Hacker News: kklhttps://news.ycombinator.com/user?id=kklHacker News RSShttps://hnrss.org/hnrss v2.1.1Sat, 25 Apr 2026 16:24:28 +0000<![CDATA[New comment by kkl in "You don't want long-lived keys"]]>Part of the threat model for an Engineering team is that people come and go. They move teams which have different levels of access. They leave the organization, in most cases, on good terms. I want to set up infrastructure where I don't need to remember that your SSH pubkey is baked into production configuration after you leave the company.

There are several options for setting up per-connection keys that are dispensed to users through the company SSO. That setup means you don't need to maintain separate infrastructure for (de-)provisioning SSH keys.

]]>Sat, 25 Apr 2026 02:34:54 +0000https://news.ycombinator.com/item?id=47898108kklhttps://news.ycombinator.com/item?id=47898108https://news.ycombinator.com/item?id=47898108<![CDATA[You don't want long-lived keys]]>Article URL: https://argemma.com/blog/long-lived-keys/

Comments URL: https://news.ycombinator.com/item?id=47851377

Points: 74

# Comments: 53

]]>Tue, 21 Apr 2026 16:55:04 +0000https://argemma.com/blog/long-lived-keys/kklhttps://news.ycombinator.com/item?id=47851377https://news.ycombinator.com/item?id=47851377<![CDATA[Anonymous credentials: an illustrated primer (Part 2)]]>Article URL: https://blog.cryptographyengineering.com/2026/04/17/anonymous-credentials-an-illustrated-primer-part-2/

Comments URL: https://news.ycombinator.com/item?id=47838134

Points: 37

# Comments: 0

]]>Mon, 20 Apr 2026 17:58:13 +0000https://blog.cryptographyengineering.com/2026/04/17/anonymous-credentials-an-illustrated-primer-part-2/kklhttps://news.ycombinator.com/item?id=47838134https://news.ycombinator.com/item?id=47838134<![CDATA[New comment by kkl in "A rogue AI led to a serious security incident at Meta"]]>> "Had the engineer that acted on that known better, or did other checks, this would have been avoided."

takes long drag tweet[1] here>

I personally find "LLMs can do $THING poorly" and "LLMs can do $THING well" articles kinda boring at this point. But! I'm hopeful that stories like this will shift the industry's focus towards robustness instead of just short-term efficiency. I suspect many decision making and change management processes accidentally benefited from just being a bit slow.

[1] https://waffles.fun/amy.png

]]>Thu, 19 Mar 2026 22:07:28 +0000https://news.ycombinator.com/item?id=47446984kklhttps://news.ycombinator.com/item?id=47446984https://news.ycombinator.com/item?id=47446984<![CDATA[New comment by kkl in "Every layer of review makes you 10x slower"]]>> The job of a code reviewer isn't to review code. It's to figure out how to obsolete their code review comment, that whole class of comment, in all future cases, until you don't need their reviews at all anymore.

Making entire classes of issues effectively impossible is definitely the ideal outcome. But, this feels much more complicated when you consider that trust doesn't always extend beyond the company's wall and you cannot always ignore that fact because the negative outcomes can be external to the company.

What if I, a trusted engineer, run `npm update` at the wrong time and malware makes its way into production and user data is stolen? A mistake to learn from, for sure, but a post-mortem is too late for those users.

I'm certainly not advocating for relying on human checks everywhere, but reasoning about where you crank the trust knob can get very complicated or costly. Occasionally a trustworthy human reviewer can be part of a very reasonable control.

]]>Tue, 17 Mar 2026 17:40:13 +0000https://news.ycombinator.com/item?id=47415814kklhttps://news.ycombinator.com/item?id=47415814https://news.ycombinator.com/item?id=47415814<![CDATA[New comment by kkl in "Every layer of review makes you 10x slower"]]>It’s also the case that someone you trust makes an honest mistake and, for example, gets their laptop stolen and their credentials compromised. I do trust my team, and want that to be the foundation to our relationship, but I also recognize that humans are infallible and having guardrails (eg code review) is beneficial.

]]>Tue, 17 Mar 2026 17:00:08 +0000https://news.ycombinator.com/item?id=47415337kklhttps://news.ycombinator.com/item?id=47415337https://news.ycombinator.com/item?id=47415337<![CDATA[New comment by kkl in "Fish Shell 4.0 released. Rust re write finished"]]>Congratulations! Fish is such a wonderful shell. It’s been my daily driver for many years now but I’ve had a renewed appreciation for it now that I’m working in several different development environments. The default fish install Just Works so well that I don’t bother with trying to schlep my dotfiles around.

]]>Wed, 25 Feb 2026 18:12:21 +0000https://news.ycombinator.com/item?id=47155322kklhttps://news.ycombinator.com/item?id=47155322https://news.ycombinator.com/item?id=47155322<![CDATA[New comment by kkl in "Never buy a .online domain"]]>I could also buy that the free domains were ran up by scammers which could have caused some of the hair trigger Safe Browsing denylisting.

]]>Wed, 25 Feb 2026 16:36:38 +0000https://news.ycombinator.com/item?id=47153889kklhttps://news.ycombinator.com/item?id=47153889https://news.ycombinator.com/item?id=47153889<![CDATA[New comment by kkl in "Minions – Stripe's Coding Agents Part 2"]]>While there are compliance/security benefits it is not the primary motivation.

