Hacker News: 8organicbits

New comment by 8organicbits in "The Website Specification"

8organicbits — Sun, 31 May 2026 16:14:15 +0000

If someone enters a username that doesn't exist in the system then you randomly prompt for password or alternate method, so it looks like an account may exist.

Username enumeration isn't usually considered a vulnerability, but it does make other attacks, like credential stuffing, easier. I.E. you can focus attack resources on usernames that have active accounts.

It's very low on my list of concerns though, usually there's much worse problems when I pentest.

New comment by 8organicbits in "Parallel Reconstruction of Lawful TLS Wiretapping"

8organicbits — Sun, 31 May 2026 00:12:36 +0000

I have it partially right. The extensions are not yet mandatory.

https://www.feistyduck.com/newsletter/issue_137_acme_caa__ex...

New comment by 8organicbits in "Parallel Reconstruction of Lawful TLS Wiretapping"

8organicbits — Sat, 30 May 2026 23:16:59 +0000

One suggestion for anyone concerned about this weakness. You can use the CAA record to pin the domain to a specific certificate authority, issuance method, and account. This is imperfect, as CAA record validation (edit: of CAA extensions) is not mandatory yet. But by March 2027 all the CAs a supposed to have support.

Sprinkle some DNSSEC on the CAA record too, if you'd like.

Acme CAA Extensions to Become Mandatory

8organicbits — Fri, 29 May 2026 00:07:09 +0000

Article URL: https://www.feistyduck.com/newsletter/issue_137_acme_caa__extensions_to_become_mandatory

Comments URL: https://news.ycombinator.com/item?id=48317275

Points: 3

# Comments: 0

New comment by 8organicbits in "You can issue a 15-year SSL certificate today. Why almost nobody does"

8organicbits — Sat, 23 May 2026 02:26:20 +0000

Cloudflare origin CA is a private CA, so the CABF doesn't apply.

Authoritative DNS over encrypted transport at OARC 45

8organicbits — Sat, 23 May 2026 02:12:25 +0000

Article URL: https://blog.apnic.net/2026/05/20/authoritative-dns-over-encrypted-transport-at-oarc-45/

Comments URL: https://news.ycombinator.com/item?id=48243876

Points: 2

# Comments: 1

A "Photonic" Guitar

8organicbits — Sun, 17 May 2026 20:27:06 +0000

Article URL: https://www.dallasnews.com/arts-entertainment/visual-arts/2025/08/01/science-or-art-this-former-ut-dallas-physicists-work-blurs-the-line/

Comments URL: https://news.ycombinator.com/item?id=48172914

Points: 1

# Comments: 0

New comment by 8organicbits in "New arXiv policy: 1-year ban for hallucinated references"

8organicbits — Fri, 15 May 2026 12:08:09 +0000

If the goal is to review every citation fully with 100% accuracy, then, sure, exhaustive human review is needed. But I suspect human review of a random sample would add value, catching some fraud, missing others, but having zero false positives (or as close to zero as human review can get).

An LLM could replace the random sampling. It doesn't need to be particularly good for the approach to provide value. I would worry about LLM bias though.

Another thing to consider is that readers can detect fake citations after publication, report to arXiv, and the author gets banned.

New comment by 8organicbits in "Leaving GitHub for Forgejo"

8organicbits — Wed, 13 May 2026 15:25:41 +0000

How much utilization do you have? For low scale, it's hard to beat GitHub Actions as they offer free runners for public repos and include a bunch of free hours for private repos.

Once you start paying for it, GitHub Actions runners are very expensive. I've used both Jenkins and GitLab before to self-host CI/CD, and you save so much using on-demand (or at higher scale, reserved) cloud instances. I do freelance DevOps work and I've helped clients with these sorts of challenges.

New comment by 8organicbits in "Show HN: An index of indie web/blog indexes"

8organicbits — Mon, 11 May 2026 00:52:05 +0000

Good idea, I added a list to the indieweb wiki: https://indieweb.org/indieweb_directory#Directories_of_direc...

