b3_k1nd_rw1nd's recent activity

  1. What is your opinion whenever you see news/opinion that tech companies are relying more on chatbots rather than junior developers/interns?

    I see that in the headline from time to time. Not really sure how prevalent it is and it's pretty disappointing news.

    but I also can't help but think:

    1. the news articles are probably overblowing it and it's probably not as prevalent as it's being portrayed
    2. that any tech company doing that is shooting themselves in the foot. In total, I was an intern at various companies for a little under 3 years. I don't doubt that the work I did for the majority of my co-ops was all stuff that could have been done by a chatbot: writing unit tests and small scripts, etc. But they were invaluable to me for (1) understanding what is expected of me in a professional environment, (2) giving me a basic idea of how to code in a professional environment, and (3) giving me a lot of perspective on what technologies and tools I should spend spare time learning, because my university very much focused on dinosaur-era languages in the classes that did teach any coding-related skills. Same for the friends I went to uni with. So all I think is maybe in the short term they are saving money by not hiring interns/co-ops/junior devs to do work that can be done by a bot, but I feel like in the long term that will reduce the number of intermediate/senior devs on the market, which means they'll be in higher demand and cost more money.
    23 votes
  2. Comment on I've always found the common approach that websites take to changing the email associated with an account iffy but I am not sure if I am wrong in ~tech

    I never said losing access to non-email address accounts is as bad as losing account to email address accounts.

    I just said the workflow for non-email address accounts is basically not secure at all imo.

    1 vote
  3. Comment on I've always found the common approach that websites take to changing the email associated with an account iffy but I am not sure if I am wrong in ~tech

  4. Comment on Why is Cloudflare trusted with encryption? in ~tech

    In order to do anything useful, a CDN has to terminate the ssl connection.

    The implication being that if they are going to serve cached content on your behalf, it needs to be delivered in the encrypted format that the browser is expecting given it's an HTTPS connection which means cloudflare needs to encrypt it before sending it on behalf of your reverse proxy?

    And because the cloudflare tunnel feature is utilizing the already existing CDN network, it's a lot less hassle for them (and the developer) to just rely on cloudflare to do what it does best and serve content it itself encrypts?

  5. I've always found the common approach that websites take to changing the email associated with an account iffy but I am not sure if I am wrong

    I have changed my email more than once, just as part of customizing my online identity and all that.

    and that obviously required me to log into any accounts I had and update the email associated with them.

    the most common workflow I have found is
    login -> navigate to settings page -> edit the email field to the new email -> go to the inbox for the new email -> click confirm on confirmation email

    then you can go to that website and do the forgot password, provide your email and change the password and get complete control.

    I have always found that workflow weird because it's the most prevalent one I have come across and seems so susceptible to tampering.

    if someone leaves their laptop unattended for 3-4 minutes in public while visiting a bathroom (which happened often in the library of my university), there was nothing preventing me from going to their Facebook or whatever account they had open on their computer, changing the email to my own email and then clicking confirm on my inbox once I am back at my desk.

    and most people don't have 2FA so that would effectively give me control of their account.
    Hell, my university once had a potential data breach and they were 99.999% sure the data was not actually accessed by a malicious actor but still sent a mass email saying that they were advising everyone to change their passwords. a classmate of mine in the software systems program's attitude was basically "oh well, who cares?" and I just facepalmed internally.

    there are maybe 3 websites I have come across that instead first send a confirmation email to your current inbox and, after you confirm on that, then you get a confirmation email in the new email inbox. Which isn't perfect, but I feel like it's a bit more sensible and the best you can do without involving 2FA.

    even then, that's also susceptible to the situation I described above if the user is always logged into their email.

    I find it odd that websites don't prompt for a password as part of the email update process (or better yet, 2FA with an app, as even prompting for a password isn't a guarantee if the user has a password manager extension in their browser and recently unlocked it before leaving their session unattended) to ensure that email changes are always done by the account owner.

    15 votes
  6. Comment on Question about REST APIS and encryption in ~tech

    You don't need the same level of security Google has.

    oh I know, I was just curious how they do it. I have no delusions that my server will ever be as secure as what Google has, nor is there a point in making it as secure. My website will never be as enticing to hackers as Google :P

  7. Comment on Question about REST APIS and encryption in ~tech

    Good Lord! I both feel amazed by what they have setup and also weirdly feel disappointed I am not embarking on an original idea :sweat_smile:.

    I think I figured no one else would want to invest time in an open-source e2ee encrypted budgeting software when banks have the budgeting software market cornered.

    Nevertheless, thanks for the link.

    1 vote
  8. Comment on Question about REST APIS and encryption in ~tech

  9. Comment on Why is Cloudflare trusted with encryption? in ~tech

    so these seem to be the relevant snippets describing the technical harms
    From https://web.archive.org/web/20151205093315/https://digital.report/experts-concerned-kazakhstan-plans-to-monitor-users-encrypted-traffic/

    Committee for Communications, Informatization, and Information at the Ministry of Investment and Development, [...] would be introducing the national security certificate as of 1 January 2016.
    the users must install the national certificate on all devices used to access the internet, including mobile ones. The national operator will publish step-by-step installation instructions on its website by the end of 2015 (see the cached Google page of the Kazakhtelecom press release).

    It seems that the certificate will be used not only for HTTPS connections but also for other TLS encrypted connections, including FTPS, IMAP and SMTP with TLS”, states habrahabr.ru. Technically speaking, the new certificate, when installed by a user, would replace the security certificates already installed on websites, with the national certificate ‘acting’ as an intermediary between a user and a site. This is precisely what encryption technologies were intended to eliminate.

    the intelligence services could conduct unlimited MITM attacks and decode any encrypted data. Securitylab analysts believe that the initiative is intended to intercept all SSL traffic in the region.