If you have fairly complicated infrastructure it can be way more efficient to have a pool of ready to go beefy EC2 instances on a recent commit of your multi-GB git repo instead of having to run everything on a laptop.

]]>Sat, 21 Feb 2026 03:59:51 +0000https://news.ycombinator.com/item?id=47097359kklhttps://news.ycombinator.com/item?id=47097359https://news.ycombinator.com/item?id=47097359<![CDATA[Go's filepath.Clean does not prevent path traversal]]>Article URL: https://argemma.com/blog/go-filepath-clean/

Comments URL: https://news.ycombinator.com/item?id=46810843

Points: 2

# Comments: 0

]]>Thu, 29 Jan 2026 14:44:49 +0000https://argemma.com/blog/go-filepath-clean/kklhttps://news.ycombinator.com/item?id=46810843https://news.ycombinator.com/item?id=46810843<![CDATA[String comparison timing attacks in Go]]>Article URL: https://kel.bz/post/go-timing/

Comments URL: https://news.ycombinator.com/item?id=46501251

Points: 1

# Comments: 0

]]>Mon, 05 Jan 2026 16:53:47 +0000https://kel.bz/post/go-timing/kklhttps://news.ycombinator.com/item?id=46501251https://news.ycombinator.com/item?id=46501251<![CDATA[Confessions to a Data Lake]]>Article URL: https://confer.to/blog/2025/12/confessions-to-a-data-lake/

Comments URL: https://news.ycombinator.com/item?id=46367377

Points: 37

# Comments: 13

]]>Tue, 23 Dec 2025 17:51:13 +0000https://confer.to/blog/2025/12/confessions-to-a-data-lake/kklhttps://news.ycombinator.com/item?id=46367377https://news.ycombinator.com/item?id=46367377<![CDATA[Control planes are a useful concept]]>Article URL: https://kel.bz/post/control-plane/

Comments URL: https://news.ycombinator.com/item?id=46283855

Points: 2

# Comments: 1

]]>Tue, 16 Dec 2025 02:06:15 +0000https://kel.bz/post/control-plane/kklhttps://news.ycombinator.com/item?id=46283855https://news.ycombinator.com/item?id=46283855<![CDATA[Authenticated Dictionaries with Skip Lists and Commutative Hashing]]>Article URL: https://kel.bz/post/authdict/

Comments URL: https://news.ycombinator.com/item?id=21964499

Points: 3

# Comments: 0

]]>Sun, 05 Jan 2020 22:08:18 +0000https://kel.bz/post/authdict/kklhttps://news.ycombinator.com/item?id=21964499https://news.ycombinator.com/item?id=21964499<![CDATA[RSA-Based Key Encapsulation Mechanisms]]>Article URL: https://kel.bz/post/kem/

Comments URL: https://news.ycombinator.com/item?id=20023974

Points: 1

# Comments: 0

]]>Mon, 27 May 2019 17:50:53 +0000https://kel.bz/post/kem/kklhttps://news.ycombinator.com/item?id=20023974https://news.ycombinator.com/item?id=20023974<![CDATA[Building lattice reduction (LLL) intuition]]>Article URL: https://kel.bz/post/lll/

Comments URL: https://news.ycombinator.com/item?id=14847560

Points: 81

# Comments: 7

]]>Tue, 25 Jul 2017 13:33:29 +0000https://kel.bz/post/lll/kklhttps://news.ycombinator.com/item?id=14847560https://news.ycombinator.com/item?id=14847560<![CDATA[The Goldreich–Goldwasser–Halevi (GGH) Cryptosystem]]>Article URL: https://kel.bz/post/lattices/

Comments URL: https://news.ycombinator.com/item?id=14200300

Points: 2

# Comments: 0

]]>Wed, 26 Apr 2017 03:50:54 +0000https://kel.bz/post/lattices/kklhttps://news.ycombinator.com/item?id=14200300https://news.ycombinator.com/item?id=14200300<![CDATA[New comment by kkl in "Show HN: Evilpass – A slightly evil password strength checker"]]>Losing control of your actual phone is not the same as losing control of your phone number.

I'm not sure about Microsoft, but Google supports several other 2FA mechanisms in addition to SMS.

]]>Sat, 18 Feb 2017 18:08:03 +0000https://news.ycombinator.com/item?id=13675843kklhttps://news.ycombinator.com/item?id=13675843https://news.ycombinator.com/item?id=13675843<![CDATA[New comment by kkl in "Differences between Heavy Metal, Thrash Metal, Black Metal, and Death Metal"]]>I think this is true of "Second Wave" black metal bands but less true of more recent output.

]]>Wed, 11 Jan 2017 01:24:11 +0000https://news.ycombinator.com/item?id=13370985kklhttps://news.ycombinator.com/item?id=13370985https://news.ycombinator.com/item?id=13370985<![CDATA[New comment by kkl in "I'm giving up on PGP"]]>What properties does email have that asynchronous messaging services (e.g. Signal) do not?

]]>Tue, 06 Dec 2016 16:18:19 +0000https://news.ycombinator.com/item?id=13115741kklhttps://news.ycombinator.com/item?id=13115741https://news.ycombinator.com/item?id=13115741