Hacker News: metafunctor

New comment by metafunctor in "I got hacked: My Hetzner server started mining Monero"

metafunctor — Thu, 18 Dec 2025 07:52:26 +0000

Not impossible at all with a policy-filtering HTTPS proxy. See https://laurikari.github.io/exfilguard/

In this model, hosts don’t need any direct internet connectivity or access to public DNS. All outbound traffic is forced through the proxy, giving you full control over where each host is allowed to connect.

It’s not painless: you must maintain a whitelist of allowed URLs and HTTP methods, distribute a trusted CA certificate, and ensure all software is configured to use the proxy.

New comment by metafunctor in "Native Secure Enclave backed SSH keys on macOS"

metafunctor — Mon, 24 Nov 2025 06:39:00 +0000

The key itself appears to have no validity period, the validity period is only for the certificate made for the key. Maybe you could create a CSR for the key/identity and then sign it with your own CA (or self-sign with openssl) for whatever validity period you like. Then `sc_auth import-ctk-certificate`.

New comment by metafunctor in "NPM debug and chalk packages compromised"

metafunctor — Tue, 09 Sep 2025 00:30:09 +0000

Good point! The web is going through its own endless September.

And so, it seems, is everything else. Perhaps, this commentary adds no value — just old man yells at cloud stuff.

New comment by metafunctor in "NPM debug and chalk packages compromised"

metafunctor — Mon, 08 Sep 2025 20:56:26 +0000

The npm team is, frankly, a bunch of idiots for saying that. It has been obvious for TEN YEARS that the bar for publishing npm packages is far too low. That’s what made npm what it is, but it’s no longer needed. They should put on their big boy pants.

New comment by metafunctor in "NPM debug and chalk packages compromised"

metafunctor — Mon, 08 Sep 2025 20:38:19 +0000

Welcome to the web side. Everything’s bonkers. Hard-earned software engineering truths get tossed out, because hey, wtf, I’ll just do some stuff and yippee. Feels like everyone’s stuck at year three of software engineering, and every three years the people get swapped out.

New comment by metafunctor in "Nginx introduces native support for ACME protocol"

metafunctor — Wed, 13 Aug 2025 21:44:41 +0000

I never saw it as a problem for nginx to just serve web content and let certbot handle cert renewals. Whatever happened to doing one thing well and making it composable? Fat tools that try to do everything inevitably suck at some important part.

New comment by metafunctor in "Get the location of the ISS using DNS"

metafunctor — Sun, 06 Jul 2025 14:04:17 +0000

It’s quite easy to run your own DNS server — I've found it a worthwhile exercise. Of course, you’ll need a server to run it on.

New comment by metafunctor in "Weight-loss drug found to shrink muscle in mice, human cells"

metafunctor — Thu, 21 Nov 2024 10:49:12 +0000

Those muscle mass percentages cannot be right. How were they measured?

New comment by metafunctor in "Cloudflare beats patent troll so badly it basically gives up"

metafunctor — Sat, 05 Oct 2024 19:12:59 +0000

Sabre or Sable?

New comment by metafunctor in "Show HN: A macOS app to prevent sound quality degradation on AirPods"

metafunctor — Mon, 30 Sep 2024 19:00:12 +0000

I was excited to try this, since I'm a bit tired of selecting the input manually multiple times per day. Unfortunately, connecting AirPods automatically switches the input to them, regardless of the previously selected input device, whether it's an aggregate device or not.

New comment by metafunctor in "Defusedxml – defusing XML bombs and other exploits"

metafunctor — Mon, 23 Sep 2024 19:36:49 +0000

OK, so the defusedxml.lxml submodule is deprecated and one should use the other APIs from defusedxml instead. That does not mean that defusedxml in it's entirety would be useless.

New comment by metafunctor in "Defusedxml – defusing XML bombs and other exploits"

metafunctor — Thu, 12 Sep 2024 18:11:45 +0000

Do you mean that it is, in fact, a mistake to use defusedxml instead of lxml in Python?

New comment by metafunctor in "You'll regret using natural keys"

metafunctor — Tue, 11 Jun 2024 22:26:59 +0000

Type safe and unguessable IDs are what I've been using in my projects for the past, oh, 10 years maybe? Inspired by Stripe!

In my databases, I often prefer integer primary keys for performance reasons. On the other hand, I don't want to expose my primary keys because they are easy to guess.

Recently I've been playing with Rust, and ended up publishing a library to encrypt IDs in they way I like:

https://crates.io/crates/cryptid-rs

New comment by metafunctor in "Microsoft Research chief scientist has no issue with Recall"

metafunctor — Thu, 06 Jun 2024 09:19:17 +0000

If they can get your sqlite files, what makes you think they wouldn't be able to get the encryption key as well?

New comment by metafunctor in "Flags Are Not Languages"

metafunctor — Sun, 05 May 2024 15:14:10 +0000

A commonly used icon or symbol for language selection seems to be the globe symbol (U+1F310). HN seems to filter it away, though, so cannot use it in this comment.

New comment by metafunctor in "French court issues damages award for violation of GPL"

metafunctor — Mon, 04 Mar 2024 14:28:17 +0000

So Orange won 12 years time to pay whatever you won in the end?

That's a factor of about 2.2x, assuming 7% capital gains year-on-year.

If the sums are large, it would've made a lot of sense for Orange to delay the decision for 12 years until having to pay.

But I'm not sure at all of the sums here were that substantial.

New comment by metafunctor in "French court issues damages award for violation of GPL"

metafunctor — Mon, 04 Mar 2024 09:13:29 +0000

Agreed, I think this is something the English language community should solve.

IMHO, I think “free” should be reserved for the wider meaning encompassing all the various aspects of freedom.

And a (new?) word like “gratis” should be used for the you-dont-have-to-pay-money-for-this-now meaning.

New comment by metafunctor in "A beginner's guide to constant-time cryptography (2017)"

metafunctor — Thu, 22 Feb 2024 09:23:12 +0000

That would make it quite easy to maliciously lock someone out.

Instead locking accounts, appropriate throttling might be a better idea.

New comment by metafunctor in "Ask HN: My company went bankrupt today and I have 2 options"

metafunctor — Mon, 19 Feb 2024 14:23:22 +0000

Yeah, there's no amount of dedication that will make the business fly if you stubbornly want to do “your thing”. You have to do what the market can find and is willing to pay for. Many of such businesses can be discovered without starting full-time.

New comment by metafunctor in "My notes on Gitlab's Postgres schema design (2022)"

metafunctor — Sun, 18 Feb 2024 09:37:58 +0000

Bugs happen also in access control. Unguessable IDs make it much harder to exploit some of those bugs. Of course the focus should be on ensuring correct access control in the first place, but unguessable IDs can make the difference between a horrible disaster and a close call.

It's also possible to use auto-incrementing database IDs and encrypt them, if using UUIDs doesn't work for you. With appropriate software layers in place, encrypted IDs work more or less automatically.