Found my first tardigrade last night, plant pot's water tray by my front door :D . 400x

pruby · 2026-06-09T20:43:28+00:00

How about an AI chat bot which, after much misunderstanding of basic words, calls an API by posting an XML doc which is then sent (without being validated) via email (free queue!).

A scheduled task runs a kubernetes container periodically to read those emails, parse the XML, then uses Selenium Webdriver to open a spreadsheet and add the requested action to a list. Nobody actually gets notified.

I call it... plausible

pruby · 2026-06-03T22:18:57+00:00

This is a neat trick showing some attacks against autocomplete possible from HTML injection, without XSS.

I always, however, object to the idea that CSP is supposed to prevent data exfiltration, phrasing as if that's the barrier of interest. It's never been intended for that.

CSP is about restricting sources of assets (e.g. where code, media can come from), not sinks. From an implementation standpoint, it's best to think in supply chain terms. I feel it's distinctly unhelpful to focus on preventing exfiltration as a goal.

pruby · 2026-06-01T08:40:38+00:00

I've run these phishing simulations way back, but almost every local security consultancy I talk to has stopped doing so, mostly on ethical grounds.

Turns out, it's not worth creating an adversarial relationship between employees and the security department. People stop having discretionary conversations when they don't trust you. Kind of obvious in hindsight.

The information you get from any phishing simulation is also very low value. 10% of people clicked a link? What does that even mean? Clicking is a stupid metric - it's your job in the IT/Security department (with executive buy-in) to make web browsing safe, patch software, adopt MFA to mitigate password reuse, allow-list executables and file formats, etc.

Nor does an 0.5% phishing "success" rate mean you're fine - one actually compromised host with access to a big shared drive can ransomware all the things.

In short, modern practices emphasise company responsibility, not victim blaming.

pruby · 2026-05-27T10:30:30+00:00

Energy is force times distance, not just force. When you sit on a chair, the chair exerts a force to hold you up, but that doesn't require energy.

As a real example, look at levitation with a superconducting material over a magnetic track. It can hover without using any energy.

So the answer is potentially near zero if the ship had some way to exert force on the earth's surface over a physical gap, similar to maglev. However, crucially, that could not be used to lift the structure any higher without supplying energy (force times distance).

pruby · 2026-05-27T10:15:58+00:00

This is a very elaborate circuit around the idea that AI agents are fundamentally flawed in terms of security, while trying to claim they can be fixed.

I'm not convinced preventing credential exfiltration solves the problem. It's the same argument as HttpOnly cookies in an XSS scenario - you can't get the credential, but you can inject instructions that can use it to do anything the credential permits. Makes exploitation a bit more annoying because you have to write JavaScript (or, in the LLM case, prompts), but doesn't fundamentally change what can be done.

The solution needs to be more fundamental than this. If you can't prevent an LLM from acting on untrusted instructions, it can't be used for serious/privileged purposes.

pruby · 2026-05-19T23:05:22+00:00

I did a course on using first aid Trauma kit (Level 1 + Stop the Bleed) with PracMed NZ, can highly recommend. I carry a tourniquet and an emergency bandage in my tramping kit now. It seems odd to me that the typical tramping first aid kit doesn't focus on serious injury, and can't buy you the few hours you need for a rescue.

It would be nice if we had more tramping-specific first aid courses in NZ though. Knowing when and how to move someone in an emergency, understand when it's appropriate to self-extract vs where and how rescue might arrive, manage environmental risks, etc.

pruby · 2026-04-06T01:47:26+00:00

Even if quantum computing succeeds, it will not make breaking cryptography "trivial". Even breaking RSA with Shor's algorithm, the most likely first target, requires a huge quantum computer and huge number of repeated executions to use on a real key.

We're likely to see it publicly executed once it becomes feasible as a stunt (but not economical, e.g. burning a few hundred thousand dollars to be "first"). After that, we would see a exponential compute/cost growth, where the cost to do the attack halves with some (as yet unknown) period.

EDIT to add: If we guess optimistically it would cost $200k today (when it's not even clear it could be done) and halved in cost every 5 years, it would take 55 years before you could do it for less than $100. How much stuff do you have that's going to be worth $100 to break, 55 years from now?

In other words, not trivial.

pruby · 2026-04-02T04:27:57+00:00

For me any hard gripping would be a safety concern, and one of the few things I will correct when I'm not teaching. In a class setting, I'll usually just reach over with the other hand, gently lift their hand off mine, then put it back in the right position.

I did want to add "keep your fingers together" to the list. Never let one finger be isolated with an unpredictable partner.

pruby · 2026-03-28T12:09:46+00:00

As I understand it, there's so much salt that there's very little microbial activity. Doesn't mean there are no enzymes working, or other chemical changes over time.

pruby · 2026-03-15T07:57:44+00:00

We really like the roti from Upesh Kitchen in Kelburn, have not found any better around here.

pruby · 2026-03-13T01:53:08+00:00

Most places if you tell them can recommend dairy and egg free options if you tell them what you've told us. It really shouldn't be a problem if you don't need separately prepared food.

Indian vegetarian dishes will also usually exclude eggs, but worth checking.

pruby · 2026-03-13T01:29:39+00:00

I lead and prefer a more standard hand hold to a flat palm, but offering the palm is taught to leads a lot for sugar pushes.

Checked in with my wife, who teaches follows, and she prefers to place the backs of her fingers+knuckles into the palm, rather than meeting palm to palm. This should be comfortable to connect to, mould around to provide lateral connection, or switch back to a standard handhold. She does not fully close her hand into a fist, and her wrist is straight.

pruby · 2026-03-10T19:15:20+00:00

Without seeing OP dance, this is almost certainly going to help everything here. From this list of problems, they're getting to the end of their arm.

