Hacker News: theallan

New comment by theallan in "Astral to Join OpenAI"

theallan — Thu, 19 Mar 2026 17:38:09 +0000

> I maintain an open source project funded by the Sovereign Tech Fund.

I would absolutely love to know more about this if you are willing to share the story?

New comment by theallan in "TimeCapsuleLLM: LLM trained only on data from 1800-1875"

theallan — Mon, 12 Jan 2026 20:01:10 +0000

Can we follow along with your work / results somewhere?

New comment by theallan in "Using a laptop as an HDMI monitor for an SBC"

theallan — Thu, 09 Oct 2025 16:31:46 +0000

The Minisforum V3 does: https://store.minisforum.com/products/minisforum-v3 .

New comment by theallan in "DataTables CDN Outage – post incident review"

theallan — Wed, 17 Sep 2025 17:05:02 +0000

An SEO thing for them. Useful income for me. It isn't much ($49/year), but every little helps...

New comment by theallan in "DataTables CDN Outage – post incident review"

theallan — Wed, 17 Sep 2025 14:35:44 +0000

That's the only reason I could think of for doing this, but I saw zero evidence that it was done that way. Baffling!

New comment by theallan in "DataTables CDN Outage – post incident review"

theallan — Wed, 17 Sep 2025 14:33:40 +0000

> Out of curiosity, could this have been a vector for a supply chain attack?

If you were using the CDN without SRIs, then yes, that would have been the most obvious channel. However, I don't believe the attacker ever set up for that and the URLs never resolved due to CloudFlare blocking it.

> there's been some pretty huge breaking changes

Unless you were using the legacy API, there shouldn't be any major impediment [1]. I intentionally tried to keep backwards compatibility as I hate doing library upgrades myself! Drop me an email - allan at the domain in question if you have any questions about doing an upgrade.

> It looks like newer versions of datatables don't import static files from the datatables CDN like this.

I rewrote aspects to use CSS styled elements in place of images, so there were less resources to load.

> Would it make sense to issue a CVE for older datatables library versions that could be susceptible to this attack?

Per the above, if you were using the CDN without SRI for the resources, then any version could have been susceptible. However, I've seen no evidence that the attack took that vector.

[1] https://datatables.net/upgrade/2

New comment by theallan in "DataTables CDN Outage – post incident review"

theallan — Wed, 17 Sep 2025 13:22:14 +0000

That's awesome to hear - thank you :-).

New comment by theallan in "DataTables CDN Outage – post incident review"

theallan — Wed, 17 Sep 2025 12:07:19 +0000

Joker.com. Credit to them they fixed it reasonably quickly, but its a horrible policy to default to enact the change if no response if given. Their reasoning was what else would they do if someone got locked out of their email - they need a way to recover their domain somehow, and they ask for ID to be submitted, but as seen, that is trivial to fake.

New comment by theallan in "DataTables CDN Outage – post incident review"

theallan — Wed, 17 Sep 2025 11:19:10 +0000

The blog feed is here: https://datatables.net/feeds/blog.xml . It is advertised on the landing page, but it looks like I've missed having it on the blog page! As you say, that has the releases feed - thanks for pointing that out.

New comment by theallan in "DataTables CDN Outage – post incident review"

theallan — Wed, 17 Sep 2025 10:44:48 +0000

Yeah - it was a well set up attack. What I don't understand is that there was no obvious follow on. I can only guess that it was a proof that it could be done. Maybe?

Regarding the 1000 error - I didn't have any 1:1 support contact with CloudFlare - the first I knew was they were returning 1000 errors, which I presume they were doing due to a blacklisted IP being used for the DNS resolving. I'm really not sure though.

New comment by theallan in "DataTables CDN Outage – post incident review"

theallan — Wed, 17 Sep 2025 10:06:42 +0000

Yeah, I really wasn't happy about that. I did put it to the registrar that such a policy is wrong and open to such an attack. I got the impression that they weren't going to change their policy though. Such policies are something I'm going to be looking at when considering a new registrar.

