HackerLangs
TopNewTrendsCommentsPastAskShowJobs

8organicbits

7,137 karmajoined 6 năm trước
Hello!

https://alexsci.com/blog/

https://indieweb.social/@robalex

Feel free to reach out on email if our interests align: robert [at] robalexdev (dot) com

Statements are my own and do not represent the positions or opinions of my employer/client.

Submissions

Assess the security of email communication between providers

mecsa.jrc.ec.europa.eu
2 points·by 8organicbits·24 ngày trước·0 comments

The Shift in Peering Threatening the Internet's Foundations

internetsociety.org
10 points·by 8organicbits·tháng trước·0 comments

Virtual Precision Clock

mitxela.com
2 points·by 8organicbits·tháng trước·0 comments

Acme CAA Extensions to Become Mandatory

feistyduck.com
3 points·by 8organicbits·tháng trước·0 comments

Authoritative DNS over encrypted transport at OARC 45

blog.apnic.net
2 points·by 8organicbits·2 tháng trước·1 comments

A "Photonic" Guitar

dallasnews.com
1 points·by 8organicbits·2 tháng trước·0 comments

SDLC is a power tool, not a compliance document

blog.robbowley.net
3 points·by 8organicbits·2 tháng trước·1 comments

[untitled]

1 points·by 8organicbits·2 tháng trước·0 comments

GitHub Action Runner Alternatives

binhong.me
1 points·by 8organicbits·2 tháng trước·0 comments

DigiCert: Misissued Code Signing Certificates

bugzilla.mozilla.org
1 points·by 8organicbits·2 tháng trước·0 comments

Mousetrapped

mousetrappedcomic.blog
3 points·by 8organicbits·2 tháng trước·2 comments

A Sum of Errors

lyonhe.art
3 points·by 8organicbits·2 tháng trước·1 comments

Netlify Database is now available

netlify.com
1 points·by 8organicbits·2 tháng trước·0 comments

Forge: CLI for Multiple Git Forges

nesbitt.io
4 points·by 8organicbits·3 tháng trước·0 comments

Strengthening your network security with APNIC's products and tools

blog.apnic.net
1 points·by 8organicbits·3 tháng trước·0 comments

Installing a Let's Encrypt TLS certificate on a Brother printer with Certbot

owltec.ca
246 points·by 8organicbits·4 tháng trước·53 comments

Text-scale should be the default

lkhrs.com
3 points·by 8organicbits·4 tháng trước·0 comments

RSS Creator on Bluesky and at Proto

zeldman.com
4 points·by 8organicbits·4 tháng trước·0 comments

Email Providers of Dutch Municipalities

mxmap.nl
2 points·by 8organicbits·4 tháng trước·0 comments

I haven't thought about software patents in a long time

alexschroeder.ch
3 points·by 8organicbits·4 tháng trước·0 comments

comments

8organicbits
·Hôm kia·discuss
Forgejo is mention in the article, it powers Codeberg. I agree it doesn't have high adoption, but the news is that it is growing.
8organicbits
·5 ngày trước·discuss
I may complain that I don't like the way a sleezy con man talks, and I may be able to detect his communication patterns, but that doesn't mean I want the con man to speak in a different way I can't detect as sleezy. I don't want to talk to the con man.

Obfuscating LLM output to trick the reader into thinking it wasn't LLM output is not respectful.
8organicbits
·6 ngày trước·discuss
> respecting the reader

When people say LLM slop is disrespecting the reader, I don't think they are complaining about style.
8organicbits
·12 ngày trước·discuss
I'm seeing a ton of restricted mode escapes documented online, like https://0xffsec.com/handbook/shells/restricted-shells/ so I'm not so sure. When basic utilities like less, man, and awk can run subshells it's quite a mess.

Bash restricted mode needing a chroot may suggest that Claude also needs a chroot (or restricted file permissions, jail, etc).
8organicbits
·13 ngày trước·discuss
Does that work? I've never seen it used. It seems easy to escape.

The docs seem to suggest using alternate approaches.

> Modern systems provide more secure ways to implement a restricted environment, such as jails, zones, or containers.

https://www.gnu.org/software/bash/manual/html_node/The-Restr...
8organicbits
·28 ngày trước·discuss
Cool tool, I'm also surprised by how different the startup stacks are from the general Internet.

