Hacker News: vin10

New comment by vin10 in "SecurityBaseline.eu"

vin10 — Wed, 13 May 2026 08:21:40 +0000

There should be a metric for sites hosting malicious content!

https[:]//erasmus-plus.ec.europa.eu/sites/default/files/2026-05/mortal-kombat-2-cs.pdf

New comment by vin10 in "Vm.overcommit_memory=2 is the right setting for servers"

vin10 — Fri, 19 Dec 2025 20:49:33 +0000

it's a (then-)safe default from the age when having 1GB of RAM and 2GB of swap was the norm: https://linux-kernel.vger.kernel.narkive.com/U64kKQbW/should...

New comment by vin10 in "Vm.overcommit_memory=2 is the right setting for servers"

vin10 — Fri, 19 Dec 2025 20:35:09 +0000

> he way stuff fails when it runs out of memory is really confusing

have you checked what your `vm.overcommit_ratio` is? If its < 100%, then you will get OOM kills even if plenty of RAM is free since the default is 50 i.e. 50% of RAM can be COMMITTED and no more.

curious what kind of failures you are alluding to.

New comment by vin10 in "Vm.overcommit_memory=2 is the right setting for servers"

vin10 — Fri, 19 Dec 2025 20:33:00 +0000

For anyone feeling brave enough to disable overcommit after reading this, be mindful that default `vm.overcommit_ratio` is 50% which means that if no swap is available, on a system with 2GB of total RAM, more than 1GB of RAM can't be allocated and requests will fail with preemptive OOMs. (e.g. postgresql servers typically disable overcommit)

- https://github.com/torvalds/linux/blob/master/mm/util.c#L753

New comment by vin10 in "Al-LLM powered eBPF based security platform"

vin10 — Thu, 29 May 2025 14:03:38 +0000

Nice usability features definitely. Apart from that how would you say it compares against something like sysdig falco / cilium + tetragon?

Apart from this a major issue is DNS based dynamic filtering which is way batter to get right in a Kubernetes environment with something like Cilium. IP lists are impossible to manage with modern level of third party integrations.

New comment by vin10 in "How to harden GitHub Actions"

vin10 — Thu, 08 May 2025 16:27:22 +0000

Interesting project, I think I just found a way to crash the sandbox, just reported via an advisory.

New comment by vin10 in "How are cyber criminals rolling in 2025?"

vin10 — Tue, 06 May 2025 12:28:46 +0000

I would have expected at least Virustotal to flag them if that were the case. It does more than just looking up in a database of known malicious URLs and I think the reputation of the domains is the key factor here.

https://www.virustotal.com/gui/url/6dd23e90ee436e1ff066725aa...

> BitDefender - government

> Sophos - government

> Forcepoint ThreatSeeker - government

- https://docs.virustotal.com/docs/how-it-works

New comment by vin10 in "How are cyber criminals rolling in 2025?"

vin10 — Mon, 05 May 2025 17:46:59 +0000

It is the same for nested links as well. They mostly have a chain of links, each one taking you to a new one with hop count ranging anywhere from 5 up to 10 or more.

How are cyber criminals rolling in 2025?

vin10 — Mon, 05 May 2025 15:33:57 +0000

Article URL: https://vin01.github.io/piptagole/cybcecrime/security/cybersecurity/2025/05/05/state-cyber-security.html

Comments URL: https://news.ycombinator.com/item?id=43896188

Points: 266

# Comments: 92

New comment by vin10 in "Unfashionably secure: why we use isolated VMs"

vin10 — Thu, 25 Jul 2024 20:05:08 +0000

> If you wouldn't trust running it on your host, you probably shouldn't run it in a container as well.

- From a Docker/Moby Maintainer

CVE-2024-38396: Abusing escape sequences in iTerm2 for code execution

vin10 — Mon, 17 Jun 2024 14:47:39 +0000

Article URL: https://vin01.github.io/piptagole/escape-sequences/iterm2/rce/2024/06/16/iterm2-rce-window-title-tmux-integration.html

Comments URL: https://news.ycombinator.com/item?id=40706136

Points: 5

# Comments: 0

New comment by vin10 in "Abusing url handling in iTerm2 and Hyper for code execution"

vin10 — Wed, 22 May 2024 19:03:39 +0000

It is guarded by a warning and requires explicit approval similar to browsers but yes, it does broaden the attack surface: https://gitlab.com/gnachman/iterm2/-/commit/fc9ae5c90f53cb1e...

New comment by vin10 in "Abusing url handling in iTerm2 and Hyper for code execution"

vin10 — Wed, 22 May 2024 05:00:30 +0000

It is the first one, they need to be printed and clicked.

Abusing url handling in iTerm2 and Hyper for code execution

vin10 — Tue, 21 May 2024 13:09:10 +0000

Article URL: https://vin01.github.io/piptagole/escape-sequences/iterm2/hyper/url-handlers/code-execution/2024/05/21/arbitrary-url-schemes-terminal-emulators.html

Comments URL: https://news.ycombinator.com/item?id=40428032

Points: 141

# Comments: 56

New comment by vin10 in "You cannot simply publicly access private secure links, can you?"

vin10 — Thu, 07 Mar 2024 20:33:42 +0000

This is a very well formulated suggestion. Nicely written!

New comment by vin10 in "You cannot simply publicly access private secure links, can you?"

vin10 — Thu, 07 Mar 2024 19:46:54 +0000

You are right about short expiry times but another catch here is that if pre-signed URLs are being leaked in an automated fashion, these services also keep the downloaded content from these URLs around. I found various such examples where links no longer work, but PDFs downloaded from pre-signed URLs were still stored by scanning services.

From https://urlscan.io/blog/2022/07/11/urlscan-pro-product-updat...

> In the process of scanning websites, urlscan.io will sometimes encounter file downloads triggered by the website. If we are able to successfully download the file, we will store it, hash it and make it available for downloading by our customers.

You cannot simply publicly access private secure links, can you?

vin10 — Thu, 07 Mar 2024 16:29:47 +0000

Article URL: https://vin01.github.io/piptagole/security-tools/soar/urlscan/hybrid-analysis/data-leaks/urlscan.io/cloudflare-radar%22/2024/03/07/url-database-leaks-private-urls.html

Comments URL: https://news.ycombinator.com/item?id=39630985

Points: 420

# Comments: 218

New comment by vin10 in "SSH ProxyCommand == unexpected code execution (CVE-2023-51385)"

vin10 — Mon, 25 Dec 2023 10:29:50 +0000

OP here. Another interesting attack vector I have been working on is OSC 8 for hyperlink support in terminals. Mostly they allow arbitrary url schemes including "ssh://" without any prompt or user interaction to consent to open an external tool like ssh client in this case.

A good discussion on this: https://gist.github.com/egmontkob/eb114294efbcd5adb1944c9f3c...

SSH ProxyCommand == unexpected code execution (CVE-2023-51385)

vin10 — Sun, 24 Dec 2023 15:55:12 +0000

Article URL: https://vin01.github.io/piptagole/ssh/security/openssh/libssh/remote-code-execution/2023/12/20/openssh-proxycommand-libssh-rce.html

Comments URL: https://news.ycombinator.com/item?id=38754304

Points: 30

# Comments: 14