<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: rainonmoon</title><link>https://news.ycombinator.com/user?id=rainonmoon</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Sun, 19 Apr 2026 12:44:21 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=rainonmoon" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by rainonmoon in "Peerweb: Decentralized website hosting via WebTorrent"]]></title><description><![CDATA[
<p>Yeah, I’m fully in support of a decentralised web but the internet is old enough now that being naive about this stuff has become equivalent to being maliciously incompetent. Without designing for things like community or self-governance and moderation, you’re designing for trouble. Thinking about ways to healthily cultivate a peer-to-peer web doesn’t make someone a Nazi, it makes them a responsible member of a community.</p>
]]></description><pubDate>Sat, 31 Jan 2026 00:35:43 +0000</pubDate><link>https://news.ycombinator.com/item?id=46831934</link><dc:creator>rainonmoon</dc:creator><comments>https://news.ycombinator.com/item?id=46831934</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46831934</guid></item><item><title><![CDATA[New comment by rainonmoon in "Ask HN: Do you also "hoard" notes/links but struggle to turn them into actions?"]]></title><description><![CDATA[
<p>This isn’t an Obsidian thing, it’s just the next iteration of the GTD mania of the aughts or the Atomic Habits people or whatever other trend. There will always be people trying to optimise their organisational workflow to no end. Some of the least prolific coders I know have the most heavily customised vim. The problem with adding AI is these people are addicted to the brain crack of doing it themselves so AI is sort of antithetical to the philosophy.</p>
]]></description><pubDate>Sat, 31 Jan 2026 00:11:25 +0000</pubDate><link>https://news.ycombinator.com/item?id=46831776</link><dc:creator>rainonmoon</dc:creator><comments>https://news.ycombinator.com/item?id=46831776</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46831776</guid></item><item><title><![CDATA[New comment by rainonmoon in "Peerweb: Decentralized website hosting via WebTorrent"]]></title><description><![CDATA[
<p>And also just… misguided? I don’t particularly think of neo-Nazis when I think of people who advocate against CSAM.</p>
]]></description><pubDate>Sat, 31 Jan 2026 00:02:27 +0000</pubDate><link>https://news.ycombinator.com/item?id=46831701</link><dc:creator>rainonmoon</dc:creator><comments>https://news.ycombinator.com/item?id=46831701</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46831701</guid></item><item><title><![CDATA[New comment by rainonmoon in "County pays $600k to pentesters it arrested for assessing courthouse security"]]></title><description><![CDATA[
<p>Those were always my favourite episodes too! Enough to get into a career doing social engineering and physical intrusions. It's very tense! You're right to think it's insane; the nature of these jobs is that unlike most kinds of pentesting, very few people are aware that a test is occurring. We will sometimes bring a fake "get out of jail free" card to test the very thing you mention, whether people will actually verify out of band. I've been on jobs where we've been called out and they've checked our fake details and you see people's whole body language change in those moments between them figuring out you're not who you say you are and figuring out what they're willing to do about it. You absolutely see the thought "Do I need to hurt these guys? Are they going to hurt me?" go through someone's mind. It's never come to anything truly harrowing in my experience, professionalism and good communication skills go a long way, but they also can only go so far. It's much more common to have zero issues though, because as you can surmise, social engineering is extremely effective, so getting challenged at all is pretty rare.</p>
]]></description><pubDate>Fri, 30 Jan 2026 04:41:41 +0000</pubDate><link>https://news.ycombinator.com/item?id=46820589</link><dc:creator>rainonmoon</dc:creator><comments>https://news.ycombinator.com/item?id=46820589</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46820589</guid></item><item><title><![CDATA[New comment by rainonmoon in "County pays $600k to pentesters it arrested for assessing courthouse security"]]></title><description><![CDATA[
