Hacker News: eblume

New comment by eblume in "U.S. science is in chaos"

eblume — Wed, 17 Jun 2026 21:49:03 +0000

I'm not sure I follow. I am a US citizen and have never lived abroad, but my understanding is that US Citizens living abroad must still pay the US a full federal income tax. It's graduated/progressive, of course, so the actual percentage may vary, but it should probably be between 15% and 40% of income. Not what I would call small. I don't think they can deduct local taxes, can they?

New comment by eblume in "A backdoor in a LinkedIn job offer"

eblume — Mon, 15 Jun 2026 20:47:18 +0000

https://www.ic3.gov

You won't hear back from them, though. But, at least for US citizens (and possibly for anyone?), this is as far as I know the closest thing there is to an "Internet 911".

New comment by eblume in "Apple's AI Can Now Change Your Passwords. What Could Possibly Go Wrong?"

eblume — Tue, 09 Jun 2026 20:26:56 +0000

As per the demo, in order for Siri to rotate your passwords "for you", you have to open the Password app, go to their dashboard on weak or exposed passwords, and click a button asking it to rotate your password account by account.

So yes. It's off by default. You have to affirmatively use the feature. (This is purely based on what I remember from the demo, mind you. I have not used the feature.)

New comment by eblume in "Leaving GitHub for Forgejo"

eblume — Wed, 13 May 2026 13:52:47 +0000

You’re welcome! I only ran in to this last week and I might not have this straight yet because I haven’t had time to sit and untangle it. I have a private repo that has a release workflow that publishes a Python package to the forgejo package repository using my public user profile. I mistakenly assumed that because the repo was private the package would be as well but that link is not enough to set public/private and it is instead fully public. Listable and everything, no PAT needed. This is where I’m less clear: I think I could make my user profile private and this would hide the packages, but I want my profile public. So I just black-holed the entire packages api outside of the tailnet.

New comment by eblume in "Leaving GitHub for Forgejo"

eblume — Wed, 13 May 2026 13:35:10 +0000

Yup, I’ve done this. I use a fly.io proxy that runs nginx, fail2ban, and that forwards to my tailnet where Caddy resolves to the actual instance. It’s critical that you disable local registration - I have authentik (only available on the tailnet) as an IdP but you can also just disable reg after making your own account of course. I also have a robots.txt that disables some stuff like all the individual rendered git commit views otherwise scrapers get stuck in an endless loop and also I strictly forbid access to the forgejo package repository since I have some private packages and the permission granularity there is not what I want it to be, still dialing that in. I’m keeping an eye on it and so far nothing terrible has happened. docs.eblu.me if you would like details… I could also link straight to the infra code if you like.

New comment by eblume in "Can someone please explain whether Cloudflare blackmailed Canonical?"

eblume — Mon, 11 May 2026 23:18:21 +0000

This is called KYC and is a standard part of operating a financial service. Seems to me like it should be part of internet infrastructure services as well. And, I thought, in some cases already is?

New comment by eblume in "FSF trying to contact Google about spammer sending 10k+ mails from Gmail account"

eblume — Thu, 16 Apr 2026 14:49:27 +0000

There are strict rules about not talking about open investigations because of so-called "Tipping-off" rules. It can carry some pretty serious penalties - jail time, fines. I agree it would be nice if the FBI itself made some announcements about these sorts of things, and they might do that in aggregate, but if you're a bank or fintech employee and you're in communication with the FBI you absolutely cannot say anything about it. Even confirming that an investigation existed could be penalized.

New comment by eblume in "Backblaze has stopped backing up OneDrive and Dropbox folders and maybe others"

eblume — Thu, 16 Apr 2026 14:10:00 +0000

Thanks... hence, 3-2-1 backups with offsite :) appreciate it though. Will definitely be rolling my own NAS in the future, I just needed something easy at the time.

New comment by eblume in "FSF trying to contact Google about spammer sending 10k+ mails from Gmail account"

eblume — Thu, 16 Apr 2026 14:06:42 +0000

Having worked in compliance engineering I have also reported through the IC3 portal, and spoken with lawyers and analysts who register with FinCEN (which, to be clear, is maybe just a step beyond "My Uncle works at Nintendo...") and I have heard that those reports do get reviewed and often acted on, but yes, you will typically never hear back from them. (FinCEN has its own reporting structure, but we also submitted certain reports through the IC3 portal as well.)

New comment by eblume in "Backblaze has stopped backing up OneDrive and Dropbox folders and maybe others"

eblume — Tue, 14 Apr 2026 16:50:50 +0000

Same. I lost a lot of photos this way. I've recently moved over to Immich + Borg backup with a 3-2-1 backup between a local synology NAS and BorgBase. Painful lesson, but at least now I feel much more confident. I've even built some end-to-end monitoring with Grafana.