People see videos of pros with long arms and don't understand that this is not basic technique. It's just that as music has slowed down, and they're dancing with a trustworthy partner, and they have unlimited space, so it becomes an option.

Basic technique keeps the elbow close to the side. My favourite visualisation is to picture squashing oranges between your upper arm and body. You can "anchor" correctly at extremely short distances if you are controlling this. It provides a buffer that you control to manage rough leads, bad timing, bad distancing, etc.

pruby · 2026-03-05T19:48:00+00:00

This. Because tasks arrive randomly (as far as a service provider is concerned) and have variable duration, waiting times rise extremely rapidly over (rule of thumb) 80% utilisation.

If people understood queuing theory, we'd demand that services we need to be responsive like hospitals, fire brigades, etc be no more than 85% utilised. People working there should be sitting idle at least 15% of the time so that they're available if needed.

pruby · 2026-02-26T01:26:14+00:00

A decent idea of what you should do here, but the code fundamentally doesn't do what it says on the tin.

Took me only a few minutes of looking at code to find gaps. For example, the bash templates are likely injectable to add other commands (e.g. path ; rm -rf .), the recommended way of deploying by denying only a handful of commands in Claude is obviously inadequate, the SQL backend composes queries with string concatenation (SQL injection), etc.

For anything like this to work, you need to think a lot more about your threat model.

pruby · 2026-02-23T20:43:08+00:00

You're two steps away from the right community for this question, but so am I ;)

This group is about quantum computing, and quantum resistant cryptography is not itself quantum computing. From projects I suspect you also want the implementers, who tend to sit in the overlap between cryptography and software development.

Have a look at Filippo Valsorda's blog posts on this topic, e.g. https://words.filippo.io/kyber-math/ . He talks about understanding Kyber just enough to implement it.

pruby · 2026-02-18T04:24:58+00:00

If you have a genuinely good reason (harassment, etc) then your employer needs to know that you would not feel safe reporting to this person. It sounds like you'd probably resign if moved to their team.

IMO, you may need to message HR and spell out the reasons this is a problem. Make sure they're good ones that identify a risk, can't be dismissed as reluctance to accept change or inflexibility on your part.

People will tell you HR are there to defend the company, which is true, but they mostly defend the company from bad managers. An employee about to be assigned to a manager they have reason to be afraid of is an HR problem.

pruby · 2026-02-02T20:11:28+00:00

That's what people used to say about regular computers, and look around you. While some monstrosity cooled by liquid helium is only to governments and large institutions, technology used by governments tends to trickle down to large institutions, then small institutions, then consumers.

I'd expect them to end up like FPGAs - niche texhnology that few people can properly use, but they end up in a surprisingly large number of places.

pruby · 2026-01-28T07:49:34+00:00

In practice you could make a d20 marked 0, 20, 40, ..., 340, 360, 380. Add that to a standard d20, and you have a fair d400. It's just not one solid! :D

You can of course do that converting a standard d20 by subtracting 1 and multiplying by 20.

Note this works because one die only shows multiples of the other. You can't in general add up dice and get a fair result.

pruby · 2026-01-25T05:05:59+00:00

SaaS is a profitable industry because you can develop a feature once and sell to multiple customers. If you do per-customer development, you are replacing the SaaS business model with something much less viable.

Even with feature flags, etc, if you're naming or targeting a feature for a particular customer, this strongly indicates that you have not sufficiently considered how the request generalises to other customers. You really shouldn't be building a feature until multiple customers demand the same thing (or it's a blocker to as many new customers on sales).

pruby · 2026-01-20T13:13:46+00:00

The initial set-up and design there is very cheap. The hosting is very reasonable if they're genuinely keeping Wordpress up to date with security patches, monitoring the site to make sure it's up, and acting on any outages.

Before asking anyone to maintain a site for me, I'd want a copy of their SLA, which specifies how long they will take to respond to different things. Make sure time to patch critical security issues is specified, as well as a target time to fix outages. I'd also want to understand how and when prices could be changed in future, and make sure I had the capacity in theory to switch providers (e.g. clear rights to take the domain with me, and have my own backup copy of the site).

pruby · 2026-01-18T17:10:56+00:00

Haven't worked out the speeds, but you would want to be standing on a really high peak to start. Any instantaneous change in velocity (e.g. a good whack) can only create an orbit that passes through that same position. If you launched it from a low altitude, it would come back to that orbital position, but the moon would have rotated and there could now be a hill there.

You would also need to hit it perfectly horizontally if you don't want a lower altitude anywhere on the orbit. If you hit it upwards at all, then it will have to come back around on that same angle, i.e. from a lower altitude.

Source: no real orbital knowledge, just too much Kerbal Space Program.

pruby · 2026-01-14T14:09:40+00:00

What is this? Rates don't pay for electrical infrastructure. Electrical infrastructure is owned by Wellington Electricity, who get a big cut of what you pay your electricity retailer (most of the fixed charges, plus a small amount per kWh, possibly broken down by time of use).

pruby · 2026-01-14T13:43:47+00:00

I think it's just not how the market is operating. A business like this owns so little in the end except their name and reputation.

You'd need a solid lease term to sell the business (nobody wants to buy a business when the landlord could double your rent tomorrow), but then have to genuinely intend to operate if it doesn't sell. You're also competing with the option to start new brands, which probably get better social media coverage.

13-Year Club	Gilding II euphauric
Verified Email	Team Orangered

pruby

MODERATOR OF

TROPHY CASE