    From https://www.theregister.com/2015/12/03/kazakhstan_to_maninthemiddle_all_internet_traffic/

    This spying will be made possible by insisting everyone installs a "national security certificate" on their computers and mobile gadgets – most likely a root CA certificate just like the ones found in Lenovo's Superfish and Dell's Superfish 2.0 scandals.

    This cert will trick web browsers and other apps into trusting the telco's systems that masquerade as legit websites, such as Google.com or Facebook.com. Rather than connect directly to those sites, browsers will really be talking to malicious man-in-the-middle servers.

    The implication being that they can intercept all the SSL traffic in a region by taking control of the ISP data-links and thanks to the bad server cert, they can pretend to be a website they are not.

    However, MITM would necessarily mean they are also forwarding those requests to the legitimate site no? Cause otherwise, technically speaking, they're not "in the middle", they're actually doing the responding themselves too.

    1 vote
  10. Comment on Question about REST APIS and encryption in ~tech

    It's worth it to spend a little time learning to harden your server so that you don't have to write the whole application to run in browser. But don't stress too much, talented hackers aren't wasting time on random servers so mostly all you have to protect against are low effort bots hitting common ports and endpoints and common software (i.e. WordPress). The most important thing is to stay on top of patches.

    Actually, the more I think about it, given that my machine is publicly accessible only via Cloudflare Tunnel, I doubt I even need to do any hardening. I gotta imagine any local configurations I make are meaningless compared to what Cloudflare does to secure its connections.

  11. Comment on Why is Cloudflare trusted with encryption? in ~tech

    However, a trusted CA can be used to perform man-in-the-middle attacks if it handles the traffic.

    The attacker intercepts all client traffic, specifically feeding it a bad server cert. Client thinks they're using their bank's cert, but it's using the attacker's. The attacker then proxies all of the client's requests, decrypting from client, then re-encrypts with real cert to forward to website, repeat in reverse.

    How is that a MITM attack? My understanding of MITM is both the sender and receiver are legitimate participants in a conversation, they just don't know their communication is being read.

    but what you are describing is a malicious website (which I guess in this example is the receiver) that the user interacts with, not knowing it's malicious.

    1 vote
  12. Comment on Question about REST APIS and encryption in ~tech

    something I remembered, until Tailscale Funnel is publicly available, I am stuck with Cloudflare Tunnel and they handle the packet decryption. So if I want my data to be protected from Cloudflare (just cause I don't like that they technically can see all my data), I have to encrypt myself before sending it to my server.

    So, if I want to perform server-side validation, I'd have to first decrypt to do that anyway. Or use homomorphic encryption as @archevel suggested (thanks for the link btw, I didn't know about that).

    So maybe I will look into that.

  13. Why is Cloudflare trusted with encryption?

    I am a big fan of Cloudflare Tunnels, it's let me muck about with quite a few low risk apps and it's been fun.

    one thing that's always bothered me though is the SSL setup.

    According to their website, only enterprise users are allowed to manage their own TLS private keys.

    I can kinda understand the logic behind free accounts not having that perk.

    But if you are someone who really doesn't like cloudflare reading your traffic or you are a business, it seems odd to me that it's not being demanded of cloudflare that they make it more available for paid users to not expose their TLS private keys to cloudflare.

    Why are so many folks OK with cloudflare essentially being able to read all their traffic?

    or am I overestimating how many people are using the Pro and Business account? is the majority of their users just Free or Enterprise?

    24 votes
  14. Comment on Question about REST APIS and encryption in ~tech

    Yep. They just make sure that doesn't happen.

    that's actually surprising given the stories I have come across of hackers who hack into a variety things, either for clout or money or just messing around.

    hackers from Russia or China really can't find a flaw in Google's infra that they can use to destabilize a major tech company from a hostile-ish nation? interesting.

  15. Comment on Question about REST APIS and encryption in ~tech

    any cybersecurity professional will advise against trying to roll your own implementation since there's way too many variables at play that can end up as vulnerabilities.

    What do you mean by that? I was just planning on utilizing well-known encryption libraries to handle that for me or is that considered "my own implementation"?

  16. Comment on Question about REST APIS and encryption in ~tech

    I recommend React or Vue (esp the former if you want to get into React Native). They support TypeScript out of the box too.

    I was just made aware of that. thank God I made this post before I started actually writing Angular code.

    2 votes
  17. Comment on Question about REST APIS and encryption in ~tech

    well how about that? I was led to believe that Angular is the only framework that supports TypeScript and for some reason, it didn't occur to me to investigate the veracity of that statement.

  18. Comment on Question about REST APIS and encryption in ~tech

    I have 2 competing desires. be able to maybe one day make a simple mobile app but also get exposure to TypeScript via this project.

  19. Comment on Question about REST APIS and encryption in ~tech

    Or, you can have logic in the server, but the data must come in unencrypted. You can encrypt it further if you want, but honestly I don't think it's particularly worth the effort for a simple server written just for your own personal use. Just harden the server it's hosted on.

    I do like that idea as I wanted this project to give me more FE and BE exposure but I am not a pro and have a fear that I will miss something in my attempts to harden the server. I am not exactly an expert at security hardening and not sure what are even the basics and I doubt a 20 min YouTube tutorial can cover it. Bit of an exaggeration but I think that demonstrates my anxiety with that.

    1 vote
  20. Comment on Question about REST APIS and encryption in ~tech

    Does it have to be a publicly-accessible web app?

    right now? probably not. but I think I just want to challenge myself to be able to make it publicly accessible and secure.

    Also, a part of this is me learning Angular for the FE of the website so I hope that one day, I can use those FE skills to make a simple react-native android app to go along with the website. Not a definite but want to keep my options open I think.