<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: rurcliped</title><link>https://news.ycombinator.com/user?id=rurcliped</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Thu, 18 Jun 2026 13:50:48 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=rurcliped" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by rurcliped in "Curl will not accept vulnerability reports during July 2026"]]></title><description><![CDATA[
<p>With more advance notice, someone could have found resources to fork curl with different vulnerability management expectations, e.g., "will not accept or otherwise handle any vulnerability reports during the month beginning 21 December 2026. We call it The Winter of Our Discontent."</p>
]]></description><pubDate>Mon, 15 Jun 2026 14:57:29 +0000</pubDate><link>https://news.ycombinator.com/item?id=48542231</link><dc:creator>rurcliped</dc:creator><comments>https://news.ycombinator.com/item?id=48542231</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48542231</guid></item><item><title><![CDATA[New comment by rurcliped in "Live Nation illegally monopolized ticketing market, jury finds"]]></title><description><![CDATA[
<p>For many events, the demographics lean toward age groups where people have jobs with work schedules that aren't known more than a few weeks in advance. The initially planned friend group (e.g., four people) can have little overlap with who is actually free on the event date and actually attends. Also, if the event has assigned seating, people buying their own tickets typically has the adverse outcome that you can't sit together.</p>
]]></description><pubDate>Wed, 15 Apr 2026 22:41:31 +0000</pubDate><link>https://news.ycombinator.com/item?id=47786288</link><dc:creator>rurcliped</dc:creator><comments>https://news.ycombinator.com/item?id=47786288</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47786288</guid></item><item><title><![CDATA[New comment by rurcliped in "Show HN: Report idling vehicles in NYC (and get a cut of the fines) with AI"]]></title><description><![CDATA[
<p>feature request: AI-based risk analysis, with a model of which types of commercial vehicles at that location are likely to be controlled by organized crime</p>
]]></description><pubDate>Sun, 22 Jun 2025 19:53:30 +0000</pubDate><link>https://news.ycombinator.com/item?id=44349775</link><dc:creator>rurcliped</dc:creator><comments>https://news.ycombinator.com/item?id=44349775</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44349775</guid></item><item><title><![CDATA[New comment by rurcliped in "United Airlines to launch Starlink wi-fi in spring 2025"]]></title><description><![CDATA[
<p>To disambiguate, the person on the plane could learn to use hand signals (e.g., Cued Speech) and the AI model can be trained on that.</p>
]]></description><pubDate>Sun, 05 Jan 2025 18:33:17 +0000</pubDate><link>https://news.ycombinator.com/item?id=42603847</link><dc:creator>rurcliped</dc:creator><comments>https://news.ycombinator.com/item?id=42603847</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=42603847</guid></item><item><title><![CDATA[New comment by rurcliped in "Judge dismisses DMCA copyright claim in GitHub Copilot suit"]]></title><description><![CDATA[
<p>"use, display, and perform Your Content through the GitHub Service" might allow a wide range of uses on GitHub Pages websites, even if <a href="https://example.github.io" rel="nofollow">https://example.github.io</a> is monetized (monetization is permitted by <a href="https://docs.github.com/en/site-policy/github-terms/github-terms-for-additional-products-and-features#pages" rel="nofollow">https://docs.github.com/en/site-policy/github-terms/github-t...</a> in a few cases)</p>
]]></description><pubDate>Tue, 09 Jul 2024 21:21:02 +0000</pubDate><link>https://news.ycombinator.com/item?id=40921294</link><dc:creator>rurcliped</dc:creator><comments>https://news.ycombinator.com/item?id=40921294</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=40921294</guid></item><item><title><![CDATA[New comment by rurcliped in "OpenSSH 9.6"]]></title><description><![CDATA[
