HackerTrans
TopNewTrendsCommentsPastAskShowJobs

8organicbits

7,137 karmajoined 6 лет назад
Hello!

https://alexsci.com/blog/

https://indieweb.social/@robalex

Feel free to reach out on email if our interests align: robert [at] robalexdev (dot) com

Statements are my own and do not represent the positions or opinions of my employer/client.

Submissions

Assess the security of email communication between providers

mecsa.jrc.ec.europa.eu
2 points·by 8organicbits·25 дней назад·0 comments

The Shift in Peering Threatening the Internet's Foundations

internetsociety.org
10 points·by 8organicbits·в прошлом месяце·0 comments

Virtual Precision Clock

mitxela.com
2 points·by 8organicbits·в прошлом месяце·0 comments

Acme CAA Extensions to Become Mandatory

feistyduck.com
3 points·by 8organicbits·в прошлом месяце·0 comments

Authoritative DNS over encrypted transport at OARC 45

blog.apnic.net
2 points·by 8organicbits·2 месяца назад·1 comments

A "Photonic" Guitar

dallasnews.com
1 points·by 8organicbits·2 месяца назад·0 comments

SDLC is a power tool, not a compliance document

blog.robbowley.net
3 points·by 8organicbits·2 месяца назад·1 comments

[untitled]

1 points·by 8organicbits·2 месяца назад·0 comments

GitHub Action Runner Alternatives

binhong.me
1 points·by 8organicbits·2 месяца назад·0 comments

DigiCert: Misissued Code Signing Certificates

bugzilla.mozilla.org
1 points·by 8organicbits·2 месяца назад·0 comments

Mousetrapped

mousetrappedcomic.blog
3 points·by 8organicbits·2 месяца назад·2 comments

A Sum of Errors

lyonhe.art
3 points·by 8organicbits·2 месяца назад·1 comments

Netlify Database is now available

netlify.com
1 points·by 8organicbits·2 месяца назад·0 comments

Forge: CLI for Multiple Git Forges

nesbitt.io
4 points·by 8organicbits·3 месяца назад·0 comments

Strengthening your network security with APNIC's products and tools

blog.apnic.net
1 points·by 8organicbits·3 месяца назад·0 comments

Installing a Let's Encrypt TLS certificate on a Brother printer with Certbot

owltec.ca
246 points·by 8organicbits·4 месяца назад·53 comments

Text-scale should be the default

lkhrs.com
3 points·by 8organicbits·4 месяца назад·0 comments

RSS Creator on Bluesky and at Proto

zeldman.com
4 points·by 8organicbits·4 месяца назад·0 comments

Email Providers of Dutch Municipalities

mxmap.nl
2 points·by 8organicbits·4 месяца назад·0 comments

I haven't thought about software patents in a long time

alexschroeder.ch
3 points·by 8organicbits·4 месяца назад·0 comments

comments

8organicbits
·позавчера·discuss
Forgejo is mention in the article, it powers Codeberg. I agree it doesn't have high adoption, but the news is that it is growing.
8organicbits
·6 дней назад·discuss
I may complain that I don't like the way a sleezy con man talks, and I may be able to detect his communication patterns, but that doesn't mean I want the con man to speak in a different way I can't detect as sleezy. I don't want to talk to the con man.

Obfuscating LLM output to trick the reader into thinking it wasn't LLM output is not respectful.
8organicbits
·6 дней назад·discuss
> respecting the reader

When people say LLM slop is disrespecting the reader, I don't think they are complaining about style.
8organicbits
·12 дней назад·discuss
I'm seeing a ton of restricted mode escapes documented online, like https://0xffsec.com/handbook/shells/restricted-shells/ so I'm not so sure. When basic utilities like less, man, and awk can run subshells it's quite a mess.

Bash restricted mode needing a chroot may suggest that Claude also needs a chroot (or restricted file permissions, jail, etc).
8organicbits
·13 дней назад·discuss
Does that work? I've never seen it used. It seems easy to escape.

The docs seem to suggest using alternate approaches.

> Modern systems provide more secure ways to implement a restricted environment, such as jails, zones, or containers.

https://www.gnu.org/software/bash/manual/html_node/The-Restr...
8organicbits
·28 дней назад·discuss
Cool tool, I'm also surprised by how different the startup stacks are from the general Internet.

