Bradley Kemp
@bradleyjkemp.dev
Experienced ignorer of Safe Browsing warnings

Founder @ Phish Report 🎣
storing hashed phone number pairs is a very smart way to do this

obviously needs some further scrutiny, but this approach solves so, so many of the vulnerabilities you usually see in contact discovery systems
"Find friends by phone" is a common tool in social networks. We're proposing a secure scheme and requesting comments from the dev community.

Goals:
・Double opt-in: you're not findable by your phone unless YOU use the tool
・Secure to enumeration attacks
・Resistant to decryption if compromised
Request For Comments: A secure contact import scheme for social networks | Bluesky
This article outlines plans for a future Bluesky feature - it doesn’t exist yet! By sharing our ideas early, we hope to solicit feedback from the community.
docs.bsky.app
November 19, 2025 at 10:09 AM
in a similar vein: a surprising number of cold-email bots assume you can get the company name by:

stripping TLD from the domain name, and capitalising

I get multiple emails a week congratulating me for founding Phish...
btw you can put a symbol as the first character of your name in LinkedIn and auto-filter any email with that symbol in straight to your spam drawer :)
November 17, 2025 at 10:15 AM
feels like the terminal is just an aesthetic choice now? wouldn't building an actual GUI be way simpler at this point?

> [use] your mouse to click and navigate directly within the input

> clean and polished display regardless of how you resize your window
Making the terminal beautiful one pixel at a time- Google Developers Blog
Build AI-powered Android apps! Explore the open-source Android AI Sample Catalog featuring on-device (Gemini Nano) and Cloud examples.
developers.googleblog.com
November 14, 2025 at 11:14 AM
honestly it'd be better if updating Chrome meant losing all my tabs

i'd actually have a clean browser at least every couple weeks
November 13, 2025 at 12:41 PM
my worst company docs experience:

all the documentation used to be on Dropbox Paper, but it got too expensive so they did a crappy export to Google Docs of the most important ones and stopped giving people Dropbox access

need to actually read a doc? better find an OG and get them to send you a PDF
The documentation? It's on Notion, bro. It's literally on Confluence. You have to log into Coda. It's on Obsidian. It's on MediaWiki. You can find it on Google Docs. You can go to Google Docs. Log into Google Docs. You can Docs it. Oh, I guess that's out of date
it's on miro. it's literally on figma. you have to log into okta. it's in jira. it's on zoom. it's on pureref. it's on flow. it's on perforce. it's on slack. you can find it on slack. you can go to slack and find it. log onto slack right now. you can slack it. slack has it for you. it's on slack.
November 13, 2025 at 9:54 AM
opening the window before attempting a tricky refactor
November 12, 2025 at 4:18 PM
Beautiful (ab)use of the go.bsky.app domain to make a pretty convincing link to the phishing site
Scammers masquerading as bluesky admins in the dm spam, fyi:
November 11, 2025 at 9:55 PM
From experience, this is incredibly hard (bordering on impossible) to do without enabling enumeration attacks

But, perhaps they've pulled off something magical here?

*enumeration attacks meaning you can plug in 100,000 phone numbers and get back a list of matching usernames
We're working on a writeup that I'm pretty excited about --

Importing your address book to find friends is common for social, but it's insecure to enumeration attacks and database leaks so we've historically refused to implement it. The team has a proposal now that we think solves those risks.
November 7, 2025 at 10:23 AM
Huh, as ever it's incredibly hard to segment power users from small businesses

Trying to think how you could (automatically) even detect the difference between a 100 user domain and a 1 user/100 email domain 🤔
Bloody hell! If you have a personal domain name for a catch-all email address, it'll cost you £170 to monitor it on Have I been Pwned.

Probably reasonable if you're a business, but a bit out of reach for domestic use.

