Hacker News: maltalex

New comment by maltalex in "Warez Scene"

maltalex — Sat, 11 Apr 2026 02:29:15 +0000

Wouldn't a "WebRip" have to come from a streaming service by definition?

Warez Scene

maltalex — Sat, 11 Apr 2026 00:52:09 +0000

Article URL: https://en.wikipedia.org/wiki/Warez_scene

Comments URL: https://news.ycombinator.com/item?id=47725942

Points: 25

# Comments: 7

New comment by maltalex in "Is BGP safe yet?"

maltalex — Wed, 01 Apr 2026 18:35:36 +0000

Only with certificate pinning or something similar. Otherwise, the attacker can get valid TLS certificates for any domain hosted on the hijacked IP addresses.

New comment by maltalex in "Is BGP safe yet?"

maltalex — Wed, 01 Apr 2026 15:17:02 +0000

Here are some examples:

The attacker can impersonate the victim, get a valid x509 certificate issued to it, and create a perfect replica of their website/api/whatever.

The attacker can perform a man-in-the-middle attack on the victim - record traffic, inject traffic, manipulate traffic, etc.

The attacker can just deny access to the victim - just drop packets meant for the victim.

New comment by maltalex in "Is BGP safe yet?"

maltalex — Wed, 01 Apr 2026 14:06:14 +0000

RPKI doesn't make BGP safe, it makes it safer. BGP hijacks can still happen.

RPKI only secures the ownership information of a given prefix, not the path to that prefix. Under RPKI, an attacker can still claim to be on the path to a victim AS, and get the victim's traffic sent to it.

The solution to this was supposed to be BGPSec, but it's widely seen as un-deployable.

New comment by maltalex in "Microsoft Set for Worst Quarter Since 2008"

maltalex — Sun, 29 Mar 2026 00:53:26 +0000

Absolutely. They've made the same mess with "Copilot" as with ".NET" in the early 00's [0]. Everything was ".NET" from consumer oriented services (".NET Passport"), to "Visual Studio .NET" without anyone understanding what ".NET" was.

Now it's "Microsoft Copilot" which is different from "Microsoft 365 Copilot", which is different from "Copilot Chat" and from "GitHub Copilot", and the many other flavors.

It's a mess.

Still, their developer-focused offering seems to be "GitHub Copilot", which among other things includes "GitHub Copilot CLI" [1], their terminal-based agent. It's not bad.

[0]: https://en.wikipedia.org/wiki/Microsoft_.NET_strategy

[1]: https://github.com/features/copilot/cli/

New comment by maltalex in "Microsoft Set for Worst Quarter Since 2008"

maltalex — Sat, 28 Mar 2026 20:13:32 +0000

“Copilot” is not one product, it’s around 15 different products, seriously.

I think that people often compare apples to oranges by comparing the “copilot” they have in Windows/Office/Teams etc to Claude Code which is ridiculous.

A better product to compare Claude Code to would be “Github Copilot CLI”, but I haven’t seen the two seriously compared anywhere.

Ten Months with Copilot Coding Agent in Dotnet/Runtime

maltalex — Thu, 26 Mar 2026 14:56:12 +0000

Article URL: https://devblogs.microsoft.com/dotnet/ten-months-with-cca-in-dotnet-runtime/

Comments URL: https://news.ycombinator.com/item?id=47531268

Points: 2

# Comments: 0

Emergent Cyber Behavior: When AI Agents Become Offensive Threat Actors

maltalex — Thu, 12 Mar 2026 17:36:31 +0000

Article URL: https://www.irregular.com/publications/emergent-offensive-cyber-behavior-in-ai-agents

Comments URL: https://news.ycombinator.com/item?id=47354436

Points: 4

# Comments: 0

New comment by maltalex in "We are building data breach machines and nobody cares"

maltalex — Wed, 11 Mar 2026 03:01:28 +0000

> and nobody cares

Everyone cares. In fact, there's an entire industry of tools being developed to solve this very problem. The current governance gaps are obvious to anyone who's ever used an agent.

We are still in the very early stages of all of this. The capabilities of current models are ahead of our engineering practices, and other organizational practices for that matter. Everyone is new to this.

New comment by maltalex in "When AI writes the software, who verifies it?"

maltalex — Wed, 04 Mar 2026 01:07:17 +0000

Maybe I'm missing something, but isn't this the same as writing code, but with extra steps?

Currently, engineers work with loose specifications, which they translate into code. With the proposed approach, they would need to first convert those specifications into a formally verifiable form before using LLMs to generate the implementation.

But to be production-ready, that spec would have to cover all possible use-cases, edge cases, error handling, performance targets, security and privacy controls, etc. That sounds awfully close to being an actual implementation, only in a different language.

New comment by maltalex in "Turn Dependabot off"

maltalex — Sat, 21 Feb 2026 15:01:53 +0000

> Dependabot has some value IME, but all naïve tools that only check software and version numbers against a vulnerability database tend to be noisy if they don’t then do something else to determine whether your code is actually exposed to a matching vulnerability.

