
I think by "successful" the instructor meant actually restarting the heart and reviving the patient, which is very unlikely. Keeping blood moving and preventing/delaying neurological damage is the thing the patient will benefit from.


If, for example, your server process kills itself when validating data, that's not the problem of Zod. The validation failing is an expected case; that is the use case for such a library.


I'm not the person you are replying to, but I believe that of course the pattern holds if you keep shifting it down. E.g. using a faster CPU will speed up all programs running on it; each (already optimized) ASIC has to be optimized further individually.


Totally possible that the minifier did this, yes.


A $10 million investment seems like nothing in that area.


The government would be able to obtain a certificate identical to the one of the website owner (the real one), enabling the MITM attack (for example with the help of ISPs etc.).


Yes, but you will see that the certificate authority suddenly switches to the Hungarian government, while reading an article.


How would they get the private key? Or would this CA only allow using certs with private keys they generated instead of using CSRs?


Wouldn't Certificate Transparency make it very visible and obvious if they did that?


CT would not be allowed if ETSI does not allow it. Neither would distrusting that mis-issuing CA be allowed.



> The Prime label makes it easier to sell to the more than 7 million most loyal and high-spending consumers members of Amazon’s loyalty program.

Who are the 7 million? In Italy? I only find figures between 1 million and 1.5 million. Can't be Europe either; several countries in the region have more. Very confusing.


I find the paragraph where the author described the exploit hard to read.

Basically, he triggered the "Password Reset" process and then guessed the reset token?


> I sent random requests using intruder with a CSRF token and random emails with a new password to this endpoint /savepassword

So this endpoint simply allowed setting up a new password with a POST request for the specified email address, and he was able to guess the email... ¯\_(ツ)_/¯


That’s how I read it as well, almost too absurd to believe.

SetPassword and the parameters to the function are just username and newPassword.

I guess they assumed there was authentication happening before the request would even be served (pre-existing session).


A good example of how security by obscurity can fail. Just because there's no URL to an endpoint exposed doesn't mean it shouldn't be hardened.


I think they assumed it was already hardened by requiring authentication, but didn't do any testing (or were unaware of this endpoint being a thing in the software they use).
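The comments above describe a SetPassword endpoint whose only inputs are username and newPassword, served without any check that the caller is logged in. The following is an added illustration, not code from the original thread or from the affected software, of that pattern next to a hardened form: the handler takes the identity from the server-side session instead of the request body, requires a session-bound CSRF token, re-checks the current password, and stores only a salted PBKDF2 hash. The Request class, the in-memory user store, the user alice@example.com and all passwords are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

ITERATIONS = 200_000  # PBKDF2 work factor; tune for the deployment, kept moderate here


def hash_password(password, salt=None):
    """Return (salt, digest) for a password; a fresh random salt unless one is given."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate password against a stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def make_store():
    """Constructed in-memory user table standing in for the application's database."""
    salt, digest = hash_password("correct horse battery")
    return {"alice@example.com": {"salt": salt, "digest": digest}}


def login_session(username):
    """Server-side session as it would exist after a successful login (assumed shape)."""
    return {"user": username, "csrf": secrets.token_urlsafe(32)}


@dataclass
class Request:
    """Minimal stand-in for an HTTP POST to /savepassword."""
    form: dict
    session: dict = field(default_factory=dict)  # empty when no login session exists


def save_password_vulnerable(users, req):
    """The pattern the thread describes: identity and new password are both
    taken from the request body, and nothing checks who is sending it."""
    user = users.get(req.form.get("username"))
    if user is None:
        return 404
    user["salt"], user["digest"] = hash_password(req.form.get("newPassword", ""))
    return 200


def save_password_hardened(users, req):
    """Same operation with the checks the endpoint was presumably assumed to have."""
    # 1. Identity comes from the authenticated session, never from the body.
    username = req.session.get("user")
    if username is None or username not in users:
        return 401
    # 2. The CSRF token must match the one bound to this session (constant time).
    if not hmac.compare_digest(req.form.get("csrf", ""), req.session.get("csrf", "")):
        return 403
    # 3. Re-authenticate with the current password before accepting a new one,
    #    so a hijacked session alone cannot lock the legitimate user out.
    user = users[username]
    if not verify_password(req.form.get("currentPassword", ""), user["salt"], user["digest"]):
        return 403
    # 4. Apply a minimal policy to the new password, then store only its hash.
    new_password = req.form.get("newPassword", "")
    if len(new_password) < 12:
        return 400
    user["salt"], user["digest"] = hash_password(new_password)
    return 200


if __name__ == "__main__":
    users = make_store()
    # No session at all: the vulnerable handler still rewrites alice's password.
    print(save_password_vulnerable(users, Request({"username": "alice@example.com", "newPassword": "x"})))
    # The hardened handler rejects the same request outright.
    print(save_password_hardened(users, Request({"username": "alice@example.com", "newPassword": "x"})))
```

The point of the hardened version is not the individual checks but where the identity comes from: once the username is read from the session rather than the form, there is nothing left for an unauthenticated caller to guess.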