<p>But I’m responding to the notion that they should’ve had signed documentation with the scope with them. They did. The fact that their own company hung them out to dry by not informing everyone on that list is not the pentesters’ fault.</p>
]]></description><pubDate>Thu, 29 Jan 2026 22:35:55 +0000</pubDate><link>https://news.ycombinator.com/item?id=46817773</link><dc:creator>rainonmoon</dc:creator><comments>https://news.ycombinator.com/item?id=46817773</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46817773</guid></item><item><title><![CDATA[New comment by rainonmoon in "County pays $600k to pentesters it arrested for assessing courthouse security"]]></title><description><![CDATA[
<p>> If we were testing security for something like a courthouse we would've had a card on each of us with the personal cell phone number of the county clerk along with a statement of work that described exactly what we were authorized to do, with signatures.<p>You mean... the thing that they had? FTA:<p>"Within minutes, deputies arrived and confronted the two intruders. DeMercurio and Wynn produced an authorization letter—known as a “get out of jail free card” in pen-testing circles. After a deputy called one or more of the state court officials listed in the letter and got confirmation it was legit, the deputies said they were satisfied the men were authorized to be in the building."<p>There's also no indication that they damaged property (they used a UDT to trip a sensor to bypass the door). Neither of us were there, but based on the actual reporting it sounds like the worst anyone could accuse these people of being is stupidly unprofessional and bad communicators, which if you worked with pentesters shouldn't seem like an unprecedented aberration.</p>
]]></description><pubDate>Thu, 29 Jan 2026 21:35:24 +0000</pubDate><link>https://news.ycombinator.com/item?id=46816957</link><dc:creator>rainonmoon</dc:creator><comments>https://news.ycombinator.com/item?id=46816957</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46816957</guid></item><item><title><![CDATA[New comment by rainonmoon in "Mozilla is building an AI 'rebel alliance' to take on OpenAI, Anthropic"]]></title><description><![CDATA[
<p>The best use? Probably not. But if I built a website that let people generate extremely convincing unlimited photos of you wearing an SS uniform and forcing your dog to smoke meth and sent them to everyone you’ve ever met, this might seem like a less worthy hill to die on. Or is that just a sticks and dirt thing too?</p>
]]></description><pubDate>Thu, 29 Jan 2026 20:06:31 +0000</pubDate><link>https://news.ycombinator.com/item?id=46815829</link><dc:creator>rainonmoon</dc:creator><comments>https://news.ycombinator.com/item?id=46815829</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46815829</guid></item><item><title><![CDATA[New comment by rainonmoon in "FBI is investigating Minnesota Signal chats tracking ICE"]]></title><description><![CDATA[
<p>That’s really interesting extra context, thanks!</p>
]]></description><pubDate>Tue, 27 Jan 2026 21:01:11 +0000</pubDate><link>https://news.ycombinator.com/item?id=46786650</link><dc:creator>rainonmoon</dc:creator><comments>https://news.ycombinator.com/item?id=46786650</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46786650</guid></item><item><title><![CDATA[New comment by rainonmoon in "FBI is investigating Minnesota Signal chats tracking ICE"]]></title><description><![CDATA[
<p>Absolutely nothing in this article is related to feds using conversation metadata to map participants, so, no they weren’t.</p>
]]></description><pubDate>Tue, 27 Jan 2026 20:22:47 +0000</pubDate><link>https://news.ycombinator.com/item?id=46785973</link><dc:creator>rainonmoon</dc:creator><comments>https://news.ycombinator.com/item?id=46785973</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46785973</guid></item><item><title><![CDATA[New comment by rainonmoon in "Our approach to age prediction"]]></title><description><![CDATA[
<p>A society which took psychological safety seriously would never have created ChatGPT in the first place. But of course seriously advocating for safety would cost one their toys, and for one unwilling to pay that cost, empowering the surveillance apparatus seems very reasonable and easily confused for safe. When one’s children or friends’ children can no longer enter an airport because some vibe-coded slop leaked their biometrics, we’ll see if that holds true.</p>