For HSTS, don't forget to check the preload list. Domains under .dev are all preloaded, for example, so they don't need to set the header for HSTS to apply.
8organicbits
·в прошлом месяце·discuss
> How can you check other people's certs?

There are red flags you can look for, but you need to confirm with the domain owner to be sure. CAA records can tell you what CAs are supposed to issue a certificate. Many companies always use the same CA, so a change to a different one could be suspect.

For the wiretapping scenario, domain verified certificates do not protect against that scenario. If the wiretap has full control of your server's network, then it can issue a certificate of its own. No need to compromise a CA.
8organicbits
·в прошлом месяце·discuss
Is there a detection component here too? Sandboxing development is great, but the next step is to deploy to production. How do you know if something malicious happened in the sandbox, such that you don't deploy the malware further?
8organicbits
·в прошлом месяце·discuss
> money will shift to those funds that do better

I'm not disagreeing that people invest this way, but I'd like to point out that past performance does not imply future performance, and that investors should consider factors other than just past returns.
8organicbits
·в прошлом месяце·discuss
Of course plugins that do this already exist. Save your tokens.
8organicbits
·в прошлом месяце·discuss
They probably meant it hyperbolically, but RSS was on a downward slope during that period. The recent uptick is fascinating.

https://trends.google.com/explore?q=%2Fm%2F0n5tx&date=all&ge...
8organicbits
·в прошлом месяце·discuss
Anyone know the best practices for keeping AI crawlers off your RSS feeds? I know robots.txt works for the well-behaved bots. Other tools like interstitial captchas don't as the feed readers break if you send them anything but XML.

Putting just the post intro in the feed and linking to the website feels like a safer approach, assume you have bot protections on the website, but that's a poor experience for people who want to read in their feed reader.
8organicbits
·в прошлом месяце·discuss
These approaches are obviously great if your goal is to force marketing down people's throats, but it kills the integrity of the platform.

I don't get why people would continue using Google search (other than familiarity/momentum). As a site owner I'm questioning whether I even want to be indexed by Google.
8organicbits
·в прошлом месяце·discuss
If someone enters a username that doesn't exist in the system then you randomly prompt for password or alternate method, so it looks like an account may exist.

Username enumeration isn't usually considered a vulnerability, but it does make other attacks, like credential stuffing, easier. I.E. you can focus attack resources on usernames that have active accounts.

It's very low on my list of concerns though, usually there's much worse problems when I pentest.
8organicbits
·в прошлом месяце·discuss
I have it partially right. The extensions are not yet mandatory.

https://www.feistyduck.com/newsletter/issue_137_acme_caa__ex...
8organicbits
·в прошлом месяце·discuss
One suggestion for anyone concerned about this weakness. You can use the CAA record to pin the domain to a specific certificate authority, issuance method, and account. This is imperfect, as CAA record validation (edit: of CAA extensions) is not mandatory yet. But by March 2027 all the CAs a supposed to have support.

Sprinkle some DNSSEC on the CAA record too, if you'd like.
8organicbits
·2 месяца назад·discuss
Cloudflare origin CA is a private CA, so the CABF doesn't apply.
8organicbits
·2 месяца назад·discuss
If the goal is to review every citation fully with 100% accuracy, then, sure, exhaustive human review is needed. But I suspect human review of a random sample would add value, catching some fraud, missing others, but having zero false positives (or as close to zero as human review can get).

An LLM could replace the random sampling. It doesn't need to be particularly good for the approach to provide value. I would worry about LLM bias though.

Another thing to consider is that readers can detect fake citations after publication, report to arXiv, and the author gets banned.
8organicbits
·2 месяца назад·discuss
How much utilization do you have? For low scale, it's hard to beat GitHub Actions as they offer free runners for public repos and include a bunch of free hours for private repos.

Once you start paying for it, GitHub Actions runners are very expensive. I've used both Jenkins and GitLab before to self-host CI/CD, and you save so much using on-demand (or at higher scale, reserved) cloud instances. I do freelance DevOps work and I've helped clients with these sorts of challenges.
8organicbits
·2 месяца назад·discuss
Good idea, I added a list to the indieweb wiki: https://indieweb.org/indieweb_directory#Directories_of_direc...

I've added three :)