<p>It is discussed here: <a href="https://lists.mindrot.org/pipermail/openssh-unix-dev/2023-December/041098.html" rel="nofollow noreferrer">https://lists.mindrot.org/pipermail/openssh-unix-dev/2023-De...</a> - the HPN-SSH maintainer says "I do have an issue with [the OpenSSH 9.6] release in that it breaks interaction with HPN-SSH. The client seems to be window limited to 2MB sending regardless of what is being advertised by the receiver."</p>
]]></description><pubDate>Tue, 19 Dec 2023 15:32:04 +0000</pubDate><link>https://news.ycombinator.com/item?id=38696830</link><dc:creator>rurcliped</dc:creator><comments>https://news.ycombinator.com/item?id=38696830</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=38696830</guid></item><item><title><![CDATA[New comment by rurcliped in "Ask HN: Name my startup"]]></title><description><![CDATA[
<p>for "Thats exactly what we will be doing initially! Our tablets taste much better than Bite!" I might go with the brand "habitablets" and the tagline "where self-care meets planet-care"<p>the idea is that "habitablets" are a type of "tablets" that (when widely adopted to reduce packaging waste and shipping waste) will ultimately make our planet more "habitable"</p>
]]></description><pubDate>Mon, 11 Dec 2023 04:15:45 +0000</pubDate><link>https://news.ycombinator.com/item?id=38597588</link><dc:creator>rurcliped</dc:creator><comments>https://news.ycombinator.com/item?id=38597588</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=38597588</guid></item><item><title><![CDATA[New comment by rurcliped in "$8B Sam Bankman-Fried criminal trial starts today"]]></title><description><![CDATA[
<p>Suppose you have office space in the jail, and give him (or anyone else) the opportunity to apply for remote jobs at anyplace willing to hire him - with the caveat that he loses office access unless he demonstrates that he's maximizing his potential to earn money, all of which will go directly to compensating victims. (Assume that he can't have Zoom calls with arbitrary colleagues of his choice. He can only have Zoom calls with Bill Lumbergh.)</p>
]]></description><pubDate>Tue, 03 Oct 2023 17:38:12 +0000</pubDate><link>https://news.ycombinator.com/item?id=37755081</link><dc:creator>rurcliped</dc:creator><comments>https://news.ycombinator.com/item?id=37755081</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=37755081</guid></item><item><title><![CDATA[New comment by rurcliped in "Croc: Easily and securely send things from one computer to another"]]></title><description><![CDATA[
<p>a recent audit claims the author "doesn't have enough resources to address" security issues: <a href="https://www.openwall.com/lists/oss-security/2023/09/08/2" rel="nofollow noreferrer">https://www.openwall.com/lists/oss-security/2023/09/08/2</a> <a href="https://github.com/schollz/croc/issues/594">https://github.com/schollz/croc/issues/594</a> etc.</p>
]]></description><pubDate>Sat, 23 Sep 2023 03:17:17 +0000</pubDate><link>https://news.ycombinator.com/item?id=37620316</link><dc:creator>rurcliped</dc:creator><comments>https://news.ycombinator.com/item?id=37620316</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=37620316</guid></item><item><title><![CDATA[New comment by rurcliped in "I am an inspector at a globally significant bank, what should I ask"]]></title><description><![CDATA[
<p>What data is stored about an employee's justification for viewing a customer account? Is there an enumerated set of justifications such as "direct customer inquiry" versus "to be used for upselling other banking products" versus "IT debugging" etc. or is it free-form text? Is the justification process more complex if the bank knows that the customer is a public figure, celebrity, or maybe anyone who meets Wikipedia's notability requirements?</p>
]]></description><pubDate>Wed, 20 Sep 2023 16:46:14 +0000</pubDate><link>https://news.ycombinator.com/item?id=37586486</link><dc:creator>rurcliped</dc:creator><comments>https://news.ycombinator.com/item?id=37586486</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=37586486</guid></item><item><title><![CDATA[New comment by rurcliped in "Browsers barely care what HTTP status code your web pages are served with"]]></title><description><![CDATA[