]]></description><pubDate>Wed, 21 Jan 2026 03:49:14 +0000</pubDate><link>https://news.ycombinator.com/item?id=46700861</link><dc:creator>rainonmoon</dc:creator><comments>https://news.ycombinator.com/item?id=46700861</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46700861</guid></item><item><title><![CDATA[New comment by rainonmoon in "Releasing rainbow tables to accelerate Net-NTLMv1 protocol deprecation"]]></title><description><![CDATA[
<p>Using any variant of NTLM is insecure, which is why Microsoft is phasing it out in Windows 11/Server 2025. Which means we should be free of it some time around 2060.</p>
]]></description><pubDate>Sun, 18 Jan 2026 00:14:22 +0000</pubDate><link>https://news.ycombinator.com/item?id=46663529</link><dc:creator>rainonmoon</dc:creator><comments>https://news.ycombinator.com/item?id=46663529</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46663529</guid></item><item><title><![CDATA[New comment by rainonmoon in "Releasing rainbow tables to accelerate Net-NTLMv1 protocol deprecation"]]></title><description><![CDATA[
<p>Yes. This is no more pernicious than releasing a multiplication table.</p>
]]></description><pubDate>Sun, 18 Jan 2026 00:05:59 +0000</pubDate><link>https://news.ycombinator.com/item?id=46663474</link><dc:creator>rainonmoon</dc:creator><comments>https://news.ycombinator.com/item?id=46663474</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46663474</guid></item><item><title><![CDATA[New comment by rainonmoon in "AI will compromise your cybersecurity posture"]]></title><description><![CDATA[
<p>Some citations would help your case a lot.</p>
]]></description><pubDate>Wed, 14 Jan 2026 06:46:54 +0000</pubDate><link>https://news.ycombinator.com/item?id=46613103</link><dc:creator>rainonmoon</dc:creator><comments>https://news.ycombinator.com/item?id=46613103</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46613103</guid></item><item><title><![CDATA[New comment by rainonmoon in "AI will compromise your cybersecurity posture"]]></title><description><![CDATA[
<p>A lot of good information for infra teams to internalise, although I worry that it gets a bit lost in the structure of the piece (there's kind of like 3-5 separate essays here but nothing a good edit couldn't fix). One thing I'll add (or at least crystallise because I think the pieces are there) is that attack surface management is critical. A lot of the issues here are relevant in <i>exactly the same</i> scenario as exposing web applications. I have reported vulnerabilities in a lot of AI applications in prod and the issues aren't magic or even novel. They're typically the same authorisation and injection issues people have been talking about for decades. The methods of securing them are the same. Unfortunately it's not uncommon for companies to get compromised via a good old-fashioned REST API on an exposed dev domain, but I probably wouldn't go so far as to say "REST APIs will compromise your cybersecurity posture." I would just say companies have found another tool to flex their indifference towards protecting user and company data.</p>
]]></description><pubDate>Wed, 14 Jan 2026 06:02:43 +0000</pubDate><link>https://news.ycombinator.com/item?id=46612854</link><dc:creator>rainonmoon</dc:creator><comments>https://news.ycombinator.com/item?id=46612854</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46612854</guid></item><item><title><![CDATA[New comment by rainonmoon in "Flock Hardcoded the Password for America's Surveillance Infrastructure 53 Times"]]></title><description><![CDATA[
<p>The gutless liberals that dominate your country’s preconceptions of “the left” are not your anti-police state faction, but you do their work for them by conflating the two. The anti-police state faction are the ones habitually being physically brutalised if not outright murdered by the cops while the media wags their finger at them for their apparent lack of civility.</p>
]]></description><pubDate>Sat, 10 Jan 2026 08:56:40 +0000</pubDate><link>https://news.ycombinator.com/item?id=46564028</link><dc:creator>rainonmoon</dc:creator><comments>https://news.ycombinator.com/item?id=46564028</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46564028</guid></item><item><title><![CDATA[New comment by rainonmoon in "Health care data breach affects over 600k patients, Illinois agency says"]]></title><description><![CDATA[