(No need to snitch-tag.)
November 6, 2025 at 9:48 AM
huh, I've built a lot of complex stuff using [LLM coding tool], but trying to unwind some badly designed postgres row-level security policies is what's finally stumped it

> ⚠ Heads up, you've used over 95% of your 5h limit.
November 3, 2025 at 5:34 PM
this has a neat approach to fine-grained network filtering: sandboxed binary can only talk to a proxy which does hostname allowlisting

every other sandbox I've seen only supports all or nothing network blocking

but wow are they vibe-coding this (derogatory)
GitHub - anthropic-experimental/sandbox-runtime: A lightweight sandboxing tool for enforcing filesystem and network restrictions on arbitrary processes at the OS level, without requiring a container.
github.com
October 27, 2025 at 11:58 AM
Reposted by Bradley Kemp
shame this isn't about a key signing ceremony like I first thought

some interpretive dance would certainly be a welcome addition to the hours on end of plugging cards into HSMs
October 25, 2025 at 9:10 AM
there needs to be a "Holidays" calendar but just for holidays where people traditionally set off fireworks

takes me by surprise every year!
October 20, 2025 at 6:26 PM
very annoying when vendors create their own completely custom file formats (and don't provide a grammar so you can parse things yourself)

*but* it's wild that just giving codex/claude code/etc. a directory of examples and telling it to build a parser actually works?!?
October 20, 2025 at 2:02 PM
cooked.wiki solves so many issues with the online recipe experience:

it just extracts the steps, skips the author's life story

puts the ingredient quantities *inline* in the step that actually uses them

keeps your phone from locking (saves me from a lot of screen cleaning...)
Cooked - Your Smart Cookbook
Are you tired of scattered recipes from the internet? Cooked transforms those long cluttered pages into a short version which you can save and read while cooking. Even works with videos!
cooked.wiki
October 19, 2025 at 3:58 PM
wish I'd done this a loooong time ago. I'm finding so many utility providers where you can't update the email address on an account 😭

the only thing I'd add: spend some time to find a domain that's also a cute anagram of your names, it's fun!
My unusual marriage advice is to use a couple's email domain. It eliminates a lot of miscommunication on shared email threads and shared online services. mtlynch.io/couples-emai...
Give Your Spouse the Gift of a Couple's Email Domain
The brilliant relationship tip you won't find anywhere else.
mtlynch.io
October 10, 2025 at 2:15 PM
have we tried just not outputting code that's immediately detected as broken?

guess this would probably also happen if I reviewed my own PRs though...
October 8, 2025 at 3:30 PM
🤯 dynamically generating og:images like this in pure Go is impressive

most projects give up and use a headless browser to render a mini webpage and screenshot it

Stealing this approach!
October 8, 2025 at 2:01 PM
example.com is down? I wonder how many unit tests are failing right now
August 10, 2025 at 6:10 PM
> go to check the GitHub status page
> asked to accept cookies from Atlassian
🤔

I guess good on them for having their statuspage infra so separate from their main infra, that it's hosted by a competitor?
August 4, 2025 at 9:15 AM
Ask an LLM for an OAuth2 implementation? Get boilerplate with hard-coded values where there should be randomised ones (e.g. state param)

Mention "PKCE" and suddenly you get a perfect implementation...
July 31, 2025 at 8:16 AM
Reposted by Bradley Kemp
"I'm behind 7 proxies" but they're in parallel not in series, because no single location has a full view of the internet
July 25, 2025 at 11:03 PM
The new (beta) GitHub PR view *finally* lets you switch between unified and split diff without reloading the page 🙌🏻
[GIF: The woman from Titanic saying "it's been 84 years..."]
July 8, 2025 at 9:04 AM
OpenAI Codex has weirdly become my coding TODO list

When I have a feature idea, bug, etc. rather than writing up a ticket, I just set Codex running on it

When I come back to review, either I've got a mostly-mergeable PR, or it's completely failed and I can convert to an actual ticket
July 2, 2025 at 11:25 AM