<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: catalypso</title><link>https://news.ycombinator.com/user?id=catalypso</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Sun, 12 Apr 2026 16:18:08 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=catalypso" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by catalypso in "Privacy Pass Authentication for Kagi Search"]]></title><description><![CDATA[
<p>> the tokens are actually generated by the user and the server never sees them (unblinded) before their first usage<p>Here is how I see it:<p><pre><code>  1. The user generates a token/nonce => T

  2. The user blinds the token with secret blinding factor b => Blinded token TB = T*b

  3. The user sends the blinded token for signing. The server signs it and returns it to the user => Signed blinded token TBS = Sign(TB)

  4. The user unblinds the token (this does not break the signature) => Signed Unblinded token TS = TBS/b

  5. The user sends TS for its search query.
</code></pre>
The server signed TB, then received TS. Even if it logged that TB = user, it cannot link TS to TB, because it does not know the blinding factor b. Thus, it cannot link the search query with TS to the user.</p>
]]></description><pubDate>Sat, 15 Feb 2025 23:53:52 +0000</pubDate><link>https://news.ycombinator.com/item?id=43063723</link><dc:creator>catalypso</dc:creator><comments>https://news.ycombinator.com/item?id=43063723</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43063723</guid></item><item><title><![CDATA[New comment by catalypso in "Things we learned about LLMs in 2024"]]></title><description><![CDATA[
<p>I just tried it and I'm actually surprised with how well they work even with base64 encoded inputs.<p><i>This is assuming they don't call an external pre-processing decoding tool.</i></p>
]]></description><pubDate>Wed, 01 Jan 2025 19:08:35 +0000</pubDate><link>https://news.ycombinator.com/item?id=42568351</link><dc:creator>catalypso</dc:creator><comments>https://news.ycombinator.com/item?id=42568351</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=42568351</guid></item><item><title><![CDATA[New comment by catalypso in "OpenAI O3 breakthrough high score on ARC-AGI-PUB"]]></title><description><![CDATA[
<p>Just a clarification, they tuned on the public training dataset, not the semi-private one. The 87.5% score was on the semi-private eval, which means the model was still able to generalize well.<p>That being said, the fact that this is not a "raw" base model, but one tuned on the ARC-AGI tests distribution takes away from the impressiveness of the result — How much? — I'm not sure, we'd need the un-tuned base o3 model score for that.<p>In the meantime, comparing this tuned o3 model to other un-tuned base models is unfair (apples-to-oranges kind of comparison).</p>
]]></description><pubDate>Sun, 22 Dec 2024 15:07:00 +0000</pubDate><link>https://news.ycombinator.com/item?id=42486771</link><dc:creator>catalypso</dc:creator><comments>https://news.ycombinator.com/item?id=42486771</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=42486771</guid></item><item><title><![CDATA[New comment by catalypso in "Show HN: Hacker News frontpage as a print newspaper that you can personalize"]]></title><description><![CDATA[
<p>This looks cool!<p>I now almost exclusively get my HN feed through a simple script I wrote to get desc sorted posts by score or trend (score/time): <a href="https://github.com/faroukfaiz10/hackernews-homepage">https://github.com/faroukfaiz10/hackernews-homepage</a><p>The result looks something like this ({score/time} - {score} - {link} - {comments link}):<p><pre><code>  59 - 1478 - Passport Photos - https://maxsiedentopf.com/passport-photos/ - https://news.ycombinator.com/item?id=42069646

  16 - 790 - Useful built-in macOS command-line utilities - https://weiyen.net/articles/useful-macos-cmd-line-utilities- https://news.ycombinator.com/item?id=42057431

