<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: Arrowmaster</title><link>https://news.ycombinator.com/user?id=Arrowmaster</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Wed, 10 Jun 2026 02:20:49 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=Arrowmaster" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by Arrowmaster in "Flathub prohibits AI-generated code"]]></title><description><![CDATA[
<p>This has been their policy but now it's more explicitly defined. Go look through the submissions on <a href="https://github.com/flathub/flathub/pulls?q=is%3Apr" rel="nofollow">https://github.com/flathub/flathub/pulls?q=is%3Apr</a> to understand how bad the problem they are dealing with is.</p>
]]></description><pubDate>Fri, 29 May 2026 16:35:22 +0000</pubDate><link>https://news.ycombinator.com/item?id=48325565</link><dc:creator>Arrowmaster</dc:creator><comments>https://news.ycombinator.com/item?id=48325565</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48325565</guid></item><item><title><![CDATA[New comment by Arrowmaster in "Goodbye Visa and Mastercard: 130M Europeans switching to sovereign payment"]]></title><description><![CDATA[
<p>I went back and checked. It was not Plaid but Trustly. I've never heard of either before but Trustly's name makes me want to trust it even less than Plaid. And I'm more concerned about all of my personal information such as my transaction history for the past 90 days being siphoned up by yet another commercial entity that can probably profit more from it than the transaction fee they would have collected.</p>
]]></description><pubDate>Thu, 28 May 2026 01:20:45 +0000</pubDate><link>https://news.ycombinator.com/item?id=48303094</link><dc:creator>Arrowmaster</dc:creator><comments>https://news.ycombinator.com/item?id=48303094</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48303094</guid></item><item><title><![CDATA[New comment by Arrowmaster in "Exit IP VPN servers mitigation rollout"]]></title><description><![CDATA[
<p>That blog post is a perfect example of when RFC5737 should be used.<p><a href="https://datatracker.ietf.org/doc/rfc5737/" rel="nofollow">https://datatracker.ietf.org/doc/rfc5737/</a></p>
]]></description><pubDate>Mon, 25 May 2026 20:48:55 +0000</pubDate><link>https://news.ycombinator.com/item?id=48271506</link><dc:creator>Arrowmaster</dc:creator><comments>https://news.ycombinator.com/item?id=48271506</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48271506</guid></item><item><title><![CDATA[New comment by Arrowmaster in "Goodbye Visa and Mastercard: 130M Europeans switching to sovereign payment"]]></title><description><![CDATA[
<p>Yesterday I was renewing my vehicle registration through my US state's website. They offered a range of payment options using embedded options on the site. The direct bank account option had the lowest fee but when I tried it I was immediately scared of the security. They used a 3rd party bank account transfer provider that asked me what bank I used and looked like it was going to prompt me for my login info before it errored out and I moved on.<p>Why can't the US have sane banking standards instead of this mess where you have to agree to a new 3rd party TOS and EULA for every purchase you want to make?</p>
]]></description><pubDate>Wed, 20 May 2026 15:59:33 +0000</pubDate><link>https://news.ycombinator.com/item?id=48209881</link><dc:creator>Arrowmaster</dc:creator><comments>https://news.ycombinator.com/item?id=48209881</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48209881</guid></item><item><title><![CDATA[New comment by Arrowmaster in "Cisco CPO predicts AI will have built majority of their products by end of 2027"]]></title><description><![CDATA[
<p>What products? Cisco hasn't built a product in decades, they only acquire companies and throw their name in front of the existing product. Do they mean they will only be purchasing AI built products by the end of 2027?</p>
]]></description><pubDate>Tue, 12 May 2026 07:08:09 +0000</pubDate><link>https://news.ycombinator.com/item?id=48105161</link><dc:creator>Arrowmaster</dc:creator><comments>https://news.ycombinator.com/item?id=48105161</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48105161</guid></item><item><title><![CDATA[New comment by Arrowmaster in "Stop MitM on the first SSH connection, on any VPS or cloud provider"]]></title><description><![CDATA[
<p>If they MITMed the console then they have probably MITMed the entire deployment process and now have the one time use key already.</p>
]]></description><pubDate>Mon, 11 May 2026 19:43:00 +0000</pubDate><link>https://news.ycombinator.com/item?id=48099718</link><dc:creator>Arrowmaster</dc:creator><comments>https://news.ycombinator.com/item?id=48099718</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48099718</guid></item><item><title><![CDATA[New comment by Arrowmaster in "Debian must ship reproducible packages"]]></title><description><![CDATA[
<p>What exactly are you talking about? Those don't seem related.</p>
]]></description><pubDate>Sun, 10 May 2026 16:40:39 +0000</pubDate><link>https://news.ycombinator.com/item?id=48085426</link><dc:creator>Arrowmaster</dc:creator><comments>https://news.ycombinator.com/item?id=48085426</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48085426</guid></item><item><title><![CDATA[New comment by Arrowmaster in "Why is IPv6 so complicated?"]]></title><description><![CDATA[
