Comments URL: https://news.ycombinator.com/item?id=48354985

Points: 2

# Comments: 0

Comments URL: https://news.ycombinator.com/item?id=48173635

Points: 1

# Comments: 1

rebuild.sh makes a fresh Ubuntu installation, runs an ansible playbook to install Caddy and configures it, and uses curl to verify that Caddy is running correctly.

$ time ./rebuild.sh

[...]

real 0m11.664s

user 0m0.789s

sys 0m0.925s

Comments URL: https://news.ycombinator.com/item?id=47557343

Points: 2

# Comments: 0

Maybe it's like linux distros: all based on the same software, but optimized for different use-cases or preferences.

That 17% increase is in self-reported effectiveness. The software delivery throughput only went up 3%, at a cost of that 9% extra instability. So you can build 3% faster with 9% more bugs, if I'm reading those numbers right.

Bing, DuckDuckGo, Qwant, Ecosia, Brave all had the github repo and nanoclaw.net (the fake homepage) in the first or second place. Marginalia had fascinating results about biology but only tangentially related Nanoclaw results, not the github repo or either the fake or real homepage.

Mojeek was the exception, sort of. It had some random news sites up top, but the github repo in 2nd place and nanoclaw.dev (the real homepage) in the 4th place. The fake nanoclaw.net did not show.

Kagi is the only one I couldn't try because apparently I used up my free credits a year back. Can anyone see how they compare?

Hence pointing out that VM escape is a lot easier than that if your VM management tool syncs folders the way that Vagrant does by default.

> a malicious AI trying to escape the VM (VM escape vulnerabilities exist, but they’re rare and require deliberate exploitation)

No VM escape vulns necessary. A malicious AI could just add arbitrary code to your Vagrantfile and get host access the first time you run a vagrant command.

If you're only worried about mistakes, Claude could decide to fix/improve something by adding a commit hook. If that contains a mistake, the mistake gets executed on your host the first time you git commit/push.

(Yes, it's unpleasantly difficult to truly isolate dev environments without inconveniencing yourself.)

  Location: The Netherlands. I'm flexible with working hours, I usually work with clients from either Western Europe or the USA.
  Remote: Yes
  Willing to relocate: No, but willing to travel/visit
  Technologies: especially Ruby (including Ruby on Rails, Sinatra, and standalone applications), PostgreSQL, Ansible, Linux. Lots of others at the end of my comment.
  Résumé/CV: https://www.luitjes.it
  Email: lucas@luitjes.it 

* Have a slow web application that’s often down?

* Want to improve security and don’t know where to start?

* Have a legacy system that needs to be replaced?

* Are considering an acquisition but not sure about the technical side?

I can help with that. For example, in the past I have:

* Massively improved performance and reliability for a data visualization platform.

* Led a large effort to improve security for a cybersecurity SaaS.

* Built a micropayments system for a prominent media startup.

* Rebuilt an aging e-learning platform from scratch for a GDPR compliance SaaS.

* Conducted technical due diligence for acquisitions.

For more information: https://www.luitjes.it

Other tech I've worked with: Elixir, C#, Java (Spring/Hibernate), JavaScript, HTML/CSS/XSLT/XPATH/XSLFO, Elasticsearch, MongoDB, MySQL, Redis, Solr/Lucene, Graphite, Kibana, Grafana, Logstash, Icinga, Jenkins, Varnish, HAProxy, Pound, Nginx, Apache, Passenger, Vagrant, Docker, DCOS, Kubernetes, SSH, OpenVPN, TCP/IP, tcpdump/strace/lsof/etc, AWS (EC2, ELB/ALB, S3, CloudFront, Lambda, Batch, VPC, etc.

If you were writing a script to mass-scan the web for vulnerabilities, you would want to collect as many http endpoints as possible. JS files, regardless of whether they're commented out or not, are a great way to find endpoints in modern web applications.

If you were writing a scraper to collect source code to train LLMs on, I doubt you would care as much about a commented-out JS file. I'm not sure you'd even want to train on random low-quality JS served by websites. Anyone familiar with LLM training data collection who can comment on this?

