HackerLangs
TopNewTrendsCommentsPastAskShowJobs

8organicbits

7,137 karmajoined 6 anni fa
Hello!

https://alexsci.com/blog/

https://indieweb.social/@robalex

Feel free to reach out on email if our interests align: robert [at] robalexdev (dot) com

Statements are my own and do not represent the positions or opinions of my employer/client.

Submissions

Assess the security of email communication between providers

mecsa.jrc.ec.europa.eu
2 points·by 8organicbits·24 giorni fa·0 comments

The Shift in Peering Threatening the Internet's Foundations

internetsociety.org
10 points·by 8organicbits·mese scorso·0 comments

Virtual Precision Clock

mitxela.com
2 points·by 8organicbits·mese scorso·0 comments

Acme CAA Extensions to Become Mandatory

feistyduck.com
3 points·by 8organicbits·mese scorso·0 comments

Authoritative DNS over encrypted transport at OARC 45

blog.apnic.net
2 points·by 8organicbits·2 mesi fa·1 comments

A "Photonic" Guitar

dallasnews.com
1 points·by 8organicbits·2 mesi fa·0 comments

SDLC is a power tool, not a compliance document

blog.robbowley.net
3 points·by 8organicbits·2 mesi fa·1 comments

[untitled]

1 points·by 8organicbits·2 mesi fa·0 comments

GitHub Action Runner Alternatives

binhong.me
1 points·by 8organicbits·2 mesi fa·0 comments

DigiCert: Misissued Code Signing Certificates

bugzilla.mozilla.org
1 points·by 8organicbits·2 mesi fa·0 comments

Mousetrapped

mousetrappedcomic.blog
3 points·by 8organicbits·2 mesi fa·2 comments

A Sum of Errors

lyonhe.art
3 points·by 8organicbits·2 mesi fa·1 comments

Netlify Database is now available

netlify.com
1 points·by 8organicbits·2 mesi fa·0 comments

Forge: CLI for Multiple Git Forges

nesbitt.io
4 points·by 8organicbits·3 mesi fa·0 comments

Strengthening your network security with APNIC's products and tools

blog.apnic.net
1 points·by 8organicbits·3 mesi fa·0 comments

Installing a Let's Encrypt TLS certificate on a Brother printer with Certbot

owltec.ca
246 points·by 8organicbits·4 mesi fa·53 comments

Text-scale should be the default

lkhrs.com
3 points·by 8organicbits·4 mesi fa·0 comments

RSS Creator on Bluesky and at Proto

zeldman.com
4 points·by 8organicbits·4 mesi fa·0 comments

Email Providers of Dutch Municipalities

mxmap.nl
2 points·by 8organicbits·4 mesi fa·0 comments

I haven't thought about software patents in a long time

alexschroeder.ch
3 points·by 8organicbits·4 mesi fa·0 comments

comments

8organicbits
·l’altro ieri·discuss
Forgejo is mention in the article, it powers Codeberg. I agree it doesn't have high adoption, but the news is that it is growing.
8organicbits
·6 giorni fa·discuss
I may complain that I don't like the way a sleezy con man talks, and I may be able to detect his communication patterns, but that doesn't mean I want the con man to speak in a different way I can't detect as sleezy. I don't want to talk to the con man.

Obfuscating LLM output to trick the reader into thinking it wasn't LLM output is not respectful.
8organicbits
·6 giorni fa·discuss
> respecting the reader

When people say LLM slop is disrespecting the reader, I don't think they are complaining about style.
8organicbits
·12 giorni fa·discuss
I'm seeing a ton of restricted mode escapes documented online, like https://0xffsec.com/handbook/shells/restricted-shells/ so I'm not so sure. When basic utilities like less, man, and awk can run subshells it's quite a mess.

Bash restricted mode needing a chroot may suggest that Claude also needs a chroot (or restricted file permissions, jail, etc).
8organicbits
·13 giorni fa·discuss
Does that work? I've never seen it used. It seems easy to escape.

The docs seem to suggest using alternate approaches.

> Modern systems provide more secure ways to implement a restricted environment, such as jails, zones, or containers.

https://www.gnu.org/software/bash/manual/html_node/The-Restr...
8organicbits
·28 giorni fa·discuss
Cool tool, I'm also surprised by how different the startup stacks are from the general Internet.

