Is Tor still safe to use?   blog.torproject.org/tor-i... · Posted by u/Sami_Lehtinen
alasdair_ · a year ago
Here is what I don't understand: Let's say I, as a private individual, fund 1000 Tor nodes (guard and exit nodes included) and have them all log everything. This could cost less than $5000 for a month, with some time needed to get guard node status.

I want to find a certain kind of person so I look for people that access a specific hidden service or clearnet url.

Surely eventually I'm going to get a hit where all three nodes in the circuit are my nodes that are logging everything? It will take a long time, and I can't target a specific person, but eventually I can find someone who has all three bounces through Tor nodes I control, no?

construct0 · a year ago
Yes, there aren’t that many Tor nodes. It’s not the safe haven protocol or transport suite people make it out to be.
construct0 commented on Open Source Twitch for Developers   github.com/algora-io/tv... · Posted by u/selvan
construct0 · a year ago
What's the relation with Twitch?

u/construct0 · Karma: 101 · Cake day: March 24, 2023