HackerTrans
TopNewTrendsCommentsPastAskShowJobs

80x25

no profile record

Submissions

Grit

grit.io
1 points·by 80x25·قبل 3 سنوات·0 comments

CSRFing VS Code's Debug Adapter Protocol

mcnulty.blog
2 points·by 80x25·قبل 3 سنوات·0 comments

The excellent Arc browser is now available for anyone to download

theverge.com
6 points·by 80x25·قبل 3 سنوات·2 comments

Hacking Auto-GPT and escaping its Docker container

positive.security
2 points·by 80x25·قبل 3 سنوات·0 comments

Mark Zuckerberg: “VR / AR strategy” (2015)

techemails.com
1 points·by 80x25·قبل 3 سنوات·0 comments

Bill Gates Tries to Install Movie Maker

techemails.com
8 points·by 80x25·قبل 3 سنوات·1 comments

Do Users Write More Insecure Code with AI Assistants?

arxiv.org
1 points·by 80x25·قبل 4 سنوات·0 comments

Forming a W3C Solid Work Group

lists.w3.org
2 points·by 80x25·قبل 4 سنوات·0 comments

The Arc browser is the Chrome replacement I’ve been waiting for

theverge.com
3 points·by 80x25·قبل 4 سنوات·1 comments

Learn to Read the Source, Luke (2012)

blog.codinghorror.com
1 points·by 80x25·قبل 4 سنوات·1 comments

Dancing in the Debugger – A Waltz with LLDB (2014)

objc.io
1 points·by 80x25·قبل 4 سنوات·0 comments

comments

80x25
·قبل 3 سنوات·discuss
https://www.mcnulty.blog/

Posts about the Web and the software that powers it. Light on content right now but will hopefully change that soon.
80x25
·قبل 3 سنوات·discuss
Interesting idea. I signed up.

I noticed that the email confirmation links are using http:// vs. https://. Chrome has started to flag http:// links with a full-page speed bump, saying it is insecure. Perhaps those links should use https://?

I did try manually switching to https:// in the URL but Chrome didn't like the cert there either.
80x25
·قبل 4 سنوات·discuss
Here's the researcher's write-up of the issue with more details: https://spyclub.tech/2022/12/14/unusual-cache-poisoning-akam...

Interesting research and super useful write-up!

My observations:

- The characters that enable the Host header field forgery aren't unicode characters. They are a subset of separator characters from ASCII. My guess is that the Akamai parser is trimming the Host header field name and not enforcing the requirements from https://www.rfc-editor.org/rfc/rfc7230#section-5.4 after this trim, specifically:

   A server MUST respond with a 400 (Bad Request) status code to any
   HTTP/1.1 request message that lacks a Host header field and to any
   request message that contains more than one Host header field or a
   Host header field with an invalid field-value.
Even worse, the last Host header field appears to "win" and be the selected Host header field in the request forwarded to the origin.

- The OP does mention that Akamai intends to enable stricter header field parsing in 2023 but that response leaves a lot to be desired. They could probably provide a proactive analysis of a customer's traffic to inform them that they can turn on RFC compliant parsing without impact. Punting this decision to their customers requires their customers to be HTTP experts. If I were an Akamai customer, I would expect them to be my HTTP experts for me.
80x25
·قبل 4 سنوات·discuss
This is spot on. I'm very glad to see this post mention the "No Silver Bullet" essay. Despite being written in 1986, it continues to provide a relevant, skeptical view on the impact of these LMMs on software. It even has a section addressing whether AI can provide the "silver bullet", which is drawn upon by the OP.

My immediate response to all the rightly-deserved excitement for ChatGPT is to reread that essay and reflect on whether this new tool will provide me more than marginal gains in my productivity. Experimenting with it a bit over the last day, my initial answer is, no, this doesn't provide more than marginal gains outside toy examples.

These tools may very well factor into my workflow in the future, but I don't see them fundamentally changing the way I construct, support, debug, and maintain software.
80x25
·قبل 4 سنوات·discuss
I find myself returning to this blog post about once a year. It think it has aged pretty well in the decade since it was written.

One thing that definitely did not pan out is being able to understand the source of a website/web app because it is written in JavaScript. Transpiling/minification/etc. without the corresponding source maps makes that near impossible for any app of a reasonable size.
80x25
·قبل 4 سنوات·discuss
"Use OSS" is very close to if not the same as "Build".

To adopt an OSS approach for SSO, the startup still needs to dedicate resources to researching the OSS options, deploying the OSS, integrating it, and most importantly, operating it.

Once the startup gets into the weeds of integrating SSO functionality with customer's IdPs, in the limit, the cost of the effort will start to approach "Build".
80x25
·قبل 4 سنوات·discuss
This post seems to suggest that a SaaS startup would consider creating their own SAML implementation. If a SaaS startup is considering creating a homebrew SAML implementation, they are doing it wrong.

When it comes to SSO, "buy" instead of "build", and focus on the core value proposition of the service with that saved time and resources.