<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: cleverfoo</title><link>https://news.ycombinator.com/user?id=cleverfoo</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Fri, 03 Jul 2026 12:09:20 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=cleverfoo" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by cleverfoo in "Vulnerability reports are not special anymore"]]></title><description><![CDATA[
<p>It's not a horrible idea... the challenge there would be making that payment/refund flow totally transparent in order to build trust and be fair to the researchers.</p>
]]></description><pubDate>Wed, 24 Jun 2026 04:13:41 +0000</pubDate><link>https://news.ycombinator.com/item?id=48655011</link><dc:creator>cleverfoo</dc:creator><comments>https://news.ycombinator.com/item?id=48655011</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48655011</guid></item><item><title><![CDATA[New comment by cleverfoo in "Vulnerability reports are not special anymore"]]></title><description><![CDATA[
<p>Same experience here. I've run a successful vulnerability disclosure program for over a decade and paid out thousands of dollars in bounties for scanii.com (a malware identification API service), but recently (since the beginning of the year), we went from receiving maybe 5 per month to receiving 5 per day. These are clearly AI-generated and extremely low quality (albeit well-written). The rules of the program aren't read, and it's clearly a “point-and-click to a website” and file a report.
I'm now considering just shutting down the program since, as the OP pointed out, if you found this vulnerability using an AI tool, they are inherently public. 
I haven't gone that far yet but have instituted some new rules aiming at filtering out most of the reports: 1 - No AI-generated reports and 2 - Reports must include a video of the exploit.
You can see our program rules here: <a href="https://docs.scanii.com/article/131-does-scanii-have-a-security-vulnerability-disclosure-program" rel="nofollow">https://docs.scanii.com/article/131-does-scanii-have-a-secur...</a></p>
]]></description><pubDate>Wed, 24 Jun 2026 01:20:23 +0000</pubDate><link>https://news.ycombinator.com/item?id=48653954</link><dc:creator>cleverfoo</dc:creator><comments>https://news.ycombinator.com/item?id=48653954</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48653954</guid></item><item><title><![CDATA[New comment by cleverfoo in "JVM Options Explorer"]]></title><description><![CDATA[
<p>Sure, for a very narrow definition of _efficiency_. There's plenty to complain about in terms of the JVM and Java, but performance, as in units of work per dollar spent, is not one of them - JITs just have too many opportunities for optimizing generated code.</p>
]]></description><pubDate>Sun, 12 Apr 2026 13:07:42 +0000</pubDate><link>https://news.ycombinator.com/item?id=47739186</link><dc:creator>cleverfoo</dc:creator><comments>https://news.ycombinator.com/item?id=47739186</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47739186</guid></item><item><title><![CDATA[New comment by cleverfoo in "Polymarket gamblers threaten to kill me over Iran missile story"]]></title><description><![CDATA[
<p>That's a very shallow analogy, as the stock market has significantly stronger guardrails to curtail insider trading, including fines and jail time, which these companies lack. But even if you were to bring prediction markets under the purview of the FTC, it would still not be a functioning regulatory scheme since the scope of prediction markets is just so much larger - you can bet on anything.</p>
]]></description><pubDate>Mon, 16 Mar 2026 14:05:39 +0000</pubDate><link>https://news.ycombinator.com/item?id=47399226</link><dc:creator>cleverfoo</dc:creator><comments>https://news.ycombinator.com/item?id=47399226</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47399226</guid></item><item><title><![CDATA[New comment by cleverfoo in "Let's Take a Look at JEP 483: Ahead-of-Time Class Loading and Linking"]]></title><description><![CDATA[
<p>Well, assuming that by "statically linking" you mean in the C sense, that's exactly what GraalVM native image does today: it statically analyzes the JAR for reachability, only compiling the methods/classes in use. This works, but it's also what makes native-image difficult to use and brittle.<p>It's hard, and some might argue impossible, to statically analyze reachability in a dynamic language like Java that allows for runtime class loading and redefinition. As it turns out, Java is much closer to JavaScript than C++ in terms of dynamic runtime behavior.</p>
]]></description><pubDate>Fri, 28 Mar 2025 14:09:08 +0000</pubDate><link>https://news.ycombinator.com/item?id=43505623</link><dc:creator>cleverfoo</dc:creator><comments>https://news.ycombinator.com/item?id=43505623</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43505623</guid></item><item><title><![CDATA[New comment by cleverfoo in "Let's Take a Look at JEP 483: Ahead-of-Time Class Loading and Linking"]]></title><description><![CDATA[
<p>I think the big problem here is conceptual. The JDK folks are looking at this akin to PGO when, IMHO, they should be looking at this as an AOT cache (yes, the flag names make this even more confusing). How do those two differ, you ask?<p>With PGO you do a lot of deliberate work to profile your application under different conditions and feed that information back to the compiler to make better branch/inlining decisions.
