<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: steventhedev</title><link>https://news.ycombinator.com/user?id=steventhedev</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Sat, 13 Jun 2026 19:28:19 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=steventhedev" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by steventhedev in "Vibe coding and agentic engineering are getting closer than I'd like"]]></title><description><![CDATA[
<p>The dirty secret if you work inside BigCorp and look around at the projects they're showcasing:<p>1. They're low stakes to get wrong.<p>2. The most common is MCPs or similar ai-tooling.<p>3. Making them look good takes time and effort still. It's a multiplier, not a replacement.<p>4. Quality and maintainability require investment. I had to restart an agentic project several times because it painted itself into a corner.</p>
]]></description><pubDate>Thu, 07 May 2026 04:22:57 +0000</pubDate><link>https://news.ycombinator.com/item?id=48045359</link><dc:creator>steventhedev</dc:creator><comments>https://news.ycombinator.com/item?id=48045359</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48045359</guid></item><item><title><![CDATA[New comment by steventhedev in "Why One Key Shouldn't Rule Them All: Threshold Signatures for the Rest of Us"]]></title><description><![CDATA[
<p>The entire point of this is that the complexity is encapsulated on the signing side - not the verifier. So it's more that you would split the keys between systems you control - say the reverse proxy and the application server.<p>Or one that's checked into your version control (representing that it is your company's code that's running) and one that lives on the server (representing that it is a server your company controls).<p>Or to take your example - a key in the repo, a key from the dev, and a key from the build server.</p>
]]></description><pubDate>Sat, 21 Mar 2026 17:15:31 +0000</pubDate><link>https://news.ycombinator.com/item?id=47468984</link><dc:creator>steventhedev</dc:creator><comments>https://news.ycombinator.com/item?id=47468984</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47468984</guid></item><item><title><![CDATA[New comment by steventhedev in "Spyware maker NSO Group confirms acquisition by US investors"]]></title><description><![CDATA[
<p>More like a failure on TechCrunch. There is an implied agreement and violating it will result in a flat refusal to talk outside of prepared press releases.<p>This isn't good journalism and should not be celebrated.</p>
]]></description><pubDate>Sun, 12 Oct 2025 07:03:15 +0000</pubDate><link>https://news.ycombinator.com/item?id=45555943</link><dc:creator>steventhedev</dc:creator><comments>https://news.ycombinator.com/item?id=45555943</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45555943</guid></item><item><title><![CDATA[New comment by steventhedev in "The "Wage Level" Mirage: H-1B proposal could help outsourcers and hurt US talent"]]></title><description><![CDATA[
<p>Reading through that I stand corrected. Thank you for sharing a link.<p>At the same time, if a US person applies and is similarly qualified, they <i>must</i> be offered the job.<p>Which is trivially abusable by offering substantially less for the H-1B position. I'm not sure if there's an easy policy solution for that.</p>
]]></description><pubDate>Thu, 25 Sep 2025 10:33:19 +0000</pubDate><link>https://news.ycombinator.com/item?id=45371269</link><dc:creator>steventhedev</dc:creator><comments>https://news.ycombinator.com/item?id=45371269</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45371269</guid></item><item><title><![CDATA[New comment by steventhedev in "The "Wage Level" Mirage: H-1B proposal could help outsourcers and hurt US talent"]]></title><description><![CDATA[
<p>No.<p>The H1-B visa is intended for bringing specific technical expertise <i>that does not exist in the US</i> for a set period of time. This is why one of the requirements is that you must have interviewed US persons first. It's the same reason it's a nonimmigration visa.<p>The rampant abuse of the visa has a remedy - criminal charges against the HR directors of any company who is found to have committed fraud, and capping the number of visas per company (setting up many shell companies is a strong signal that fraud is being committed).<p>If an H1-B worker can't negotiate on a global level for their expertise - they should not be on that visa.</p>
