Hacker News: piccirello

New comment by piccirello in "We found a stable Firefox identifier linking all your private Tor identities"

piccirello — Wed, 22 Apr 2026 20:35:58 +0000

This excerpt from the article describes the risk well.

> In Firefox Private Browsing mode, the identifier can also persist after all private windows are closed, as long as the Firefox process remains running. In Tor Browser, the stable identifier persists even through the "New Identity" feature, which is designed to be a full reset that clears cookies and browser history and uses new Tor circuits.

New comment by piccirello in "SSH Secret Menu"

piccirello — Wed, 11 Mar 2026 00:29:08 +0000

I've been using SSH for ~15 years and never knew about these escape sequences. I'm eagerly awaiting my next hung session so that I can test `~.`. It's much nicer than my current approach of having to close that terminal window.

SSH Secret Menu

piccirello — Tue, 10 Mar 2026 03:28:38 +0000

https://xcancel.com/rebane2001/status/2031037389347406054

Comments URL: https://news.ycombinator.com/item?id=47318797

Points: 353

# Comments: 176

New comment by piccirello in "Goodbye InnerHTML, Hello SetHTML: Stronger XSS Protection in Firefox 148"

piccirello — Tue, 24 Feb 2026 15:33:54 +0000

`setHTML` is meant as a replacement for `innerHTML`. In the use case you describe, you would have never wanted `innerHTML` anyway. You'd want `innerText` or `textContent`.

New comment by piccirello in "Microsoft gave FBI set of BitLocker encryption keys to unlock suspects' laptops"

piccirello — Fri, 23 Jan 2026 18:29:10 +0000

In Apple's case, starting with macOS Tahoe, Filevault saves your recovery key to your iCloud Keychain [0]. iCloud Keychain is end-to-end encrypted, and so Apple doesn't have access to the key.

As a US company, it's certainly true that given a court order Apple would have to provide these keys to law enforcement. That's why getting the architecture right is so important. Also check out iCloud Advanced Data Protection for similar protections over the rest of your iCloud data.

[0] https://sixcolors.com/post/2025/09/filevault-on-macos-tahoe-...

New comment by piccirello in "Opening the AWS European Sovereign Cloud"

piccirello — Tue, 20 Jan 2026 04:31:05 +0000

> We’re gradually transitioning the AWS European Sovereign Cloud to be operated exclusively by EU citizens located in the EU. During this transition period, we will continue to work with a blended team of EU residents and EU citizens located in the EU.

I find it fascinating that the goal is to staff this exclusively with EU citizens, thereby excluding non-citizen residents of the EU.

New comment by piccirello in "Opening the AWS European Sovereign Cloud"

piccirello — Tue, 20 Jan 2026 04:28:12 +0000

The docs explicitly describe this cloud's independence from the US.

> The AWS European Sovereign Cloud will be capable of operation without dependency on global AWS systems so that the AWS European Sovereign Cloud will remain viable for operating workloads indefinitely even in the face of exceptional circumstances that could isolate the AWS European Sovereign Cloud from AWS resources located outside the EU, such as catastrophic disruption of transatlantic communications infrastructure or a military or geopolitical crisis threatening the sovereignty of EU member states.

New comment by piccirello in "Inside PostHog: SSRF, ClickHouse SQL Escape and Default Postgres Creds to RCE"

piccirello — Thu, 18 Dec 2025 00:53:20 +0000

Here's the PR[0] that resolved the SSRF issue. This fix was shipped within 24 hours of receiving the initial report.

It's worth noting that at the time of this report, this only affected PostHog's single tenant hobby deployment (i.e. our self hosted version). Our Cloud deployment used our Rust service for sending webhooks, which has had SSRF protection since May 2024[1].

Since this report we've evolved our Cloud architecture significantly, and we have similar IP-based filtering throughout our backend services.

[0] https://github.com/PostHog/posthog/pull/25398

[1] https://github.com/PostHog/posthog/commit/281af615b4874da1b8...

New comment by piccirello in "Inside PostHog: SSRF, ClickHouse SQL Escape and Default Postgres Creds to RCE"

piccirello — Thu, 18 Dec 2025 00:10:21 +0000

I work on security at PostHog. We resolved these SSRF findings back in October 2024 when this report was responsibly disclosed to us. I'm currently gathering the relevant PRs so that we can share them here. We're also working on some architectural improvements around egress, namely using smokescreen, to better protect against this class of issue.

Eight Sleep: Making the Pod outage-proof

piccirello — Thu, 23 Oct 2025 01:56:05 +0000

Article URL: https://www.eightsleep.com/blog/backup-mode/

Comments URL: https://news.ycombinator.com/item?id=45677351

Points: 6

# Comments: 5

There's another leak on the ISS, but NASA is not saying much about it

piccirello — Fri, 13 Jun 2025 19:46:50 +0000

Article URL: https://arstechnica.com/space/2025/06/theres-another-leak-on-the-iss-but-nasa-is-not-saying-much-about-it/

Comments URL: https://news.ycombinator.com/item?id=44271642

Points: 10

# Comments: 1

New comment by piccirello in "Apple sued for false advertising over Apple Intelligence"

piccirello — Sat, 22 Mar 2025 00:39:22 +0000

This is bullshit. What real harm can the defendant(s) claim over these features being delayed? Someone is trying to make a quick buck.

Confidential Computing at 1Password

piccirello — Fri, 17 Jan 2025 21:12:08 +0000

Article URL: https://blog.1password.com/confidential-computing/

Comments URL: https://news.ycombinator.com/item?id=42743288

Points: 6

# Comments: 0

New comment by piccirello in "Server-Sent Events (SSE) Are Underrated"

piccirello — Wed, 25 Dec 2024 22:45:39 +0000

I utilized SSE when building automatic restart functionality[0] into Doppler's CLI. Our api server would send down an event whenever an application's secrets changed. The CLI would then fetch the latest secrets to inject into the application process. (I opted not to directly send the changed secrets via SSE as that would necessitate rechecking the access token that was used to establish the connection, lest we send changed secrets to a recently deauthorized client). I chose SSE over websockets because the latter required pulling in additional dependencies into our Golang application, and we truly only needed server->client communication. One issue we ran into that hasn't been discussed is HTTP timeouts. Some load balancers close an HTTP connection after a certain timeout (e.g. 1 hour) to prevent connection exhaustion. You can usually extend this timeout, but it has to be explicitly configured. We also found that our server had to send intermittent "ping" events to prevent either Cloudflare or Google Cloud Load Balancing from closing the connection, though I don't remember how frequently these were sent. Otherwise, SSE worked great for our use case.

[0] https://docs.doppler.com/docs/automatic-restart

Upgrading the Supermicro X12SDV-4C-SP6F CPU Cooler

piccirello — Tue, 24 Sep 2024 22:02:06 +0000

Article URL: https://www.pic.dev/blog/2024/09/24/x12sdv-cooling.html

Comments URL: https://news.ycombinator.com/item?id=41641437

Points: 2

# Comments: 0

New comment by piccirello in "Private Cloud Compute: A new frontier for AI privacy in the cloud"

piccirello — Tue, 11 Jun 2024 01:04:01 +0000

> The Secure Enclave randomizes the data volume’s encryption keys on every reboot and does not persist these random keys, ensuring that data written to the data volume cannot be retained across reboot. In other words, there is an enforceable guarantee that the data volume is cryptographically erased every time the PCC node’s Secure Enclave Processor reboots.