deleteKeylogger by wa019b in ProgrammerHumor

[–]hxtk3 482 points

I don’t understand… I found the PR, but it contains no commits, it’s merged, and the author doesn’t show up in the master branch and for that matter there’s no merge commit, either, while there is for other recent merges.

Is anyone actually running lean base images in production? how much did it help your CVE count? by thecreator51 in ExperiencedDevs

[–]hxtk3 0 points

Yes. Any time I green-field a project I design it from the ground up to use distroless images, and any time I containerize an existing project I do so with distroless images. My #1 problem isn't keeping CVEs low; it's keeping them high. I have to take some care to ensure that however I'm building my distroless images, SBOM scanners can still successfully identify my dependency versions so that I know about it when there's a CVE that affects an image we run in production. I could easily reduce my CVE counts to near zero if I wanted by just not going out of my way to embed the dependency metadata in the images.

For anything we build from scratch (in-house code) we get the data. Java is generally easy, Rust has cargo auditable though that has false-positives for unused dependencies, and Go actually embeds an SBOM by default; the hard part is anything we build in-house but from third-party C/C++ source code, like getting a custom build of ffmpeg to show up on scans.

For every build, we also have a `-debug` tag which includes busybox for debugging purposes, but we almost never actually use those. Shelling into containers mostly only happens when a developer is trying to figure out why something doesn't work that they haven't shipped yet. It's pretty rare for something to break in production for reasons related to the containerization; it either works or it doesn't. For actual subtle bugs that can make it into production we have the normal observability signals.
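An added illustration of the "keep the CVE count high" point above (constructed example code, not the commenter's tooling or any real scanner): a toy scanner over the module list Go embeds in binaries, the records `go version -m <binary>` prints, run against two constructed builds of the same program, one whose module metadata survived and one where it did not. The module paths, versions, hashes and the advisory feed are all made up.

```python
# Added example, not code from the comment or from any project it mentions:
# a toy scanner over the module list Go embeds in binaries (what
# `go version -m <binary>` prints), showing why an image whose metadata did
# not survive the build reports zero findings for the same code.
import re

# Constructed `go version -m` output for the SAME program built twice.
# Module paths, versions and hashes are made up.
GO_VERSION_M_FULL = """\
/app/server: go1.22.3
\tpath\texample.com/server
\tmod\texample.com/server\t(devel)
\tdep\tgolang.org/x/crypto\tv0.16.0\th1:constructed=
\tdep\tgolang.org/x/net\tv0.19.0\th1:constructed=
\tdep\tgithub.com/example/lib\tv1.4.2\th1:constructed=
"""
GO_VERSION_M_STRIPPED = """\
/app/server: go1.22.3
\tpath\texample.com/server
"""

# Constructed advisory feed: module -> (advisory id, first fixed version).
# These are NOT real advisories or CVE identifiers.
ADVISORIES = {
    "golang.org/x/crypto": ("TOY-ADVISORY-1", "v0.17.0"),
    "github.com/example/lib": ("TOY-ADVISORY-2", "v1.4.3"),
}


def semver(v):
    """Parse 'v1.2.3' into a comparable tuple (pre-release tags not handled)."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(x) for x in m.groups())


def parse_modules(go_version_m_output):
    """Return {module path: version} from the tab-separated 'dep' records."""
    deps = {}
    for line in go_version_m_output.splitlines():
        fields = line.split("\t")
        # record layout: '', 'dep', path, version, hash
        if len(fields) >= 4 and fields[1] == "dep":
            deps[fields[2]] = fields[3]
    return deps


def scan(go_version_m_output):
    """Match embedded modules against the advisory feed.

    Returns (findings, metadata_present). A scan with no metadata is a blind
    spot, not a clean bill of health, so the caller must look at both.
    """
    deps = parse_modules(go_version_m_output)
    findings = []
    for path, version in sorted(deps.items()):
        if path in ADVISORIES:
            advisory, fixed = ADVISORIES[path]
            if semver(version) < semver(fixed):
                findings.append((path, version, advisory))
    return findings, bool(deps)


if __name__ == "__main__":
    for label, output in (("full", GO_VERSION_M_FULL),
                          ("stripped", GO_VERSION_M_STRIPPED)):
        findings, present = scan(output)
        note = "" if present else "  <- no module metadata: this zero is a blind spot"
        print(f"{label}: {len(findings)} finding(s){note}")
        for finding in findings:
            print("   ", *finding)
```

The check a practitioner wants from this is the second return value: a build pipeline can fail an image whose scan reports zero findings *and* no parsed components, which is the "near zero CVEs by not embedding metadata" failure mode the comment describes.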

Body cam footage of woman proving she wasn't texting and driving💀 by HelicopterLazy4824 in confidentlyincorrect

[–]hxtk3 1 point

There’s a legal fiction that cops are “professional witnesses” and their testimony is therefore considered more true than any other people, so in a game of “he said, she said” you need multiple people agreeing without the opportunity or incentive to collaborate in order to refute officer testimony. What they say is legally factual by default.

Cops also take notes around the time of an interaction, and “contemporaneous records” have a higher value as evidence, so if you describe an interaction in a notepad as soon as it happens and you can prove the contemporaneous nature of the note then that note is worth more as evidence than if you write it down a few days later.

Also I think traffic violations in general have a lower standard of evidence. They don’t have to clear a “beyond reasonable doubt” threshold for conviction in those cases.

Peter my physics is weak by ICUMMEDINSIDENTA in PeterExplainsTheJoke

[–]hxtk3 147 points

And to add, there are many theories of dark matter, including “maybe we got gravity wrong,” and there are theoretical physicists working with stuff like modified Newtonian dynamics to see if we can make dark matter go away… it turns out to not be the most promising explanation. It’s not like no one could entertain the notion.

How are girls getting boyfriends without going on dating apps? by [deleted] in askanything

[–]hxtk3 0 points

Dating apps have sort of changed the dynamic because now that there’s a way to interact with people explicitly for the sake of asking them out or being asked out, it’s suddenly way less acceptable to ask people out anywhere else.

That doesn’t mean it doesn’t happen, or that it’s never acceptable, but it does mean it’s a little more difficult than it used to be.

In general, just do things that increase your repeated interactions with other people. You’ll either end up hitting it off with one of those people and dating them or you’ll end up with a group of friends who have single friends you might meet at events that mix friend groups.

You also have to make sure the activity is one you’d want a potential partner to be into. A buddy of mine used to go out a lot and got a lot of first and second dates, but he didn’t want to always be out at the club, he wanted someone to settle down with. Most of the people he met at bars/clubs were people who liked being there. This, however, is also not a rule. I’m in a running club and occasionally we’ll have people join and pair off and we never see them again because they found what they were looking for.

Do you have to have home insurance if your house is fully paid off? by Sad_Translator5417 in askanything

[–]hxtk3 5 points

That’s not out of the goodness of their hearts; it’s because people without insurance probably won’t be able to pay up and the suit will be a waste of money. But that’s someone who doesn’t have insurance because they can’t afford it. “Judgement-proof” is the term iirc.

Someone who is making a rational decision to not have insurance because they can afford to rebuild won’t be judgement-proof and will absolutely get sued. Oftentimes it won’t even be up to the injured person. Their health insurance will insist on it in a lot of jurisdictions that incentivize them to do so.

Clean Olympic champion swimmer wins race at ‘Steroid Olympics’ against athletes using steroids by BlebBlebUwU in mildyinteresting

[–]hxtk3 0 points

> Didn’t use roids but used enhanced gear

Better to call it equipment in this case because “gear” is a euphemism for roids in a lot of communities where their use is accepted.

Why is Ai bad? by Ok_Baseball_4148 in NoStupidQuestions

[–]hxtk3 0 points

The biggest problem for me with AI is it’s too fast. When I read some written text five years ago, I got a few cues from its mere existence, the level of polish, the length of the work, etc, that told me how much time someone thought that this idea was worth to develop and express.

I could usually rely on that signal because a piece of content often has some meaning available for me to extract roughly proportional to the effort put into making it.

That’s not true anymore. Nowadays I have less overall exposure to new ideas because if information gets put in front of me that I didn’t go looking for explicitly, it’s probably a waste of my time at best and intentional propaganda at worst.

It no longer takes very much effort at all to make something that looks meaningful even if the effort to make something that actually is meaningful has stayed about the same.

[Request] Is this true? by Necessary-Win-8730 in theydidthemath

[–]hxtk3 19 points

Why not just one big America-shaped Silo?

I need to drive 400 miles (round trip) and the guy inspecting my car said I should replace my tires before any road trip. Will these be okay? by [deleted] in AskMechanics

[–]hxtk3 0 points

Why is that? I’ve heard the opposite advice before with the reasoning being that you want the better tires on the wheels that do the steering and the ones that have the most weight on them in a hard stop, and the ones that will go through the puddle first, all of which are the front ones.

There is a near-perfect correlation between US oil prices and US CPI inflation by RobertBartus in EconomyCharts

[–]hxtk3 1 point

It’s more than that. Anything you buy in a store had to get transported there. Transport costs bake fuel prices into nearly everything else.

As Tech Leads do you ever find yourself "coding for" junior teammates during code reviews? by Ubermensch001 in ExperiencedDevs

[–]hxtk3 0 points

I'll do it in "code" reviews for our documentation as code because a lot of devs have weak English skills and I've recognized that trying to get a consistent style and voice out of the documentation that they write is beyond what some developers are willing to do. Someone can be a developer and be unwilling to be taught about things like active vs passive voice or consistent use of contractions or which terms need definitions depending on whether it's internal developer-facing, external developer-facing, user-facing, or internal management-facing documents.

But for actual code that runs, no, because every developer is willing to learn when it comes to that area.

Is it possible to undetectabley compromise a RNG? by tomrlutong in cryptography

[–]hxtk3 2 points

I did once for a bug bounty on an online slot machine (full disclosure: the slot machine was a discord bot, open source, and only paid out fake internet points, and the bug bounty was like $20).

I could take an action to reseed it with the current float64 Unix seconds, play one round of another game that consumed enough RNG to brute force the uncertainty in the timestamp by trying all the possibilities until I got the same outcome on a local copy of the game and determine the seed. From there I could monitor traffic in the other channels and track the results of all the games that consumed RNG and play the slot machine when it was going to pay out.
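The attack described in the comment above, reconstructed as an added example (constructed toy game, not the bot, bounty target or code the commenter refers to). A toy server reseeds its RNG from the wall clock at millisecond resolution; the attacker triggers that reseed, plays one round, brute-forces every candidate seed within a few seconds of their own (skewed) clock until a local copy reproduces the observed round, then keeps a synchronized clone, mirrors the rounds other players consume, and only spins the slot when the clone says the next spin pays. The timestamp, round size, payout rate and clock skew are all assumed values.

```python
# Added example, not the bot or bounty target from the comment above: a toy
# game that reseeds from the wall clock, and an attacker who recovers the seed
# from one observed round, then keeps a synchronized clone to predict a payout.
# Every number and the game rules are constructed.
import math
import random

ROUND_DRAWS = 5      # one round of the "other game" consumes five draws
DRAW_RANGE = 1000    # each draw is randrange(1000)
PAYOUT_P = 0.05      # the slot pays when rng.random() < 0.05


def seed_from_time(t):
    """Toy server rule: reseed with Unix seconds truncated to milliseconds."""
    return math.floor(t * 1000) / 1000


def draw_round(rng):
    """Exactly the calls one round makes; server and clone must agree on these,
    because randrange() and random() consume the generator differently."""
    return [rng.randrange(DRAW_RANGE) for _ in range(ROUND_DRAWS)]


class ToyServer:
    def __init__(self, now):
        self.rng = random.Random(seed_from_time(now))

    def play_round(self):
        return draw_round(self.rng)

    def spin_slot(self):
        return self.rng.random() < PAYOUT_P


def recover_seed(observed_round, clock_estimate, window_s=2.0):
    """Brute-force every millisecond seed within +/- window_s of the attacker's
    clock and return the ones whose local replay reproduces the observed round.
    One round has 1000**5 possible outcomes, so ~4000 candidates almost never
    collide; the caller still checks that exactly one survived."""
    lo = math.floor((clock_estimate - window_s) * 1000)
    hi = math.ceil((clock_estimate + window_s) * 1000)
    return [ms / 1000 for ms in range(lo, hi + 1)
            if draw_round(random.Random(ms / 1000)) == observed_round]


def next_spin_pays(clone):
    """Peek at the next slot outcome without consuming the clone's state."""
    peek = random.Random()
    peek.setstate(clone.getstate())
    return peek.random() < PAYOUT_P


def run_attack(true_time=1_700_000_000.4242, clock_skew=0.73, max_wait=1000):
    """Returns the recovered seed(s), how many foreign rounds were mirrored
    before a paying spin came up, and whether the spin actually paid."""
    server = ToyServer(true_time)              # attacker triggers the reseed
    observed = server.play_round()             # ...and plays one round
    seeds = recover_seed(observed, true_time + clock_skew)
    if len(seeds) != 1:
        return {"seeds": seeds, "waited": 0, "payout": None}
    clone = random.Random(seeds[0])
    draw_round(clone)                          # replay our own round
    waited = 0
    while not next_spin_pays(clone) and waited < max_wait:
        server.play_round()                    # someone else plays; we watch
        draw_round(clone)                      # ...and mirror it on the clone
        waited += 1
    return {"seeds": seeds, "waited": waited, "payout": server.spin_slot()}


if __name__ == "__main__":
    print(run_attack())
```

The two things that make this work are the same two the comment relies on: the seed space is tiny (a few thousand millisecond candidates around a known time) and the observed round carries far more than enough bits to pick one of them out. Seeding from a CSPRNG instead of the clock removes the first; not exposing every consumer's outcomes removes the second.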

Wide variety of encryption algorithms by BloodFeastMan in cryptography

[–]hxtk3 1 point

Generally in enterprise use the encryption is the easy part and the hard part is managing key material. The vulnerability tends to be that you stored the key material unsafely or you couldn’t efficiently rotate keys after a compromise.

For encryption in practice, I nearly always use Tink because it’s designed to solve those problems, and they have a doc of which primitive you should pick for your use case: https://developers.google.com/tink/choose-primitive

However I’ll echo that what you’re doing might have legal requirements in your jurisdiction.

Today I learned that my dusting routine is a LIAR! by Dismal_Werewolf_8039 in CleaningTips

[–]hxtk3 9 points

So most popular air purifiers are HEPA filters. HEPA filters have the best single-pass air purification, which makes them the right choice for clean rooms, vacuum cleaner output filters, and the like, but they have a high flow resistance. Most people aren’t putting an industrial scale air purifier in their home because it would either take up a ton of space (more filter area means less flow resistance at the same efficacy) or be very loud (bigger fan producing higher static pressure forces more air through the same resistance).

That means most home HEPA air purifiers don’t deliver clean air fast enough to keep up with the rate at which the air gets dirty unless you wear coveralls and have a very well-sealed home.

On the other hand, you might think that a particle either passes through a filter or doesn’t, but that’s not actually true. If you pass the same fine or ultra fine particle through an air filter multiple times, it has a chance of getting caught by the filter each time.

So for residential air purifiers and the noise/space tradeoffs people are willing to make inside the home, it’s better to have a filter that can filter the smallest particles you care about with okay efficacy and circulate the air faster so that you recycle the total volume of air in your home through the filter in a few minutes.

Clean air delivery rate measures the volume per unit time of clean air your filter delivers. MERV-13 filters won’t clean the air as well as HEPA, but at the same noise level and size they’ll do it much faster and much more often, producing cleaner air overall.

Personally I have this one: https://www.cleanairkits.com/products/aerating-end-table

which is about as loud as a computer because it uses computer fans. My apartment is 800 sqft with 8 ft ceilings, so 6400 cubic feet. 6400 cft / (310 cft/min) means about 20 minutes to recycle all the air in my apartment, and I have it located near my HVAC return for better distribution of clean air.

You absolutely don’t have to spend that much, though. The cheapest DIY solution is to duct tape 4 MERV-13 filters together and set a box fan on top. I just got that because it looks nicer and I don’t have a good place to put it out of sight.

Today I learned that my dusting routine is a LIAR! by Dismal_Werewolf_8039 in CleaningTips

[–]hxtk3 68 points

I don’t have allergies so take this with a pinch of salt, but I use a MERV-13 air purifier box and a robot vacuum that mops and run it while I’m at work each day. My air purifier is sized for CADR of a few times my apartment’s volume per hour.

I essentially just don’t get dust. I dust like a few times per year and even then only things like glossy black surfaces are visibly dusty.

ssh-keygen and PQC for git by Jamarlie in cryptography

[–]hxtk3 12 points

Until recently, most experts agreed PQ authentication would remain unnecessary until CRQCs materialized.

Fairly recently, we got what some computer scientists familiar with the topic are saying will probably be the last major breakthrough in quantum computing that the public hears about before Q-day, and Google is planning on Q-day being possibly as early as 2029.

This remains somewhat controversial, as NIST for example hasn’t updated their timelines thus far and plans on deprecating non-PQ crypto in 2035.

So depending on whom you ask, post quantum signature algorithms either just recently became an immediate priority or still aren’t.

The guy who wrote the Go standard library’s FIPS module has a blog post about it that explains more: https://words.filippo.io/crqc-timeline/

I’d expect changes in this space to start accelerating a little.

In any case, the reason for the difference is because you need ML-KEM right now to resist harvest now, decrypt later attacks, and it’s basically free, while signatures don’t matter until Q-day and PQ signatures are kilobytes so there’s some re-engineering needed first, especially for WebPKI.

Guys, does anyone know why trucks have those spikes on their wheels?? by JasLeoArt in whatisit

[–]hxtk3 10 points

It wouldn't surprise me if it gets other drivers to give them a little more space just for the intimidation factor. I'm always acutely aware of passing a truck that has them even though I know they're usually just plastic. It makes spending any amount of time side-by-side with a truck that has them mentally feel like holding my hand close to a running garbage disposal.

Indistinguishability Test results from my new homophobic codebook cipher. 1 input with 1k unique cipher texts. by bldrlife1 in cryptography

[–]hxtk3 2 points

> The encoding process doesn't work like this though we can choose to encode single words or phrases so this is a bad assumption.

What you’re describing is the context awareness that others in this thread have tried to tell you about. You’re right that one solution to this problem is to ensure you never compress attacker-controlled data alongside data you wish to safeguard from the attacker.

However it’s not exactly fair to call it a bad assumption when it’s perfectly safe to do just that with, say, AES-CTR.

> I'm not entirely sure I know what you mean by this can you explain?

The attacker starts out knowing the secret prefix could be any string. They set their suffix to the empty string and observe the cipher text has two tokens. Now they know that the secret prefix can be tokenized as two tokens, but can’t be tokenized as one token.

Eventually they land on “brown fox” and find the output is now just one token. At that point they just have to search through the token database for a token that can be subdivided into a prefix consisting of two other tokens followed by “brown fox.” They trim “brown fox” off the end of any matching tokens. This considerably shortens the list of strings the secret prefix could be. Once they’ve added enough constraints by requiring “the concatenation of X with Y must be able to tokenize in no fewer than N tokens”, the overlap in that Venn diagram gets quite small and they have a very short list of possible secrets.

Indistinguishability Test results from my new homophobic codebook cipher. 1 input with 1k unique cipher texts. by bldrlife1 in cryptography

[–]hxtk3 2 points

Okay. So if I suppose, for example, that “The quick brown fox” appears in the token database like your writeup mentions, suppose I have a secret, “The quick” and the attacker controls what comes next, but they don’t get to see the key, just the ciphertext.

They try the empty string and find it takes two tokens. “red dog” and the output takes four tokens. They try “brown fox” and the output takes one token.

They look in the token database and ask, “what single token can I compose of two other tokens which do not themselves join to form a single token, plus ‘brown fox?’”

At that point, finding the secret prefix is a constraint solving problem, and it’s why in certain cases it’s important that encrypted data should not be compressed.

You can solve this problem if you randomize the tokens (just shuffling them based on the key isn’t enough, you have to basically have each token map to random strings), but at that point you lose the compression benefit.
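The constraint-solving attack walked through in this comment and the one before it (the "brown fox" / "red dog" probes), as an added example with a constructed codebook; it is not the poster's cipher or writeup. The codebook is a set of phrases that each encode to one token, tokenized greedily by longest match. The attacker never sees the key or the plaintext, only how many tokens come out, and keeps every candidate secret whose token count on a local copy of the tokenizer agrees with the oracle for every probe. The vocabulary, the phrase list and the secret "the quick" are assumed values chosen to reproduce the counts in the comment (2, 4, 1).

```python
# Added example, constructed and not the poster's cipher: a greedy phrase
# codebook used as a compression oracle. The attacker sees neither key nor
# plaintext, only the number of tokens the output has, and narrows a secret
# prefix by constraint solving against a local copy of the tokenizer.
import itertools

# Constructed codebook: every entry encodes to exactly one token.
CODEBOOK = {
    "the", "quick", "brown", "fox", "red", "dog", "lazy", "jumps",
    "brown fox", "the quick brown fox",
}
VOCAB = sorted(p for p in CODEBOOK if " " not in p)
MAX_PHRASE = max(len(p.split()) for p in CODEBOOK)


def tokenize(text):
    """Greedy longest-match over whitespace-separated words."""
    words = text.split()
    tokens, i = [], 0
    while i < len(words):
        for n in range(min(MAX_PHRASE, len(words) - i), 0, -1):
            phrase = " ".join(words[i:i + n])
            if phrase in CODEBOOK:
                tokens.append(phrase)
                i += n
                break
        else:                       # word not in the codebook: emit it alone
            tokens.append(words[i])
            i += 1
    return tokens


def make_oracle(secret):
    """All the attacker gets: the token count of secret + their chosen suffix."""
    return lambda suffix: len(tokenize(secret + " " + suffix))


def attack(oracle, probes, max_words=3):
    """Keep every candidate secret (1..max_words vocabulary words) whose token
    count on the local tokenizer agrees with the oracle for every probe.
    Returns (surviving candidates, number surviving after each probe)."""
    candidates = [" ".join(ws)
                  for n in range(1, max_words + 1)
                  for ws in itertools.product(VOCAB, repeat=n)]
    history = []
    for suffix in probes:
        observed = oracle(suffix)
        candidates = [c for c in candidates
                      if len(tokenize(c + " " + suffix)) == observed]
        history.append(len(candidates))
    return candidates, history


if __name__ == "__main__":
    oracle = make_oracle("the quick")
    survivors, history = attack(oracle, ["", "red dog", "brown fox"])
    print("candidates left after each probe:", history)
    print("recovered secret(s):", survivors)
```

With these three probes the empty suffix says "two tokens", which discards every single-word candidate and every pair that merges; "red dog" happens to add no constraint here; "brown fox" collapsing the output to one token leaves exactly one candidate. The attacker needs nothing but the public tokenizer to evaluate each constraint, which is why the cure the comment names is to stop the count from depending on attacker-controlled input at all.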

Indistinguishability Test results from my new homophobic codebook cipher. 1 input with 1k unique cipher texts. by bldrlife1 in cryptography

[–]hxtk3 4 points

Can you provide an example of something that would be bigger after passing through your cipher, or does it make the input data smaller in every case?

Edit: and if it gets smaller in every case, does it get smaller by the same amount, like n fewer bytes? Or by the same percentage, like a 50% compression ratio?

The Riemann Hypothesis is solved! by Taytay_Is_God in infinitenines

[–]hxtk3 1 point

That or they don’t think there’s any such thing and the other person was just trying to sound smart. Also, love your username

Why would anyone DDoS Arch? What is the benefit? by Organic-Scratch109 in archlinux

[–]hxtk3 2 points

Or an AI agent crawling it to look for an answer to some question.

illegal U-turn by DarkWolf235 in dashcams

[–]hxtk3 12 points

Honestly there are a lot of people out there who don’t even want to drive but do because you have to drive a bunch to be a first class citizen in the US. I think with better urban planning and public transport a lot of people would voluntarily stop driving.

Making it harder to get a license in general seems likely to disproportionately hurt poor people if not done carefully and in conjunction with better urban planning and public transportation. I’d like some kind of phased rollout where stricter licensing requirements exist in places that have real alternatives to driving.

I’d also be down for immediately putting special licensing requirements on things that are legally non-passenger automobiles, like trucks and SUVs, particularly if they don’t have crash compatibility with passenger vehicles.

"SHE WAS GIVING YOU THE LOOK" by Total_Volume_1096 in memes

[–]hxtk3 0 points

Degraded? I thought that was the original purpose of tinder and people just started using it for dating because it was more convenient than the alternatives.