For HSTS, don't forget to check the preload list. Domains under .dev are all preloaded, for example, so they don't need to set the header for HSTS to apply.
8organicbits
·tháng trước·discuss
> How can you check other people's certs?

There are red flags you can look for, but you need to confirm with the domain owner to be sure. CAA records can tell you what CAs are supposed to issue a certificate. Many companies always use the same CA, so a change to a different one could be suspect.

For the wiretapping scenario, domain verified certificates do not protect against that scenario. If the wiretap has full control of your server's network, then it can issue a certificate of its own. No need to compromise a CA.
8organicbits
·tháng trước·discuss
Is there a detection component here too? Sandboxing development is great, but the next step is to deploy to production. How do you know if something malicious happened in the sandbox, such that you don't deploy the malware further?
8organicbits
·tháng trước·discuss
> money will shift to those funds that do better

I'm not disagreeing that people invest this way, but I'd like to point out that past performance does not imply future performance, and that investors should consider factors other than just past returns.
8organicbits
·tháng trước·discuss
Of course plugins that do this already exist. Save your tokens.
8organicbits
·tháng trước·discuss
They probably meant it hyperbolically, but RSS was on a downward slope during that period. The recent uptick is fascinating.

https://trends.google.com/explore?q=%2Fm%2F0n5tx&date=all&ge...
8organicbits
·tháng trước·discuss
Anyone know the best practices for keeping AI crawlers off your RSS feeds? I know robots.txt works for the well-behaved bots. Other tools like interstitial captchas don't as the feed readers break if you send them anything but XML.

Putting just the post intro in the feed and linking to the website feels like a safer approach, assume you have bot protections on the website, but that's a poor experience for people who want to read in their feed reader.
8organicbits
·tháng trước·discuss
These approaches are obviously great if your goal is to force marketing down people's throats, but it kills the integrity of the platform.

I don't get why people would continue using Google search (other than familiarity/momentum). As a site owner I'm questioning whether I even want to be indexed by Google.
8organicbits
·tháng trước·discuss
If someone enters a username that doesn't exist in the system then you randomly prompt for password or alternate method, so it looks like an account may exist.

Username enumeration isn't usually considered a vulnerability, but it does make other attacks, like credential stuffing, easier. I.E. you can focus attack resources on usernames that have active accounts.

It's very low on my list of concerns though, usually there's much worse problems when I pentest.
8organicbits
·tháng trước·discuss
I have it partially right. The extensions are not yet mandatory.

https://www.feistyduck.com/newsletter/issue_137_acme_caa__ex...
8organicbits
·tháng trước·discuss
One suggestion for anyone concerned about this weakness. You can use the CAA record to pin the domain to a specific certificate authority, issuance method, and account. This is imperfect, as CAA record validation (edit: of CAA extensions) is not mandatory yet. But by March 2027 all the CAs a supposed to have support.

Sprinkle some DNSSEC on the CAA record too, if you'd like.
8organicbits
·2 tháng trước·discuss
Cloudflare origin CA is a private CA, so the CABF doesn't apply.
8organicbits
·2 tháng trước·discuss
If the goal is to review every citation fully with 100% accuracy, then, sure, exhaustive human review is needed. But I suspect human review of a random sample would add value, catching some fraud, missing others, but having zero false positives (or as close to zero as human review can get).

An LLM could replace the random sampling. It doesn't need to be particularly good for the approach to provide value. I would worry about LLM bias though.

Another thing to consider is that readers can detect fake citations after publication, report to arXiv, and the author gets banned.
8organicbits
·2 tháng trước·discuss
How much utilization do you have? For low scale, it's hard to beat GitHub Actions as they offer free runners for public repos and include a bunch of free hours for private repos.

Once you start paying for it, GitHub Actions runners are very expensive. I've used both Jenkins and GitLab before to self-host CI/CD, and you save so much using on-demand (or at higher scale, reserved) cloud instances. I do freelance DevOps work and I've helped clients with these sorts of challenges.
8organicbits
·2 tháng trước·discuss
Good idea, I added a list to the indieweb wiki: https://indieweb.org/indieweb_directory#Directories_of_direc...

I've added three :)