Hacker News: jamilbk

The identity join problem: Linking SSO profiles to directory users

jamilbk — Wed, 13 May 2026 02:47:28 +0000

Article URL: https://workos.com/blog/linking-sso-profiles-to-directory-users

Comments URL: https://news.ycombinator.com/item?id=48117235

Points: 3

# Comments: 0

Sans-IO: The secret to effective Rust for network services (2024)

jamilbk — Wed, 06 May 2026 15:44:55 +0000

Article URL: https://www.firezone.dev/blog/sans-io

Comments URL: https://news.ycombinator.com/item?id=48037563

Points: 1

# Comments: 0

Against DNSSEC (2015)

jamilbk — Wed, 06 May 2026 13:07:20 +0000

Article URL: https://sockpuppet.org/blog/2015/01/15/against-dnssec/

Comments URL: https://news.ycombinator.com/item?id=48035788

Points: 1

# Comments: 0

New comment by jamilbk in "Talking to strangers at the gym"

jamilbk — Tue, 05 May 2026 02:15:28 +0000

Yeah, the weight floor can be hit or miss with regards to striking convos with strangers. Many of the people there want to make friends too, but many just want to focus on their workout.

Two related contexts that I've found to be much more friendly for this:

1. Climbing gyms, for reasons mentioned previously

2. The sauna! Actually very ideal for convos with strangers. Max overlap time is ~15 minutes, people are generally relaxed, no phones to distract and if it doesn't go well either party can always leave.

New comment by jamilbk in "Can I disable all data collection from my vehicle?"

jamilbk — Thu, 30 Apr 2026 20:38:16 +0000

I remember yanking out the onstar unit in my 2015 silverado to physically disconnect the cell antenna. This was (is?) the only practical way to disable cellular in that vehicle.

Kudos to Rivian for making this a supported user privacy feature.

New comment by jamilbk in "The challenges of soft delete"

jamilbk — Tue, 20 Jan 2026 23:47:50 +0000

At Firezone we started with soft-deletes thinking it might be useful for an audit / compliance log and quickly ran into each of the problems described in this article. The real issue for us was migrations - having to maintain structure of deleted data alongside live data just didn't make sense, and undermined the point of an immutable audit trail.

We've switched to CDC using Postgres which emits into another (non-replicated) write-optimized table. The replication connection maintains a 'subject' variable to provide audit context for each INSERT/UPDATE/DELETE. So far, CDC has worked very well for us in this manner (Elixir / Postgrex).

I do think soft-deletes have their place in this world, maybe for user-facing "restore deleted" features. I don't think compliance or audit trails are the right place for them however.

New comment by jamilbk in "Self-hosting is being enshittified"

jamilbk — Mon, 29 Dec 2025 03:12:05 +0000

I don't fully understand the complaints about enshittification of open source permissively licensed software.

If the source code is available for you to fork, modify, and maintain as you see fit, what's the complaining really about?

Hard Mode Rust (2022)

jamilbk — Sun, 12 Jan 2025 18:11:12 +0000

Article URL: https://matklad.github.io/2022/10/06/hard-mode-rust.html

Comments URL: https://news.ycombinator.com/item?id=42675445

Points: 3

# Comments: 0

New comment by jamilbk in "How NAT Traversal Works (2020)"

jamilbk — Sun, 05 Jan 2025 12:20:32 +0000

Yes, the established standard here is known collectively as Interactive Connectivity Establishment (ICE) [1] which WebRTC relies on -- there are a few good libraries out there that implement it and/or various elements of it [2] [3].

libp2p [4] may be what you're after if you want something geared more towards general purpose connectivity.

[1] https://datatracker.ietf.org/doc/html/rfc8445

[2] https://github.com/pion/webrtc

[3] https://github.com/algesten/str0m

[4] https://libp2p.io

New comment by jamilbk in "Show HN: Test your WireGuard connectivity and see global stats, no client needed"

jamilbk — Sun, 11 Aug 2024 00:55:47 +0000

PRs welcome! We may not have much bandwidth to help, but happy to review anything that comes along. We can discuss further perhaps on a GitHub issue so the rest of the Firezone team can offer input: https://github.com/firezone/probe/issues/new.

New comment by jamilbk in "Show HN: Test your WireGuard connectivity and see global stats, no client needed"

jamilbk — Sun, 11 Aug 2024 00:53:37 +0000

I've exposed `Android` as a support OS. Give it a shot now.

New comment by jamilbk in "Show HN: Test your WireGuard connectivity and see global stats, no client needed"

jamilbk — Sun, 11 Aug 2024 00:20:10 +0000

Noted! I'll update it to use the Unix instructions in that case. Thanks for the feedback!

New comment by jamilbk in "Show HN: Test your WireGuard connectivity and see global stats, no client needed"

jamilbk — Sat, 10 Aug 2024 18:11:52 +0000

Unfortunately the app wasn't designed to intake test results from runs that didn't originate from itself. We wanted to make it harder to submit fake results, and didn't want to add a lot of friction around user auth and such.

