Bradley Kemp
@bradleyjkemp.dev
Experienced ignorer of Safe Browsing warnings

Founder @ Phish Report 🎣
"🍌 is so close to 🍒" still could be true though!

(assuming it's an old-school machine with rotating drums which could have those symbols adjacent)
November 21, 2025 at 2:28 PM
it's also what I predicted 💪🏻
Sketch implementation: for a user A, hash pairs of phone numbers for each of their contacts. Sort the numbers before hashing so it might be A||B, C||A, A||D, etc.

Those get uploaded to bsky, and the client gets a list of hits back -> this tells them which of their contacts have bsky accounts
November 19, 2025 at 10:10 AM
so maybe IDEs should just have an integrated web panel like they do a terminal 🤷🏻‍♂️
November 14, 2025 at 11:17 AM
the one benefit I can think of is: being in the terminal lets you embed yourself in arbitrary IDEs

cleaner than a separate GUI window, but without the overhead of maintaining separate extensions for intellij, vscode, zed, etc.
November 14, 2025 at 11:16 AM
> Automatically closes inactive tabs and makes it easy to get them back

noooo they need to go into the void, never to be recovered

but ok yeah that seems pretty great, and even open source!
GitHub - tabwrangler/tabwrangler: A browser extension that automatically closes your unused tabs so you can focus on the tabs that matter
github.com
November 13, 2025 at 12:57 PM
So much going on here...

The link to their website is an outlook safelinks url?

They're not even a security company, they're a "hide the fact you used an LLM" tool???
November 12, 2025 at 4:22 PM
Yeah, as a security engineer, for me this falls into the bucket of being an essentially free way to prevent some hypothetical attack we haven't thought of yet

Partitioning the cache by tenant very slightly reduces hit rate, but you'll sleep better at night knowing there's no novel attacks out there
November 10, 2025 at 2:10 PM
Sketch implementation: for a user A, hash pairs of phone numbers for each of their contacts. Sort the numbers before hashing so it might be A||B, C||A, A||D, etc.

Those get uploaded to bsky, and the client gets a list of hits back -> this tells them which of their contacts have bsky accounts
November 7, 2025 at 10:31 AM
Perhaps this double-opt-in is the key? If you can only get a hit when *both*
A's contact list includes B
*and*
B's contact list includes A, I think that could work safely?
It’s 100% opt in. In fact it requires both sides to opt in
November 7, 2025 at 10:31 AM
> I started refactoring [...], but I haven't finished updating [...]
> I’ll continue adapting those paths, unless you’d prefer I pause here.
🥺

bot's sleepy, wants a rest
November 3, 2025 at 5:39 PM
Honestly it's of marginal benefit here, but definitely a useful header to know about

Based on @filippo.abyssdomain.expert's investigation, this header is how the latest Go version implements cross-site request forgery detection
Cross-Site Request Forgery
Cross-Site Request Forgery countermeasures can be greatly simplified using request metadata provided by modern browsers.
words.filippo.io
October 28, 2025 at 5:07 PM
Yup! In that case you'll get

Sec-Fetch-Site: same-site

Because the request comes from the same registered domain

Whereas for an exact hostname match, you'd get:

Sec-Fetch-Site: same-origin

(Other values: "none" if a user clicked 'open image in new tab', or 'cross-origin' for someone hotlinking)
October 28, 2025 at 5:03 PM
Provided the favicon service is running on the same domain, you can probably use the Sec-Fetch-Site header

Allowing anything except a "cross-site" value is equivalent to your current referrer check (but would work even if referrers aren't sent)
Sec-Fetch-Site header - HTTP | MDN
The HTTP Sec-Fetch-Site fetch metadata request header indicates the relationship between a request initiator's origin and the origin of the requested resource.
developer.mozilla.org
October 28, 2025 at 2:03 PM
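The check described in the post above, sketched in Go as an added example (not code from the original post or from any project it mentions): a middleware that refuses only requests the browser labels `cross-site` and lets through every other value, including an absent header. The names `guardHotlinks` and `statusFor`, the `/favicon` path, and the `Vary` response header are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// allowedBySecFetchSite rejects only requests the browser labels "cross-site".
// same-origin, same-site and none pass, and so does a missing header (older
// browsers, non-browser clients), like a referrer check that tolerates an
// absent Referer.
func allowedBySecFetchSite(r *http.Request) bool {
	return r.Header.Get("Sec-Fetch-Site") != "cross-site"
}

// guardHotlinks wraps a handler (here a hypothetical favicon endpoint).
func guardHotlinks(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// The response now depends on this header, so shared caches must key on it.
		w.Header().Add("Vary", "Sec-Fetch-Site")
		if !allowedBySecFetchSite(r) {
			http.Error(w, "cross-site fetch refused", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends one constructed request through the guard and returns the
// status code. An empty site means the header is not sent at all.
func statusFor(site string) int {
	favicon := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Content-Type", "image/x-icon")
		w.Write([]byte("icon-bytes")) // constructed placeholder body
	})
	req := httptest.NewRequest(http.MethodGet, "/favicon?domain=example.com", nil)
	if site != "" {
		req.Header.Set("Sec-Fetch-Site", site)
	}
	rec := httptest.NewRecorder()
	guardHotlinks(favicon).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, site := range []string{"same-origin", "same-site", "none", "cross-site", ""} {
		fmt.Printf("Sec-Fetch-Site=%q -> %d\n", site, statusFor(site))
	}
}
```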
Still a dead/pinned butterfly based on the wing position
October 27, 2025 at 9:44 PM