<p>20 some years ago when cable broadband was new, you connected a computer and got a public IP. For this example let's just assume it was a public /24. Back then there was no firewall built into Windows, it didn't ask you if you were connecting to a public or private network.<p>For some ISPs you could connect a switch or hub (they still existed when cable came out, 1gbps switches were expensive) and connect multiple computers and they would all get different public IPs.<p>Back then a lot of network applications like Windows file sharing heavily used the local subnet broadcast IP to announce themselves to other local computers on the network. Yes this meant when you opened up Windows file sharing you might see the share from Dave's computer across town. I don't recall if the hidden always on shares like $c were widely known about at this time.<p>ISPs fixed this by blocking most of the traffic to and from the subnet broadcast address at the modem/headend level but for some time after I could still run a packet capture and see all the ARP packets and some other broadcasts from other modems on my node, but it wasn't enough to be able to interfere with them anymore.</p>
]]></description><pubDate>Sun, 19 Apr 2026 19:27:01 +0000</pubDate><link>https://news.ycombinator.com/item?id=47826902</link><dc:creator>Arrowmaster</dc:creator><comments>https://news.ycombinator.com/item?id=47826902</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47826902</guid></item><item><title><![CDATA[New comment by Arrowmaster in "Keycard – inject API keys into subprocesses, never touch shell env"]]></title><description><![CDATA[
<p>Yes. Every clone of this idea does the same thing and a new one pops up every week. When I try to point out that the secrets should be exposed through file namespaces instead of ENV vars, the amount of hostility is shocking.</p>
]]></description><pubDate>Thu, 16 Apr 2026 19:54:08 +0000</pubDate><link>https://news.ycombinator.com/item?id=47798627</link><dc:creator>Arrowmaster</dc:creator><comments>https://news.ycombinator.com/item?id=47798627</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47798627</guid></item><item><title><![CDATA[New comment by Arrowmaster in "Glassworm is back: A new wave of invisible Unicode attacks hits repositories"]]></title><description><![CDATA[
<p>Honestly I was expecting more. There are many languages that support Unicode in variable or function names and I expected it to be used there.<p>It sounds like Python only allows approved Unicode characters to start a variable name but if it allowed any you could do something like `nonprintable = lambda x: insert exploit code here`. If that was hidden in what looked like a blank line between other additions would you catch it?<p>I'm sure there's some other language out there that has similar syntax and lax Unicode rules this could be used in.<p>The solution is that this and many other Unicode formatting characters should be ignored and converted to a visible indicator in all code views when you expect plain text.</p>
]]></description><pubDate>Mon, 16 Mar 2026 18:06:12 +0000</pubDate><link>https://news.ycombinator.com/item?id=47402542</link><dc:creator>Arrowmaster</dc:creator><comments>https://news.ycombinator.com/item?id=47402542</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47402542</guid></item><item><title><![CDATA[New comment by Arrowmaster in "Bucketsquatting is finally dead"]]></title><description><![CDATA[
<p>You know that QR code is just text you can read, right? It's just an otpauth:// URI you can copy and paste into most password managers.<p>We even have these amazing things that securely share passwords or other secret data between multiple authorized users.<p>Seriously just scan the QR code and put it in any password manager that supports TOTP and it will start outputting codes.</p>
]]></description><pubDate>Sun, 15 Mar 2026 00:49:37 +0000</pubDate><link>https://news.ycombinator.com/item?id=47383049</link><dc:creator>Arrowmaster</dc:creator><comments>https://news.ycombinator.com/item?id=47383049</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47383049</guid></item><item><title><![CDATA[New comment by Arrowmaster in "Scrt: A CLI secret manager for developers, sysadmins and DevOps"]]></title><description><![CDATA[
<p>The latest release was June 2022 and the last non-dependabot commit was March 2023, until new activity 4 days ago using AI. Why should anyone use this?</p>
]]></description><pubDate>Fri, 13 Mar 2026 09:22:39 +0000</pubDate><link>https://news.ycombinator.com/item?id=47362208</link><dc:creator>Arrowmaster</dc:creator><comments>https://news.ycombinator.com/item?id=47362208</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47362208</guid></item><item><title><![CDATA[New comment by Arrowmaster in "Malus – Clean Room as a Service"]]></title><description><![CDATA[
<p>Part of how the USA got that way is, hilariously enough, anti-corruption policies.</p>