New comment by jamilbk in "Show HN: Test your WireGuard connectivity and see global stats, no client needed"

jamilbk — Sat, 10 Aug 2024 15:59:37 +0000

Great! Did the test report the block accurately for you?

Show HN: Test your WireGuard connectivity and see global stats, no client needed

jamilbk — Fri, 09 Aug 2024 20:27:13 +0000

Hi HN,

Some misbehaving networks drop WireGuard packets either by accident or on purpose. Commonly the latter is done with simple DPI rules that block the handshake initiation [1], but it could be applied to other message types as well.

We thought it would be great if there was tool for folks to use as a quick litmus test to see if this happening for them, without having to configure a client to send data through a random, functional WireGuard tunnel to an untrusted remote host. So we built probe.sh.

How it works:

- The probe.sh web app is an Elixir Phoenix app that spawns a few gen_udp servers across a variety of common UDP ports. - When a user visits the app, Probe starts a LiveView process and generates a unique cryptographic token to use for the test. - When the user runs the script shown, it first sends an HTTP request to start the test, followed by a series of UDP payloads, and finally either a complete or cancel request to end the test. - The UDP payloads are crafted to resemble real world WireGuard packets and sent with widely available tools like netcat (Unix) and System.Net.Sockets.UdpClient (Win) already on your OS. - The gen_udp server receives these payloads, and if they match one of the four WireGuard message types by header, it broadcasts test updates to the LiveView process for that test, and the test is marked as success. - The user is immediately shown the results of the test.

The entire tool is open source at https://github.com/firezone/probe (README contains guide for self-hosting) and you can find a FAQ with more useful info at https://probe.sh/faq. You can also see our tally of global results organized by country: https://probe.sh/stats

We hope you find it useful for testing your network for WireGuard connectivity issues.

Thanks for reading - feedback welcome!

[1] https://x.com/6h4n3m/status/1459462360003919875

Comments URL: https://news.ycombinator.com/item?id=41205141

Points: 43

# Comments: 10

New comment by jamilbk in "Launch HN: Firezone (YC W22) – Zero-trust access platform built on WireGuard"

jamilbk — Wed, 07 Aug 2024 14:41:02 +0000

We have a few intrepid users self-hosting the entire Firezone stack, but we don't have documentation to support it (yet), and wouldn't recommend it for production. It's something we'd like to write and maintain eventually, even if only for smaller / hobby deployments.

We do have a self-hosted community support channel on Discord if you are feeling adventurous: https://discord.gg/DY8gxpSgep

I would recommend starting here with a local development cluster:

https://github.com/firezone/firezone/blob/main/docs/CONTRIBU...

New comment by jamilbk in "Launch HN: Firezone (YC W22) – Zero-trust access platform built on WireGuard"

jamilbk — Wed, 07 Aug 2024 14:30:03 +0000

You can read more about how we came up with the current implementation here:

https://github.com/firezone/firezone/issues/3553

We didn't invent these techniques. Host candidates are part of standard ICE:

https://datatracker.ietf.org/doc/html/rfc8445#section-5.1.1....

New comment by jamilbk in "Launch HN: Firezone (YC W22) – Zero-trust access platform built on WireGuard"

jamilbk — Wed, 07 Aug 2024 14:19:48 +0000

Firezone's DNS-based routing is able to manage access to multiple services independently, even if they share the same IP address. So you could for example allow access to gitlab.company.com but not jira.company.com even if they were on the same webserver / loadbalancer.

It took a couple iterations to get it right - lots of fun edge cases involved. We ended up having to build automatic NAT64 and 46 for DNS resources to handle some of them. We wrote a post on how this works: https://www.firezone.dev/blog/how-dns-works-in-firezone

In terms of attributes for allowing access, we currently support time-based, country/region-based, auth method, and IP-based, with more planned: https://www.firezone.dev/kb/deploy/policies#conditional-acce...

New comment by jamilbk in "Launch HN: Firezone (YC W22) – Zero-trust access platform built on WireGuard"

jamilbk — Wed, 07 Aug 2024 03:59:29 +0000

We don't support full-tunnel yet, but it's just around the corner. Track this issue if you're interested in its progress: https://github.com/firezone/firezone/issues/2667

New comment by jamilbk in "Launch HN: Firezone (YC W22) – Zero-trust access platform built on WireGuard"

jamilbk — Wed, 07 Aug 2024 03:44:58 +0000

Thanks!

Erlang/OTP has so far been an excellent platform to build on for a product like Firezone. We chose it specifically for its reputation for powering soft realtime systems. Phoenix Channels are an added bonus that allow us to push all updates where they need to go, in just a few hundred lines of code.

We couldn't be happier with the stack choice.