<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: stefan_bobev</title><link>https://news.ycombinator.com/user?id=stefan_bobev</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Fri, 24 Apr 2026 22:53:21 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=stefan_bobev" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by stefan_bobev in "Lotusbail npm package found to be harvesting WhatsApp messages and contacts"]]></title><description><![CDATA[
<p>I am a big fan of Bazel and have explored Nix (although, regrettably, I have not used it in anger quite yet) - both seem like good steps in the right direction and something I would love to see more usage/evolution of. However, it is important to recognize that these tools have a steep learning curve and require deep knowledge in more than one aspect in order to be used effectively/at all.<p>Speed of development and development experience are not metrics to be minimized/discarded lightly. If you were to start a company/product/project tomorrow, a lot of the things you want to be doing in the beginning are not related to these tools. You probably, most of the time, want to be exploring your solution space. Creating a development and CI/CD environment that can fully take advantage of these tools' capabilities (like hermeticity and reproducibility) is not straightforward - in most cases setting up, scaling and maintaining these often requires a whole team with knowledge that most developers won't have. You don't want to gatekeep the writing of new software behind such requirements. But I do agree that the default should be closer to this than what we have today. How we get there - now that is the million dollar question.</p>
]]></description><pubDate>Tue, 23 Dec 2025 00:00:50 +0000</pubDate><link>https://news.ycombinator.com/item?id=46360768</link><dc:creator>stefan_bobev</dc:creator><comments>https://news.ycombinator.com/item?id=46360768</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46360768</guid></item><item><title><![CDATA[New comment by stefan_bobev in "Lotusbail npm package found to be harvesting WhatsApp messages and contacts"]]></title><description><![CDATA[
<p>I am slowly waking up to the realization that we (software engineers) are laughably bad at security. I used to think that it was only NPM (I have worked a lot in this ecosystem over the years), but I have found this to be essentially everywhere: NPM is a poster child for this because of executable scripts on install, but every package manager essentially boils down to "Install this thing by name, no security checks". Every ecosystem I touch now (apart from gamedev, but only because I roll everything myself there by choice) has this - e.g. Cargo has a lot of "tools" that you install globally so that you get some capability (like flamegraphs, asm output, test runners etc.) - this is the same vulnerability, manifesting slightly differently. Like others have pointed out, it is common to just pull random Docker images via Helm charts. It is also common to get random "utility" tools during builds in CI/CD pipelines, just by curl-ing random URLs of various "release archives". You don't even have to look too hard - this is surface level in pretty much every company, almost every industry (I have my doubts about the security theatre in some, but I have no first-hand experience, so cannot say).<p>The issue I have is that I don't really have a good idea for a solution to this problem - on one hand, I don't expect everyone to roll the entire modern stacks by hand every time. Killing collaborative software development seems like literally throwing the baby out with the bath water. On the other hand, I feel like nothing I touch is "secure" in any real sense - the tick boxes are there, and they are all checked, but I don't think a single one of them really protects me against anything - most of the time, the monster is already inside the house.</p>
]]></description><pubDate>Mon, 22 Dec 2025 23:31:51 +0000</pubDate><link>https://news.ycombinator.com/item?id=46360544</link><dc:creator>stefan_bobev</dc:creator><comments>https://news.ycombinator.com/item?id=46360544</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46360544</guid></item><item><title><![CDATA[New comment by stefan_bobev in "Summary of the Amazon DynamoDB Service Disruption in US-East-1 Region"]]></title><description><![CDATA[
<p>I appreciate the details this went through, especially laying out the exact timelines of operations and how overlaying those timelines produces unexpected effects. One of my all time favourite bits about distributed systems comes from the (legendary) talk at GDC - I Shot You First[1] - where the speaker describes drawing sequence diagrams with tilted arrows to represent the flow of time and asking "Where is the lag?". This method has saved me many times, all throughout my career from making games, to livestream and VoD services, to now fintech. Always account for the flow of time when doing a distributed operation - time's arrow always marches forward; your systems might not.