With an AOT cache, you do nothing up front, and the JVM should just dump a big cache to disk every time it exits, just in case it gets started again on the same host. In this case, training runs would just be a “run you did to create the cache”. With that said, the big technical challenge right now is that building the AOT cache is expensive, hence performance impacting, and cannot really be done alongside a live application - but that’s where I think the focus should be: making filling the AOT cache something less intensive and automatic.<p>Another aspect this strategy would help with is “what to do with these big AOT cache files”. If the AOT cache really starts caching every compiled method, it will become essentially another .so file, possibly of a size greater than the original JAR it started off with. Keeping this in a Docker image will double the size of the image, slowing down deployments. Alternatively, with the AOT cache concept, you just need to ensure there is some form of persistent disk cache across your hosts. The same logic also significantly helps CLIs, where I don't want to ship a 100MB CLI + jlink bundle and have to add another 50MB of AOT cache to it - what I do want is every time the client uses my CLI, the JVM keeps improving the AOT cache.</p>
]]></description><pubDate>Fri, 28 Mar 2025 13:47:01 +0000</pubDate><link>https://news.ycombinator.com/item?id=43505393</link><dc:creator>cleverfoo</dc:creator><comments>https://news.ycombinator.com/item?id=43505393</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43505393</guid></item><item><title><![CDATA[New comment by cleverfoo in "Ask HN: Side project of more than $2k monthly revenue? what's your project?"]]></title><description><![CDATA[
<p>> Impressive! What do you think it is that you do that allows you to compete with VirusTotal, and even free tools like Jotti?<p>Thanks, and good question. We don't really compete with VirusTotal since it's more of a research tool and, for a while, their terms explicitly prohibited commercial use (but I think that has changed). Jotti is a similar thing, more of a research tool than a high-performance API you can use to build commercial products on.<p>> Presumably you're now using commercial AV tools, rather than Clam? Did you have to get some kind of special license from them to use it like this?<p>Yeah, the product has expanded a bunch over the years and we use multiple detection engines [2] to catch all kinds of unsafe content. But you are right, we do license a commercial AV engine to act as a backup to our own to ensure the best possible detection rates. The licensing process warrants a blog post of its own since it's not what I would call easy.<p>[2] <a href="https://docs.scanii.com/article/149-how-do-the-different-detection-engines-work" rel="nofollow">https://docs.scanii.com/article/149-how-do-the-different-det...</a></p>
]]></description><pubDate>Fri, 14 Apr 2023 16:06:47 +0000</pubDate><link>https://news.ycombinator.com/item?id=35571109</link><dc:creator>cleverfoo</dc:creator><comments>https://news.ycombinator.com/item?id=35571109</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=35571109</guid></item><item><title><![CDATA[New comment by cleverfoo in "Ask HN: Side project of more than $2k monthly revenue? what's your project?"]]></title><description><![CDATA[
<p>Got it, in that case it helps to build a product for a community you can interact with. In my case, this was connecting with folks on Stack Overflow who were struggling with integrating malware detection into their apps... that was all the marketing I did to get the product validated - but keep in mind that was 10 years or so back.<p>Best of luck with your launch!</p>
]]></description><pubDate>Fri, 14 Apr 2023 15:17:03 +0000</pubDate><link>https://news.ycombinator.com/item?id=35570477</link><dc:creator>cleverfoo</dc:creator><comments>https://news.ycombinator.com/item?id=35570477</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=35570477</guid></item><item><title><![CDATA[New comment by cleverfoo in "Ask HN: Side project of more than $2k monthly revenue? what's your project?"]]></title><description><![CDATA[
