Hacker News: mukesh610

Code of Ur-Nammu

mukesh610 — Sat, 08 Nov 2025 21:48:48 +0000

Article URL: https://en.wikipedia.org/wiki/Code_of_Ur-Nammu

Comments URL: https://news.ycombinator.com/item?id=45860370

Points: 5

# Comments: 0

New comment by mukesh610 in "Filedb: Disk-based key-value store inspired by Bitcask"

mukesh610 — Sat, 14 Jun 2025 08:10:59 +0000

From the README:

A sync process syncs the open disk files once every config.syncInterval. Sync also can be done on every request if config.alwaysFsync is True.

New comment by mukesh610 in "The unreasonable effectiveness of an LLM agent loop with tool use"

mukesh610 — Thu, 15 May 2025 21:44:19 +0000

Ah, failed to notice that.

I was so excited because this was exactly what I coded up today, I jumped straight to the comments.

New comment by mukesh610 in "The unreasonable effectiveness of an LLM agent loop with tool use"

mukesh610 — Thu, 15 May 2025 21:21:47 +0000

I built this very same thing today! The only difference is that i pushed the tool call outputs into the conversation history and resent it back to the LLM for it to summarize, or perform further tool calls, if necessary, automagically.

I used ollama to build this and ollama supports tool calling natively, by passing a `tools=[...]` in the Python SDK. The tools can be regular Python functions with docstrings that describe the tool use. The SDK handles converting the docstrings into a format the LLM can recognize, so my tool's code documentation becomes the model's source of truth. I can also include usage examples right in the docstring to guide the LLM to work closely with all my available tools. No system prompt needed!

Moreover, I wrote all my tools in a separate module, and just use `inspect.getmembers` to construct the `tools` list that i pass to Ollama. So when I need to write a new tool, I just write another function in the tools module and it Just Works™

Paired with qwen 32b running locally, i was fairly satisfied with the output.

New comment by mukesh610 in "Don't watermark your legal PDFs with purple dragons in suits"

mukesh610 — Fri, 02 May 2025 07:21:51 +0000

Unintentionally discovering a thing you know you're going to hate has got to be top 10 internet experiences.

New comment by mukesh610 in "Ssl.com: DCV bypass and issue fake certificates for any MX hostname"

mukesh610 — Sat, 19 Apr 2025 19:29:56 +0000

Even then, use of a DNS CAA record should mitigate this, right?

New comment by mukesh610 in "My Own Private Binary: An Idiosyncratic Introduction to Linux Kernel Modules"

mukesh610 — Fri, 11 Apr 2025 08:10:15 +0000

Both articles are correct, from me reading them. When you invoke a shell script directly, it gets passed to the kernel to try and execve. The kernel returns ENOEXEC when it detects it doesn't have a shebang. The shell catches the error, and then as a last resort, tries opening the file and interpreting its instructions.

I might be wrong, so do correct me if so.

Advanced web application fingerprinting with favicon hashes

mukesh610 — Fri, 13 Sep 2024 15:26:38 +0000

Article URL: https://blog.razzsecurity.com/2024/09/13/information-gathering/advanced-web-application-fingerprinting-with-favicon-hashes/

Comments URL: https://news.ycombinator.com/item?id=41532109

Points: 1

# Comments: 0

New comment by mukesh610 in "Exploiting CI / CD Pipelines for fun and profit"

mukesh610 — Mon, 09 Sep 2024 11:59:50 +0000

No, in my YAML example, you could see that there were no credentials directly hard-coded into the pipeline. The credentials are configured separately, and the Pipelines are free to use them to do whatever actions they want.

This is how all major players in the market recommend you set up your CI pipeline. The problem here lies in implicit trust of the pipeline configuration which is stored along with the code.