Willing to relocate: no, but willing to travel/visit. I'm flexible with working hours, I usually work with clients from either Western Europe or the USA.

I do dev/devops/security, usually for startups or scale-ups or other small orgs with limited resources, and I've been doing that for 15+ years. So, if you:

* Have a slow web application that’s often down?

* Want to improve security and don’t know where to start?

* Have a legacy system that needs to be replaced?

* Are considering an acquisition but not sure about the technical side?

I can help with that. For example, in the past I have:

* Massively improved performance and reliability for a data visualization platform.

* Led a large effort to improve security for a cybersecurity SaaS.

* Built a micropayments system for a prominent media startup.

* Rebuilt an aging e-learning platform from scratch for a GDPR compliance SaaS.

* Conducted technical due diligence for acquisitions.

For more information: https://www.luitjes.it

Favorite buzzwords: Ruby (including Ruby on Rails, Sinatra, and standalone applications), PostgreSQL, Ansible, Linux.

Other buzzwords: Elixir, C#, Java (Spring/Hibernate), JavaScript, HTML/CSS/XSLT/XPATH/XSLFO, Elasticsearch, MongoDB, MySQL, Redis, Solr/Lucene, Graphite, Kibana, Grafana, Logstash, Icinga, Jenkins, Varnish, HAProxy, Pound, Nginx, Apache, Passenger, Vagrant, Docker, DCOS, Kubernetes, SSH, OpenVPN, TCP/IP, tcpdump/strace/lsof/etc, AWS (EC2, ELB/ALB, S3, CloudFront, Lambda, Batch, VPC, etc.

I'm curious what effects you would see with secular moral philosophy, other religions, etc. Is Buddhism special, as the paper seems to argue?

Comments URL: https://news.ycombinator.com/item?id=45147728

Points: 3

# Comments: 2

Willing to relocate: no, but willing to travel/visit. I'm flexible with working hours, I usually work with clients from either Western Europe or the USA.

I do dev/devops/security, usually for startups or scale-ups or other small orgs with limited resources, and I've been doing that for 15+ years. So, if you:

* Have a slow web application that’s often down?

* Want to improve security and don’t know where to start?

* Have a legacy system that needs to be replaced?

* Are considering an acquisition but not sure about the technical side?

I can help with that. For example, in the past I have:

* Massively improved performance and reliability for a data visualization platform.

* Led a large effort to improve security for a cybersecurity SaaS.

* Built a micropayments system for a prominent media startup.

* Rebuilt an aging e-learning platform from scratch for a GDPR compliance SaaS.

* Conducted technical due diligence for acquisitions.

For more information: https://www.luitjes.it

Favorite buzzwords: Ruby (including Ruby on Rails, Sinatra, and standalone applications), PostgreSQL, Ansible, Linux.

Other buzzwords: Elixir, C#, Java (Spring/Hibernate), JavaScript, HTML/CSS/XSLT/XPATH/XSLFO, Elasticsearch, MongoDB, MySQL, Redis, Solr/Lucene, Graphite, Kibana, Grafana, Logstash, Icinga, Jenkins, Varnish, HAProxy, Pound, Nginx, Apache, Passenger, Vagrant, Docker, DCOS, Kubernetes, SSH, OpenVPN, TCP/IP, tcpdump/strace/lsof/etc, AWS (EC2, ELB/ALB, S3, CloudFront, Lambda, Batch, VPC, etc.

> Cloudflare apparently did something similar recently.

Sure, LLMs don't magically remove your ability to audit code. But the way they're currently being used, do they make the average dev more or less likely to introduce vulnerabilities?

By the way, a cursory look [0] revealed a number of security issues with that Cloudflare OAuth library. None directly exploitable, but not something you want in your most security-critical code either.

[0] https://neilmadden.blog/2025/06/06/a-look-at-cloudflares-ai-...

Also, I'm curious how the average coder would fare on this benchmark.

Since debugging hardware is an even higher threshold, I would expect hardware devices this to be wildly insecure unless there are strong incentive for investing in security. Same as the "security" of the average IoT device.