HackerLangs
TopNewTrendsCommentsPastAskShowJobs

8organicbits

7,137 karmajoined 6 yıl önce
Hello!

https://alexsci.com/blog/

https://indieweb.social/@robalex

Feel free to reach out on email if our interests align: robert [at] robalexdev (dot) com

Statements are my own and do not represent the positions or opinions of my employer/client.

Submissions

Assess the security of email communication between providers

mecsa.jrc.ec.europa.eu
2 points·by 8organicbits·24 gün önce·0 comments

The Shift in Peering Threatening the Internet's Foundations

internetsociety.org
10 points·by 8organicbits·geçen ay·0 comments

Virtual Precision Clock

mitxela.com
2 points·by 8organicbits·geçen ay·0 comments

Acme CAA Extensions to Become Mandatory

feistyduck.com
3 points·by 8organicbits·geçen ay·0 comments

Authoritative DNS over encrypted transport at OARC 45

blog.apnic.net
2 points·by 8organicbits·2 ay önce·1 comments

A "Photonic" Guitar

dallasnews.com
1 points·by 8organicbits·2 ay önce·0 comments

SDLC is a power tool, not a compliance document

blog.robbowley.net
3 points·by 8organicbits·2 ay önce·1 comments

[untitled]

1 points·by 8organicbits·2 ay önce·0 comments

GitHub Action Runner Alternatives

binhong.me
1 points·by 8organicbits·2 ay önce·0 comments

DigiCert: Misissued Code Signing Certificates

bugzilla.mozilla.org
1 points·by 8organicbits·2 ay önce·0 comments

Mousetrapped

mousetrappedcomic.blog
3 points·by 8organicbits·2 ay önce·2 comments

A Sum of Errors

lyonhe.art
3 points·by 8organicbits·2 ay önce·1 comments

Netlify Database is now available

netlify.com
1 points·by 8organicbits·2 ay önce·0 comments

Forge: CLI for Multiple Git Forges

nesbitt.io
4 points·by 8organicbits·3 ay önce·0 comments

Strengthening your network security with APNIC's products and tools

blog.apnic.net
1 points·by 8organicbits·3 ay önce·0 comments

Installing a Let's Encrypt TLS certificate on a Brother printer with Certbot

owltec.ca
246 points·by 8organicbits·4 ay önce·53 comments

Text-scale should be the default

lkhrs.com
3 points·by 8organicbits·4 ay önce·0 comments

RSS Creator on Bluesky and at Proto

zeldman.com
4 points·by 8organicbits·4 ay önce·0 comments

Email Providers of Dutch Municipalities

mxmap.nl
2 points·by 8organicbits·4 ay önce·0 comments

I haven't thought about software patents in a long time

alexschroeder.ch
3 points·by 8organicbits·4 ay önce·0 comments

comments

8organicbits
·evvelsi gün·discuss
Forgejo is mention in the article, it powers Codeberg. I agree it doesn't have high adoption, but the news is that it is growing.
8organicbits
·5 gün önce·discuss
I may complain that I don't like the way a sleezy con man talks, and I may be able to detect his communication patterns, but that doesn't mean I want the con man to speak in a different way I can't detect as sleezy. I don't want to talk to the con man.

Obfuscating LLM output to trick the reader into thinking it wasn't LLM output is not respectful.
8organicbits
·6 gün önce·discuss
> respecting the reader

When people say LLM slop is disrespecting the reader, I don't think they are complaining about style.
8organicbits
·12 gün önce·discuss
I'm seeing a ton of restricted mode escapes documented online, like https://0xffsec.com/handbook/shells/restricted-shells/ so I'm not so sure. When basic utilities like less, man, and awk can run subshells it's quite a mess.

Bash restricted mode needing a chroot may suggest that Claude also needs a chroot (or restricted file permissions, jail, etc).
8organicbits
·13 gün önce·discuss
Does that work? I've never seen it used. It seems easy to escape.

The docs seem to suggest using alternate approaches.

> Modern systems provide more secure ways to implement a restricted environment, such as jails, zones, or containers.

https://www.gnu.org/software/bash/manual/html_node/The-Restr...
8organicbits
·28 gün önce·discuss
Cool tool, I'm also surprised by how different the startup stacks are from the general Internet.

