Hacker News: arewethereyeta's comments

what's your problem?

one may be closer to Donald Trump than the other.


Open source outreach / email campaign software: https://outreachstud.io


Titanium has a low tensile strength compared to steel. I wouldn't recommend it even on a bike handlebar


Oh but they do. People have been making titanium replacement bolt kits for bicycles since at least 1993.

Doesn’t change the fact that those are tiny bolt holes for holding a 750 kW motor. How are they affixing it to a vehicle?


Open source app for email outreach: https://www.outreachstud.io/


every 6 months. They also rotate on you to have a reason for calling again, out of the blue


Greece is 20 years behind Romania with that scam


Zenfone 10 is pretty cool if you chase the form factor


Zenfone 10 also isn't available anymore and its software support will end long before the iPhone's, if it hasn't already.


isn't this basically what flutter does?


No.

SVG is a proper part of the browser. You get native text rendering, real links, real text selection, stuff like that.

Flutter is pure-canvas. You get no accessibility (unless you duplicate everything, in which case why even bother?), fake links which don’t behave properly, incorrect text rendering, megabytes of overhead, slow startup, &c.


> An attacker published new versions of four of duckdb’s packages that included malicious code to interfere with cryptocoin transactions

How can anyone publish their packages?


The attacker emailed a maintainer from a legitimate-looking email address. The maintainer clicked the link and reset their credentials on a legitimate-looking website. The attacker then signed into the legitimate duckdb account and published their new package.

This is the second high-profile instance of the technique this week.


2FA for such high profile packages should be enforced


It is, if your packages are popular enough then npm will force you to enable 2FA. They started doing that a few years ago. It clearly doesn't stop everything though, the big attack yesterday went through 2FA by tricking the author into doing a "2FA reset".


> It is, if your packages are popular enough then npm will force you to enable 2FA.

Are they actively forcing it? I've received the "Remember to enable 2FA" email notifications from NPM since 2022 I think, but haven't bothered since I'm no longer publishing packages/updates.

Besides, the email conveniently mentions their "automation" tokens as well, which, when used for publishing updates, bypass 2FA fully.



Passkeys should be enforced


Parent is exactly right! For critical infrastructure an un-phishable 2FA mechanism like passkeys or a hardware token (FIDO2/YubiKey) should be required! It would remove this category of attack completely.


I take the downvote but I’d like to know why?

Passkeys are effectively and objectively a better security solution than password+2FA. Among other things, they are completely unphishable.


> Among other things, they are completely unphishable.

From what I've heard, they're also unbackupable, and tied to the ecosystem used to create them (so if you started with an Apple desktop, you can't later migrate the passkeys to a Windows desktop, you have to go to every single site you've ever used and create new ones).


You can't really backup hardware tokens, either? It's quite possible to use something like bitwarden/vaultwarden/1password as a password manager, and you can "backup" tokens quite easily without being tied to a particular mobile/desktop ecosystem.


You can just create a new passkey on the new device after logging in. It's a non-issue.


It is not a given that multiple services let you enroll multiple keys. How many years did it take before Amazon allowed multiple YubiKeys? Which means you are in a real pickle if you ever lose your one hardware device with keys (lost, stolen, bricked, whatever).


It's an incorrect implementation, the same as when e.g. an account provider truncates a long password to 8 characters.


That’s not true anymore; you can migrate passkeys to another password manager now.


for popular packages - and in this case - they are. This attack (and yesterday's) is a relay attack, with the attacker in the middle between npm and the target.
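Why the relay described here defeats a code-based second factor but not the passkeys argued for earlier in the thread: a relayed one-time code is just a string the attacker forwards, whereas a passkey assertion carries the origin the browser was actually on, and the relying party rejects any other origin. The script below is an added illustration written for this page, not code from npm or any commenter; it implements the relying-party checks from the WebAuthn assertion verification procedure that give this origin binding, using a hypothetical registry origin and constructed assertions (the final public-key signature check is noted but not shown).

```python
import base64
import hashlib
import json

# Hypothetical relying party (stand-in for a package registry's login).
RP_ID = "registry.example"
EXPECTED_ORIGIN = "https://registry.example"
FLAG_USER_PRESENT = 0x01


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_assertion(origin: str, challenge: bytes, rp_id: str) -> dict:
    """Constructed stand-in for what the browser/authenticator hands back to the
    page that requested it. The browser always records the origin it is really
    on; a page cannot claim a different one."""
    client_data = {"type": "webauthn.get",
                   "challenge": b64url_encode(challenge),
                   "origin": origin}
    # authenticatorData = sha256(rpId) || flags || 4-byte signature counter
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([FLAG_USER_PRESENT]) + (0).to_bytes(4, "big"))
    return {"clientDataJSON": b64url_encode(json.dumps(client_data).encode()),
            "authenticatorData": b64url_encode(auth_data)}


def verify_assertion(assertion: dict, issued_challenge: bytes) -> tuple:
    """Relying-party checks before the signature is verified. Returns (ok, reason)."""
    client_data = json.loads(b64url_decode(assertion["clientDataJSON"]))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # A forwarded assertion for an older challenge is a replay of a stale session.
    if b64url_decode(client_data.get("challenge", "")) != issued_challenge:
        return False, "challenge mismatch"
    # This is the phishing-resistance step: a look-alike site yields its own origin.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(client_data.get("origin"))
    auth_data = b64url_decode(assertion["authenticatorData"])
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & FLAG_USER_PRESENT:
        return False, "user presence flag not set"
    # Final step (not shown): verify the stored public key's signature over
    # authenticatorData || sha256(clientDataJSON).
    return True, "ok"
```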


He would have entered 2FA too


There is a detailed postmortem in the linked ticket explaining exactly how this happened.


This is the same phishing attack that hit junon yesterday.

https://news.ycombinator.com/item?id=45169657

