GNU social JP
GNU social JP is a GNU social server in Japan.
Conversation

Notices

  1. Lorenzo Ancora :verified: (lorenzoancora@ieji.de)'s status on Tuesday, 09-Sep-2025 21:41:01 JST
    • 翠星石
    • Ténno Seremél’
    • LisPi
    • Yuchen Pei
    • a bean
    • Alexandre Oliva

    @coolbean public APIs existed for many websites, but were disabled years ago due to widespread (and extremely harmful) abuse by humans and bots alike.

    Online banking apps are compulsory in the European Union, because hard-to-predict 2FA algorithms and system analysis are required by law. The standalone hardware key generators were banned years ago.

    Online banking APIs exist, but are not public and are reserved for corporate customers.

    @Suiseiseki @tennoseremel @quasi @lxo @lispi314

    In conversation about 4 months ago from ieji.de
    • 翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Tuesday, 09-Sep-2025 21:41:00 JST
      in reply to
      • Ténno Seremél’
      • LisPi
      • Yuchen Pei
      • a bean
      • Alexandre Oliva
      @LorenzoAncora @coolbean @tennoseremel @quasi @lxo @lispi314 >were disabled years ago due to widespread (and extremely harmful) abuse by humans and bots alike.
      I am extremely doubtful of that claim.

      Such sites do in fact still have an API - an undocumented JavaScript one. Sure using it is annoying enough to make security researchers give up - but why would attackers give up?

      Obviously you would make the API for a bank account require the bank account's login details to be able to do anything.

      >Online banking apps are compulsory in the European Union
      Please, can someone wipe the entire EU off the face of the planet?

      >because hard-to-predict 2FA algorithms and system analysis are required by law.
      What is such a braindead requirement?

      If you want to do 2FA - you just use one of the many TOTP implementations.

      Rolling your own 2FA algorithm means that you'll introduce a weakness.

      >The standalone hardware key generators were banned years ago.
      That is a totally braindead requirement?

      Sure the RSA tokens were all backdoored, but a hardware token that contained a clock and ran free software that would show the current TOTP code on pressing a button would be quite secure - but that's not allowed, as it doesn't involve an insecure demon rectangle!

      >Online banking APIs exist, but are not public and reserved to corporate customers.
      Yes, only corporates get any respect.
      In conversation about 4 months ago
    • LisPi (lispi314@udongein.xyz)'s status on Tuesday, 09-Sep-2025 21:41:15 JST
      in reply to
      • 翠星石
      • Ténno Seremél’
      • Yuchen Pei
      • a bean
      • Alexandre Oliva
      @LorenzoAncora @coolbean @Suiseiseki @tennoseremel @quasi @lxo The law and regulations are then obviously broken and abusive of the users.
      In conversation about 4 months ago
      翠星石 likes this.
    • 翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Tuesday, 09-Sep-2025 21:56:23 JST
      in reply to
      • 翠星石
      • Ténno Seremél’
      • LisPi
      • Yuchen Pei
      • a bean
      • Alexandre Oliva
      @LorenzoAncora @coolbean @lispi314 @lxo @quasi @tennoseremel *Rolling your own 2FA algorithm means that you'll likely write a biased counter with only a limited amount of possible outputs.
      In conversation about 4 months ago
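The two posts above (the one recommending an existing TOTP implementation and a clock-plus-button hardware token, and the correction that a home-grown 2FA algorithm tends to end up as a biased counter with few possible outputs) are both about the construction standardised in RFC 4226 (HOTP) and RFC 6238 (TOTP). What a standards-based one looks like, as an example added here and written from the RFCs (it is not code from any participant in the thread): only the Python standard library is used; the `verify_totp` function with its `window` and `last_counter` parameters, the base32 secret helper and the sample times are this example's own choices, not anything the posters described.

```python
# Added example (not code from any poster in the thread): HOTP (RFC 4226) and
# TOTP (RFC 6238) written from the RFCs, plus the server-side check that a bank
# would run against a code typed from an app or a hardware token.
# Assumptions: Python 3 standard library only; the verify() window/last_counter
# policy, the base32 helper and the sample values below are this example's own.
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, 8-byte big-endian counter), dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = (
        (mac[offset] & 0x7F) << 24               # clear the top bit: a 31-bit, sign-free integer
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros: "07081804" is a valid code


def totp(secret: bytes, unix_time: int, step: int = 30, t0: int = 0,
         digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter derived from the clock. Nothing but the shared secret
    and the time is needed, which is why a token with a clock and a button can compute it."""
    return hotp(secret, (unix_time - t0) // step, digits, digestmod)


def decode_base32_secret(text: str) -> bytes:
    """Authenticator-app style shared secret: base32 (RFC 4648), spaces and padding optional."""
    clean = text.replace(" ", "").upper()
    return base64.b32decode(clean + "=" * (-len(clean) % 8))


def verify_totp(secret: bytes, candidate: str, unix_time: int, last_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6):
    """Server-side check. Accepts the code for the current step and `window` steps either
    side (tolerates drift in a token's clock) but never a counter at or below the last one
    accepted, so a code captured off the wire cannot be replayed inside the window.
    Returns the accepted counter for the caller to persist, or None on rejection."""
    if len(candidate) != digits or not (candidate.isascii() and candidate.isdigit()):
        return None
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue                              # already used, or older than one already used
        expected = hotp(secret, counter, digits)
        # constant-time comparison: an early-exit string compare leaks how many leading
        # digits were right, which is exactly the kind of side channel home-grown code adds
        if hmac.compare_digest(expected.encode(), candidate.encode()):
            return counter
    return None


if __name__ == "__main__":
    # RFC 4226/6238 test secret "12345678901234567890", shown in base32 as an app would display it
    secret = decode_base32_secret("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    now = int(time.time())
    code = totp(secret, now)
    print("current 6-digit code:", code)
    print("accepted counter:", verify_totp(secret, code, now))
```

`hotp` and `totp` reproduce the RFC test vectors (with the secret `12345678901234567890`, counter 0 gives 755224 and T=59 with 8 digits gives 94287082). The generator is the easy part; the server side is where a scheme usually goes wrong even with a correct generator, hence the bounded window, the persisted last counter to stop replay, and the constant-time compare.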
    • 翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Tuesday, 09-Sep-2025 22:03:28 JST
      in reply to
      • Ténno Seremél’
      • Zergling_man
      • LisPi
      • Yuchen Pei
      • a bean
      • Alexandre Oliva
      @Zergling_man @LorenzoAncora @coolbean @tennoseremel @quasi @lxo @lispi314 If you want to understand how those work - read GnuTLS and GnuPG.

      There's no need to write yet another TLS or GPG implementation when you can check the existing free implementations for correctness.
      In conversation about 4 months ago
    • Zergling_man (zergling_man@sacred.harpy.faith)'s status on Tuesday, 09-Sep-2025 22:03:30 JST
      in reply to
      • 翠星石
      • Ténno Seremél’
      • LisPi
      • Yuchen Pei
      • a bean
      • Alexandre Oliva
      @Suiseiseki @lispi314 @lxo @quasi @tennoseremel @coolbean @LorenzoAncora But at the same time, cryptography is too important to leave up to someone you don't trust.
      I really need to do my own implementations of things like TLS, PGP, etc. just so I can understand how they work, and can then go check that the things I'm using actually do work as they claim.
      In conversation about 4 months ago
    • 翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Tuesday, 09-Sep-2025 22:05:49 JST
      in reply to
      • Ténno Seremél’
      • Zergling_man
      • LisPi
      • Yuchen Pei
      • a bean
      • Alexandre Oliva
      @Zergling_man @LorenzoAncora @coolbean @tennoseremel @quasi @lxo @lispi314 If you wanted to write a backdoored encryption library, you wouldn't release it as a GNU package - as you know the GNU enjoyers are going to pore over every single line.
      In conversation about 4 months ago
    • Zergling_man (zergling_man@sacred.harpy.faith)'s status on Tuesday, 09-Sep-2025 22:05:50 JST
      in reply to
      • 翠星石
      • Ténno Seremél’
      • LisPi
      • Yuchen Pei
      • a bean
      • Alexandre Oliva
      @Suiseiseki @lispi314 @lxo @quasi @tennoseremel @coolbean @LorenzoAncora If I were trying to write a backdoored encryption library and posting the source I would carefully avoid making it obvious.
      In conversation about 4 months ago
    • 翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Tuesday, 09-Sep-2025 22:12:25 JST
      in reply to
      • Ténno Seremél’
      • Zergling_man
      • LisPi
      • Yuchen Pei
      • a bean
      • Alexandre Oliva
      @Zergling_man @LorenzoAncora @coolbean @tennoseremel @quasi @lxo @lispi314 Unfortunately you do have to trust other people, as rolling your own crypto always results in many security vulnerabilities and side channels - there needs to be many people that actually check the implementation and fix the bugs found.
      In conversation about 4 months ago
    • Zergling_man (zergling_man@sacred.harpy.faith)'s status on Tuesday, 09-Sep-2025 22:12:26 JST
      in reply to
      • 翠星石
      • Ténno Seremél’
      • LisPi
      • Yuchen Pei
      • a bean
      • Alexandre Oliva
      @Suiseiseki @lispi314 @lxo @quasi @tennoseremel @coolbean @LorenzoAncora Yeah, and I'm unlikely to spot anything they haven't. But, cryptography is too important to trust to anyone else.
      In conversation about 4 months ago
    • 翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Wednesday, 10-Sep-2025 18:26:39 JST
      in reply to
      @LorenzoAncora False information?

      It's the truth that if a site uses JavaScript to send and fetch data to/from the server, then there is a JavaScript API - otherwise how else would the software communicate with the server?

      That API is undocumented and may change with no notice, meaning it is extremely difficult to solve the issue yourself and write third party clients that interface with the server without proprietary software.

      >forced to block you
      Only cowards block.
      In conversation about 4 months ago
    • Lorenzo Ancora :verified: (lorenzoancora@ieji.de)'s status on Wednesday, 10-Sep-2025 18:26:41 JST
      in reply to
      • 翠星石

      > Such sites do in fact still have an API - an undocumented JavaScript one
      > wipe the entire EU off the face of the planet

      @Suiseiseki if you keep talking about politics or intentionally sharing false information to scare the users I'll be forced to block you. This is the 3rd time I've asked you to stay on-topic. 😅

      In conversation about 4 months ago
    • 翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Wednesday, 10-Sep-2025 19:16:10 JST
      in reply to
      @LorenzoAncora >process and answer AJAX (JavaScript background requests)
      Yes, that's called a JavaScript API.

      >There is little difference from standard web requests.
      Yes, a POST submission in a certain format is an API.

      >If there is no documentation, it means the endpoint is just ad-hoc for internal use
      Yes, the API is only internally documented.

      >Abusing internal endpoints may violate the ToS or even be a felony, regardless of the goal and depending on the damage caused.
      It's a felony to write a free software client that interacts with the internal APIs as the proprietary software client would?

      Just because something has been implemented by a 3rd party doesn't mean there will be damage.
      In conversation about 4 months ago
    • Lorenzo Ancora :verified: (lorenzoancora@ieji.de)'s status on Wednesday, 10-Sep-2025 19:16:12 JST
      in reply to
      • 翠星石

      @Suiseiseki no, server-side any language (PHP, Python, Perl, C, ...) can be used to process and answer AJAX (JavaScript background requests). There is little difference from standard web requests.

      If there is no documentation, it means the endpoint is just ad-hoc for internal use (Official website↔server or Official client↔server) and forbidden to 3rd party access. Abusing internal endpoints may violate the ToS or even be a felony, regardless of the goal and depending on the damage caused. 😅

      In conversation about 4 months ago

GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.