Hacker News: winstonwinston

New comment by winstonwinston in "Project Glasswing: An Initial Update"

winstonwinston — Fri, 22 May 2026 20:44:32 +0000

> I expect tools like this to be a regular part of the development lifecycle from here on. We code with AI, we review with AI, we search for vulns with AI. Even if it isn't perfect, it is easily worth the cost IMHO.

So, how is that supposed to work? Claude Code generates security bugs, then Claude Security finds them, then Claude Code generate fix, spend tokens, profit?

New comment by winstonwinston in "Microsoft rejects critical Azure vulnerability report, no CVE issued"

winstonwinston — Sun, 17 May 2026 13:56:11 +0000

I think it’s problematic that one permission was automatically adding another high trust permission, that they argued as expected behavior and then they silently changed this behavior, fixing the reported security issue.

New comment by winstonwinston in "Let’s Encrypt – Stopping Issuance for Potential Incident"

winstonwinston — Fri, 08 May 2026 20:43:24 +0000

On my account they always serve Google issued certificates. There is also Let’s encrypt certificate but it is not used though. I guess that’s a fail-safe.

New comment by winstonwinston in "Who owns the code Claude Code wrote?"

winstonwinston — Fri, 01 May 2026 15:45:51 +0000

I see your point.

New comment by winstonwinston in "Who owns the code Claude Code wrote?"

winstonwinston — Fri, 01 May 2026 07:15:37 +0000

It's a software, not a machine. The comment is relevant to the suspicion that THE software is using (distributing) some OSS code without attribution.

New comment by winstonwinston in "FastCGI: 30 years old and still the better protocol for reverse proxies"

winstonwinston — Thu, 30 Apr 2026 16:12:11 +0000

I agree with your point but this is the reality:

F.E. Python stdlib http.server comes with a warning: Warning http.server is not recommended for production. It only implements basic security checks.

The `standard` way is then to use WSGI or ASGI, not FastCGI, but it is similar interface implementation.

New comment by winstonwinston in "FastCGI: 30 years old and still the better protocol for reverse proxies"

winstonwinston — Wed, 29 Apr 2026 18:57:03 +0000

These are often not enough ‘battle-tested” and come with a warning to never expose to public internet. So then you put a WAF in front of it, and you are back to HTTP reverse proxy setup.

New comment by winstonwinston in "I Got Sick of Remembering Port Numbers"

winstonwinston — Tue, 28 Apr 2026 21:04:36 +0000

There is /etc/services to map port numbers to service names, and using getportbyname() to resolve port numbers.

New comment by winstonwinston in "No one can force me to have a secure website [pdf]"

winstonwinston — Tue, 28 Apr 2026 20:23:46 +0000

> Let’sn’t Encrypt

But also very funny.

New comment by winstonwinston in "Who owns the code Claude Code wrote?"

winstonwinston — Tue, 28 Apr 2026 19:55:50 +0000

> There's nothing anyone can do about it, but the suspicion is that the big companies have taken everyone's code on GitHub, without consent, and trained on it.

I asked agent X what is the source of training data it generated code from, it couldn’t say. Then I asked why the code implementation is exactly the same as the output of agent Y. It said they were trained on the same ‘high-quality library’, and still couldn’t say which one.

So I guess that’s fine because everyone is doing it.

New comment by winstonwinston in "Replacing an Apple Time Capsule? Skip the Ubiquiti UNAS-2"

winstonwinston — Sun, 26 Apr 2026 02:40:54 +0000

For that use case SMB with Time Machine you just need a mini PC type that you can install Linux or BSD OS, and the Samba configuration is really simple, up to 20 lines in one conf file to support Apple Time machine. It will always be up to date, secure and support latest SMB protocol features, unlike any pre-built NAS devices.

New comment by winstonwinston in "Escrow Security for iCloud Keychain"

winstonwinston — Sat, 25 Apr 2026 17:04:24 +0000

First time I enabled iCloud keychain when it was released in iOS 7, it asked for both user defined security code (4-pin at the time) and a verification phone number.

When you switch to a new device and want to pull iCloud keychain to a new device you need to provide your security code (pin) and additionally a verification code that they send to the phone number.

Nowdays I’m not sure what my security code even is, because it stopped asking for it on a new devices, since you can approve pulling iCloud keychain from another device.

New comment by winstonwinston in "You don't want long-lived keys"

winstonwinston — Sat, 25 Apr 2026 11:04:24 +0000

No, the ssh CA model works like this: servers trust one CA, and the CA signs user keys. No more distributing individual public keys to every machine.

It is the user machine that needs new certificate signed by the CA once the short-lived one expires.

New comment by winstonwinston in "Can we please stop with curl | sudo bash, PLEASE"

winstonwinston — Wed, 22 Apr 2026 09:50:02 +0000

These are often to install a repository and a package.

The alternative is to run something like rpm -i from_url.rpm to install some package directly. Which is not exactly any different from security perspective.

There is no easy way around this when the software is not in a system repo or without attestation in some way.

New comment by winstonwinston in ""cat readme.txt" is not safe if you use iTerm2"

winstonwinston — Sat, 18 Apr 2026 05:21:44 +0000

There exist some disclosure embargo exceptions when you believe the vulnerability is being used in wild or when the vulnerability fix is already released publicly (such as git commit), which makes it possible to produce exploit quickly. In this case it is preferred by the community to publish vulnerability.

New comment by winstonwinston in "We have a 99% email reputation, but Gmail disagrees"

winstonwinston — Sun, 12 Apr 2026 16:47:39 +0000

> Now, there are definitely folks who will choose to mark some of what we send as spam. And for them, rightly so. We get that. But this is not that.

Your reputation depends on THAT. Other metrics you think matter, they do not.

New comment by winstonwinston in "Upwork Inc. violates its own DMARC and SPF policy"

winstonwinston — Mon, 06 Apr 2026 21:20:16 +0000

> Additionally, the DMARC policy for upwork.com is set to "strict" - which means that if the SPF check fails then all RFC-compliant SMTP servers should reject the message.

There is no “strict” policy. DMARC policy can be one of the following p= {none, quarantine, reject}.

The receiver decides if it wants to apply published DMARC policy for unauthenticated mail. What problem are you seeing exactly?

Remember both SPF and DKIM are used for policy evaluation.

New comment by winstonwinston in "Ubuntu now has higher system hardware requirements than Windows 11"

winstonwinston — Fri, 03 Apr 2026 15:53:55 +0000

Very likely, from experience package manager like dnf consumes about 1GB of memory just to fetch package metadata.

New comment by winstonwinston in "Ubuntu now has higher system hardware requirements than Windows 11"

winstonwinston — Fri, 03 Apr 2026 15:49:02 +0000

"Enterprise Linux 10" based distros by comparison cut out support for a lot of what they consider legacy hardware in current versions. Namely CPU must support x86-64-v3 which means AVX/AVX2 capable CPU only, whereas Windows (Server 2025) is supported, probably FreeBSD as well.

New comment by winstonwinston in "Microsoft plans to build 100% native apps for Windows"

winstonwinston — Wed, 01 Apr 2026 01:36:37 +0000

The last push for native apps was in Windows 8 era, i think, it didn’t work. Since then i don’t know of any native apps from Microsoft, anything new is web based or electron.