]]></description><pubDate>Thu, 25 Sep 2025 03:42:22 +0000</pubDate><link>https://news.ycombinator.com/item?id=45369059</link><dc:creator>steventhedev</dc:creator><comments>https://news.ycombinator.com/item?id=45369059</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45369059</guid></item><item><title><![CDATA[New comment by steventhedev in "%CPU utilization is a lie"]]></title><description><![CDATA[
<p>%cpu is misleading at best, and should largely be considered harmful.<p>System load is well defined, matches user expectations, and covers several edge cases (auditd going crazy, broken CPU timers, etc).</p>
]]></description><pubDate>Wed, 03 Sep 2025 06:25:23 +0000</pubDate><link>https://news.ycombinator.com/item?id=45112796</link><dc:creator>steventhedev</dc:creator><comments>https://news.ycombinator.com/item?id=45112796</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45112796</guid></item><item><title><![CDATA[New comment by steventhedev in "SQLite offline sync for Android quick start"]]></title><description><![CDATA[
<p>Elastic license, so many people refer to this as source available rather than open source</p>
]]></description><pubDate>Thu, 07 Aug 2025 06:49:51 +0000</pubDate><link>https://news.ycombinator.com/item?id=44821361</link><dc:creator>steventhedev</dc:creator><comments>https://news.ycombinator.com/item?id=44821361</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44821361</guid></item><item><title><![CDATA[New comment by steventhedev in "Realizing we needed two sorts of alerts for our temperature monitoring"]]></title><description><![CDATA[
<p>Temperature sensors are a great example for alerting because they fluctuate constantly, have multiple seasonalities, and failures can be subtle. In the end, you'll want:<p>1. If the sensor dies and there is no data at all<p>2. If the sensor gets stuck (giving same value)<p>3. If the sensor slowly drifts (adjusting for daily, weekly, and yearly seasons) - indicating a clogged filter or leaking refrigerant<p>4. Statistical spikes - this is the hardest to tune so you need to treat it as a model that detects anomalies and it takes a long time to label extremely rare events<p>5. Static thresholds, over varying windows to deal with sensor error and transient spikes.<p>It also raises questions like "if the sensor is reporting 400C then either the building is on fire or the sensor is broken", or "how do we get the alert if the building is indeed on fire" and the inevitable followup: do we even need to get an alert if the building is on literal fire?</p>
]]></description><pubDate>Wed, 06 Aug 2025 18:59:24 +0000</pubDate><link>https://news.ycombinator.com/item?id=44816153</link><dc:creator>steventhedev</dc:creator><comments>https://news.ycombinator.com/item?id=44816153</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44816153</guid></item><item><title><![CDATA[Palo Alto to scoop up CyberArk for $25B to tackle AI-era threats]]></title><description><![CDATA[
<p>Article URL: <a href="https://www.reuters.com/world/middle-east/palo-alto-scoop-up-cyberark-25-billion-tackle-ai-era-threats-2025-07-30/">https://www.reuters.com/world/middle-east/palo-alto-scoop-up-cyberark-25-billion-tackle-ai-era-threats-2025-07-30/</a></p>
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=44733783">https://news.ycombinator.com/item?id=44733783</a></p>
<p>Points: 2</p>
<p># Comments: 0</p>
]]></description><pubDate>Wed, 30 Jul 2025 13:13:57 +0000</pubDate><link>https://www.reuters.com/world/middle-east/palo-alto-scoop-up-cyberark-25-billion-tackle-ai-era-threats-2025-07-30/</link><dc:creator>steventhedev</dc:creator><comments>https://news.ycombinator.com/item?id=44733783</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44733783</guid></item><item><title><![CDATA[New comment by steventhedev in "TikZJax: Embedding LaTeX Drawings in HTML"]]></title><description><![CDATA[
<p>I'm fond of using KaTeX for my personal blog posts. There is support for server side rendering for KaTeX (but not on GitHub pages because it necessarily opens it to arbitrary code execution - I asked).<p>But it notably lacks tikz support and if it can emit SVGs I'm beginning to wonder why I even use KaTeX and not something like this (beyond my personal anti-JS sentiment)</p>
