vbernat commented on Ask HN: Share your personal website    · Posted by u/susam
vbernat commented on We can't have nice things because of AI scrapers   blog.metabrainz.org/2025/... · Posted by u/LorenDB
everybodyknows · a month ago
> residential IP pools

So, is this a new profit center for sleazeball household ISPs?

vbernat · a month ago
No, this is done by paying app developers to bundle some random SDK. Search for Bright Data.
vbernat commented on My Home Fibre Network Disintegrated   alienchow.dev/post/fibre_... · Posted by u/alienchow
vbernat · a month ago
From the photos, it does not look like the fibers themselves are damaged. You should check the error rate on both sides. If it is 0, the not optimal values of your speedtest are not related to your fiber. If it is not 0, the more likely issues are in order: connectors to clean (buy a cleaning pen), bend radius somewhere, faulty optics, then the fiber. You can also pay a professional to run an OTDR on your fiber. It would show where the fiber is degraded.
vbernat commented on Show HN: A Claude Code plugin that catch destructive Git and filesystem commands   github.com/kenryu42/claud... · Posted by u/kenryu
vbernat · 2 months ago
I am using something like this on Linux:

    bwrap \
      --ro-bind /{,} \
      --dev /dev \
      --proc /proc \
      --tmpfs /run \
      --tmpfs /tmp \
      --tmpfs /var/tmp \
      --tmpfs ${HOME} \
      --ro-bind ${HOME}/.nix-profile{,} \
      --unshare-all \
      --die-with-parent \
      --tmpfs ${XDG_RUNTIME_DIR} \
      --ro-bind /run/systemd/resolve/stub-resolv.conf{,} \
      --share-net \
      --bind ${HOME}/.config/claude-code{,} \
      --overlay-src ${HOME}/.cache/go \
      --tmp-overlay ${HOME}/.cache/go \
      --bind ${PWD}{,} \
      --ro-bind ${PWD}/.git{,} \
      -- env SHELL=/bin/bash CLAUDE_CONFIG_DIR=${HOME}/.config/claude-code =claude

vbernat commented on Show HN: Shittp – Volatile Dotfiles over SSH   github.com/FOBshippingpoi... · Posted by u/sdovan1
goku12 · 2 months ago
Well, what if it's a separate directory meant exclusively for remote systems alone? And what if the remote mount is read-only, perhaps with a writable layer on top using overlayfs that can be discarded on logout?
vbernat · 2 months ago
This now looks very complex.
vbernat commented on Show HN: Shittp – Volatile Dotfiles over SSH   github.com/FOBshippingpoi... · Posted by u/sdovan1
goku12 · 2 months ago
How about mounting your dotfiles directory (~/.config) or even your entire home directory on the remote system using SSHFS or NFS? I'm sure somebody would have tried it or some project may already exist. Any idea why that isn't as prevalent as copying your dotfiles over?
vbernat · 2 months ago
This would enable a lot of attacks.
vbernat commented on The future of Terraform CDK   github.com/hashicorp/terr... · Posted by u/mfornasa
vbernat · 2 months ago
It's odd to always say "Hashicorp, an IBM company". Looks like they want to assign blame.

I did try Pulumi a while back, but the compatibility with Terraform modules was not great, so I've switched to CDKTF, which can handle unmodified modules. Dunno if I'll switch back to Pulumi or just use OpenTofu directly.

vbernat commented on BGP handling bug causes widespread internet routing instability   blog.benjojo.co.uk/post/b... · Posted by u/robin_reala
ExoticPearTree · 9 months ago
If you just drop malformed attributes, there is no blackhole spreading.
vbernat · 9 months ago
If the attribute says "encapsulate this", dropping just the attribute will create a blackhole as you will attract traffic that should be encapsulated and packets following this route will be dropped if not.
vbernat commented on Offline PKI using 3 Yubikeys and an ARM single board computer   vincent.bernat.ch/en/blog... · Posted by u/todsacerdoti
vbernat · a year ago
Author here. I agree this is an important feature for a CA. I'll try to add it.
vbernat · a year ago
Just added it.
vbernat commented on Offline PKI using 3 Yubikeys and an ARM single board computer   vincent.bernat.ch/en/blog... · Posted by u/todsacerdoti
GauntletWizard · a year ago
This is a pretty nice guide, though it misses some steps I'd consider important. If you're making a CA for internal use today, I would highly encourage you to use Name Constraints. Name Constraints allow you to specify that your CA will only be used to sign domains you pre-commit to. This means you can add your internal CA to your system trust stores on all of your corporate systems and not worry about it being abused to MITM your employees' connections to the wider internet. (If that is a feature you'd like to have, I would be happy to expound further on why that's a bad idea)

I'm giving a workshop in a few weeks at Bsides Seattle[1] about this - Pick up a Yubikey and come play with PKI with me.

[1]https://www.bsidesseattle.com/2025-schedule.html

vbernat · a year ago
Author here. I agree this is an important feature for a CA. I'll try to add it.

u/vbernat

Karma: 1860 · Cake day: October 18, 2011
About
Personal blog: https://vincent.bernat.ch/en/blog