For HSTS, don't forget to check the preload list. Domains under .dev are all preloaded, for example, so they don't need to set the header for HSTS to apply.
8organicbits
·mese scorso·discuss
> How can you check other people's certs?

There are red flags you can look for, but you need to confirm with the domain owner to be sure. CAA records can tell you what CAs are supposed to issue a certificate. Many companies always use the same CA, so a change to a different one could be suspect.

For the wiretapping scenario, domain verified certificates do not protect against that scenario. If the wiretap has full control of your server's network, then it can issue a certificate of its own. No need to compromise a CA.
8organicbits
·mese scorso·discuss
Is there a detection component here too? Sandboxing development is great, but the next step is to deploy to production. How do you know if something malicious happened in the sandbox, such that you don't deploy the malware further?
8organicbits
·mese scorso·discuss
> money will shift to those funds that do better

I'm not disagreeing that people invest this way, but I'd like to point out that past performance does not imply future performance, and that investors should consider factors other than just past returns.
8organicbits
·mese scorso·discuss
Of course plugins that do this already exist. Save your tokens.
8organicbits
·mese scorso·discuss
They probably meant it hyperbolically, but RSS was on a downward slope during that period. The recent uptick is fascinating.

https://trends.google.com/explore?q=%2Fm%2F0n5tx&date=all&ge...
8organicbits
·mese scorso·discuss
Anyone know the best practices for keeping AI crawlers off your RSS feeds? I know robots.txt works for the well-behaved bots. Other tools like interstitial captchas don't as the feed readers break if you send them anything but XML.

Putting just the post intro in the feed and linking to the website feels like a safer approach, assume you have bot protections on the website, but that's a poor experience for people who want to read in their feed reader.
8organicbits
·mese scorso·discuss
These approaches are obviously great if your goal is to force marketing down people's throats, but it kills the integrity of the platform.

I don't get why people would continue using Google search (other than familiarity/momentum). As a site owner I'm questioning whether I even want to be indexed by Google.
8organicbits
·mese scorso·discuss
If someone enters a username that doesn't exist in the system then you randomly prompt for password or alternate method, so it looks like an account may exist.

Username enumeration isn't usually considered a vulnerability, but it does make other attacks, like credential stuffing, easier. I.E. you can focus attack resources on usernames that have active accounts.

It's very low on my list of concerns though, usually there's much worse problems when I pentest.
8organicbits
·mese scorso·discuss
I have it partially right. The extensions are not yet mandatory.

https://www.feistyduck.com/newsletter/issue_137_acme_caa__ex...
8organicbits
·mese scorso·discuss
One suggestion for anyone concerned about this weakness. You can use the CAA record to pin the domain to a specific certificate authority, issuance method, and account. This is imperfect, as CAA record validation (edit: of CAA extensions) is not mandatory yet. But by March 2027 all the CAs a supposed to have support.

Sprinkle some DNSSEC on the CAA record too, if you'd like.
8organicbits
·2 mesi fa·discuss
Cloudflare origin CA is a private CA, so the CABF doesn't apply.
8organicbits
·2 mesi fa·discuss
If the goal is to review every citation fully with 100% accuracy, then, sure, exhaustive human review is needed. But I suspect human review of a random sample would add value, catching some fraud, missing others, but having zero false positives (or as close to zero as human review can get).

An LLM could replace the random sampling. It doesn't need to be particularly good for the approach to provide value. I would worry about LLM bias though.

Another thing to consider is that readers can detect fake citations after publication, report to arXiv, and the author gets banned.
8organicbits
·2 mesi fa·discuss
How much utilization do you have? For low scale, it's hard to beat GitHub Actions as they offer free runners for public repos and include a bunch of free hours for private repos.

Once you start paying for it, GitHub Actions runners are very expensive. I've used both Jenkins and GitLab before to self-host CI/CD, and you save so much using on-demand (or at higher scale, reserved) cloud instances. I do freelance DevOps work and I've helped clients with these sorts of challenges.
8organicbits
·2 mesi fa·discuss
Good idea, I added a list to the indieweb wiki: https://indieweb.org/indieweb_directory#Directories_of_direc...

I've added three :)