]]></description><pubDate>Mon, 21 Apr 2025 11:38:37 +0000</pubDate><link>https://news.ycombinator.com/item?id=43750770</link><dc:creator>steventhedev</dc:creator><comments>https://news.ycombinator.com/item?id=43750770</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43750770</guid></item><item><title><![CDATA[New comment by steventhedev in "Show HN: JuryNow – Get an anonymous instant verdict from 12 real people"]]></title><description><![CDATA[
<p>Why not juries of 13 people? That way you never have a clean tie?</p>
]]></description><pubDate>Mon, 21 Apr 2025 05:52:50 +0000</pubDate><link>https://news.ycombinator.com/item?id=43748819</link><dc:creator>steventhedev</dc:creator><comments>https://news.ycombinator.com/item?id=43748819</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43748819</guid></item><item><title><![CDATA[New comment by steventhedev in "The effect of deactivating Facebook and Instagram on users' emotional state"]]></title><description><![CDATA[
<p>It means that there is a statistically significant improvement, but that improvement is tiny, and will not make you happier than your peers all by itself (assuming a standard peer group of 200 people - you'd likely swap places with 1 or 2 people).<p>Of course, this study only considered normative people, not marginalized or those who were experiencing active harm from exposure to social media - your personal results may vary and it's important to remember that science is imperfect and social sciences are doubly so.<p>If going off Facebook improves your life - you do you.</p>
]]></description><pubDate>Mon, 21 Apr 2025 05:46:07 +0000</pubDate><link>https://news.ycombinator.com/item?id=43748786</link><dc:creator>steventhedev</dc:creator><comments>https://news.ycombinator.com/item?id=43748786</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43748786</guid></item><item><title><![CDATA[New comment by steventhedev in "TikZJax: Embedding LaTeX Drawings in HTML"]]></title><description><![CDATA[
<p>Apparently there are some forks that offer more features and fix some of those bugs. Maybe one of those can help you?<p>This is the one that was shared on lobsters, but there are likely more: <a href="https://bill-ion.github.io/tikzjax-live/" rel="nofollow">https://bill-ion.github.io/tikzjax-live/</a></p>
]]></description><pubDate>Mon, 21 Apr 2025 04:07:27 +0000</pubDate><link>https://news.ycombinator.com/item?id=43748430</link><dc:creator>steventhedev</dc:creator><comments>https://news.ycombinator.com/item?id=43748430</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43748430</guid></item><item><title><![CDATA[TikZJax: Embedding LaTeX Drawings in HTML]]></title><description><![CDATA[
<p>Article URL: <a href="https://tikzjax.com/">https://tikzjax.com/</a></p>
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=43746831">https://news.ycombinator.com/item?id=43746831</a></p>
<p>Points: 137</p>
<p># Comments: 31</p>
]]></description><pubDate>Sun, 20 Apr 2025 22:04:22 +0000</pubDate><link>https://tikzjax.com/</link><dc:creator>steventhedev</dc:creator><comments>https://news.ycombinator.com/item?id=43746831</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43746831</guid></item><item><title><![CDATA[New comment by steventhedev in "TLS certificate lifetimes will officially reduce to 47 days"]]></title><description><![CDATA[
<p>TLS chose the threat model that includes MITM - there's no good reason that should ever change. All I'm arguing is that having a middle ground between http and https would prevent eavesdropping, and that investment elsewhere could have been used to mitigate the MITM attacks (to the benefit of all protocols, even those that don't offer confidentiality). Instead we got OpenSSL and the CA model with all its warts.<p>More importantly - this debate gets raised in every single HN post related to TLS or CAs. Answering with a "my threat model is better than yours" or somehow that my threat model is incorrect is even more silly than offering a configuration of TLS without authenticity. Maybe if we had invested more effort in 801.x and IPSec then we would get those same guarantees that TLS offers, but for all traffic and for free everywhere with no need for CA shenanigans or shortening lifetimes. Maybe in that alternative world we would be arguing that nonrepudiation is a valuable property or not.</p>