New comment by theallan in "DataTables CDN Outage – post incident review"

theallan — Wed, 17 Sep 2025 10:04:31 +0000

Didn't expect to see this here, it was over a month ago this incident happened! Happy to answer any questions about it (author of DataTables here). It was a super stressful event to say the least, and I've been reading along with the recent npm incidents wondering what I can do to make sure my OpSec is as good as it reasonably can be.

New comment by theallan in "My Dream Productivity Device Is Done – and It's Becoming a Kit [video]"

theallan — Mon, 11 Aug 2025 05:41:02 +0000

Just looked up their stuff again (it's been a while) and they appear to be out of business, although the website is still running. Don't order from them, based on Reddit reviews... Real shame, I loved the Psion keyboard.

New comment by theallan in "My Dream Productivity Device Is Done – and It's Becoming a Kit [video]"

theallan — Sun, 10 Aug 2025 22:00:11 +0000

Take a look at Plant Computers PDAs: https://www.www3.planetcom.co.uk/planetphones . The hardware is a bit old notre and if love to see a refresh, but the Pison keyboard is there!

New comment by theallan in "CrowdStrike Update: Windows Bluescreen and Boot Loops"

theallan — Fri, 19 Jul 2024 09:57:11 +0000

The flip side is, if you don't do auto updates and an exploit is published and used against you and you haven't yet tested / pushed the patch, that you would have been protected against if it had auto updated, you are up the creak without a paddle in that situation as well.

To some degree you have to trust the software you are using not to mess things up.

New comment by theallan in "Region-specific Machines pricing"

theallan — Thu, 04 Jul 2024 16:30:17 +0000

Adding another one to say that I've only have a positive experience with Hetzner so far. 6 months in, and 4 machines. All doing fine.

New comment by theallan in "Ask HN: Email List Software"

theallan — Thu, 23 May 2024 15:13:56 +0000

In case anyone finds this through search in future, I've just received this from the Yahoo postmaster team:

> Our engineering team has looked into this and you'll need to have your users mark the mail and not spam. We don't have anything else to suggest.

It is unbelievably frustrating. I'm giving up on using Google Groups (which is perhaps what Yahoo and Microsoft want).

New comment by theallan in "Ask HN: Email List Software"

theallan — Sat, 18 May 2024 07:02:05 +0000

SPF, DKIM, DMARC are all set up correctly. There is no issue with deliverability when just sending from an indiviual account of the charity's domain to Outlook / Yahoo, it is purely when going through Google Groups that there is an issue.

Ask HN: Email List Software

theallan — Fri, 17 May 2024 13:17:02 +0000

What do you all use / recommend for mailing list software?

I help a local charity with their website, and we have a number of Google Groups (with our domain) for our internal communication (no external marketing). However, the email will frequently be classed as spam by Yahoo and Outlook. I've been in touch with their postmaster teams, and each time they will first blame Google and then tweak their spam filters, which works for a week and then our list email goes to spam again.

I wouldn't be surprised to learn that it being filtered as spam due to the Google Group footer - which can't be disabled for external email addresses.

I'm fed up with the whack-a-mole, and wondering what alternatives there are? I just need a central email address that members can email, and that then be sent out to the members.

Comments URL: https://news.ycombinator.com/item?id=40389539

Points: 5

# Comments: 5

New comment by theallan in "The Bulma CSS framework reaches 1.0"

theallan — Fri, 22 Mar 2024 17:07:29 +0000

Daft question, but if you hadn't realised, then your client's obviously asked that question yet (and might not)?

Open source needs to find a way to make money and backlinks is a reasonable way of doing it. I should say for my own open source project I refuse backlinks to gambling sites on morality grounds though - although looking at how much revenue it might bring in on a monthly basis, there is a lot of temptation there.