New comment by mukesh610 in "Exploiting CI / CD Pipelines for fun and profit"

mukesh610 — Mon, 09 Sep 2024 11:55:42 +0000

You're right, there are other avenues of exploitation. This particular approach was interesting to me because it is easily automatable (scour the internet for exposed credentials, clone the repo and detect if Pipelines are being used, profit).

Other exploits might need more targeted steps to achieve. For example, embedding a malware into the source code might require language / framework fingerprinting.

New comment by mukesh610 in "Exploiting CI / CD Pipelines for fun and profit"

mukesh610 — Sun, 08 Sep 2024 23:44:12 +0000

It's pretty common in systems where the final output to be deployed is the same as the root of the source tree. More often than not, lazy developers tend to just git clone the repo and point their web server's document root to the cloned source folder. In default configurations, .git is happily served to anyone asking for it.

This seems to be automatically mitigated in systems which might have a "build" / "compilation" phase, because for the application to work in the first place, you only need the compiled output to be deployed. For instance, Apache Tomcat.

Exploiting CI / CD Pipelines for fun and profit

mukesh610 — Sun, 08 Sep 2024 21:52:04 +0000

Article URL: https://blog.razzsecurity.com/2024/09/08/exploitation-research/exploiting-ci-cd-pipelines-for-fun-and-profit/

Comments URL: https://news.ycombinator.com/item?id=41483541

Points: 124

# Comments: 44

New comment by mukesh610 in "Windows on Btrfs"

mukesh610 — Sat, 22 Apr 2023 03:23:03 +0000

Don't use this. I once tried it and it changed the UUID of the Linux partition without any warning. Grub was unable to pick up the partition and boot, so I was stuck at grub rescue.

God knows what other bugs their software has.

New comment by mukesh610 in "Pgrok – Poor Man’s Ngrok"

mukesh610 — Sun, 12 Mar 2023 13:51:52 +0000

Not exactly sure how streamlined your security process is, but for some orgs it is a red tape roller coaster to even get one TCP port open.

Anyways, you could also block all traffic to ngrok servers just to ensure your Dev teams aren't skirting around your firewall.

New comment by mukesh610 in "GitHub is sued, and we may learn something about Creative Commons licensing"

mukesh610 — Fri, 06 Jan 2023 15:24:09 +0000

IMO fair use is still not a strong argument for Microsoft. They commercialized the product and made money out of it.

Fair use is only allowed if the work you're doing is purely for the greater good. I might be wrong though, IANAL.

New comment by mukesh610 in "Tencent WeChat is now a GitHub secret scanning partner"

mukesh610 — Tue, 20 Dec 2022 15:25:26 +0000

I don't see what your comment is trying to point out.

The same could be said for all the other Secret Scanning partners GitHub has, like AWS and so on.

That being said, it's impossible that a "bad regexp" is gonna make its way to the GitHub codebase.

New comment by mukesh610 in "Disputing a Parking Fine with ChatGPT"

mukesh610 — Sun, 11 Dec 2022 04:01:42 +0000

Detecting GPT generated content will take a fairly large language model to be reliable. Obviously this would need to be run in the cloud. Considering Apple's stance on privacy, sending private correspondence to the cloud is a huge no-no for them. Nobody is gonna implement GPT detection, atleast for emails.

New comment by mukesh610 in "Sign in with Google has been removed for your privacy"

mukesh610 — Sun, 11 Dec 2022 03:19:03 +0000

I'm confused. In your first comment you seemed to refer to legitimate sites harvesting credentials using Google SSO (whatever that means)

Now you're talking about phishing sites.

Can you clarify which kind of websites you're referring to?

New comment by mukesh610 in "Meta fires a software engineer two days after he relocated from India to Canada"

mukesh610 — Mon, 14 Nov 2022 10:59:48 +0000

There's a difference between getting fired and laid off

New comment by mukesh610 in "Statistical Analysis shows Echos process voice to serve ads"

mukesh610 — Wed, 27 Apr 2022 09:31:38 +0000

Fiction isn't exactly a good argument