<p>> Congratulations on your success!<p>That is very kind of you, thank you.<p>> What did "getting it out there" consist of for you? How did you get it out there in the beginning?<p>For Scanii in particular, the original product was a thin wrapper around an open source AV engine, a hacked-on-a-weekend UX, and a credit card processing integration to collect payment - the very minimum needed to find out if _anyone_ was willing to pay for this service.<p>With that said, what worked for me in this case is not what I would focus on here since it depends on what kind of business you are trying to build. What I do believe is important is focusing on the economics of your space which, for IT, is all about productivity or, more succinctly, saving people's time - they pay you X for something that could cost them, in terms of people's time, Y to do.<p>So, what you want to ask yourself is whether signing up, paying and onboarding onto your product (the X in the equation above) is significantly lower than the next best alternative, either doing the same on a competitor's product or building something themselves - the Y above.<p>For Scanii, even at launch it saved people lots of time managing and operating malware detection engines, which are cumbersome and hard to keep up to date. I had a feeling that would be the case when I launched, but I couldn't be sure until our first customer voted with their credit card.</p>
]]></description><pubDate>Fri, 14 Apr 2023 14:38:54 +0000</pubDate><link>https://news.ycombinator.com/item?id=35570043</link><dc:creator>cleverfoo</dc:creator><comments>https://news.ycombinator.com/item?id=35570043</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=35570043</guid></item><item><title><![CDATA[New comment by cleverfoo in "Ask HN: Side project of more than $2k monthly revenue? what's your project?"]]></title><description><![CDATA[
<p>I built Scanii [1], an unsafe/malware content detection API/SaaS, as a way to keep my coding skills sharp as I moved into engineering leadership roles. Over the years it has grown into a lovely $35k/month business while spending $0 in marketing, thanks to our amazing customers.<p>My advice to aspiring entrepreneurs: get it out there quick, listen to your customers and be ready to act on their feedback. Finding product/market fit is a journey even if you are selling into the most well understood vertical, since it's not just about what the market expects; it's about what your engineering talent/capacity can deliver in a reasonable amount of time.<p>[1] <a href="https://www.scanii.com" rel="nofollow">https://www.scanii.com</a></p>
]]></description><pubDate>Fri, 14 Apr 2023 13:00:25 +0000</pubDate><link>https://news.ycombinator.com/item?id=35569095</link><dc:creator>cleverfoo</dc:creator><comments>https://news.ycombinator.com/item?id=35569095</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=35569095</guid></item><item><title><![CDATA[New comment by cleverfoo in "Ask HN: Those making $500+/month on side projects in 2023 – Show and tell"]]></title><description><![CDATA[
<p><a href="https://www.scanii.com" rel="nofollow">https://www.scanii.com</a> a content arbitration/malware API service. It has been profitable for over 10+ years now with customers around the globe.<p>Building it was one of the best decisions I made in my life since it enabled me to make hard decisions at work that were not skewed by the fear of losing my job and not being able to provide for my family - I'm in engineering/product leadership.<p>But, do not be fooled, this also means I've had two jobs (albeit of unequal urgency) and that, obviously, equates to long work hours.</p>
]]></description><pubDate>Sun, 22 Jan 2023 23:14:33 +0000</pubDate><link>https://news.ycombinator.com/item?id=34483391</link><dc:creator>cleverfoo</dc:creator><comments>https://news.ycombinator.com/item?id=34483391</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=34483391</guid></item><item><title><![CDATA[New comment by cleverfoo in "Ask HN: Successful one-person online businesses?"]]></title><description><![CDATA[
