HackerTrans
TopNewTrendsCommentsPastAskShowJobs

shawn

no profile record

comments

shawn
·8 ปีที่แล้ว·discuss
Socially. HN might be relevant in a hundred years, or it might not. And if it isn’t, who will be? Why?

It’s tantalizing to think it’s possible to make that site right now.
shawn
·8 ปีที่แล้ว·discuss
I’ve been thinking how to make an HN killer for several years. (I’m not sure why — I love this place — but I also love a good challenge.)

The key might be to out-compete HN in Show HNs. It’s difficult to get your own projects onto the front page, and once there, most people tend to focus on business aspects rather than raw hacker / tinkerer aspects.

If you mix in some intellectually gratifying stories to fill the downtime, then you’d end up catching the interest of makers. And that seems like a recipe for a competitor.
shawn
·8 ปีที่แล้ว·discuss
Sorry, 2AM. You're right of course.

I think the real message is that this is a new class of timing attack, and that it should be treated as such. E.g. curl itself needs to be updated to buffer its own output.
shawn
·8 ปีที่แล้ว·discuss
That's mistaken because:

  bash -c "`echo echo hi`"
note that `echo echo hi` is fully read, and then (and only then) passed to bash.

ditto for

  echo -c "`curl <your url>`"
The curl command isn't detectable as an evaluation because it's fully spliced into the string, then sent to bash. It's easy to imagine setting up a `curl <url> | sponge | bash` middleman, too.

It is impossible in general to know what the downstream user is going to do with the bytes you send. Even bash happens not to cache its input. But technically it could -- it would be entirely valid for bash to read in a buffered mode which waits for EOF before interpreting.