Readit News
odensc commented on We pwned X, Vercel, Cursor, and Discord through a supply-chain attack   gist.github.com/hackermon... · Posted by u/hackermondev
bri3d · 10 days ago
Proxying from the "hot" domain (with user credentials) to a third party service is always going to be an awful idea. Why not just CNAME Mintlify to dev-docs.discord.com or something?

This is also why an `app.` or even better `tenant.` subdomain is always a good idea; it limits the blast radius of mistakes like this.

odensc · 10 days ago
Yep - this is the core issue that made the vulnerability so bad. And if you use a subdomain for a third-party service, make sure your main app auth cookies are scoped to host-only. Better yet, use a completely different domain like you would for user-generated content (e.g. discorddocs.com).
odensc commented on Find SF parking cops   walzr.com/sf-parking/... · Posted by u/alazsengul
jonahx · 3 months ago
What's funny is secure IDs could have easily prevented this but, even if the city discovers it and wants to shut it down now, I'd bet actually fixing the system would be too costly (IDs tend to couple to everything).
odensc · 3 months ago
Pretty simple fix: require more data to look up a citation, like the number, issue date and plate/VIN (this is how my city does it). Technically doesn't make the scraping impossible if you wanna try every permutation of a license plate, but makes it mostly infeasible.

Currently it just requires the sequential citation number [1], which is how the data is being scraped so easily.

[1]: https://wmq.etimspayments.com/pbw/include/sanfrancisco/input...

odensc commented on · Posted by u/chinmaygarg
odensc · 7 months ago
Google is down because Google Cloud is down, Anthropic is down because Google Cloud is down, and OpenAI isn't down but some of their SSO providers are down because Google Cloud is down.

So, not a coincidence.

odensc commented on Show HN: Visit the front page of Hacker News on a random day   randomhackernews.com/... · Posted by u/nickipedia
hk__2 · 2 years ago
> I was surprised that there wasn't a feature here that lets you go back in time to the front page of Hacker News on a random day

May I ask why were you surprised? Which other website has this feature?

odensc · 2 years ago
Not exactly the same, but in the same vein, Reddit has a "Random" button that takes you to a random subreddit. Google has "I'm Feeling Lucky" which gives you a random search. A "random" button seems like a relatively common little easter egg.
odensc commented on FedEx launches new e-commerce platform   theverge.com/2024/1/14/24... · Posted by u/jollofricepeas
Marsymars · 2 years ago
> Costco is still quick, just not as quick, and their website / app is trash to use compared to Amazon.

Really? I feel like Amazon is always trying to trick me into a) signing up for prime, b) buying sponsored products, c) buying cheap Chinese junk or d) buying stuff in the wrong currency and getting hit with unfavourable foreign exchange rates.

Whereas the Costco website just works.

The Home Depot website is also a pile of junk. Just yesterday I probably spent 5x longer on the Home Depot site than on a competitor’s (Canadian Tire) website because of the jankiness of filtering for an extension cord. If you search for something with a lot of results (e.g. light fixtures) the result set is basically unusable because of poor filtering functionality. A few months ago the entire search functionality broke because of some ad domain that I was blocking. They harvest emails that you punch in for email receipts at checkout for marketing purposes. etc. etc.

odensc · 2 years ago
> They harvest emails that you punch in for email receipts at checkout for marketing purposes. etc. etc.

Really? I've been using a unique email (i.e. homedepot@my.domain) at checkout for the last 2 years and haven't received any emails at that inbox except for my receipts.

odensc commented on Clicks – Physical keyboard for iPhone   clicks.tech/... · Posted by u/guyinblackshirt
tw04 · 2 years ago
Wonder how they’re getting around patent encumbrance. Ryan Seacrest already tried this a decade ago.

https://www.pcmag.com/news/ryan-seacrest-invests-in-typo-iph...

https://www.cnet.com/tech/mobile/typos-hardware-keyboard-for...

odensc · 2 years ago
Visually, it looks a lot less like a copy of a BlackBerry keyboard, so that helps.

The first patent quoted in that lawsuit article has expired [1]. The second patent is still active [2], but is related to a "ramped-key keyboard" (essentially curved), which this new product is not AFAICT.

The third, a design patent [3], is still active, but would appear to only apply to a complete handheld device that includes an attached keyboard, not a separate accessory... Not a lawyer or patent expert by any means though.

I guess we'll see - none of that stops anyone from suing them.

[1]: https://patents.google.com/patent/US7629964B2/en?oq=7%2c629%...

[2]: https://patents.google.com/patent/US8162552B2/en?oq=8%2c162%...

[3]: https://patents.google.com/patent/USD685775S1/en?oq=D685%2c7...

odensc commented on Sit.   sonnet.io/posts/sit/... · Posted by u/rpastuszak
JoshTriplett · 2 years ago
Browsers allow entering fullscreen as long as it's in response to user input, such as clicking a button. When entering fullscreen, browsers emit a prompt about exiting fullscreen, partly to make sure people know how to exit and partly to make sure entering fullscreen doesn't go unnoticed. So, it'd be hard to pull off such an attack.
odensc · 2 years ago
> So, it'd be hard to pull off such an attack.

That's what you'd think, but people rarely pay that much attention. The fullscreen prompt only shows up for a few seconds.

For example, recently a family member clicked on a fake YouTube link from an ad in Google's search results. Clicked the search bar and it immediately turned their whole screen into a "call apple support" popup.

They called me up because they thought it was a virus, but really it was just a fullscreen webpage, and being not very technologically inclined, they didn't even try Esc, Cmd+Tab, Cmd+Q, etc.

odensc commented on My rude-ass car   neverbeclever.org/blog/my... · Posted by u/isoprophlex
oneepic · 2 years ago
Also, I suck with car knowledge, but I believe the hot tire pressure is different from when they're cold. Perhaps the car's software doesn't take that into account?
odensc · 2 years ago
Some cars use "indirect TPMS," which means instead of a sensor in the tire's valve stem, it measures the speed of each wheel and uses some fancy math to determine if the pressure is low.

I'm not sure if the Kia Ceed is one such car, but if it is, there may be some wackiness in their indirect TPMS system. Especially considering the OP says it only happens after prolonged driving at high speeds.

odensc commented on iPhone 15 and iPhone 15 Plus   apple.com/newsroom/2023/0... · Posted by u/mikece
the_other · 2 years ago
> It comes with one USB-C to USB-C charging cable - not sure if it is a data cable, also.

This is why USB-C is a user-hostile spec.

odensc · 2 years ago
It's not an issue specific to USB-C. There are also plenty of USB-A/Micro-USB cables that don't have the data pins connected. Typically this is only an issue with super cheap electronics that only use USB-C as a connector for power and don't really follow the spec.

I haven't heard of a phone coming with a charge-only cable. Especially because that cable is usually used for syncing to a computer (iOS)/transferring data from an old phone (Android).

odensc commented on We Call on FOSS Contributors to “Exit Zoom”   sfconservancy.org/news/20... · Posted by u/thedeepself
karaterobot · 2 years ago
> A recent analysis showed that it could take up to 30 hours just to read the entirety of Zoom's terms and conditions

I wonder whether there's a single human being on Earth who has read the entire T&C word for word. I assume multiple authors drafted and edited specific chunks, so it may even be the case that even the lawyers who wrote it haven't read the full thing, yet users are expected to have done it in some vague but legally binding way.

odensc · 2 years ago
They didn't even quote that analysis correctly. It shows that it would take 30 minutes for the average person... big difference there.

u/odensc

Karma: 484
Cake day: September 28, 2017

About
Contact: hello [at] odensc.com