Readit News
awirth commented on Strong earthquake hits northern Japan, tsunami warning issued   www3.nhk.or.jp/nhkworld/e... · Posted by u/lattis
lagniappe · 2 months ago
Somewhat offtopic curiosity: Is there anything that Japanese fishkeepers do to keep the water and livestock inside the tank during earthquakes? Here we have no such risk for earthquakes, so a 600lb tank of water 4ft off the ground isn't much of an issue, even when bumped. I'd imagine earthquakes of this frequency could complicate that.
awirth · 2 months ago
I have a 60L fish tank in my Tokyo apartment on around the 10th floor. It's sitting on stand that is not bolted to the wall. I have several friends with similar setups.

In the last 6 years there have been two or three earthquakes that caused enough water to slosh on to the floor.

Of those only the 2021 Fukushima earthquake caused any fish to slosh out - perhaps 10 medaka if I recall correctly. Luckily I was home and I was able to save all the fish, however there was one adult red cherry shrimp that didn't make it because I had trouble picking it up off the floor. I cleaned up the water with some paper towels and it didn't seem to cause any lasting damage.

I think if I had a 600 lb (270L?) tank or expensive fish though I would probably have a different perspective.

awirth commented on     · Posted by u/benterix
awirth · 5 months ago
It's been a year. Has it been disclosed what tool had this misconfiguration?
awirth commented on Show HN: I'm making an open-source platform for learning Japanese   kanadojo.com... · Posted by u/tentoumushi
zaik · 5 months ago
Anki definitely works for memorizing the hell out of vocabulary and I also don't regret completing WaniKani, although I would probably choose an Anki only approach if I had to start over. At some intermediate level I stopped looking at the mnemonics completely and just did as many reviews as possible until it stuck.
awirth · 5 months ago
I also got a lot of value out of wanikani even without completing it.

I tried and failed several times to get started with Anki before having success with Wanikani. The key differentiator for me was the learning step. Anki is great for remembering things you were taught or learned outside of it, but using Anki to learn new things is very much a learned skill that Wanikani holds your hand through.

I have N2 and am working on N1 now, and feel I still have a very long way to go before getting to CEFR C1. Now I only use Anki with the yomitan and takoboto integrations to quickly add any words I look up, which seems to be working well.

awirth commented on Malicious versions of Nx and some supporting plugins were published   github.com/nrwl/nx/securi... · Posted by u/longcat
madeofpalk · 5 months ago
gh cli is such a ticking time bomb. Anything can just run `gh auth token` and get a token that probably can read + write to all your work code.
awirth · 5 months ago
These tokens never expire, and there is no way for organization administrators to get them to expire (or revoke them, only the user can do that), and they are also excluded from some audit logs. This applies not just to gh cli, but also several other first party apps.

See this page for more details: https://docs.github.com/en/apps/using-github-apps/privileged...

After discussing our concerns about these tokens with our account team, we concluded the only reasonable way to enforce session lengths we're comfortable with on GitHub cloud is to require an IP allowlist with access through a VPN we control that requires SSO.

https://github.com/cli/cli/issues/5924 is a related open feature request

awirth commented on Copilot broke audit logs, but Microsoft won't tell customers   pistachioapp.com/blog/cop... · Posted by u/Sayrus
planb · 6 months ago
I am assigned to develop a company internal chatbot that accesses confidential documents and I am having a really hard time communicating this problem to executives:

As long as not ALL the data the agent has access to is checked against the rights of the current user placing the request, there WILL be ways to leak data. This means vector databases, search indexes or fancy "AI search databases" would be required on a per-user basis, or would have to track the access rights along with the content, which is infeasible and does not scale.

And as access rights are complex and can change at any given moment, that would still be prone to race conditions.

awirth · 6 months ago
What you're describing is a specific case of a confused deputy problem: https://en.wikipedia.org/wiki/Confused_deputy_problem

This is captured in the OWASP LLM Top 10 "LLM02:2025 Sensitive Information Disclosure" risk: https://genai.owasp.org/llmrisk/llm022025-sensitive-informat... although in some cases the "LLM06:2025 Excessive Agency" risk is also applicable.

I believe that some enterprise RAG solutions create a per user index to solve this problem when there are lots of complex ACLs involved. How vendors manage this problem is an important question to ask when analyzing RAG solutions.

At my current company at least we call this "権限混同" in Japanese - Literally "authorization confusion" which I think is a more fun name
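An added example (not from either commenter) of the difference the two comments above describe: a toy RAG retrieval that trusts the ACL snapshot copied into the index at ingest time, beside one that re-checks every hit against the live permission system on each request. The documents, users and ACLs are constructed for the example.

```python
# Added example, not code from the thread: request-time ACL re-check in RAG retrieval.
from dataclasses import dataclass

@dataclass
class Chunk:
    doc_id: str
    text: str
    acl_at_index_time: frozenset  # ACL snapshot copied into the index when ingested

# Constructed sample index: two documents, both readable by alice and bob at ingest time.
INDEX = [
    Chunk("handbook", "Vacation policy: 20 days per year.", frozenset({"alice", "bob"})),
    Chunk("merger-memo", "Acme will acquire Globex in Q3.", frozenset({"alice", "bob"})),
]

# Authoritative permission system (constructed). Bob's access to the memo was revoked
# after the index was built, so the snapshot stored in INDEX is stale for that document.
AUTHORITATIVE_ACL = {
    "handbook": {"alice", "bob"},
    "merger-memo": {"alice"},
}

def search(query: str) -> list[Chunk]:
    # Toy stand-in for vector similarity: a chunk matches if any query word appears in it.
    words = query.lower().split()
    return [c for c in INDEX if any(w in c.text.lower() for w in words)]

def retrieve_trusting_index(user: str, query: str) -> list[str]:
    """Filters hits on the ACL baked into the index: the stale-snapshot (confused deputy) path."""
    return [c.doc_id for c in search(query) if user in c.acl_at_index_time]

def retrieve_rechecking_acl(user: str, query: str) -> list[str]:
    """Re-validates every hit against the live ACL at request time before the model sees it."""
    return [c.doc_id for c in search(query)
            if user in AUTHORITATIVE_ACL.get(c.doc_id, set())]
```

The re-check narrows the window to the gap between the ACL lookup and the model's answer; it does not remove the race the first commenter points out, it just moves it from index build time to request time.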

awirth commented on Voting from Antarctica   brr.fyi/posts/voting-from... · Posted by u/sklargh
shusaku · 3 years ago
Voting by fax from a convenient store in Japan and immediately buying a beer to drink on the way home is a fond voting memory of mine.

> A few weeks later, I even started receiving political flyers in the mail. I guess you can just buy a voter registration database for this purpose, and it includes temporary addresses.

Also spam emails to the address you asked the ballot to be sent to. Either that or an unrelated data leak…

awirth · 3 years ago
Now, I've done it by email! (although still using the convenience store for print/scan)

Unfortunately, https://www.sec.state.ma.us/ is geo-blocked for all of Japan (and several other countries AFAICT) "due to cybersecurity reasons", so I can no longer check/update my registration to vote without a VPN. I tried contacting different parts of the MA state government to get it unblocked several times over the past few years, but had no success. I have no idea what the other MA-voting residents of Japan do.

Last time I contacted the secretary of state's office via my state representative, they were kind enough to temporarily unblock my home IP address for one week though!

awirth commented on Kurt Vonnegut at 100   thecritic.co.uk/issues/no... · Posted by u/Caiero
labster · 3 years ago
Everything about it is funny. Humans are absurd, and Cat’s Cradle revels in the absurdity. It’s funny in the same way atom bombs are funny, that our species would hate itself so much as to make a weapon that could destroy us all, and like, we ignore it almost all of the time? Bokonon and the dictator becoming their roles is absurd, but aren’t people this absurd?

Also, there are a lot of chapters. Every single chapter break is there to let a punchline sink in. It’s a literary pause for laughter.

awirth · 3 years ago
That's interesting, I've always reveled in the absurdity, but perhaps I'll re-read it with an eye to take each chapter in as a discrete unit. Thanks!
awirth commented on Kurt Vonnegut at 100   thecritic.co.uk/issues/no... · Posted by u/Caiero
jihadjihad · 3 years ago
I can never decide if Cat's Cradle is the funniest book I've ever read, or Toole's A Confederacy of Dunces. Some days, Dunces wins, but the majority of the time all it takes is remembering ice-nine and it's back to camp Kurt I go.
awirth · 3 years ago
Cat's Cradle is one of my favorite books, but to be honest, I've never found it that funny - at least not in the sense that it makes me laugh much. What do you find so funny about it?
awirth commented on Spring Core on JDK9 is vulnerable to remote code execution   praetorian.com/blog/sprin... · Posted by u/groundshark
WatchDog · 4 years ago
There is a lot of bad information out there about this issue.

What I have gathered so far, is that this is actually a real problem, but it may not affect most configurations.

This[0] seems to be the original vulnerability analysis, and this is the example vulnerable app[1].

The main issue seems to be that, since Java 9, WebDataBinder can be abused to access the classloader via "class.module.classloader". You might think that "class.classloader" would work, but it's explicitly filtered out[2]; it seems they need to add some filtering for module as well.

The proof of concept then accesses the "AccessLogValve" class via "class.classLoader.resources.context.parent.pipeline.first", which is only accessible if the application is running using a "WebappClassLoaderBase". It then configures the logger to output an arbitrary JSP file to the webapp root directory, which can then be used to get a shell.

It looks like this issue is only exploitable if your app is deployed as a war file.

[0]: https://github.com/TheGejr/SpringShell/blob/master/Vulnerabi...

[1]: https://github.com/fengguangbin/spring-rce-war

[2]: https://github.com/spring-projects/spring-framework/blob/mai...

awirth · 4 years ago
If you can access the classloader that's pretty bad, it's likely people will find other gadgets.

It's insane to me though that class.* isn't completely disallowed. What is the legitimate use case for deserializing allowing web requests to call setters in the reflection API?

Also, agree it is impressive to me how much bad information I've seen.

awirth commented on Americans seeking to renounce their citizenship are stuck with it for now   theguardian.com/us-news/2... · Posted by u/sofixa
pyuser583 · 4 years ago
Keep in mind, balloting in the US is based on place of residence. You’ll have a different set of elections to vote in from municipality to municipality (or ward to ward).

So you need to have a specific address in the US.

This makes sense. You shouldn’t be able to vote for an alderperson in a different ward. But it requires a specific, “in US” residence.

If you don’t have a specific address in the US, (you’re permanently residing outside the country) your last state of residence should be able to provide you with “President Only” ballots.

I’ve never heard of this actually happening though.

The US embassy has no involvement in any of this whatsoever. They will refer you to the clerk of courts (or whatever).

Realistically, do everything you can in the US (including absentee voting if possible).

Edit: keep in mind, many places have over a dozen distinct election events over a 4-year cycle. Presidential, presidential primary, mid-term, mid-term primary, non-partisan, non-partisan primary, local school board, etc.

Some states combine this into as few elections as possible, some as many elections as possible.

I once tried to vote in every election. Lack of publicity made this impossible. For many minor elections, there was no public info on the candidates for, say, clerk of court primary elections.

awirth · 4 years ago
I've been able to vote abroad in state/presidential elections from my last address in the US. I do it by email.

My only major hiccup is that the MA secretary of state's website www.sec.state.ma.us (which has the info about upcoming elections, the tool to check your registration, and the instructions for voting overseas) is blocked in Japan "for cybersecurity reasons". I've tried contacting the department of state and my state representative about this, but nothing's come of it.

The government of Cambridge on the other hand has been quite pleasant to deal with.

u/awirth

Karma: 425 · Cake day: December 10, 2016
About
https://allanwirth.com/