  ...</code></pre></p>
]]></description><pubDate>Fri, 08 Nov 2024 16:43:36 +0000</pubDate><link>https://news.ycombinator.com/item?id=42088230</link><dc:creator>catalypso</dc:creator><comments>https://news.ycombinator.com/item?id=42088230</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=42088230</guid></item><item><title><![CDATA[New comment by catalypso in "Magic Wormhole: get things from one computer to another, safely"]]></title><description><![CDATA[
<p>Not magic-wormhole compatible, but saw these shared on other comments:<p>- <a href="https://wormhole.app" rel="nofollow">https://wormhole.app</a><p>- <a href="https://sendfiles.dev" rel="nofollow">https://sendfiles.dev</a><p>- <a href="https://file.pizza" rel="nofollow">https://file.pizza</a><p>- <a href="https://winden.app" rel="nofollow">https://winden.app</a></p>
]]></description><pubDate>Mon, 19 Aug 2024 22:44:51 +0000</pubDate><link>https://news.ycombinator.com/item?id=41295188</link><dc:creator>catalypso</dc:creator><comments>https://news.ycombinator.com/item?id=41295188</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=41295188</guid></item><item><title><![CDATA[New comment by catalypso in "The New Internet"]]></title><description><![CDATA[
<p>Clickbait is BLUF with a deceptive bottom line (BL). Clickbait is bad. You can choose to write in BLUF style without that.<p>In my experience, I only prefer "Classical philosophical writing" when I'm already convinced of reading the content (e.g. know the author, interested by the subject).<p>In almost all other cases, I prefer BLUF format: i.e. "get to the point, I'll read more if I'm intrigued".</p>
]]></description><pubDate>Mon, 29 Jul 2024 22:42:52 +0000</pubDate><link>https://news.ycombinator.com/item?id=41104445</link><dc:creator>catalypso</dc:creator><comments>https://news.ycombinator.com/item?id=41104445</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=41104445</guid></item><item><title><![CDATA[New comment by catalypso in "Anyone can access deleted and private repository data on GitHub"]]></title><description><![CDATA[
<p>> I'll be calling "private" repos "unlisted"<p>That might be a bit too strict. I'd still expect my private repos (no forks involved) to be private, unless we discover another footnote in GH's docs in a few years ¯\_(ツ)_/¯<p>But I'll forget about using forks except for publicly contributing to public repos.<p>> Users should never be expected to know these gotchas for a feature called "private".<p>Yes, the principle of least astonishment[0] should apply to security as well.<p>[0] <a href="https://en.wikipedia.org/wiki/Principle_of_least_astonishment" rel="nofollow">https://en.wikipedia.org/wiki/Principle_of_least_astonishmen...</a></p>
]]></description><pubDate>Wed, 24 Jul 2024 23:31:19 +0000</pubDate><link>https://news.ycombinator.com/item?id=41063323</link><dc:creator>catalypso</dc:creator><comments>https://news.ycombinator.com/item?id=41063323</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=41063323</guid></item><item><title><![CDATA[New comment by catalypso in "What You Get After Running an SSH Honeypot for 30 Days"]]></title><description><![CDATA[
<p>> People don't believe it's possible for software to be secure<p>Rightfully so. You'd statistically be almost always right considering software insecure given enough time (for the vulnerabilities to be introduced then found).<p>> need a secondary defense to "protect them"<p>Nothing wrong with that. It's called Defense in Depth and is rather advised. Once you understand that security measures are not bulletproof, stacking them proves to be an easy way to increase protection.<p>The case of fail2ban is not trivial: reducing log noise is a great perk, and can indirectly help with monitoring (you'd more easily notice suspicious behaviour if it's the only thing in your logs), but it comes at the small cost of setting it up, and accepting the risk of having a shared IP unwillingly blocked.</p>
]]></description><pubDate>Sun, 16 Jun 2024 19:45:16 +0000</pubDate><link>https://news.ycombinator.com/item?id=40699548</link><dc:creator>catalypso</dc:creator><comments>https://news.ycombinator.com/item?id=40699548</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=40699548</guid></item><item><title><![CDATA[New comment by catalypso in "Ask HN: Best UI design courses for hackers?"]]></title><description><![CDATA[
