HackerTrans
TopNewTrendsCommentsPastAskShowJobs

paddybyers

no profile record

comments

paddybyers
·vor 21 Tagen·discuss
I've run a disclosure program for ~7 years, which is an open paid program. However, over that time we've developed relationships with the most active and successful contributors, to the point that we'll now give them early access to new features to try out (all still paid for on the basis of rewards for problems found). This is proving especially valuable now in triaging the new deluge of noise from impactful issues.
paddybyers
·vor 21 Tagen·discuss
I wrote about this this morning [1]:

> We're keeping our vulnerability disclosure program open - because even though they are rare, the genuine critical reports we receive, in amongst the noise, are still highly valuable. I don't think we're at the stage yet where finding those issues is a purely mechanical process; persistent, imaginative researchers still make a contribution to the process by finding things that LLMs by themselves, so far, haven't.

[1] https://www.linkedin.com/feed/update/urn:li:activity:7475447...
paddybyers
·vor 2 Monaten·discuss
> I did get to the stage (not by conscious memorisation) of being able to assemble and disassemble Z80 code in my head, with some accuracy.

Same here.

I never got any fluency using EXX and the shadow registers - there were so few situations it was worth the effort. I always felt like I must be missing something.
paddybyers
·vor 4 Monaten·discuss
I remember Jim Woodcock as really inspirational - he was working with my PhD supervisor in 1987. We were working on a variant of Z for specifying what, today, we would call CRDTs. I was also lucky enough to meet Tony Hoare the same year and discuss those concepts.
paddybyers
·vor 4 Monaten·discuss
Who remembers the Occam folding editor (1983)? This was the first time I saw this kind of outline-based navigation for code: https://www.transputer.net/tn/03/tn03.html#x1-30002
paddybyers
·vor 2 Jahren·discuss
Yes it's true. At Ably we support websockets, SSE and comet fallbacks (simple long-polling and streamed long-polling). It's less and less common but there are firewalls that fail to handle websockets correctly, or simply block them. I can't name specific companies/examples, but call centers are one example - the network and desktop environments are fully locked down.

We also see in these cases that streamed HTTP can also be broken by the firewall - for example a chunked response can be held back by the firewall and only forwarded to the client when the request ends, as a fixed-length response. Obviously that breaks SSE and means you can't just use streamed comet as a fallback when websockets don't work.
paddybyers
·vor 5 Jahren·discuss
This ^ is my favourite writeup on the question of how you implement SOC2. I wish I had read that before we started - after going through the Type 1 and Type 2 process, we've ended up with the same conclusions. I've lost count of the number of times I've recommended that. Our experience (global b2b customers, heavily skewed to NA) is that SOC2 Type 2 is the most frequently requested/expected standard, and if you have that, not having ISO is very rarely a dealbreaker. Neither makes the security questionnaires go away; they continue to be mandatory, require expert input, and are a significant drain on time. However, having SOC2 and/or ISO does mean that you've already thought of the answers to the questions and you'll have a defensible position, backed up by a track record of independent audits, when your particular approach doesn't meet the "gold" standard implied by the questionnaire. (Edit: typo)