For non-SaaS products it doesn’t matter. Your customer’s security teams have their own scanners. If you ship them vulnerable binaries, they’ll complain even if the vulnerable code is never used or isn’t exploitable in your product.

New comment by maltalex in "AI is destroying open source, and it's not even good yet"

maltalex — Tue, 17 Feb 2026 04:03:59 +0000

It's not just open source though. Many high quality sources of information are being (over-)exploited and hurt in the process. StackOverflow is effectively dead [0], the internet archive is being shunned by publishers [1], scientific journals are bombarded by fake papers [2] (and anecdotally, low-effort LLM-driven reviews), projects like OpenStreetMap incur significant costs due to scraping [3], and many more.

We went from data mining to data fracking.

[0]: https://blog.pragmaticengineer.com/stack-overflow-is-almost-...

[1]: https://www.niemanlab.org/2026/01/news-publishers-limit-inte...

[2]: https://www.theregister.com/2024/05/16/wiley_journals_ai/

[3]: https://www.heise.de/en/news/OpenStreetMap-is-concerned-thou...

New comment by maltalex in "AT&T, Verizon blocking release of Salt Typhoon security assessment reports"

maltalex — Mon, 09 Feb 2026 18:36:51 +0000

> you are both confusing two issues.

How am I confusing the two? My whole point was the same as yours - that the existence of lawful intercept is a separate issue and that the focus should be on securing telecoms.

New comment by maltalex in "AT&T, Verizon blocking release of Salt Typhoon security assessment reports"

maltalex — Mon, 09 Feb 2026 17:17:41 +0000

I get that you don't like lawful intercept. That's fine. But focusing on only that aspect of telcos derails the conversation and prevents us (in the very broad sense of "us") from making progress on things we all agree on. Can we stop bikeshedding and agree that telcos are critical infrastructure and need to be highly secure in general?

A hacker in control of a telco can do as they please regardless of any backdoors or lawful intercept systems. They can just use regular network functions to route calls wherever they want.

New comment by maltalex in "AT&T, Verizon blocking release of Salt Typhoon security assessment reports"

maltalex — Mon, 09 Feb 2026 16:29:06 +0000

Even if the back door wasn't there, you wouldn't want nation state hackers anywhere near telecoms since they're critical infrastructure. Telecoms should be highly secure. Period.

New comment by maltalex in "AT&T, Verizon blocking release of Salt Typhoon security assessment reports"

maltalex — Mon, 09 Feb 2026 16:25:27 +0000

Yes, telecoms should be forced to invest in their own security if they're not doing it. But the focus on the back door misses the point in my opinion. Even if the back door wasn't there, you wouldn't want nation state hackers anywhere near telecoms since they're critical infrastructure.

New comment by maltalex in "AT&T, Verizon blocking release of Salt Typhoon security assessment reports"

maltalex — Mon, 09 Feb 2026 15:45:45 +0000

The problem isn't the back door. Every telecom company in every country provides access for "lawful intercept". Phone taps have been a thing for decades and as far as I know, require a warrant.

The problem is that telecoms are very large, very complex environments, often with poor security controls. Investing in better controls is hard, time-consuming and expensive, and many telecoms are reluctant to do it. That's not great great since telcos are prime targets for nation state hackers as Salt Typhoon shows.

Hacking the lawful intercept systems is very brazen, but even if the hackers didn't don't go as far, and "only" gained control of normal telco stuff like call routing, numbering, billing, etc. it still would have been incredibly dangerous.

New comment by maltalex in "Show HN: Browse Internet Infrastructure"

maltalex — Mon, 09 Feb 2026 14:30:22 +0000

Nice website, but I feel like calling it "wire wiki" is quite ambitious. Currently, it's a (beautiful) DNS lookup tool, but that's about it. I expected something like RIPE Stat [0], or something like the undersea cable map [1] (based on the "wire" in the name). Also, if you're doing DNS, take a look at resolve.rs [2], they have some nice DNS tools, though not as pretty as yours :)

And since you mentioned scanning the IPv4 address space for DNS servers - I did that as well at a some point for a product I've built (and even have a patent on). The list of servers you're going to get with a naive scanning approach is not what you want. It won't include the servers you probably want (such as the customer-facing DNS servers of ISPs) and will include an insane amount of junk like home routers or weird IoT devices that expose their port 53. Hit me up via the email in my profile if you want to chat.

[0]: https://stat.ripe.net/

[1]: https://www.submarinecablemap.com/

[2]: https://resolve.rs/

The Trigger in the Haystack: Extracting and Reconstructing LLM Backdoor Triggers

maltalex — Wed, 04 Feb 2026 23:28:00 +0000

Article URL: https://arxiv.org/abs/2602.03085

Comments URL: https://news.ycombinator.com/item?id=46893430

Points: 1

# Comments: 0