<p>Adding two resources to the mix:<p>1. <a href="https://growth.design" rel="nofollow noreferrer">https://growth.design</a>: case studies + cognitive biases & principles that affect your UX<p>2. <a href="https://lawsofux.com/" rel="nofollow noreferrer">https://lawsofux.com/</a>: a collection of best practices that designers can consider when building user interfaces.</p>
]]></description><pubDate>Sat, 16 Dec 2023 13:05:24 +0000</pubDate><link>https://news.ycombinator.com/item?id=38663902</link><dc:creator>catalypso</dc:creator><comments>https://news.ycombinator.com/item?id=38663902</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=38663902</guid></item><item><title><![CDATA[New comment by catalypso in "Squeeze the hell out of the system you have"]]></title><description><![CDATA[
<p>Thanks for the effort.<p>Probably nitpicking but these types of measures are usually tricky to interpret because there is a high chance your indexes (maybe even rows) are still in PostgreSQL shared buffers and OS cache and might not reflect real usage performance.<p>To get a more "worst-case" measure, after your inserts and index creation, you can restart your database server + flush OS page cache (e.g. drop_caches for Linux), then do the measure.<p>Sometimes the difference is huge, although I don't suspect it will be in this case.</p>
]]></description><pubDate>Sat, 12 Aug 2023 13:43:28 +0000</pubDate><link>https://news.ycombinator.com/item?id=37100082</link><dc:creator>catalypso</dc:creator><comments>https://news.ycombinator.com/item?id=37100082</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=37100082</guid></item><item><title><![CDATA[New comment by catalypso in "Detecting the use of “curl | bash” server side (2016)"]]></title><description><![CDATA[
<p>That would indeed be more precise, but it would be harder to obfuscate.<p>If I simply curl the script (without piping to bash), I'd be less suspicious if I saw a sleep than I would be if I saw a callback to a server.</p>
]]></description><pubDate>Tue, 27 Dec 2022 15:27:58 +0000</pubDate><link>https://news.ycombinator.com/item?id=34149445</link><dc:creator>catalypso</dc:creator><comments>https://news.ycombinator.com/item?id=34149445</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=34149445</guid></item><item><title><![CDATA[New comment by catalypso in "I worked at LastPass as an engineer"]]></title><description><![CDATA[
<p>It seems that it was a social engineering attack. From their notice: <a href="https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/" rel="nofollow">https://blog.lastpass.com/2022/12/notice-of-recent-security-...</a><p>> some source code and technical information were stolen from our development environment and used to target another employee</p>
]]></description><pubDate>Sun, 25 Dec 2022 22:57:33 +0000</pubDate><link>https://news.ycombinator.com/item?id=34132393</link><dc:creator>catalypso</dc:creator><comments>https://news.ycombinator.com/item?id=34132393</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=34132393</guid></item><item><title><![CDATA[New comment by catalypso in "Ask HN: Can I see your scripts?"]]></title><description><![CDATA[
<p>I've never thought about this problem until now. Now that I see it, it makes total sense one would want to monitor those packages for changes.<p>What surprises me is that there seems to be no other way than hacking (cutting, grepping, etc.) each package separately. I wonder how this is handled in machines that use a lot of MISC packages (other than pulling+building every time to automatically have the latest version)?<p>Also, kudos on the acronym :)</p>
]]></description><pubDate>Mon, 15 Aug 2022 23:22:19 +0000</pubDate><link>https://news.ycombinator.com/item?id=32476883</link><dc:creator>catalypso</dc:creator><comments>https://news.ycombinator.com/item?id=32476883</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=32476883</guid></item><item><title><![CDATA[New comment by catalypso in "Launch HN: Meticulous (YC S21) – Catch JavaScript errors before they hit prod"]]></title><description><![CDATA[
<p>Congrats on the launch and good luck!<p>Reading through this just reminded me of Datadog browser tests. It's not exactly the same, but it might be interesting to check them out.</p>
]]></description><pubDate>Mon, 02 May 2022 18:59:26 +0000</pubDate><link>https://news.ycombinator.com/item?id=31239330</link><dc:creator>catalypso</dc:creator><comments>https://news.ycombinator.com/item?id=31239330</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=31239330</guid></item></channel></rss>