<p>I just registered CVEs in several platforms in a related industry, the founders of whom likely all asked themselves a similar question. And yet, it's the wrong question. The right one is, "Does this company need to exist?" I don't know you or your company. Maybe it's great. But many startups are born thinking there's a technological answer to a question that requires a social/political one. And instead of fixing the problem, the same founders use their newfound wealth to lobby to entrench the problem that justifies their company's existence, rather than resolves the need for it to exist in the first place. "How do you propose we service our customers without their medical data?" Fix your fucked healthcare system.</p>
]]></description><pubDate>Thu, 08 Jan 2026 10:35:06 +0000</pubDate><link>https://news.ycombinator.com/item?id=46539482</link><dc:creator>rainonmoon</dc:creator><comments>https://news.ycombinator.com/item?id=46539482</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46539482</guid></item><item><title><![CDATA[New comment by rainonmoon in "ChatGPT Health"]]></title><description><![CDATA[
<p>I'm also Australian and some of these comments have really made me re-appreciate what we have in Medicare. Damn, it's got its issues, but the American attitudes towards their healthcare system are downright bleak. Deeply worrying that the prevailing attitude seems to be "But ChatGPT is so good" rather than "Our healthcare system is so bad." Remind me to visit my GP next week to thank them.</p>
]]></description><pubDate>Thu, 08 Jan 2026 10:25:20 +0000</pubDate><link>https://news.ycombinator.com/item?id=46539415</link><dc:creator>rainonmoon</dc:creator><comments>https://news.ycombinator.com/item?id=46539415</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46539415</guid></item><item><title><![CDATA[New comment by rainonmoon in "ChatGPT Health"]]></title><description><![CDATA[
<p>Yeah man, when would technology ever be abused to monitor health data. <a href="https://www.mirror.co.uk/news/health/period-tracking-apps-outraged-new-35271403" rel="nofollow">https://www.mirror.co.uk/news/health/period-tracking-apps-ou...</a></p>
]]></description><pubDate>Thu, 08 Jan 2026 10:21:18 +0000</pubDate><link>https://news.ycombinator.com/item?id=46539397</link><dc:creator>rainonmoon</dc:creator><comments>https://news.ycombinator.com/item?id=46539397</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46539397</guid></item><item><title><![CDATA[New comment by rainonmoon in "ChatGPT Health"]]></title><description><![CDATA[
<p>It doesn't have to get to your employer, it just has to get to the enormous industry of grey-market data brokers who will supply the information to a third party who will supply <i>that</i> information to a third party who performs recruitment-based analytics which your employer (or their contracted recruitment firm) uses. Employers already use demographic data to bias their decisions all the time. If your issue is "There's no way conversations with ChatGPT would escape the interface in the first place," are you... familiar with Web 2.0?<p>Edit: Literally on the HN front page right now. <a href="https://news.ycombinator.com/item?id=46528353">https://news.ycombinator.com/item?id=46528353</a></p>
]]></description><pubDate>Thu, 08 Jan 2026 10:14:33 +0000</pubDate><link>https://news.ycombinator.com/item?id=46539348</link><dc:creator>rainonmoon</dc:creator><comments>https://news.ycombinator.com/item?id=46539348</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46539348</guid></item><item><title><![CDATA[New comment by rainonmoon in "Ask HN: How to do a Personal Cybersecurity audit"]]></title><description><![CDATA[
<p>Start with your threat model. Who is the “someone” you’re imagining attacking you? What are the most likely risks to occur? What are the most damaging? Where do those two lists overlap? Prioritise addressing those first. There’s no point worrying about someone stealing your laptop if it rarely leaves the house, but something like not having reliable 2FA on your accounts is probably more likely to get exploited and potentially as damaging. There’s no point worrying about nation state actors exploiting a side-channel to leak data via an LED on your earphones if you’re currently embroiled in a messy divorce.</p>
]]></description><pubDate>Mon, 29 Dec 2025 22:25:11 +0000</pubDate><link>https://news.ycombinator.com/item?id=46426545</link><dc:creator>rainonmoon</dc:creator><comments>https://news.ycombinator.com/item?id=46426545</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46426545</guid></item></channel></rss>