]]></description><pubDate>Wed, 16 Apr 2025 05:06:34 +0000</pubDate><link>https://news.ycombinator.com/item?id=43701695</link><dc:creator>steventhedev</dc:creator><comments>https://news.ycombinator.com/item?id=43701695</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43701695</guid></item><item><title><![CDATA[New comment by steventhedev in "TLS certificate lifetimes will officially reduce to 47 days"]]></title><description><![CDATA[
<p>Yes. MITM attacks do happen in reality. But by their nature they require active participation which for practical purposes means leaving some sort of trail. More importantly is that by decoupling confidentiality from authenticity, you can easily prevent eavesdropping attacks at scale.<p>Which for some threat models is sufficiently good.</p>
]]></description><pubDate>Tue, 15 Apr 2025 21:06:46 +0000</pubDate><link>https://news.ycombinator.com/item?id=43698379</link><dc:creator>steventhedev</dc:creator><comments>https://news.ycombinator.com/item?id=43698379</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43698379</guid></item><item><title><![CDATA[New comment by steventhedev in "TLS certificate lifetimes will officially reduce to 47 days"]]></title><description><![CDATA[
<p>MITM attacks are common, but noisy - BGP hijacks are literally public to the internet by their nature. I believe that insisting on coupling confidentiality to authenticity is counterproductive and prevents the development of more sophisticated security models and network design.</p>
]]></description><pubDate>Tue, 15 Apr 2025 16:03:20 +0000</pubDate><link>https://news.ycombinator.com/item?id=43694797</link><dc:creator>steventhedev</dc:creator><comments>https://news.ycombinator.com/item?id=43694797</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43694797</guid></item><item><title><![CDATA[New comment by steventhedev in "TLS certificate lifetimes will officially reduce to 47 days"]]></title><description><![CDATA[
<p>There is a security model where MITM is not viable - and separating that specific threat from that of passive eavesdropping is incredibly useful.</p>
]]></description><pubDate>Tue, 15 Apr 2025 15:51:27 +0000</pubDate><link>https://news.ycombinator.com/item?id=43694589</link><dc:creator>steventhedev</dc:creator><comments>https://news.ycombinator.com/item?id=43694589</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43694589</guid></item><item><title><![CDATA[New comment by steventhedev in "Zig's new LinkedList API (it's time to learn fieldParentPtr)"]]></title><description><![CDATA[
<p>The generic version in TFA puts the data type allocated alongside the next pointer - no additional allocation needed. The only functional difference is if the zig compiler is not sufficiently advanced to understand it can reorder the fields (hence the alignment question).<p>The removal scenario is merely specifying that you are passing in ConnectionListNode instead of a Connection. Although maybe it's a good idea to think about how they compose comparatively.</p>
]]></description><pubDate>Mon, 14 Apr 2025 17:26:38 +0000</pubDate><link>https://news.ycombinator.com/item?id=43683775</link><dc:creator>steventhedev</dc:creator><comments>https://news.ycombinator.com/item?id=43683775</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43683775</guid></item><item><title><![CDATA[New comment by steventhedev in "Zig's new LinkedList API (it's time to learn fieldParentPtr)"]]></title><description><![CDATA[
<p>This feels like a net negative result. It removes some of the complexity of using generics, but it couples between the data type and the collections it can be indexed by.<p>What are the benefits of this approach? Is it limited to data alignment, or is it out of a greater desire to remove generics?</p>
]]></description><pubDate>Mon, 14 Apr 2025 11:22:43 +0000</pubDate><link>https://news.ycombinator.com/item?id=43680100</link><dc:creator>steventhedev</dc:creator><comments>https://news.ycombinator.com/item?id=43680100</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43680100</guid></item></channel></rss>