]]></description><pubDate>Thu, 12 Mar 2026 20:53:47 +0000</pubDate><link>https://news.ycombinator.com/item?id=47356934</link><dc:creator>Arrowmaster</dc:creator><comments>https://news.ycombinator.com/item?id=47356934</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47356934</guid></item><item><title><![CDATA[New comment by Arrowmaster in "Show HN: enveil – hide your .env secrets from prAIng eyes"]]></title><description><![CDATA[
<p>Disagree, the best way to pass secrets is by using mount namespaces (systemd and docker do this under /run/secrets/) so that the program can access the secrets as needed but they don't exist in the environment. The process is not complicated, many systems already implement it. By keeping them out of ENV variables you no longer have to worry about the entire ENV getting written out during a crash or debugging and exposing the secrets.</p>
]]></description><pubDate>Wed, 25 Feb 2026 20:59:50 +0000</pubDate><link>https://news.ycombinator.com/item?id=47157789</link><dc:creator>Arrowmaster</dc:creator><comments>https://news.ycombinator.com/item?id=47157789</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47157789</guid></item><item><title><![CDATA[New comment by Arrowmaster in "Never buy a .online domain"]]></title><description><![CDATA[
<p>I'm currently in the endless email loop because someone named Raymond used one of my Gmail names to register with State Farm. One of their agents even emails me directly when he gets really behind on his payments but won't do anything when I tell them it's the wrong email.<p>In the past when this happens I usually reset the password and change the email to some anon throwaway but I can't do that without Raymond's DOB (don't quote me on that, been a while since I tried).</p>
]]></description><pubDate>Wed, 25 Feb 2026 19:07:46 +0000</pubDate><link>https://news.ycombinator.com/item?id=47156239</link><dc:creator>Arrowmaster</dc:creator><comments>https://news.ycombinator.com/item?id=47156239</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47156239</guid></item><item><title><![CDATA[New comment by Arrowmaster in "My lobster lost $450k this weekend"]]></title><description><![CDATA[
<p>Not just idiots, rich idiots that will make more from the hype and publicity than we normal people could make in a few years.</p>
]]></description><pubDate>Wed, 25 Feb 2026 04:22:28 +0000</pubDate><link>https://news.ycombinator.com/item?id=47147326</link><dc:creator>Arrowmaster</dc:creator><comments>https://news.ycombinator.com/item?id=47147326</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47147326</guid></item><item><title><![CDATA[New comment by Arrowmaster in "Show HN: enveil – hide your .env secrets from prAIng eyes"]]></title><description><![CDATA[
<p>This would be perfect if it also was able to expose secrets as files scoped to the process ala /run/secrets/secret_name.</p>
]]></description><pubDate>Wed, 25 Feb 2026 01:12:55 +0000</pubDate><link>https://news.ycombinator.com/item?id=47145988</link><dc:creator>Arrowmaster</dc:creator><comments>https://news.ycombinator.com/item?id=47145988</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47145988</guid></item><item><title><![CDATA[New comment by Arrowmaster in "Show HN: enveil – hide your .env secrets from prAIng eyes"]]></title><description><![CDATA[
<p>The problem isn't the .env file itself but using environment variables at all to pass secrets is insecure.</p>
]]></description><pubDate>Wed, 25 Feb 2026 01:07:15 +0000</pubDate><link>https://news.ycombinator.com/item?id=47145955</link><dc:creator>Arrowmaster</dc:creator><comments>https://news.ycombinator.com/item?id=47145955</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47145955</guid></item><item><title><![CDATA[New comment by Arrowmaster in "Git's Magic Files"]]></title><description><![CDATA[
<p>While this is a good feature, I fear most people aren't aware of git archive. Of the more basic CI tools I have looked at, I didn't notice any of them using git archive. Capistrano is the first I now know of that does this. Are there any others?<p>There is also export-subst that is also used by git archive to create an output similar to git describe directly in a file.</p>
]]></description><pubDate>Mon, 23 Feb 2026 16:58:53 +0000</pubDate><link>https://news.ycombinator.com/item?id=47124997</link><dc:creator>Arrowmaster</dc:creator><comments>https://news.ycombinator.com/item?id=47124997</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47124997</guid></item><item><title><![CDATA[New comment by Arrowmaster in "Don't create .gitkeep files, use .gitignore instead (2023)"]]></title><description><![CDATA[
<p>The author makes a very common mistake of not reading the very first line of the documentation for .gitignore.<p><pre><code>  A gitignore file specifies intentionally untracked files that Git should ignore. Files already tracked by Git are not affected; see the NOTES below for details.
</code></pre>
You should never be putting "!.gitignore" in .gitignore. Just do `echo "*" > .gitignore; git add -f .gitignore`. Once a file is tracked any changes to it will be tracked without needing to use --force with git add.</p>
]]></description><pubDate>Sat, 21 Feb 2026 01:46:23 +0000</pubDate><link>https://news.ycombinator.com/item?id=47096603</link><dc:creator>Arrowmaster</dc:creator><comments>https://news.ycombinator.com/item?id=47096603</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47096603</guid></item></channel></rss>