HackerTrans
TopNewTrendsCommentsPastAskShowJobs

8organicbits

7,137 karmajoined قبل 6 سنوات
Hello!

https://alexsci.com/blog/

https://indieweb.social/@robalex

Feel free to reach out on email if our interests align: robert [at] robalexdev (dot) com

Statements are my own and do not represent the positions or opinions of my employer/client.

Submissions

Assess the security of email communication between providers

mecsa.jrc.ec.europa.eu
2 points·by 8organicbits·قبل 25 يومًا·0 comments

The Shift in Peering Threatening the Internet's Foundations

internetsociety.org
10 points·by 8organicbits·الشهر الماضي·0 comments

Virtual Precision Clock

mitxela.com
2 points·by 8organicbits·الشهر الماضي·0 comments

Acme CAA Extensions to Become Mandatory

feistyduck.com
3 points·by 8organicbits·الشهر الماضي·0 comments

Authoritative DNS over encrypted transport at OARC 45

blog.apnic.net
2 points·by 8organicbits·قبل شهرين·1 comments

A "Photonic" Guitar

dallasnews.com
1 points·by 8organicbits·قبل شهرين·0 comments

SDLC is a power tool, not a compliance document

blog.robbowley.net
3 points·by 8organicbits·قبل شهرين·1 comments

[untitled]

1 points·by 8organicbits·قبل شهرين·0 comments

GitHub Action Runner Alternatives

binhong.me
1 points·by 8organicbits·قبل شهرين·0 comments

DigiCert: Misissued Code Signing Certificates

bugzilla.mozilla.org
1 points·by 8organicbits·قبل شهرين·0 comments

Mousetrapped

mousetrappedcomic.blog
3 points·by 8organicbits·قبل شهرين·2 comments

A Sum of Errors

lyonhe.art
3 points·by 8organicbits·قبل شهرين·1 comments

Netlify Database is now available

netlify.com
1 points·by 8organicbits·قبل شهرين·0 comments

Forge: CLI for Multiple Git Forges

nesbitt.io
4 points·by 8organicbits·قبل 3 أشهر·0 comments

Strengthening your network security with APNIC's products and tools

blog.apnic.net
1 points·by 8organicbits·قبل 3 أشهر·0 comments

Installing a Let's Encrypt TLS certificate on a Brother printer with Certbot

owltec.ca
246 points·by 8organicbits·قبل 4 أشهر·53 comments

Text-scale should be the default

lkhrs.com
3 points·by 8organicbits·قبل 4 أشهر·0 comments

RSS Creator on Bluesky and at Proto

zeldman.com
4 points·by 8organicbits·قبل 4 أشهر·0 comments

Email Providers of Dutch Municipalities

mxmap.nl
2 points·by 8organicbits·قبل 4 أشهر·0 comments

I haven't thought about software patents in a long time

alexschroeder.ch
3 points·by 8organicbits·قبل 4 أشهر·0 comments

comments

8organicbits
·أول أمس·discuss
Forgejo is mention in the article, it powers Codeberg. I agree it doesn't have high adoption, but the news is that it is growing.
8organicbits
·قبل 6 أيام·discuss
I may complain that I don't like the way a sleezy con man talks, and I may be able to detect his communication patterns, but that doesn't mean I want the con man to speak in a different way I can't detect as sleezy. I don't want to talk to the con man.

Obfuscating LLM output to trick the reader into thinking it wasn't LLM output is not respectful.
8organicbits
·قبل 6 أيام·discuss
> respecting the reader

When people say LLM slop is disrespecting the reader, I don't think they are complaining about style.
8organicbits
·قبل 12 يومًا·discuss
I'm seeing a ton of restricted mode escapes documented online, like https://0xffsec.com/handbook/shells/restricted-shells/ so I'm not so sure. When basic utilities like less, man, and awk can run subshells it's quite a mess.

Bash restricted mode needing a chroot may suggest that Claude also needs a chroot (or restricted file permissions, jail, etc).
8organicbits
·قبل 13 يومًا·discuss
Does that work? I've never seen it used. It seems easy to escape.

The docs seem to suggest using alternate approaches.

> Modern systems provide more secure ways to implement a restricted environment, such as jails, zones, or containers.

https://www.gnu.org/software/bash/manual/html_node/The-Restr...
8organicbits
·قبل 28 يومًا·discuss
Cool tool, I'm also surprised by how different the startup stacks are from the general Internet.

