Hacker News: morgante

Ramp Sheets

morgante — Tue, 18 Nov 2025 21:58:43 +0000

Article URL: https://labs.ramp.com/sheets

Comments URL: https://news.ycombinator.com/item?id=45972773

Points: 2

# Comments: 0

New comment by morgante in "How we exploited CodeRabbit: From simple PR to RCE and write access on 1M repos"

morgante — Wed, 20 Aug 2025 17:09:10 +0000

We built on firecracker VMMs but today I'd just use a hosted provider like morph.so or e2b.dev.

New comment by morgante in "How we exploited CodeRabbit: From simple PR to RCE and write access on 1M repos"

morgante — Wed, 20 Aug 2025 06:10:27 +0000

The exploit is there either way.

New comment by morgante in "How we exploited CodeRabbit: From simple PR to RCE and write access on 1M repos"

morgante — Tue, 19 Aug 2025 22:51:48 +0000

You should treat running a code analyzer/builder/linter against a codebase as being no safer than running that codebase itself.

New comment by morgante in "How we exploited CodeRabbit: From simple PR to RCE and write access on 1M repos"

morgante — Tue, 19 Aug 2025 22:48:27 +0000

A pretty straightforward solution is to have an isolated service that keeps the private key and hands back the temporary per-repo tokens for other libraries to use. Only this isolated service has access to the root key, and it should have fairly strict rate limiting for how often it gives other services temporary keys.

New comment by morgante in "How we exploited CodeRabbit: From simple PR to RCE and write access on 1M repos"

morgante — Tue, 19 Aug 2025 22:43:26 +0000

Yikes, this is a pretty bad vulnerability. It's good that they fixed it, but damning that it was ever a problem in the first place.

Rule #1 of building any cloud platform analyzing user code is that you must run analyzers in isolated environments. Even beyond analysis tools frequently allowing direct code injection through plugins, linters/analyzers/compiler are complex software artifacts with large surface areas for bugs. You should ~never assume it's safe to run a tool against arbitrary repos in a shared environment.

I also ran a code analysis platform, where we ran our own analyzer[1] against customer repos. Even though we developed the analyzer ourself, and didn't include any access to environment variables or network requests, I still architected it so executions ran in a sandbox. It's the only safe way to analyze code.

[1] https://github.com/getgrit/gritql

New comment by morgante in "Your Startup Doesn't Need to Be a Unicorn"

morgante — Mon, 07 Apr 2025 10:19:41 +0000

This is way too broad of a statement.

The smartest person and the dumbest person I've met professionally are both investors.

New comment by morgante in "How to gain code execution on hundreds of millions of people and popular apps"

morgante — Sat, 01 Mar 2025 01:51:36 +0000

They don’t elaborate on the logging details, but certainly must good systems don’t allow log tampering even for admins.

New comment by morgante in "Partnering with the Shawnee Tribe for Civilization VII"

morgante — Mon, 24 Feb 2025 02:20:28 +0000

All of those battles involve battlefield tactics, and in several of them the numerically inferior force won — exactly the opposite of "death stacks."

New comment by morgante in "We are the builders"

morgante — Fri, 21 Feb 2025 23:54:21 +0000

Unfortunately nuance is dead. I too wish Musk had tried to empower USDS instead of immediately alienating many of the people best positioned to improve things.

New comment by morgante in "We are the builders"

morgante — Fri, 21 Feb 2025 22:55:44 +0000

That's not true.

Look at USAID: they canceled everything, but there was a significant outcry about PEPFAR specifically. Now PEPFAR is back, and likely to stay.

New comment by morgante in "We are the builders"

morgante — Fri, 21 Feb 2025 22:53:18 +0000

I'm not here to defend DOGE, but you're making the same mistake as the article of assuming the DOGE approach has no merit.

Deleting processes somewhat randomly, then listening for the pain, is a pretty well-known technique for understanding and cleaning up legacy systems. Of course, it should only be used on systems where (temporary) failures are tolerable.

There are parts of the government where that is true, and parts where it is dangerous. The problem on both sides is assuming the same techniques should be applied across the entire government, when some services are indeed life-and-death and others absolutely should be deleted.

New comment by morgante in "We are the builders"

morgante — Fri, 21 Feb 2025 22:39:44 +0000

The efficiency comparison is interesting, since it starts relatively evenly but quickly dismisses the value of the DOGE approach. Everyone I know who worked at USDS has been talented and well-meaning, but I can't help but feel they've been hamstrung specifically by

1. Methodical improvements mostly work to improve processes as they are. They don't delete processes that shouldn't exist.

2. Agency "empowerment" often means working with a lot of incumbent teams that are simply not suited to digital work and sinks way too much time/energy into stakeholder management.

USDS has done good work, but could have done a lot more if they were actually empowered.

[1] https://www.wethebuilders.org/posts/a-tale-of-two-effiencies...

New comment by morgante in "My Life in Weeks"

morgante — Sun, 16 Feb 2025 01:53:44 +0000

> It will never be enough for you.

That's not a good assumption to make for everyone. There are many people who do grow income without growing expenses (see the whole financial independence movement).

I spend about as much now as I did 7 years ago when I made 4x less.

New comment by morgante in "YC Graveyard: 821 inactive Y Combinator startups"

morgante — Sun, 26 Jan 2025 17:16:33 +0000

> However YC gets preferential shares; YC is not aligned with the common shareholders (founders; builders).

YC invests on a SAFE, the terms are public.[0]

For most companies, pre-seed SAFEs don't end up much above common.

[0] https://www.ycombinator.com/deal

New comment by morgante in "A very Chicago gamble"

morgante — Sat, 25 Jan 2025 22:08:02 +0000

You're right. I was bucketing the pricing/payout issues into the loan terms but they equally apply if you don't take out the loan.

Obviously there are many better ways to structure this if a sophisticated counterparty actually wanted a good investment opportunity for the community. Sadly that's not in anyone's interest.

New comment by morgante in "A very Chicago gamble"

morgante — Sat, 25 Jan 2025 18:34:45 +0000

Yeah I personally think the valuation is the least egregious part. If they get sued, they’ll have a defense for how they arrived at that number. It’s not 10x off.

The bigger problem is the terrible loan terms.

New comment by morgante in "A very Chicago gamble"

morgante — Sat, 25 Jan 2025 18:31:46 +0000

It’s Chicago. They’re likely getting kickbacks/bribes.

New comment by morgante in "I am (not) a failure: Lessons learned from six failed startup attempts"

morgante — Mon, 20 Jan 2025 22:45:15 +0000

OP would have to speak to his experience, but between a Google IPO and the $10M Virgin acquisition I would be surprised if he didn't average >$200k lifetime.

Throughout this thread, it's clear you have an ax to grind. Startups are obviously not for you, but many enjoy them and benefit.

New comment by morgante in "I am (not) a failure: Lessons learned from six failed startup attempts"

morgante — Mon, 20 Jan 2025 22:36:13 +0000

> Seeing tts outcome of the startups he listed, it would have been much better to work as an enterprise CRUD developer at a bank, insurance company, etc

Enterprise CRUD developers don't make that much. I'm confident OP made more over his career than them.