New comment by eblume in "If you don't opt out by Apr 24 GitHub will train on your private repos"

eblume — Fri, 27 Mar 2026 21:18:17 +0000

I've recently started hosting my own forgejo instance. It works so well! Free tailscale for connectivity. I expose mine over fly.io proxy, also free, but not to be done without caution.

New comment by eblume in "This picture broke my brain [3B1B video]"

eblume — Fri, 27 Mar 2026 15:35:19 +0000

It's a pretty common feature of youtube creator studio. https://www.theverge.com/news/840789/youtube-video-title-a-b...

New comment by eblume in "Moving from GitHub to Codeberg, for lazy people"

eblume — Thu, 26 Mar 2026 15:55:53 +0000

Same! I've also recently exposed mine to the internet through a fly.io proxy, though. So far, no issues, but I'm keeping a close eye.

New comment by eblume in "Wikipedia was in read-only mode following mass admin account compromise"

eblume — Thu, 05 Mar 2026 19:54:45 +0000

Correct. Not sure about a sql archive, but the kiwix ZIM archive of the top 1M English articles including (downsized but not minimized) images is 43GiB: https://download.kiwix.org/zim/wikipedia/

And the entire English wikipedia with no images is, interestingly, also 43GiB.

New comment by eblume in "GPT‑5.3 Instant"

eblume — Tue, 03 Mar 2026 20:58:12 +0000

I don't know; we also grow corn for ethanol and add it to gas.

New comment by eblume in "Use the Mikado Method to do safe changes in a complex codebase"

eblume — Mon, 02 Mar 2026 14:52:16 +0000

It goes a lot further than plan mode though, in fact I would say the key difference of mikado refactors from waterfall refactors is that you don’t do all the planning up front with mikado. If anything you try to do as little planning as possible.

New comment by eblume in "Use the Mikado Method to do safe changes in a complex codebase"

eblume — Mon, 02 Mar 2026 14:50:23 +0000

I’ve been using a form of the Mikado Method based on a specific ordering of git commits (by message prefix) along with some pre commit hook scripts, governed by a document: https://docs.eblu.me/how-to/agent-change-process

I have this configured to feed in to an agent for large changes. It’s been working pretty well, still not perfect though… the tricky part is that it is very tempting (and maybe even sometimes correct) to not fully reset between mikado “iterations”, but then you wind up with a messy state transfer. The advantage so far has been that it’s easy to make progress while ditching a session context “poisoned” by some failure.

New comment by eblume in "Password managers less secure than promised"

eblume — Sun, 22 Feb 2026 00:00:14 +0000

Thanks, it's also available via my 1password cloud account, so it'd have to be a joint fire at my home and the 1password data center (and my phone, for that matter). Pretty bad day I feel.

Unrelated note: this was the first time I've linked to my static generated docs for this project and it was really fun watching the grafana dash of my fly.io nginx proxy pick up all the scraping traffic. Thanks for warming my cache :) I work with this tech all the time at my day job but this is the first time I've hosted something from my home, it's genuinely made my afternoon to see it light up.

New comment by eblume in "Password managers less secure than promised"

eblume — Sat, 21 Feb 2026 23:23:45 +0000

I recently orchestrated this, although in my case I've chosen to use 1password's cloud based store as my primary secret store, so I'm accepting some exposure right off the bat that you might not be comfortable with.

I've documented the recovery process here: https://docs.eblu.me/how-to/operations/restore-1password-bac...

Basically, I have a borg backup job which runs every day, in a 3-2-1 replication strategy with the backups being sent both to a locally encrypted NAS (backups themselves have an additional layer of encryption via borg) as well as off-site with BorgBase. Those backups scoop up an export of 1password that I have a reminder to kick off manually about once a month via this script: https://github.com/eblume/blumeops/blob/main/mise-tasks/op-b...

The password that decrypts the key (along with the password that decrypts the backup) is stored on a piece of paper in a fireproof safe in my house. I've got a reminder to practice the entire DR process every six months, although I've only done it once so far as this is all pretty new.

It was fun to build!

New comment by eblume in "How did Windows 95 get permission to put Weezer video 'Buddy Holly' on the CD?"

eblume — Wed, 11 Feb 2026 03:17:15 +0000

I've sworn off Sony products - well, as much as one can do so - for the past, what, 20 years? - because of that. It's kind of funny to me because I don't usually have a high opinion of "wallet activism", but one day when I was 20 I found out I had a rootkit installed on my computer by Sony and now they are _dead to me_.