<p>For the last 9+ years I've worked on <a href="https://scanii.com" rel="nofollow">https://scanii.com</a>, a content identification service (think of it as the unix file command on steroids wrapped around an easy to use API). Started with a real MVP hacked on a weekend (<a href="https://web.archive.org/web/20101209005314/http://scanii.com/" rel="nofollow">https://web.archive.org/web/20101209005314/http://scanii.com...</a>) after identifying the need on a day job I had a long time ago. With 0 marketing and sales it took a while to start gaining traction but I always knew that we were solving a real problem with a good and fair-priced product. Nowadays it’s big enough to be classified as a lifestyle business and that’s all right by me.</p>
]]></description><pubDate>Thu, 24 Oct 2019 00:23:34 +0000</pubDate><link>https://news.ycombinator.com/item?id=21340479</link><dc:creator>cleverfoo</dc:creator><comments>https://news.ycombinator.com/item?id=21340479</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=21340479</guid></item><item><title><![CDATA[Everything you need to know before building your first SAM packaged application]]></title><description><![CDATA[
<p>Article URL: <a href="https://docs.scanii.com/articles/2018/everything-you-need-to-know-before-building-your-first-SAM-packaged-application.html">https://docs.scanii.com/articles/2018/everything-you-need-to-know-before-building-your-first-SAM-packaged-application.html</a></p>
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=17692790">https://news.ycombinator.com/item?id=17692790</a></p>
<p>Points: 1</p>
<p># Comments: 0</p>
]]></description><pubDate>Sun, 05 Aug 2018 18:47:37 +0000</pubDate><link>https://docs.scanii.com/articles/2018/everything-you-need-to-know-before-building-your-first-SAM-packaged-application.html</link><dc:creator>cleverfoo</dc:creator><comments>https://news.ycombinator.com/item?id=17692790</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=17692790</guid></item><item><title><![CDATA[New comment by cleverfoo in "Authentication Techniques for APIs"]]></title><description><![CDATA[
<p>Not impressed, particularly with the basic-auth description. Basic auth is purely a well understood vehicle for sending a tuple (aka the credentials) for authenticating an HTTP request; most of the concerns highlighted are with regard to how the credentials are acquired and potentially reused across requests - that has nothing to do with the HTTP protocol.
For example, my API product scanii.com has used basic auth for 7+ years and I firmly believe it strikes the right balance between security and ease of use. Besides fairly complex key/secret tuples for server-side usage, we also provide one-time auth tokens for when you want to make API calls directly from a web browser (or another insecure device).</p>
]]></description><pubDate>Tue, 09 May 2017 14:57:44 +0000</pubDate><link>https://news.ycombinator.com/item?id=14300550</link><dc:creator>cleverfoo</dc:creator><comments>https://news.ycombinator.com/item?id=14300550</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=14300550</guid></item><item><title><![CDATA[New comment by cleverfoo in "Lessons Learned with Stripe Subscriptions"]]></title><description><![CDATA[
<p>We migrated scanii.com from Amazon Simple Payments to Stripe subscriptions (after the whole FPS debacle) and haven't looked back, it's truly the best way to process payments right now. If I could buy Stripe stock I would.</p>
]]></description><pubDate>Sun, 08 Jan 2017 03:38:13 +0000</pubDate><link>https://news.ycombinator.com/item?id=13348095</link><dc:creator>cleverfoo</dc:creator><comments>https://news.ycombinator.com/item?id=13348095</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=13348095</guid></item><item><title><![CDATA[New comment by cleverfoo in "Software security suffers as startups lose access to Google’s virus data"]]></title><description><![CDATA[