For HSTS, don't forget to check the preload list. Domains under .dev are all preloaded, for example, so they don't need to set the header for HSTS to apply.
8organicbits
·الشهر الماضي·discuss
> How can you check other people's certs?

There are red flags you can look for, but you need to confirm with the domain owner to be sure. CAA records can tell you what CAs are supposed to issue a certificate. Many companies always use the same CA, so a change to a different one could be suspect.

For the wiretapping scenario, domain verified certificates do not protect against that scenario. If the wiretap has full control of your server's network, then it can issue a certificate of its own. No need to compromise a CA.
8organicbits
·الشهر الماضي·discuss
Is there a detection component here too? Sandboxing development is great, but the next step is to deploy to production. How do you know if something malicious happened in the sandbox, such that you don't deploy the malware further?
8organicbits
·الشهر الماضي·discuss
> money will shift to those funds that do better

I'm not disagreeing that people invest this way, but I'd like to point out that past performance does not imply future performance, and that investors should consider factors other than just past returns.
8organicbits
·الشهر الماضي·discuss
Of course plugins that do this already exist. Save your tokens.
8organicbits
·الشهر الماضي·discuss
They probably meant it hyperbolically, but RSS was on a downward slope during that period. The recent uptick is fascinating.

https://trends.google.com/explore?q=%2Fm%2F0n5tx&date=all&ge...
8organicbits
·الشهر الماضي·discuss
Anyone know the best practices for keeping AI crawlers off your RSS feeds? I know robots.txt works for the well-behaved bots. Other tools like interstitial captchas don't as the feed readers break if you send them anything but XML.

Putting just the post intro in the feed and linking to the website feels like a safer approach, assume you have bot protections on the website, but that's a poor experience for people who want to read in their feed reader.
8organicbits
·الشهر الماضي·discuss
These approaches are obviously great if your goal is to force marketing down people's throats, but it kills the integrity of the platform.

I don't get why people would continue using Google search (other than familiarity/momentum). As a site owner I'm questioning whether I even want to be indexed by Google.
8organicbits
·الشهر الماضي·discuss
If someone enters a username that doesn't exist in the system then you randomly prompt for password or alternate method, so it looks like an account may exist.

Username enumeration isn't usually considered a vulnerability, but it does make other attacks, like credential stuffing, easier. I.E. you can focus attack resources on usernames that have active accounts.

It's very low on my list of concerns though, usually there's much worse problems when I pentest.
8organicbits
·الشهر الماضي·discuss
I have it partially right. The extensions are not yet mandatory.

https://www.feistyduck.com/newsletter/issue_137_acme_caa__ex...
8organicbits
·الشهر الماضي·discuss
One suggestion for anyone concerned about this weakness. You can use the CAA record to pin the domain to a specific certificate authority, issuance method, and account. This is imperfect, as CAA record validation (edit: of CAA extensions) is not mandatory yet. But by March 2027 all the CAs a supposed to have support.

Sprinkle some DNSSEC on the CAA record too, if you'd like.
8organicbits
·قبل شهرين·discuss
Cloudflare origin CA is a private CA, so the CABF doesn't apply.
8organicbits
·قبل شهرين·discuss
If the goal is to review every citation fully with 100% accuracy, then, sure, exhaustive human review is needed. But I suspect human review of a random sample would add value, catching some fraud, missing others, but having zero false positives (or as close to zero as human review can get).

An LLM could replace the random sampling. It doesn't need to be particularly good for the approach to provide value. I would worry about LLM bias though.

Another thing to consider is that readers can detect fake citations after publication, report to arXiv, and the author gets banned.
8organicbits
·قبل شهرين·discuss
How much utilization do you have? For low scale, it's hard to beat GitHub Actions as they offer free runners for public repos and include a bunch of free hours for private repos.

Once you start paying for it, GitHub Actions runners are very expensive. I've used both Jenkins and GitLab before to self-host CI/CD, and you save so much using on-demand (or at higher scale, reserved) cloud instances. I do freelance DevOps work and I've helped clients with these sorts of challenges.
8organicbits
·قبل شهرين·discuss
Good idea, I added a list to the indieweb wiki: https://indieweb.org/indieweb_directory#Directories_of_direc...

I've added three :)