Hacker News: awirth

New comment by awirth in "Strong earthquake hits northern Japan, tsunami warning issued"

awirth — Mon, 08 Dec 2025 19:51:35 +0000

I have a 60L fish tank in my Tokyo apartment on around the 10th floor. It's sitting on stand that is not bolted to the wall. I have several friends with similar setups.

In the last 6 years there have been two or three earthquakes that caused enough water to slosh on to the floor.

Of those only the 2021 Fukushima earthquake caused any fish to slosh out - perhaps 10 medaka if I recall correctly. Luckily I was home and I was able to save all the fish, however there was one adult red cherry shrimp that didn't make it because I had trouble picking it up off the floor. I cleaned up the water with some paper towels and it didn't seem to cause any lasting damage.

I think if I had a 600 lb (270L?) tank or expensive fish though I would probably have a different perspective.

New comment by awirth in "[dead]"

awirth — Mon, 08 Sep 2025 07:30:07 +0000

It's been a year. Has it been disclosed what tool had this misconfiguration?

New comment by awirth in "Show HN: I'm making an open-source platform for learning Japanese"

awirth — Sun, 07 Sep 2025 01:20:11 +0000

I also got a lot of value out of wanikani even without completing it.

I tried and failed several times to get started with Anki before having success with Wanikani. The key diffentiator for me was the learning step. Anki is great for remembering things you were taught or learned outside of it, but using Anki to learn new things is very much a learned skill that Wanikani holds your hand through.

I have N2 and am working on N1 now, and feel I still have a very long way to go before getting to CEFR C1. Now I only use Anki with the yomitan and takoboto integrations to quickly add any words I look up, which seems to be working well.

New comment by awirth in "Malicious versions of Nx and some supporting plugins were published"

awirth — Thu, 28 Aug 2025 01:54:04 +0000

These tokens never expire, and there is no way for organization administrators to get them to expire (or revoke them, only the user can do that), and they are also excluded from some audit logs. This applies not just to gh cli, but also several other first party apps.

See this page for more details: https://docs.github.com/en/apps/using-github-apps/privileged...

After discussing our concerns about these tokens with our account team, we concluded the only reasonable way to enforce session lengths we're comfortable with on GitHub cloud is to require an IP allowlist with access through a VPN we control that requires SSO.

https://github.com/cli/cli/issues/5924 is a related open feature request

New comment by awirth in "Copilot broke audit logs, but Microsoft won't tell customers"

awirth — Wed, 20 Aug 2025 13:07:50 +0000

What you're describing is a specific case of a confused deputy problem: https://en.wikipedia.org/wiki/Confused_deputy_problem

This is captured in the OWASP LLM Top 10 "LLM02:2025 Sensitive Information Disclosure" risk: https://genai.owasp.org/llmrisk/llm022025-sensitive-informat... although in some cases the "LLM06:2025 Excessive Agency" risk is also applicable.

I believe that some enterprise RAG solutions create a per user index to solve this problem when there are lots of complex ACLs involved. How vendors manage this problem is an important question to ask when analyzing RAG solutions.

At my current company at least we call this "権限混同" in Japanese - Literally "authorization confusion" which I think is a more fun name

New comment by awirth in "Voting from Antarctica"

awirth — Fri, 11 Nov 2022 09:58:12 +0000

Now, I've done it by email! (although still using the convenience store for print/scan)

Unfortunately, https://www.sec.state.ma.us/ is geo-blocked for all of Japan (and several other countries AFAICT) "due to cybersecurity reasons", so I can no longer check/update my registration to vote without a VPN. I tried contacting different parts of the MA state government to get it unblocked several times over the past few years, but had no success. I have no idea what the other MA-voting residents of Japan do.

Last time I contacted the secretary of state's office via my state representative, they were kind enough to temporarily unblock my home IP address for one week though!

New comment by awirth in "Kurt Vonnegut at 100"

awirth — Thu, 10 Nov 2022 10:10:01 +0000

That's interesting, I've always reveled in the absurdity, but perhaps I'll re-read it with an eye to take each chapter in as a discrete unit. Thanks!

New comment by awirth in "Kurt Vonnegut at 100"

awirth — Thu, 10 Nov 2022 03:09:35 +0000

Cat's Cradle is one of my favorite books, but to be honest, I've never found it that funny - at least not in the sense that it makes me laugh much. What do you find so funny about it?

New comment by awirth in "Spring Core on JDK9 is vulnerable to remote code execution"

awirth — Thu, 31 Mar 2022 01:25:02 +0000

If you can access the classloader that's pretty bad, it's likely people will find other gadgets.

It's insane to me though that class.* isn't completely disallowed. What is the legitimate use case for deserializing allowing web requests to call setters in the reflection API?