For HSTS, don't forget to check the preload list. Domains under .dev are all preloaded, for example, so they don't need to set the header for HSTS to apply.
8organicbits
·geçen ay·discuss
> How can you check other people's certs?

There are red flags you can look for, but you need to confirm with the domain owner to be sure. CAA records can tell you what CAs are supposed to issue a certificate. Many companies always use the same CA, so a change to a different one could be suspect.

For the wiretapping scenario, domain verified certificates do not protect against that scenario. If the wiretap has full control of your server's network, then it can issue a certificate of its own. No need to compromise a CA.
8organicbits
·geçen ay·discuss
Is there a detection component here too? Sandboxing development is great, but the next step is to deploy to production. How do you know if something malicious happened in the sandbox, such that you don't deploy the malware further?
8organicbits
·geçen ay·discuss
> money will shift to those funds that do better

I'm not disagreeing that people invest this way, but I'd like to point out that past performance does not imply future performance, and that investors should consider factors other than just past returns.
8organicbits
·geçen ay·discuss
Of course plugins that do this already exist. Save your tokens.
8organicbits
·geçen ay·discuss
They probably meant it hyperbolically, but RSS was on a downward slope during that period. The recent uptick is fascinating.

https://trends.google.com/explore?q=%2Fm%2F0n5tx&date=all&ge...
8organicbits
·geçen ay·discuss
Anyone know the best practices for keeping AI crawlers off your RSS feeds? I know robots.txt works for the well-behaved bots. Other tools like interstitial captchas don't as the feed readers break if you send them anything but XML.

Putting just the post intro in the feed and linking to the website feels like a safer approach, assume you have bot protections on the website, but that's a poor experience for people who want to read in their feed reader.
8organicbits
·geçen ay·discuss
These approaches are obviously great if your goal is to force marketing down people's throats, but it kills the integrity of the platform.

I don't get why people would continue using Google search (other than familiarity/momentum). As a site owner I'm questioning whether I even want to be indexed by Google.
8organicbits
·geçen ay·discuss
If someone enters a username that doesn't exist in the system then you randomly prompt for password or alternate method, so it looks like an account may exist.

Username enumeration isn't usually considered a vulnerability, but it does make other attacks, like credential stuffing, easier. I.E. you can focus attack resources on usernames that have active accounts.

It's very low on my list of concerns though, usually there's much worse problems when I pentest.
8organicbits
·geçen ay·discuss
I have it partially right. The extensions are not yet mandatory.

https://www.feistyduck.com/newsletter/issue_137_acme_caa__ex...
8organicbits
·geçen ay·discuss
One suggestion for anyone concerned about this weakness. You can use the CAA record to pin the domain to a specific certificate authority, issuance method, and account. This is imperfect, as CAA record validation (edit: of CAA extensions) is not mandatory yet. But by March 2027 all the CAs a supposed to have support.

Sprinkle some DNSSEC on the CAA record too, if you'd like.
8organicbits
·2 ay önce·discuss
Cloudflare origin CA is a private CA, so the CABF doesn't apply.
8organicbits
·2 ay önce·discuss
If the goal is to review every citation fully with 100% accuracy, then, sure, exhaustive human review is needed. But I suspect human review of a random sample would add value, catching some fraud, missing others, but having zero false positives (or as close to zero as human review can get).

An LLM could replace the random sampling. It doesn't need to be particularly good for the approach to provide value. I would worry about LLM bias though.

Another thing to consider is that readers can detect fake citations after publication, report to arXiv, and the author gets banned.
8organicbits
·2 ay önce·discuss
How much utilization do you have? For low scale, it's hard to beat GitHub Actions as they offer free runners for public repos and include a bunch of free hours for private repos.

Once you start paying for it, GitHub Actions runners are very expensive. I've used both Jenkins and GitLab before to self-host CI/CD, and you save so much using on-demand (or at higher scale, reserved) cloud instances. I do freelance DevOps work and I've helped clients with these sorts of challenges.
8organicbits
·2 ay önce·discuss
Good idea, I added a list to the indieweb wiki: https://indieweb.org/indieweb_directory#Directories_of_direc...

I've added three :)