<p>Let me see if I can try to simplify the underlying problem here (I dabble in this space):<p>A little bit of background: writing pattern matching signatures is hard; adding a bunch of "known malicious" hashes to your malware database is easy.<p>So, company A with a staff of folks writing pattern matching signatures has its engine added to VirusTotal, and VirusTotal shares/sells hashes found by that engine to folks that pay for its API. Company B, without a staff of engineers writing pattern matching signatures, signs up for the VirusTotal API and creates its malware database based purely on the hashes other actual engines create.<p>Two important things to keep in mind: when this happens at the scale of VirusTotal (basically all real engines are participating), the end result "hash database" is, essentially, bulletproof since it's likely that any sample used to test its effectiveness will be run by VirusTotal first.<p>We (I run scanii.com, a malware/content detection API service) run into this all the time with folks either abusing or just not understanding the reason VT exists.</p>
]]></description><pubDate>Mon, 09 May 2016 15:06:05 +0000</pubDate><link>https://news.ycombinator.com/item?id=11660338</link><dc:creator>cleverfoo</dc:creator><comments>https://news.ycombinator.com/item?id=11660338</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=11660338</guid></item><item><title><![CDATA[New comment by cleverfoo in "Using AWS lambda for cheap S3 content processing"]]></title><description><![CDATA[
<p>The tricky part there is that it wouldn't work if you just sat there in a tight loop dispatching HTTP requests; any one of them timing out would, likely, trigger the deadline and make all subsequent HTTP requests not happen.<p>So, alternatively, you could do something with DynamoDB event sources, where you have some sort of pub/sub table that your lambda functions listen on (basically a list of all the HTTP requests that have to happen) - thus keeping a minimal 1 lambda dispatch per HTTP request. The catch is you would need another system to manage that table (technically that system can be lambda itself).<p>Two important things: 1) I haven't used the DynamoDB/lambda integration myself, so be skeptical of my suggestion, and 2) what I can say from our usage of the S3/lambda integration is that concurrency is not a problem, with thousands of lambda dispatches/second being surprisingly quick to spin up.</p>
]]></description><pubDate>Wed, 24 Feb 2016 14:35:44 +0000</pubDate><link>https://news.ycombinator.com/item?id=11166973</link><dc:creator>cleverfoo</dc:creator><comments>https://news.ycombinator.com/item?id=11166973</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=11166973</guid></item><item><title><![CDATA[New comment by cleverfoo in "Using AWS lambda for cheap S3 content processing"]]></title><description><![CDATA[
<p>Thank you!</p>
]]></description><pubDate>Wed, 24 Feb 2016 14:25:44 +0000</pubDate><link>https://news.ycombinator.com/item?id=11166897</link><dc:creator>cleverfoo</dc:creator><comments>https://news.ycombinator.com/item?id=11166897</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=11166897</guid></item><item><title><![CDATA[New comment by cleverfoo in "Using AWS lambda for cheap S3 content processing"]]></title><description><![CDATA[
<p>Hi there, author here, happy to answer any questions.</p>
]]></description><pubDate>Mon, 22 Feb 2016 14:39:08 +0000</pubDate><link>https://news.ycombinator.com/item?id=11151018</link><dc:creator>cleverfoo</dc:creator><comments>https://news.ycombinator.com/item?id=11151018</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=11151018</guid></item><item><title><![CDATA[Using AWS lambda for cheap S3 content processing]]></title><description><![CDATA[
<p>Article URL: <a href="http://docs.scanii.com/articles/aws-lambda-for-cheap-s3-content-processing.html">http://docs.scanii.com/articles/aws-lambda-for-cheap-s3-content-processing.html</a></p>
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=11150332">https://news.ycombinator.com/item?id=11150332</a></p>
<p>Points: 89</p>
<p># Comments: 18</p>
]]></description><pubDate>Mon, 22 Feb 2016 12:26:11 +0000</pubDate><link>http://docs.scanii.com/articles/aws-lambda-for-cheap-s3-content-processing.html</link><dc:creator>cleverfoo</dc:creator><comments>https://news.ycombinator.com/item?id=11150332</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=11150332</guid></item></channel></rss>