<p>But the stale read didn't scare me nearly as much as this quote:<p>> Since this situation had no established operational recovery procedure, engineers took care in attempting to resolve the issue with DWFM without causing further issues<p>Everyone can make a distributed system mistake (these things are hard). But I did not expect something as core as the service managing the leases on the physical EC2 nodes to not have a recovery procedure. Maybe I am reading too much into it, maybe what they meant was that they didn't have a recovery procedure for "this exact" set of circumstances, but it is a little worrying even if that were the case. EC2 is one of the original services in AWS. At this point I expect it to be so battle hardened that very few edge cases would not have been identified. It seems that the EC2 failure was more impactful in a way, as it cascaded to more and more services (like the NLB and Lambda) and took more time to fully recover. I'd be interested to know what gets put in place there to make it even more resilient.<p>[1] <a href="https://youtu.be/h47zZrqjgLc?t=1587" rel="nofollow">https://youtu.be/h47zZrqjgLc?t=1587</a></p>
]]></description><pubDate>Thu, 23 Oct 2025 19:27:25 +0000</pubDate><link>https://news.ycombinator.com/item?id=45685836</link><dc:creator>stefan_bobev</dc:creator><comments>https://news.ycombinator.com/item?id=45685836</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45685836</guid></item><item><title><![CDATA[How to self study pure math – a complete guide (by YouTuber Aleph 0)]]></title><description><![CDATA[
<p>Article URL: <a href="https://www.youtube.com/watch?v=byNaO_zn2fI">https://www.youtube.com/watch?v=byNaO_zn2fI</a></p>
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=29677596">https://news.ycombinator.com/item?id=29677596</a></p>
<p>Points: 9</p>
<p># Comments: 0</p>
]]></description><pubDate>Fri, 24 Dec 2021 20:47:51 +0000</pubDate><link>https://www.youtube.com/watch?v=byNaO_zn2fI</link><dc:creator>stefan_bobev</dc:creator><comments>https://news.ycombinator.com/item?id=29677596</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=29677596</guid></item><item><title><![CDATA[New comment by stefan_bobev in "Unreal Engine 5 Early Access Release Notes"]]></title><description><![CDATA[
<p>One of the things I think goes a little underappreciated about Unreal is the fact that everyone gets the source code. Interested in how Nanite or Lumen work? The source is right there! With all the comments (or lack of), with all the debug statements and branches that can be used to diagnose the behaviour of the system.<p>Often while developing, I dive into the source of the engine to understand how exactly some low level system works. I also blatantly copy all the complex UI widgets available in the editor when I want to extend them/make custom ones for my games (I hate UI programming). This is invaluable for teaching the next generation of engine developers imo.</p>
]]></description><pubDate>Mon, 31 May 2021 19:04:01 +0000</pubDate><link>https://news.ycombinator.com/item?id=27347168</link><dc:creator>stefan_bobev</dc:creator><comments>https://news.ycombinator.com/item?id=27347168</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=27347168</guid></item><item><title><![CDATA[New comment by stefan_bobev in "Google banned almost 120k spam developer accounts in 2020 for the play store"]]></title><description><![CDATA[
<p>All of this reminds me of one of the best GDC talks ever given: <a href="https://www.youtube.com/watch?v=E8Lhqri8tZk" rel="nofollow">https://www.youtube.com/watch?v=E8Lhqri8tZk</a></p>
]]></description><pubDate>Tue, 04 May 2021 14:00:52 +0000</pubDate><link>https://news.ycombinator.com/item?id=27037666</link><dc:creator>stefan_bobev</dc:creator><comments>https://news.ycombinator.com/item?id=27037666</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=27037666</guid></item><item><title><![CDATA[New comment by stefan_bobev in "Insecam: Directory of Unsecured Surveillance Cameras"]]></title><description><![CDATA[
<p>A camera like this makes me question something - why was it installed in the first place? You can't distinguish things like license plates on cars or faces (I doubt ML helps here either). So what is this for? The view is beautiful, but I fail to see the purpose of it.</p>
]]></description><pubDate>Mon, 13 Jul 2020 08:48:56 +0000</pubDate><link>https://news.ycombinator.com/item?id=23818605</link><dc:creator>stefan_bobev</dc:creator><comments>https://news.ycombinator.com/item?id=23818605</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=23818605</guid></item><item><title><![CDATA[New comment by stefan_bobev in "Internet Exchange Map"]]></title><description><![CDATA[
<p>This surprises me: there is an IX right on the border between Turkey and Bulgaria [1]. All other IXs are located in the capital. Is there a reason an IX would be located there?<p>[1]: <a href="https://www.internetexchangemap.com/#/internet-exchange/balcan-ix-kapitan-andreevo-bulgaria" rel="nofollow">https://www.internetexchangemap.com/#/internet-exchange/balc...</a></p>
]]></description><pubDate>Mon, 21 Oct 2019 10:30:19 +0000</pubDate><link>https://news.ycombinator.com/item?id=21310705</link><dc:creator>stefan_bobev</dc:creator><comments>https://news.ycombinator.com/item?id=21310705</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=21310705</guid></item></channel></rss>