
Glasshouse[1] by Charles Stross

Permutation City[2] by Greg Egan

We Are Legion (We Are Bob)[3] by Dennis E. Taylor

Halting State[4] by Charles Stross

Singularity Sky[5] by Charles Stross

Dungeon Crawler Carl[6] by Matt Dinniman

Zero World[7] by Jason M. Hough

The Shockwave Rider[8] by John Brunner

[1]: https://en.wikipedia.org/wiki/Glasshouse_(novel)

[2]: https://en.wikipedia.org/wiki/Permutation_City

[3]: https://www.amazon.com/We-Are-Legion-Bob-Bobiverse/dp/166822...

[4]: https://en.wikipedia.org/wiki/Halting_State

[5]: https://en.wikipedia.org/wiki/Singularity_Sky

[6]: https://en.wikipedia.org/wiki/Dungeon_Crawler_Carl

[7]: https://www.jasonhough.com/book/zero-world

[8]: https://en.wikipedia.org/wiki/The_Shockwave_Rider


> Snowden, agree with him or not, showed us that reality blew away our imagination.

Pretty much everything Snowden released had been documented (with NSA / CIA approval) in the early 80s in James Bamford's book The Puzzle Palace.

The irony of Snowden is that the audience ten years ago mostly had not read the book, so echo chambers of shock formed about what was re-confirming decades-old capabilities, being misused at the time however.


Well, yeah, function spaces are an example of vector spaces: https://en.wikipedia.org/wiki/Vector_space#Function_spaces

The part nobody mentions about Crypto AG:

https://inteltoday.org/2020/02/15/crypto-ag-was-boris-hageli...

We've always done this.


source.dev | Senior Full-stack and Android Platform Engineers | UK, EU, IN | ONSITE or REMOTE

source.dev is transforming software development and updates for the device ecosystem.

We are building an AI-native DevOpsSec platform that’s vertically integrated with device codebases, to accelerate development, reduce maintenance costs, and deliver frequent, bug-free software updates.

Our mission is to simplify the complexities of developing, deploying, and maintaining software for Android and Linux-based devices — serving everyone from System on Chip (SoC) companies to OEMs. We empower our partners to launch devices faster and maintain them for longer.

We are founded by a team of former Googlers with deep expertise in Android and Linux, and backed by leading venture capital. If you’re passionate about making a real world impact we’d love to chat to you!

We're seeking:

- Senior Full-stack Engineer strong at Python/FastAPI and front-end frameworks like React, Next.js. You will be responsible for building and optimizing the user-facing side of our platform, working closely with our DevOps and Platform engineers to explore possibilities and enhance existing workflows.

- Android Platform Engineer experienced with at least some of AOSP, Android frameworks, BSPs and HALs, as well as modern programming languages like Rust. You will collaborate closely with former Google Android engineers to expand Android OS tooling, from builds to testing and emulation, while integrating it with our DevOpsSec platform.

These positions offer a unique opportunity to work on cutting-edge technologies and be part of one of the world’s leading Android teams, providing immense potential for learning and growth.

To apply or ask questions, email us at careers at source dot dev.


Zetier | Multiple US locations (VA, PA, FL, TX, CA, NY) | ONSITE | Full-Time

Zetier develops real-world tools and capabilities to secure our nation in the short- and long-term. If you’re excited to delve deep into low-level systems, exploit dev, and more alongside a group of passionate hackers, then we’d love to hear from you.

We’re looking to find the right people for a range of roles, including:

+ Vulnerability Researcher

+ Android Security Engineer

+ CNO Embedded Engineer

+ CNO Software Engineer

+ Senior Tech Lead

+ Business Developer

All open positions: https://zetier.breezy.hr/

Our approach and benefits: https://zetier.com/careers/

Different skill set? Drop us a line at hello@zetier.com


Two Six Technologies | Reverse Engineer/Vulnerability Researcher | Arlington, VA | ONSITE | Full Time | https://job-boards.greenhouse.io/twosixtechnologies/jobs/544...

Two Six Technologies is seeking senior reverse engineers & vulnerability researchers to perform in-depth reverse engineering and exploit development to transition those findings into capabilities. We are looking to hire embedded security researchers with experience in the following categories: firmware reverse engineering, hardware reverse engineering, and Linux/UNIX kernel development. Additional opportunities are available for embedded software engineers, electronic design engineers, digital signal processing engineers, hardware reverse engineers, firmware reverse engineers, and low-level kernel developers looking to enter the security field. We would love to hear from you if you work in the embedded security domain. Preference is for applicants who hold a TS clearance and have the ability to obtain SCI at a minimum. If interested, please reach out to our team @ recruiting@twosixtech.com

RevEng.AI | London, UK | Full-Time | https://reveng.ai/about#jobs

RevEng.AI is building foundational AI models to identify malicious threats and security vulnerabilities inside software at the binary level. We're a seed stage startup having raised $4.25m from top tier VCs across the US and Europe. You’ll play a key role in advancing our platform pushing the boundaries of AI-driven program analysis.

We're looking to hire a team of Frontend, Backend, and Full Stack Engineers. Our tech stack currently uses react, fastapi, redis, celery, rabbitmq, and k8s.

* 5+ years of experience

* Hybrid working environment but ideally commutable to London, UK

* Solid understanding of software engineering design

* Ability to thrive in a fast-paced start-up environment

* Prior experience working with vector databases or complex data

To apply or learn more, email contact[at]reveng.ai with "hn" in the subject line.


next.js has a history of similar vulnerabilities.

I was made aware recently of a vulnerability that was fixed by this patch: https://github.com/vercel/next.js/pull/73482/files

In this vulnerability, adding an 'x-middleware-rewrite: https://www.example.com' header would cause the server to respond with the contents of example.com, i.e. the world's dumbest SSRF.

Note that there is no CVE for this vulnerability, nor is there any clear information about which versions are affected.

Also note that according to the published support policy for nextjs only "stable" (15.2.x) and "canary" (15.3.x) receive patches. But for the vulnerability reported here they are releasing patches for 14.x and 13.x apparently?

https://github.com/vercel/next.js/blob/canary/contributing/r...

IMO you are playing with fire using nextjs for anything where you care about security and maintenance. Which seems insane for a project with 130k+ GitHub stars and supported by a major company like Vercel.
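One way to validate a rewrite target taken from an untrusted header before honouring it (an added example written for this comment, not the Next.js patch; `myapp.example`, the function names and the header-dict shape are assumptions):

```python
from urllib.parse import urlsplit

# Added example, not Next.js's own fix: a same-origin check for a rewrite
# target supplied in a request header such as x-middleware-rewrite.
# `allowed_host` is the host the app is actually served from (assumed here).

def is_same_origin_rewrite(target, allowed_host):
    """True only if `target` stays on our own origin."""
    if not target or any(ch in target for ch in "\r\n\x00"):
        return False
    # Many URL parsers treat backslashes as slashes; normalise before parsing
    # so a backslash-prefixed host is not mistaken for a relative path.
    target = target.replace("\\", "/")
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative (//host/...) URL: compare the whole
        # authority, so userinfo tricks ("ours@other.host") are rejected too.
        return (parts.scheme in ("", "http", "https")
                and parts.netloc.lower() == allowed_host.lower())
    return target.startswith("/") and not target.startswith("//")

def effective_rewrite(headers, allowed_host):
    """Return the local path (+query) to rewrite to, or None to ignore it."""
    raw = headers.get("x-middleware-rewrite")
    if raw is None or not is_same_origin_rewrite(raw, allowed_host):
        return None
    parts = urlsplit(raw.replace("\\", "/"))
    return parts.path + ("?" + parts.query if parts.query else "")
```

If the header only has meaning inside the deployment, the stricter option is to drop it at the edge before it ever reaches the application.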


I am quite pleased with the ability to easily use Prolog from within Python and vice versa. It makes it now one of the easiest and most expressive solvers to plug into for my tastes. I'm starting to accumulate useful solvers here https://github.com/philzook58/prologsolvers/tree/164297d87f6...

You need to install SWI-Prolog https://www.swi-prolog.org/download/stable and pip install janus_swi

A simple example to get started: https://www.swi-prolog.org/pldoc/doc_for?object=section(%27p...

  import janus_swi as janus
  # Load a small Prolog program from a string ("path" is only a label for it)
  janus.consult("path", """
  edge(a,b).
  edge(b,c).
  edge(c,d).

  :- table path/2.   % tabling avoids loops on cyclic graphs and repeated work
  path(X,Y) :- edge(X,Y).
  path(X,Y) :- edge(X,Z), path(Z,Y).
  """)
  # Each answer is a dict binding the query's variables (Y here)
  list(janus.query("path(a,Y)."))

Early on in my engineering career, there are a handful of times I was assigned to a project where I was set up to fail. I didn't understand the situation until far too late. There are a few tell-tale symptoms: I didn't quite understand what I was supposed to do; I didn't really know how to do it; and I didn't understand how the assigned work actually solved a higher-level problem. No one else did, either (these situations usually represent a failure of management).

As those projects dragged on and I was unable to make "progress", whatever that meant, I felt shame and a mounting dread of returning to the console each day. Eventually, fortunately, I was able to roll off them (not having accomplished much in the preceding month or two) and got back to doing useful things.

These days I can usually recognize such projects in advance, but it's still not always possible to avoid them.


Related, updating difftastic and friends if you installed via cargo:

  cargo install cargo-update
  cargo install-update --list
  cargo install-update --all

Other fun Rust projects available via cargo:

https://mise.jdx.dev/ mise-en-place, a drop-in replacement for asdf https://asdf-vm.com/ that is really fast and flexible.

https://github.com/ajeetdsouza/zoxide is a fantastic cd replacement, which stores where you cd to, and you can then do a partial match like "z hel" might take you to "~/projects/helloworld".

https://github.com/bootandy/dust is a complement to "du", shows which directories are using the most disk space.


Author here; I have a lot of other posts in my personal blog about this, but: the current trends in VC-backed tech companies are about minimizing risk and following fashion, rather than any technical merit or experimentation. Said another way: if an Elixir company dies, it's "damn, shouldn't have picked Elixir!" If a Python company dies, it's "startups are hard," with no investigation behind what Python cost you.

I go into it a bit here https://morepablo.com/2023/05/where-have-all-the-hackers-gon... and here https://morepablo.com/2023/06/creatives-industries.html

Elixir has real technical downsides too, but honestly they never come up when someone advocates against it. And this is fine, building companies and engineering culture is a social game at the end of the day.


I guess that proposing symbol names could be an apt use case for AI. Some papers are referenced here: https://github.com/nforest/awesome-decompilation#ai-based-de...

I would recommend two. F# in Action [1] by Isaac Abraham is a great (and recent) introduction to the F# language. For a more philosophical, domain-oriented book, you can't go wrong with Scott Wlaschin's Domain Modeling Made Functional book[2]. Scott's blog[3] is also must-read material.

[1] https://www.manning.com/books/f-sharp-in-action

[2] https://pragprog.com/titles/swdddf/domain-modeling-made-func...

[3] https://fsharpforfunandprofit.com/


The wonders of HN strike again. Thank you for this amazing piece of technology that is nsjail. Nsjail is very core to our security; our multitenancy would be so slow without it, and I think we're one of the applications that leverage it in a way that showcases nsjail to its full extent (as in, we beat containers/Firecracker cold starts by a fair margin while keeping most of their benefits). That's one of the reasons we're orders of magnitude more efficient than Airplane, which uses Fargate under the hood. I would love to chat if you have time; my email is in my profile.

I've been using localsend, mostly without issues. This thread has made me discover pairdrop.net and I have to say it's miles better. I've switched all my devices over now. The iOS integration with the provided shortcut + permanent pairing, in particular, is really good.

We have a solution already, and we're exploring a few more.

The durable coroutine library is one part of a larger system we're releasing soon. See https://stealthrocket.tech/blog/fairy-tales-of-workflow-orch... for more information :)


I really like the idea of mining your own browsing history for insight. I think that the value of our browsing history is completely lost to us because of the lack of tooling to make saving and searching more accessible.

It's still WIP but I've been building a browser extension for this on GitHub here: https://github.com/lunabrain-ai/lunabrain

My goal is to be able to use the Internet as normal, but have the extension automatically index and rank content I find important. For example, if I spend 5 minutes on a page that I went to after Hacker News, odds are I found that important, so it should be considered in my history differently than other things.

The network effect of this data is pretty interesting too. It would be really cool to see what my friends, or other high-trust, high-signal groups I am in, find interesting. Being on a page where my mentor has starred, annotated, or shared this before will probably give me pause and make me consider this page more deeply.

I'm curious if anybody else has any notes to share.


I wonder if the new-edition approach could be done by interpreting pre-2024 code as if everything had a Leak bound. So instead of a not-Leak type being disallowed when passed to a pre-2024 module, it would not pass type checking because everything in the pre-2024 module required Leak.

I really like the message passing paradigm. And languages like Erlang have shown that it's an excellent choice... for distributed systems. But writing code like that is a very different experience from, say, async JavaScript, which feels more like writing synchronous code with green threads (except you have to deal with function coloring as well). I believe people will try to write code in a way that is already familiar to them, leading them down the path of Arc and RwLock in Rust.

I know what Theo says about (x86) virtualization[1], but I think it's still useful to virtually separate your random browsing the web from things like health and banking, or where you keep your ssh keys (if you don't use a Yubikey or similar to keep it off your laptop) -- or other secrets.

You can be a victim of a random drive-by, you don't have to be a person on a "list".

[1] https://marc.info/?l=openbsd-misc&m=119318909016582


And Elixir introduced GenStage to help with this [0]. The thing that I love about Erlang's actor model over Go (that is, for me, a fatal flaw with Go and CSP) is the "spooky action at a distance" issue. It's much easier to reason locally within an Erlang project, in my opinion, versus a Golang project, since once a channel is created, it's often very difficult to trace its usage.

[0] https://elixir-lang.org/blog/2016/07/14/announcing-genstage/


An important point to note, that is not very obvious from the text, is that it is (very, very) difficult to retrieve ka from A=ka.P and kb from B=kb.P. For an attacker who has A and B, it's close to impossible to recover P and ka.kb.P.
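The exchange described in the comment above, as an added worked example (not from the comment) on a toy curve small enough to check by hand: both parties publish A=ka.P and B=kb.P, both derive ka.kb.P, and the only route from A back to ka shown here is exhaustive search, which is feasible only because this group has a handful of points. The curve, base point and function names are assumptions chosen for the example.

```python
# Added worked example (not from the comment): toy elliptic-curve
# Diffie-Hellman over y^2 = x^3 + 2x + 3 mod 97 with base point P = (3, 6),
# a textbook curve small enough to check by hand.  A = ka.P and B = kb.P are
# public; ka and kb stay private; both sides arrive at ka.kb.P.
P_MOD, A_COEF, B_COEF = 97, 2, 3
GEN = (3, 6)           # the public base point P
INF = None             # point at infinity, the group identity

def ec_add(p1, p2):
    """Group law in affine coordinates; handles identity and p1 == -p2."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def scalar_mult(k, pt):
    """k.pt by double-and-add: O(log k) group operations, even for 256-bit k."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

def ecdh(ka, kb):
    """Return (A, B, shared_a, shared_b); the last two must be equal."""
    A, B = scalar_mult(ka, GEN), scalar_mult(kb, GEN)
    return A, B, scalar_mult(ka, B), scalar_mult(kb, A)

def brute_force_dlog(target, pt=GEN):
    """Find k with k.pt == target by stepping through the subgroup.  Works
    here only because the group is tiny (under 2*P_MOD + 2 points by Hasse)."""
    acc = INF
    for k in range(2 * P_MOD + 2):
        if acc == target:
            return k
        acc = ec_add(acc, pt)
    return None
```

The comparison that matters is cost: scalar_mult needs about log2(k) steps while the search needs about as many steps as there are points, which is what separates a 5-point toy from a real curve.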