<p>Years ago, many decisions to hide error details were a cargo cult reaction to CVE-2012-4929. To review, CVE-2012-4929 works like this:<p>1. the attacker can see (but not decrypt) the victim's TLS traffic to example.com<p>2. an attacker-controlled website makes the victim send many different invalid requests to example.com, each of which gets an error message<p>3. some data in each request is attacker-controlled, but authentication data in headers is filled in by the victim's browser<p>4. example.com compresses response data before encrypting it<p>5. because repetitions affect compression, the response size is smallest when the authentication data matches part of the attacker-controlled data<p>6. after enough requests, the attacker knows the authentication data to log in to example.com as the victim<p>One workaround for CVE-2012-4929 was to set up the server so that an error message never depended on the request data. Before CVE-2012-4929 was announced, people thought it was sufficient to sanitize the error message (i.e., avoid XSS) but CVE-2012-4929 prompted a shift toward producing exactly the same error message for all invalid requests. (Not sure, but I think this was the original motivation for Google's famous "That's an error. That's all we know." messages.)<p>There were better CVE-2012-4929 defenses later, but the cargo cult had already formed. (Some subset of) a generation of developers believed that customized error messages were Very Bad because they enabled account takeover.</p>
]]></description><pubDate>Fri, 11 Aug 2023 20:05:11 +0000</pubDate><link>https://news.ycombinator.com/item?id=37093331</link><dc:creator>rurcliped</dc:creator><comments>https://news.ycombinator.com/item?id=37093331</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=37093331</guid></item><item><title><![CDATA[New comment by rurcliped in "Why is there no open source firmware for laser or inkjet printers? (2019)"]]></title><description><![CDATA[
<p>Possibly because the firmware could be modified, and not print the required yellow dots or other tracking data:<p><a href="https://www.eff.org/pages/list-printers-which-do-or-do-not-display-tracking-dots" rel="nofollow">https://www.eff.org/pages/list-printers-which-do-or-do-not-d...</a><p>"Some of the documents that we previously received through FOIA suggested that all major manufacturers of color laser printers entered a secret agreement with governments to ensure that the output of those printers is forensically traceable."</p>
]]></description><pubDate>Sat, 13 May 2023 23:52:04 +0000</pubDate><link>https://news.ycombinator.com/item?id=35933975</link><dc:creator>rurcliped</dc:creator><comments>https://news.ycombinator.com/item?id=35933975</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=35933975</guid></item><item><title><![CDATA[New comment by rurcliped in "How can we get more signups for codehooks.io, a new bootstrapped BaaS?"]]></title><description><![CDATA[
<p>If I were evaluating this, my top four concerns would be:<p>1. "NoSQL document database with MongoDB-like queries ... powered by the open source database engine RocksDB" doesn't give me enough confidence that my application will work. Some limitations are unstated. For example:<p>(easy question) MongoDB documents are limited to 16 MB. Facebook's RocksDB Overview says "There is no limit to the size of a key or a value." Your insertOne documentation doesn't state a limit. Is it 16 MB?<p>(harder question) Your getMany documentation doesn't describe its interaction with the RocksDB "snapshot" concept (one of the big advantages of RocksDB over other NoSQL products). Facebook's Iterator documentation says "If ReadOptions.snapshot is given, the iterator will return data as of the snapshot. If it is nullptr, the iterator will read from an implicit snapshot as of the time the iterator is created. ... be aware that in case an iterator getting stale, it can block resource from being released. So make sure you destroy or refresh them if they are not used after some time, e.g. one second." Does this imply that each call to getMany operates on a unique snapshot? If so, do you plan to add an API in which the user can specify that multiple getMany calls must operate on the same snapshot?<p>2. The name of a space (e.g., "dev") is part of the URL used by clients. Is this avoidable? It can interfere with migration of applications to codehooks from other platforms.<p>3. Your story about unanticipated use (or abuse) seems to be 'We've got you covered by creating a price "ceiling", which reduces the price with 90%.' That's good but I would probably also need billing alerts. I would probably also want request rate limits similar to AWS WAF (e.g., 100 requests per IP address in a 5-minute period) without writing my own auth hooks.<p>4. I didn't find a discussion of runtime secrets (e.g., something like "flyctl secrets").</p>
