HackerTrans
TopNewTrendsCommentsPastAskShowJobs

apgwoz

7,297 karmajoined 19 yıl önce
Personal: - http://sigusr2.net/ - My topcolor is #ccff66

Email: - [email protected]

Elsewhere: - https://github.com/apg

[ my public key: https://keybase.io/apg; my proof: https://keybase.io/apg/sigs/FVP39qxp7ptdAG2Nfeigd5-mN2nceMwWnPl2-EIhP4I ]

comments

apgwoz
·16 gün önce·discuss
16MB requirement! I wish all stuff was lightweight, like this! We’ve lost our way…
apgwoz
·16 gün önce·discuss
So sad. :(

Om was off my radar for the last 10 years or so, and then I recently encountered an article he wrote (https://om.co/2023/02/05/why-modern-leica-m-is-a-great-lands...) about his adoption of Leica M cameras. He had a wonderful eye: https://www.photosbyom.com/
apgwoz
·2 ay önce·discuss
How many layoffs does a company have to do before realizing it’s in their best interest to start asking other companies to take the employees they don’t want to employ anymore?

Also, 75% placement seems wildly successful. Why isn’t Cisco also a head hunting firm?!
apgwoz
·3 ay önce·discuss
It’s absolute baseline, but yes, it relies entirely on the platform’s permissions model, the administrator who assigns permissions, and the application authors to not create vectors for env var dumps. :)

But honestly, if you’re in the container, and the application running in the container can get secrets, so can a shell user.

_Maybe_ there’s a model where the platform exposes a Unix domain socket and checks the PID, user, group of the connection, and delivers secrets that way? This has its problems, too, like it being non-standard, only possible in some scenarios and otherwise fallible… but better than nothing? If you reap the container when that process dies, you can’t race for the same PID, at least. I dunno
apgwoz
·3 ay önce·discuss
The Ed Zitron rant will be phenomenal.
apgwoz
·3 ay önce·discuss
Ah. The article has since been updated to point out that it’s not plaintext, but encrypted at rest (which would be expected). OK.
apgwoz
·3 ay önce·discuss
You’re thinking too much. When you run the app, the system decrypts the secrets and makes them available as env vars (or some other mechanism).

In an admin ui, you list the names of secrets only, and provide a “reveal” or a “replace” on each one. They are never decrypted unless explicitly asked for.

Is this perfect? Absolutely not. The key is controlled by the company, but it can be derived in a manner that doesn’t allow for the dump of everything if it’s leaked.
apgwoz
·3 ay önce·discuss
Not at all. I was simply making a joke on the parallel exploration of states.
apgwoz
·3 ay önce·discuss
You pretty much have to assume someone is going to put sensitive data in an input like this. Encryption by default is the only sensible choice.
apgwoz
·3 ay önce·discuss
Yeah, but… what if?
apgwoz
·3 ay önce·discuss
And his successor John Turnip.
apgwoz
·3 ay önce·discuss
Yes! I’ve been trying (and failing!) to get people to understand this. Build the high leverage tools while the tokens are cheap. Unfortunately, I haven’t figured out the right set of high leverage tools. :)
apgwoz
·3 ay önce·discuss
As another data point, I pay for Pro for a personal account, and use no skills, do nothing fancy, use the default settings, and am out of tokens, with one terminal, after an hour. This is typically working on a < 5,000 line code base, sometimes in C, sometimes in Go. Not doing incredibly complicated things.
apgwoz
·3 ay önce·discuss
It takes longer, but a spade is better than bare hands. The goal is to speed up finding valid vulnerabilities, and be faster than humans can do it.
apgwoz
·3 ay önce·discuss
I use the models to look for vulnerabilities all the time. I find stuff often. Have I tried to do build a new harness, or develop more sophisticated techniques? No. I suspect there are some spending lots of tokens developing more sophisticated strategies, in the same way software engineers are seeking magical one-shot harnesses.
apgwoz
·3 ay önce·discuss
Why? They claim this small model found a bug given some context. I assume the context wasn’t “hey! There’s a very specific type of bug sitting in this function when certain conditions are met.”

We keep assuming that the models need to get bigger and better, and the reality is we’ve not exhausted the ways in which to use the smaller models. It’s like the Playstation 2 games that came out 10 years later. Well now all the tricks were found, and everything improved.
apgwoz
·3 ay önce·discuss
The benefit here is reducing the time to find vulnerabilities; faster than humans, right? So if you can rig a harness for each function in the system, by first finding where it’s used, its expected input, etc, and doing that for all functions, does it discover vulnerabilities faster than humans?

Doesn’t matter that they isolated one thing. It matters that the context they provided was discoverable by the model.
apgwoz
·3 ay önce·discuss
There’s no doubt that stuff is print making. My point is that there are multiple ways of doing (within each of these): relief, Intaglio, lithography, screen printing, offset.

So if you say, “I’m a print maker,” it describes basically nothing. :)

This is just a general statement, not directed at you. Sorry it felt that way.
apgwoz
·3 ay önce·discuss
I like your stuff! I’ve been coveting a plotter for a while, but I’m pretty sure it won’t get used enough to justify the expense. :/

I do find the term “printmaking” hilarious because there’s just sooo many ways to make prints. I tried to get into linocut fairly recently, but the battleship grey linoleum I had wasn’t very good. It cracked and crumbled pretty easily. I did get some of pink Speedball “blocks,” but it gets expensive pretty quickly. I guess more to the point is the feeling that I lack much to say. But, that’s an excuse. :)
apgwoz
·3 ay önce·discuss
You _can_ do trampolines, but that is kind of infectious, or needs to be very explicit with extra code, etc.