I've added three :)

New comment by 8organicbits in "Show HN: An index of indie web/blog indexes"

8organicbits — Mon, 11 May 2026 00:33:04 +0000

Another index-of-indexes is https://brisray.com/web/webring-list.htm, which tracks 648 webrings!

And https://brisray.com/web/indiedirs.htm, which has some other great indieweb indexes

New comment by 8organicbits in "Show HN: An index of indie web/blog indexes"

8organicbits — Sun, 10 May 2026 23:40:38 +0000

I maintain a similar index-of-indexes but it's intentionally non-curated, restricted to indexes that use the OPML format, and uses autodiscovery to expand the list. The site needs some work, but it's up to 356 indexes.

https://blogroll-network.alexsci.com/blogrolls/

I'd recommend looking at anything with "planet" in the name, there are a bunch of tech communities that manage community feeds and they are high quality. There are also a ton of personal blogroll recommendations via micro.blog too.

New comment by 8organicbits in "AWS North Virginia data center outage – recovery to take hours"

8organicbits — Sat, 09 May 2026 01:00:30 +0000

One of the SRE tricks is to reserve your capacity so when the cloud runs out of capacity you're still covered. It's expensive, but you don't want to get stuck without a server when the on-demand dries up.

New comment by 8organicbits in "Ask HN: We just had an actual UUID v4 collision..."

8organicbits — Fri, 08 May 2026 20:55:13 +0000

I wrote about real world collisions, including that particular library last year (https://alexsci.com/blog/uuid-oops/).

There are a bunch of constraints that must be strictly held for UUIDs to be collision resistant, I'd guess there is a problem with your random number generator.

SDLC is a power tool, not a compliance document

8organicbits — Fri, 08 May 2026 02:27:38 +0000

Article URL: https://blog.robbowley.net/2026/05/07/your-sdlc-is-a-power-tool-not-a-compliance-document/

Comments URL: https://news.ycombinator.com/item?id=48057762

Points: 3

# Comments: 1

New comment by 8organicbits in "DNSSEC disruption affecting .de domains – Resolved"

8organicbits — Wed, 06 May 2026 00:05:42 +0000

There's a good index of major DNSSEC outages here, https://ianix.com/pub/dnssec-outages.html

GitHub Action Runner Alternatives

8organicbits — Tue, 05 May 2026 17:55:35 +0000

Article URL: https://binhong.me/blog/github-action-runner-alternatives/

Comments URL: https://news.ycombinator.com/item?id=48026072

Points: 1

# Comments: 0

New comment by 8organicbits in "Incident with Actions – Resolved"

8organicbits — Tue, 05 May 2026 17:53:14 +0000

One challenge is that they have a ton of usage under their free tier, especially by free and open source projects which have near zero budgets. Its an artificial economy of projects that cannot pay for their own usage.

Another challenge is that the GitHub Actions paid tier is already very expensive, the quality of service is poor, and they have major security challenges. They could load shed by raising prices, driving customers to other platforms, but they already charge 10x what others charge (https://runs-on.com/pricing/#runner-pricing, https://www.ubicloud.com/docs/about/pricing). Anyone using GitHub Actions at scale would be somewhat price insensitive already.

New comment by 8organicbits in "Incident with Actions"

8organicbits — Tue, 05 May 2026 16:26:25 +0000

I'm a DevOps freelancer and I've moved projects off GitHub Actions in prior years (cost and security driven). Everyone uses GitHub a little differently, so there isn't a single migration path. It seems like all parts of GitHub are on fire now, but I'd generally recommend moving in stages.

For my personal work I did a hard cutover to GitLab last month. The issues import is the most complex part as the default import messes up issue authors.

New comment by 8organicbits in "It's official: Utah is the U.S. state closest to banning VPNs"

8organicbits — Tue, 05 May 2026 15:48:38 +0000

> 'ba*s'

Is this balls? You can curse here.