<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: JoshBlythe</title><link>https://news.ycombinator.com/user?id=JoshBlythe</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Sat, 11 Apr 2026 07:50:30 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=JoshBlythe" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by JoshBlythe in "Reverse engineering Gemini's SynthID detection"]]></title><description><![CDATA[
<p>The dual-watermark theory makes a lot of sense for defensive engineering. You always assume your outer layer will be broken and so keep a second layer that isn't publicly testable. Same as defence in depth anywhere else. I'm curious - as new models are being built constantly and they're naturally non-deterministic, do you think it's possible for end users to prove that?</p>
]]></description><pubDate>Fri, 10 Apr 2026 09:03:23 +0000</pubDate><link>https://news.ycombinator.com/item?id=47715406</link><dc:creator>JoshBlythe</dc:creator><comments>https://news.ycombinator.com/item?id=47715406</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47715406</guid></item><item><title><![CDATA[New comment by JoshBlythe in "Max severity Flowise RCE vulnerability now exploited in attacks"]]></title><description><![CDATA[
<p>In app builders using LLMs you would expect proper prompt injection procedures to be in place - but surprise surprise, it's not usually the case. AI tools tend to ship fast and security is always an afterthought.</p><p>I see this pattern constantly in my day job (I work in cyber for a FTSE 100 bank). I keep seeing tools that just prioritise developer experience over actual input validation, then act surprised when someone exploits it.</p><p>I've also been building a drop-in solution for this exact issue outside of work. Happy to see this stuff (in the best way possible) as it acts as affirmation that what I'm doing is valuable.</p>
]]></description><pubDate>Thu, 09 Apr 2026 13:46:04 +0000</pubDate><link>https://news.ycombinator.com/item?id=47703703</link><dc:creator>JoshBlythe</dc:creator><comments>https://news.ycombinator.com/item?id=47703703</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47703703</guid></item><item><title><![CDATA[New comment by JoshBlythe in "AWS S3 now includes NFS 4.1 support via Mount-Points"]]></title><description><![CDATA[
<p>This is interesting timing. I'm currently using EFS with Fargate for persistent storage and the NFS performance has been the biggest pain point - WAL-mode SQLite on EFS works but deploys cause downtime because you can't run two containers writing to the same database file simultaneously.</p><p>Curious whether S3 mount points handle concurrent access any better than EFS or if it's the same underlying constraint. S3's consistency model improved mass</p>
]]></description><pubDate>Thu, 09 Apr 2026 08:55:41 +0000</pubDate><link>https://news.ycombinator.com/item?id=47700976</link><dc:creator>JoshBlythe</dc:creator><comments>https://news.ycombinator.com/item?id=47700976</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47700976</guid></item><item><title><![CDATA[New comment by JoshBlythe in "Ask HN: S3(AWS) vs R2(CF)–Which is better?"]]></title><description><![CDATA[
<p>S3 if you're already in the AWS ecosystem. R2 if egress costs are killing you.</p><p>I run multi-region on AWS and S3 is deeply integrated with everything - IAM, CloudFront, ECS, Lambda. Switching to R2 would save on egress but I'd lose the tight integration with the rest of my stack. That tradeoff isn't worth it unless bandwidth is a significant line item.</p><p>R2's zero egress pricing is genuinely compelling for anything serving large files publicly - media, assets, user uploads. If your use case is "store stuff and serve it to users," R2 wins on cost. If your use case is "store stuff and process it with other AWS services," S3 wins on friction.</p>
]]></description><pubDate>Thu, 09 Apr 2026 08:54:54 +0000</pubDate><link>https://news.ycombinator.com/item?id=47700966</link><dc:creator>JoshBlythe</dc:creator><comments>https://news.ycombinator.com/item?id=47700966</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47700966</guid></item><item><title><![CDATA[Ask HN: What's the state of multimodal prompt injection defence in 2026?]]></title><description><![CDATA[