]]></description><pubDate>Sun, 08 Jan 2023 19:41:27 +0000</pubDate><link>https://news.ycombinator.com/item?id=34302335</link><dc:creator>rurcliped</dc:creator><comments>https://news.ycombinator.com/item?id=34302335</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=34302335</guid></item><item><title><![CDATA[New comment by rurcliped in "We found critical vulnerabilities in Hive Social"]]></title><description><![CDATA[
<p>At least one other person reported Hive Social vulnerabilities recently: <a href="https://twitter.com/zhuowei/status/1597739467645030400" rel="nofollow">https://twitter.com/zhuowei/status/1597739467645030400</a></p>
]]></description><pubDate>Thu, 01 Dec 2022 01:41:12 +0000</pubDate><link>https://news.ycombinator.com/item?id=33811123</link><dc:creator>rurcliped</dc:creator><comments>https://news.ycombinator.com/item?id=33811123</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=33811123</guid></item><item><title><![CDATA[New comment by rurcliped in "Ask HN: What are some blog posts that you have enjoyed going through?"]]></title><description><![CDATA[
<p><a href="https://blog.miki.it/2014/7/8/abusing-jsonp-with-rosetta-flash/" rel="nofollow">https://blog.miki.it/2014/7/8/abusing-jsonp-with-rosetta-fla...</a> (this was somewhat more exciting when Flash still existed)</p>
]]></description><pubDate>Wed, 23 Nov 2022 07:02:49 +0000</pubDate><link>https://news.ycombinator.com/item?id=33716073</link><dc:creator>rurcliped</dc:creator><comments>https://news.ycombinator.com/item?id=33716073</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=33716073</guid></item><item><title><![CDATA[New comment by rurcliped in "Taylor Swift – The Eras Tour onsale explained"]]></title><description><![CDATA[
<p>I feel that the goal should be providing tickets to the fans who most want to be there. For example, Round 1 would be for fans who feel confident that a Taylor Swift Eras show would be the best event they would ever experience. A fan in Round 1 must agree that they are banned for life from other Ticketmaster purchases, and banned for life from any other attendance at a Ticketmaster contracted venue. In Round 2, maybe a person is only banned for ten years. In Round N, maybe a person is banned from future concerts but can still use Ticketmaster for sporting events, etc. Ticket prices are the same in every round and there's no dynamic pricing or resale: the only difference is the fan's level of ban commitment. However, the more lenient rounds might not occur if tickets are sold out in the stricter rounds.<p>This does more to "maximize joy" than the other plausible alternatives. For example, Verified Fan can only select fans who have a life situation allowing them to virtually wait in line (stay active on their device) for hours, and are also lucky enough to be selected. A lottery can only select fans who are lucky, regardless of whether they especially care about Taylor Swift or just enjoy concerts in general. An auction can only select fans who have the most money.<p>If there's no practical way to implement this, I can still write my dystopian novel about the identity verification and tracking measures where, if a Round 1 person actually shows up at the venue, the full force of society ensures that they are banned for life after that one show.</p>
]]></description><pubDate>Sun, 20 Nov 2022 05:21:00 +0000</pubDate><link>https://news.ycombinator.com/item?id=33678547</link><dc:creator>rurcliped</dc:creator><comments>https://news.ycombinator.com/item?id=33678547</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=33678547</guid></item><item><title><![CDATA[New comment by rurcliped in "Athena-OS: An Arch Linux-based distro focused on Cybersecurity"]]></title><description><![CDATA[
