Readit News
caleblloyd commented on Kratos - Cloud native Auth0 open-source alternative (self-hosted)   github.com/ory/kratos... · Posted by u/curtistyr
fady0 · a month ago
Aren’t these codes supposed to have a timeout, like you have to use them within 10 minutes or they become invalid?
caleblloyd · a month ago
Sure, but say the implementation lets you try 5 codes in that 10 minutes with a 30 minute lockout. An attacker could trigger Account Recovery, blindly try 5 six-digit codes immediately, and have a 0.0005% chance of getting into your account.

They could script this to run over a long period of time targeting 1 account, or they could target many accounts at once, and would probably have success.

caleblloyd commented on Kratos - Cloud native Auth0 open-source alternative (self-hosted)   github.com/ory/kratos... · Posted by u/curtistyr
caleblloyd · a month ago
I used Ory Kratos in a Go application a couple years ago by installing it as a dependency. It worked pretty well but in hindsight I would have hosted it as a separate application because it was a pain to bring along all of its dependencies.

One of my biggest complaints was that one of the Account Recovery flows was just an emailed 6-digit code. So a 1 in 1 million chance that somebody without access to any of your stuff could hack you by just hitting reset and guessing "123456". It's actually surprising how many other Account Recovery flows across the web I have noticed recently that do the same thing. Not sure if Ory has added the option for more entropy in this code as of today's release though it's been a while since I've used it.

Otherwise it was a great project to work with that has tons of knobs to customize. I commend the authors, aeneasr especially. It must be a ton of work to keep up with all of the auth standards and offer this in an Apache2 licensed package all while building a business around it as well!
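
As an added worked example for the two comments above (the "1 in 1 million" guess and the "5 codes per 10 minutes with a 30 minute lockout" estimate), not code from the thread and not Ory Kratos's own code: the Go program below computes how that per-burst chance compounds across many accounts and over time, and what code length would push the yearly success probability below a target. The policy numbers, the cycle model (attacker waits out window plus lockout before re-triggering recovery) and the names RecoveryPolicy, CompromiseProbability and MinCodeBits are assumptions made for this illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"math"
	"math/big"
)

// RecoveryPolicy describes a rate-limited recovery-code verifier. The values
// used below are the hypothetical numbers from the thread (six digits, five
// tries per ten-minute window, thirty-minute lockout), not any product's defaults.
type RecoveryPolicy struct {
	CodeSpace      float64 // number of possible codes, 1e6 for six digits
	TriesPerWindow int     // guesses allowed before the lockout kicks in
	WindowMinutes  int     // how long one code stays valid
	LockoutMinutes int     // lockout after TriesPerWindow failures
}

// PerCycleSuccess is the chance that one burst of distinct guesses against a
// single uniformly random code hits it: tries / code space.
func PerCycleSuccess(p RecoveryPolicy) float64 {
	tries := float64(p.TriesPerWindow)
	if tries > p.CodeSpace {
		tries = p.CodeSpace
	}
	return tries / p.CodeSpace
}

// CyclesIn counts trigger-guess-lockout cycles that fit in `minutes`. It assumes
// (an assumption for this example) that the attacker waits out both the code
// window and the lockout before re-triggering recovery and guessing again.
func CyclesIn(p RecoveryPolicy, minutes int) int {
	return minutes / (p.WindowMinutes + p.LockoutMinutes)
}

// CompromiseProbability is P(at least one success) over cycles*accounts
// independent bursts, 1 - (1 - q)^n, computed with Log1p/Expm1 so it stays
// accurate when q is on the order of 1e-6.
func CompromiseProbability(p RecoveryPolicy, cycles, accounts int) float64 {
	trials := float64(cycles) * float64(accounts)
	return -math.Expm1(trials * math.Log1p(-PerCycleSuccess(p)))
}

// MinCodeBits is the smallest code length in bits such that `trials` distinct
// guesses succeed with probability at most maxProb (trials / 2^bits <= maxProb).
func MinCodeBits(trials, maxProb float64) int {
	return int(math.Ceil(math.Log2(trials / maxProb)))
}

// DecimalDigitsForBits converts a bit length to the number of decimal digits a
// purely numeric code needs to carry it.
func DecimalDigitsForBits(bits int) int {
	return int(math.Ceil(float64(bits) / math.Log2(10)))
}

// SixDigitCode draws a code from crypto/rand and zero-pads it; math/rand would
// make the sequence predictable, which is a separate flaw from the small space.
func SixDigitCode() (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1_000_000))
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%06d", n.Int64()), nil
}

// HighEntropyToken draws 256 random bits for a recovery link; at this size the
// rate limit is defence in depth rather than the only thing holding.
func HighEntropyToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

func main() {
	p := RecoveryPolicy{CodeSpace: 1e6, TriesPerWindow: 5, WindowMinutes: 10, LockoutMinutes: 30}
	year := 365 * 24 * 60 // minutes
	fmt.Printf("one burst, one account:        %.4f%%\n", 100*PerCycleSuccess(p))
	fmt.Printf("one burst each, 100k accounts: %.1f%%\n", 100*CompromiseProbability(p, 1, 100000))
	cycles := CyclesIn(p, year)
	fmt.Printf("one account, %d cycles/year:  %.1f%%\n", cycles, 100*CompromiseProbability(p, cycles, 1))
	bits := MinCodeBits(float64(cycles*p.TriesPerWindow), 1e-9)
	fmt.Printf("bits for <=1e-9 per year:      %d (%d decimal digits)\n", bits, DecimalDigitsForBits(bits))
	code, _ := SixDigitCode()
	tok, _ := HighEntropyToken()
	fmt.Println("example six-digit code:", code, " example link token:", tok)
}
```

With the thread's numbers the per-burst chance is 0.0005%, one burst against each of 100,000 accounts succeeds somewhere with about 39% probability, and a single account attacked in 40-minute cycles for a year is compromised with roughly 6% probability. Bringing the yearly figure under 1e-9 takes about 46 bits, i.e. a 14-digit numeric code or, more practically, a random link token; the rate limit alone cannot close the gap a six-digit space leaves.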

caleblloyd commented on Ally Petitt: Youngest OSCP at 16yo. Over 11 CVEs by 18   ally-petitt.com/en/posts/... · Posted by u/nullbyte808
caleblloyd · 2 months ago
I sometimes dream of what it would have looked like to become a doctor (or PA or similar) instead of choosing Software. Mainly the allure of interacting with and helping more people.

This young person sounds like they are motivated enough to succeed at any study they put their mind to. Of course many companies will deny a young person employment based on age, just like they would deny them employment based on a lack of a formal degree.

But one day you turn 25, you are the right age, and you have the right degree. Then the praises for saving the company 70% on their cloud computing costs stop, and the same managers start asking you to work the weekend to fix other people’s code. And if you oblige, the burnout will become as real as a Doctor’s burnout, I imagine.

caleblloyd commented on Amazon has mostly sat out the AI talent war   businessinsider.com/amazo... · Posted by u/ripe
mountainriver · 4 months ago
AWS has now become one of the most hated tools, right next to Jenkins.

Amazon is turning into a dinosaur like Cisco or IBM.

caleblloyd · 4 months ago
I still like AWS all these years later. It’s trusted in the enterprise and you can empower people to do what they need to themselves with IAM. And it’s pretty reliable.
caleblloyd commented on XSLT removal will break multiple government and regulatory sites   github.com/whatwg/html/is... · Posted by u/colejohnson66
caleblloyd · 4 months ago
Flash removal broke multiple government sites. I couldn't take a required training course for a few months after Flash support was removed and the site was taken offline for an upgrade.

I’m sure ActiveX and Silverlight removal did too. And iframes not sharing cross domain cookies. And HTTP mixed content warnings. I get it, some of these are not web specs, but some were much more popular than XSLT is now.

The government will do what they do best, hire a contractor to update the site to something more modern. Where it will sit unchanged until that spec too is removed, some years from now.

caleblloyd commented on Cross-Site Request Forgery   words.filippo.io/csrf/... · Posted by u/tatersolid
fabian2k · 4 months ago
So am I understanding it right that you don't need any CSRF tokens anymore to fully protect against CSRF attacks?

And if Go is implementing this specific protection, are other ecosystems doing this as well? My specific interest would be .NET/C#, but I am wondering in general how widespread this specific solution is at the moment.

caleblloyd · 4 months ago
I don’t quite understand the part of the article that deems that you can skip all the checks under the assumption that this is an older browser, and that there is no CSRF vulnerability.

The algorithm seems sane for modern browsers. But you could probably find an outdated browser (an older Android device WebView would be common) where the whole thing breaks down.

So I think tokens can be a thing of the past for modern browsers. I like the middleware, I hope it does show up in ASP.NET proper soon. My guess is they’ll keep tokens middleware around alongside it for some time once it does though, and the decision on which to use will come down to whether or not you want to make sure older browsers are secure.
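
As an added illustration of the decision the thread is discussing, written for this page and not taken from the article, from Go's net/http or from ASP.NET: the Go code below makes the Fetch Metadata decision for one request, falls back to the Origin header, and shows the branch the comment above is uneasy about, where a request carrying neither header is let through on the assumption that it came from a non-browser client or a browser too old to send either. The function names Decide and RejectCrossOrigin, the sample origins and the host comparison are assumptions for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Decide reports whether a request should be allowed past the cross-origin
// check and why. Safe methods pass; otherwise Sec-Fetch-Site wins when present,
// the Origin header is the fallback, and a request with neither is allowed.
// Simplified illustration for this page, not Go's net/http implementation.
func Decide(method, secFetchSite, origin, host string) (allowed bool, reason string) {
	switch method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return true, "safe method"
	}
	if secFetchSite != "" {
		switch secFetchSite {
		case "same-origin", "none": // "none" is a typed URL or bookmark
			return true, "Sec-Fetch-Site=" + secFetchSite
		default: // "same-site" and "cross-site" are both rejected
			return false, "Sec-Fetch-Site=" + secFetchSite
		}
	}
	if origin != "" {
		if origin == "null" { // opaque origin: sandboxed iframe, data: URL, etc.
			return false, "Origin=null"
		}
		u, err := url.Parse(origin)
		if err != nil || !strings.EqualFold(u.Host, host) {
			return false, "Origin does not match Host"
		}
		return true, "Origin matches Host"
	}
	// Neither header: this is the legacy-browser / non-browser-client branch.
	return true, "no Sec-Fetch-Site or Origin: assumed non-browser or legacy client"
}

// RejectCrossOrigin wraps a handler with Decide. The Host header is trusted
// here; behind a proxy you would compare against a configured trusted origin.
func RejectCrossOrigin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ok, reason := Decide(r.Method, r.Header.Get("Sec-Fetch-Site"), r.Header.Get("Origin"), r.Host)
		if !ok {
			http.Error(w, "cross-origin request rejected: "+reason, http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed scenarios against a site served as app.example; the last one
	// is the case an old WebView would fall into.
	cases := []struct{ label, method, sfs, origin string }{
		{"modern browser, same-origin form POST", "POST", "same-origin", "https://app.example"},
		{"modern browser, cross-site form POST", "POST", "cross-site", "https://evil.example"},
		{"modern browser, same-site subdomain POST", "POST", "same-site", "https://blog.app.example"},
		{"browser with Origin only, cross-site", "POST", "", "https://evil.example"},
		{"no Fetch Metadata, no Origin (legacy/CLI)", "POST", "", ""},
	}
	for _, c := range cases {
		ok, why := Decide(c.method, c.sfs, c.origin, "app.example")
		fmt.Printf("%-45s allowed=%-5v %s\n", c.label, ok, why)
	}
	// Wiring: put RejectCrossOrigin in front of the real mux.
	_ = RejectCrossOrigin(http.NotFoundHandler())
}
```

Every modern browser sends Sec-Fetch-Site on all requests and Origin on cross-origin POSTs, so the first three branches cover them and no token is needed. The final branch is the trade-off: it keeps curl, mobile apps and scripts working without a token, at the price of trusting any client that sends neither header, which is exactly where a token-based scheme still has something to offer.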

caleblloyd commented on Ask HN: With all the AI hype, how are software engineers feeling?    · Posted by u/cpt100
caleblloyd · 4 months ago
I am the Product/Eng Lead and a Co-founder of a company formed ~1 year ago building AI-native developer tooling for Platform Engineers. Have been able to iterate very quickly through PoC phases and get initial feedback on ideas quicker. For features that make it into production code, we do have to spend some time re-working them with more formal architectures to remove "AI slop" but we are also able to try more things out to figure out what to move forward, so I feel like it is a net gain.

Part of "AI-native" means being able to really focus on how we can improve our Product to lessen upfront burden on users and increase time-to-value. For the first time in a while, I feel like there is more skill needed in building an app than just doing MVC + REST + Validation + Form Building. We focus on the minimum data needed for each form upfront from our users, then stream things like Titles, Icons, Descriptions, etc in a progressive manner to reduce form filling burden on our users.

I've been able to hire and mentor Engineers at a quicker pace than in the past. We have a mix of newer and seasoned Engineers. The newer Engineers seem to be learning far quicker with focused mentoring on how to effectively prompt AI for code discovery, scaffolding, and writing tests. Seasoned Engineers are able to work across the stack to understand and contribute to dependencies outside of their main focus because it's easier to understand the codebase and work across languages/frameworks.

AI in development has proven useful for some things, but thoughtful architecture with skilled personnel driving always seems to get the best results. Our vision for our product is the same: we want it to be a force multiplier for skilled Platform Engineers.


caleblloyd commented on Enough AI copilots, we need AI HUDs   geoffreylitt.com/2025/07/... · Posted by u/walterbell
perching_aix · 5 months ago
Been thinking about something similar, from fairly grounded ideas like letting a model autogenerate new features with their own name, keybind and icon, all the way to silly ideas, like letting a model synthesize arbitrary shader code and just letting it do whatever within the viewport. Think the entire UI being created on the fly specifically for the task you're working on, constantly evolving in mesh with your workflow habits. Now if only I went beyond being an idea man...
caleblloyd · 5 months ago
The reason we are not seeing this in mainstream software may also be due to cost. Paying for tokens on every interaction means paying to use the app. Upfront development may actually be cheaper, but the incremental cost per interaction could cost much more in the long term, especially if the software is used frequently and has a long lifetime.

As the cost of tokens goes down, or commodity hardware can handle running models capable of driving these interactions, we may start to see these UIs emerge.

u/caleblloyd

Karma: 1699, Cake day: September 17, 2015
About
Product/Eng Lead and Co-founder at codecargo.com