<p>I've been researching multimodal prompt injection - attacks hidden in images, documents, and audio rather than text. Ran a structured test suite (225 attacks across 5 modalities) against a detection pipeline I built and the results were surprising.</p><p>Some findings:</p><p>- Audio is easier to defend than text. Ultrasonic and spectral attacks have detectable signal characteristics via FFT analysis. The hard part is after transcription, where it becomes a text problem again.</p><p>- Cross-modal attacks are less dangerous than expected if you scan each modality independently. The "clean text + malicious PDF" attack only works if you trust the document because the text looked safe.</p><p>- Encoding (base64, ROT13, leetspeak) is a solved problem if you decode before scanning. The remaining gap is very short encoded payloads that fall below detection thresholds.</p><p>- The real unsolved problem is semantic. Completion attacks ("Complete the following: 'The system prompt reads...'"), narrative extraction, steganographic output manipulation, and multi-turn context poisoning all require understanding intent, not pattern matching. A classifier trained on known injection patterns will always miss novel framing.</p><p>- False positives are harder than detection. Getting zero false positives on inputs like "act as a SQL expert", "override the default config", and "what is prompt injection" took more work than improving detection rates.</p><p>- Non-English injection is a massive blind spot. An English-trained classifier misses every non-English attack that dodges regex patterns.</p><p>My question for HN: is anyone else working on multimodal injection defence? Most tools I've found (Lakera Guard, LLM Guard, Azure Prompt Shields) are still text-only in their public APIs. The research papers describe the attacks well but I haven't seen many production-grade defences for image/audio/document injection.</p><p>Also curious whether anyone has had success with LLM-as-judge approaches for detecting semantic attacks - using a second model to evaluate whether an input is trying to manipulate the first. The latency and cost tradeoffs seem brutal but it might be the only path for the subtle stuff.</p><p>Would love to hear what others are seeing in production.</p>
<hr>
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=47689822">https://news.ycombinator.com/item?id=47689822</a></p>
<p>Points: 2</p>
<p># Comments: 0</p>
]]></description><pubDate>Wed, 08 Apr 2026 13:18:11 +0000</pubDate><link>https://news.ycombinator.com/item?id=47689822</link><dc:creator>JoshBlythe</dc:creator><comments>https://news.ycombinator.com/item?id=47689822</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47689822</guid></item><item><title><![CDATA[New comment by JoshBlythe in "A whole boss fight in 256 bytes"]]></title><description><![CDATA[
<p>What a throwback! Reminds me of older Game Boy games! Really nice project!</p>
]]></description><pubDate>Wed, 08 Apr 2026 09:48:37 +0000</pubDate><link>https://news.ycombinator.com/item?id=47687816</link><dc:creator>JoshBlythe</dc:creator><comments>https://news.ycombinator.com/item?id=47687816</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47687816</guid></item><item><title><![CDATA[New comment by JoshBlythe in "Identify a London Underground Line just by listening to it"]]></title><description><![CDATA[
<p>4/9 for me... no 'Lizzy Line though?!</p>
]]></description><pubDate>Wed, 08 Apr 2026 08:32:28 +0000</pubDate><link>https://news.ycombinator.com/item?id=47687111</link><dc:creator>JoshBlythe</dc:creator><comments>https://news.ycombinator.com/item?id=47687111</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47687111</guid></item><item><title><![CDATA[New comment by JoshBlythe in "Show HN: Stop paying for Dropbox/Google Drive, use your own S3 bucket instead"]]></title><description><![CDATA[
<p>This is really cool.</p>
]]></description><pubDate>Tue, 07 Apr 2026 13:05:19 +0000</pubDate><link>https://news.ycombinator.com/item?id=47674732</link><dc:creator>JoshBlythe</dc:creator><comments>https://news.ycombinator.com/item?id=47674732</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47674732</guid></item><item><title><![CDATA[New comment by JoshBlythe in "Show HN: Real-time surveys via QR code, built with Cloudflare Durable Objects"]]></title><description><![CDATA[
<p>Love this - is it free to use?</p>
]]></description><pubDate>Tue, 07 Apr 2026 13:05:01 +0000</pubDate><link>https://news.ycombinator.com/item?id=47674726</link><dc:creator>JoshBlythe</dc:creator><comments>https://news.ycombinator.com/item?id=47674726</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47674726</guid></item></channel></rss>