Also, agree it is impressive to me how much bad information I've seen.

New comment by awirth in "Americans seeking to renounce their citizenship are stuck with it for now"

awirth — Fri, 31 Dec 2021 22:17:07 +0000

I've been able to vote abroad in state/presidential elections from my last address in the US. I do it by email.

My only major hiccup is that the MA secretary of state's website www.sec.state.ma.us (which has the info about upcoming elections, the tool to check your registration, and the instructions for voting overseas) is blocked in Japan "for cybersecurity reasons". I've tried contacting the department of state and my state representative about this, but nothing's come of it.

The government of Cambridge on the other hand has been quite pleasant to deal with.

New comment by awirth in "But What's Up with That ¥?"

awirth — Fri, 12 Nov 2021 02:09:06 +0000

Now that I live in Japan, I've come to learn that for Japanese Windows users, seeing the ¥ symbol as a path separator is normal, it isn't a quirk or a bug. In fact, IIRC the copy machine in the closest convenience store shows a ¥ as the path separator when browsing a USB drive, even though I'm almost certain it's not running Windows.

A few years back, I wrote a CTF challenge around this quirk of SHIFT_JIS. It used a python MySQLdb connection set to SHIFT_JIS mode and a custom naïve mysql escape function. The trick was to use a yen symbol and have it get interpreted as an unescaped backslash, leading to a SQL injection. Also it was all over websockets just to be annoying.

There's a few nice writeups from it:

https://www.kernelpicnic.net/2016/03/06/BKPCTF-Wonderland-Go...

https://0day.work/boston-key-party-ctf-2016-writeups/

https://security.szurek.pl/en/boston-key-party-ctf-2016-good... (this one has the original challenge source)

New comment by awirth in "Netflix intensifies VPN ban and targets residential IP addresses"

awirth — Thu, 12 Aug 2021 03:13:51 +0000

I live in Japan and have the same problem with the Massachusetts department of state website (which contains voting information). I contacted my state representative (who does represent me, as I voted for him) and unfortunately he couldn't do much for me other than forward my inquiry.

New comment by awirth in "How I bypassed Cloudflare's SQL Injection filter"

awirth — Fri, 18 Sep 2020 23:23:23 +0000

Years ago helped handle a support request from a man named "fread" who had a similar issue.

Show HN: Don't Webpack Untrusted Code

awirth — Wed, 15 Jul 2020 01:03:22 +0000

Article URL: https://gist.github.com/allanlw/9df6a260d689500c7e25cb9a56bdd54d

Comments URL: https://news.ycombinator.com/item?id=23840070

Points: 1

# Comments: 0

New comment by awirth in "Hacking with environment variables"

awirth — Tue, 14 Jul 2020 06:30:08 +0000

Yes. This is why running without `env_reset` is considered inherently insecure and the typo fix wasn't considered a security fix by the sudo maintainers.

The list is still relevant to this discussion though as a nice "greatest hits" cheat-sheet of fun environment variables to play with here.

New comment by awirth in "Hacking with environment variables"

awirth — Tue, 14 Jul 2020 03:23:43 +0000

See also the sudo bad environment variable list[1], which I recently found a 15 year old typo in.[2]

[1]: https://github.com/sudo-project/sudo/blob/master/plugins/sud... [2]: https://www.sudo.ws/repos/sudo/rev/bdf9c9e7f455

New comment by awirth in "Sat solver on top of regex matcher"

awirth — Tue, 23 Jun 2020 02:49:36 +0000

Too late to edit, but out of curiosity I re-implemented this to use the PCRE JIT (in PHP) to see what kind of speedup it would provide: https://gist.github.com/allanlw/69df509519335b88db886d48503a...

Timings for fred.cnf on my machine:

python: 0m53.744s

PHP (no PCRE JIT): (hits backtrack limit in 1m15.994s)

PHP (PCRE JIT): 0m20.109s

New comment by awirth in "Show HN: Web3Torrent – Adding Ethereum Micropayments to WebTorrent"

awirth — Tue, 23 Jun 2020 00:17:46 +0000

Is there a BEP to make this work for native torrents too?

Also I don't understand the name "Web3torrent", is it intended to indicate a new version?

New comment by awirth in "Sat solver on top of regex matcher"

awirth — Mon, 22 Jun 2020 14:30:26 +0000

Interesting, I wasn't aware of the history.

Personally I make the distinction, but I've noticed many many people do not, hence the question.

New comment by awirth in "Sat solver on top of regex matcher"

awirth — Mon, 22 Jun 2020 06:30:33 +0000

This reduction is really cool. I love reductions like this.

Is there a general consensus to use "regular expression" to refer to the actual regular ones and "regex" to refer to the non-regular variants?