<p>It looks like MIT didn't maintain their 1789164 U.S. trademark registration number for Athena: "computer programs, and instruction manuals sold therewith, which collectively provide a set of integrated network services; namely, user authentication, file service, name service, messaging service, mail service, network management service, and print service ... Cancellation Date ... February 12, 2016"<p><a href="https://en.wikipedia.org/wiki/Project_Athena" rel="nofollow">https://en.wikipedia.org/wiki/Project_Athena</a><p>(they do have registration number 1722642 for "Athena ... educational services; namely, courses of instruction at the college and graduate level and research services" but this doesn't look closely related)</p>
]]></description><pubDate>Sat, 05 Nov 2022 12:07:31 +0000</pubDate><link>https://news.ycombinator.com/item?id=33480676</link><dc:creator>rurcliped</dc:creator><comments>https://news.ycombinator.com/item?id=33480676</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=33480676</guid></item><item><title><![CDATA[New comment by rurcliped in "[dead]"]]></title><description><![CDATA[
<p>The withserve.com homepage refers to the fakercloud.com domain, which seems to host code for Potentially Unwanted Browser Reconfiguration or other unexpected content. It would be better to only use example domains under your company's control, or the example.com domain.</p>
]]></description><pubDate>Wed, 13 Jul 2022 21:42:32 +0000</pubDate><link>https://news.ycombinator.com/item?id=32089123</link><dc:creator>rurcliped</dc:creator><comments>https://news.ycombinator.com/item?id=32089123</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=32089123</guid></item><item><title><![CDATA[New comment by rurcliped in "Ask HN: A webmaster “transfers” thousands of articles to a new host manually"]]></title><description><![CDATA[
<p>The web developer might be very competent, but choose to use the word "manually" to support a higher cost proposal for the project.</p>
]]></description><pubDate>Wed, 13 Jul 2022 19:01:41 +0000</pubDate><link>https://news.ycombinator.com/item?id=32087312</link><dc:creator>rurcliped</dc:creator><comments>https://news.ycombinator.com/item?id=32087312</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=32087312</guid></item><item><title><![CDATA[New comment by rurcliped in "Can anyone give us honest advice on our app's landing page?"]]></title><description><![CDATA[
<p>Landing page - the primary problem I had was trying to understand what your product does. The phrase "shared by your Twitter friends" implies that you have introduced a new concept ("friends"), perhaps a group of like-minded individuals who are curating Twitter on behalf of one another. In other words, unless a Tweet is shared by at least one member of my "friend" group, I will NEVER see that Tweet in my email. This is potentially very valuable to consumers who have a limited amount of free time, and only want to read manually vetted content. However, I think your product doesn't actually do that. Instead, your product provides "A summary of your Twitter home timeline" - and that may, in general, include niche topics that are very important to me but not relevant to any of my friends. This is also valuable but has a different audience. Ideally, the landing page would make it clear which of these product variants I'm actually buying.<p>Other comment - I think <a href="https://murmel.social/top" rel="nofollow">https://murmel.social/top</a> violates the Twitter brand guidelines, and the Twitter company will eventually object. Their guidelines specify "credit Twitter by using the our logo" (from the <a href="https://about.twitter.com/content/dam/about-twitter/en/brand-toolkit/downloads/twitter-external-brand-guidelines-01272021.pdf" rel="nofollow">https://about.twitter.com/content/dam/about-twitter/en/brand...</a> page). Every Tweet must include the bird picture. Your <a href="https://murmel.social/top" rel="nofollow">https://murmel.social/top</a> page is too easily misinterpreted to mean that some of the content is sourced from Twitter but other content is sourced from elsewhere, because the bird picture appears intermittently.</p>
]]></description><pubDate>Mon, 11 Jul 2022 15:57:43 +0000</pubDate><link>https://news.ycombinator.com/item?id=32057840</link><dc:creator>rurcliped</dc:creator><comments>https://news.ycombinator.com/item?id=32057840</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=32057840</guid></item></channel></rss>