woodruffw commented on Europe's $24T Breakup with Visa and Mastercard Has Begun   europeanbusinessmagazine.... · Posted by u/NewCzech
woodruffw · 28 minutes ago
> neither Visa nor Mastercard will sit idle while Europe tries to dismantle their most profitable market.

Earnest question: is the EU really Visa and Mastercard's most profitable market? I would have expected it to be the US, both by customer volume numbers and in terms of regulatory environment (i.e. the US allowing payment processors to take a larger cut).

woodruffw commented on GitHub Agentic Workflows   github.github.io/gh-aw/... · Posted by u/mooreds
zozbot234 · 2 days ago
> I find this confusing: I can see the value in having an LLM assist you in developing a CI/CD workflow, but why would you want one involved in any continuous degree with your CI/CD?

The sensible case for this is for delivering human-facing project documentation, not actual code. (E.g. ask the AI agent to write its own "code review" report after looking at recent commits.) It's implemented using CI/CD solutions under the hood, but not real CI/CD.

woodruffw · 2 days ago
Sorry, maybe I phrased my original comment poorly: I agree there's value in that kind of "self" code-review or other agent-driven workflow; I'm less clear on how that value is produced (performantly, reliably, etc.) by the architecture described on the site.
woodruffw commented on GitHub Agentic Workflows   github.github.io/gh-aw/... · Posted by u/mooreds
clarkdale · 2 days ago
I feel like this solution hallucinated the concept of Workflow Lock File (.lock.yml), which is not available in GitHub Actions. This is a missing feature that would solve the security risk of changing git tag references when calling to actions like utility@v1
woodruffw · 2 days ago
I think in this context they mean “lock” as in “these are the generated contents corresponding to your source markdown,” not as in “this is a lockfile.” But I think that’s a pretty confusing overlap for them to have introduced, given that a lack of strong dependency pinning is a significant ongoing pain point in GHA.
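The pinning problem raised above is mechanical enough to check for: a `uses:` reference that names a tag or branch can be moved by whoever controls the upstream repository, while a full 40-hex commit SHA (or a `sha256:` image digest for `docker://` references) cannot. The script below is an added example, not code from the thread or from the gh-aw project; it scans a constructed sample workflow (the commit SHA and digest in it are placeholders) and reports every reference that is still mutable.

```python
import re

# Constructed sample workflow for illustration; not taken from any real repository.
# The 40-hex commit SHA and the sha256 digest below are placeholders, not real values.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5.0.0 (placeholder SHA)
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - uses: docker://alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
      - uses: some-org/utility@main
      - run: make test
"""

# One `uses:` value per step; a trailing comment after the ref is not captured.
USES_RE = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*([^\s#]+)", re.M)
COMMIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
IMAGE_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def classify_ref(ref: str) -> str:
    """Classify a `uses:` reference.

    'local'   -> action inside this repo, resolved from the checked-out commit (nothing to pin)
    'sha'     -> repo action pinned to a full commit SHA (immutable)
    'digest'  -> docker image pinned by content digest (immutable)
    'mutable' -> git tag, branch, or image tag that the upstream can move at any time
    """
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "digest" if IMAGE_DIGEST_RE.search(ref) else "mutable"
    _, sep, version = ref.rpartition("@")
    if sep and COMMIT_SHA_RE.match(version):
        return "sha"
    return "mutable"


def find_unpinned(workflow_text: str) -> list:
    """Return every `uses:` reference whose target can change underneath the workflow."""
    return [m.group(1) for m in USES_RE.finditer(workflow_text)
            if classify_ref(m.group(1)) == "mutable"]


if __name__ == "__main__":
    for ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"unpinned: {ref}")
```

The remediation is the second form in the sample: pin to the commit SHA and keep the human-readable version in a trailing comment, which is the convention Dependabot understands when it proposes updates to SHA-pinned actions. A SHA pin still trusts the upstream repository's contents at that commit; it only removes the ability to retarget the reference afterwards.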
woodruffw commented on GitHub Agentic Workflows   github.github.io/gh-aw/... · Posted by u/mooreds
woodruffw · 2 days ago
I find this confusing: I can see the value in having an LLM assist you in developing a CI/CD workflow, but why would you want one involved in any continuous degree with your CI/CD? Perhaps it’s not as bad as that given that there’s a “compilation” phase, but the value add there isn’t super clear either (why would I check in both the markdown and the generated workflow; should I always regenerate from the markdown when I need changes, etc.).

Given GitHub’s already lackluster reputation around security in GHA, I think I’d like to see them address some of GHA’s fundamental weaknesses before layering additional abstractions atop it.


woodruffw commented on CIA to Sunset the World Factbook   abc.net.au/news/2026-02-0... · Posted by u/kshahkshah
PlatoIsADisease · 5 days ago
I remember this from literally 20 years ago.

Maybe the traffic made it not worth the cost?

And 'soft power'? Like lying about stats and using it for propaganda? Otherwise it's just objective and someone else can do the work. For some reason I never attributed it to the US or CIA.

woodruffw · 5 days ago
“Soft power” refers usually to credibility. The point of the Factbook is to be a credible public resource for an entity that would otherwise not have much.
woodruffw commented on OpenSSL: Stack buffer overflow in CMS AuthEnvelopedData parsing   openssl-library.org/news/... · Posted by u/MagerValp
alanfranz · 14 days ago
I’ll answer to myself: an RCE is very unlikely on any modern platform. DoS is possible.

“Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution.”

From: https://openssl-library.org/news/secadv/20260127.txt

woodruffw · 14 days ago
"Modern platform" is doing a lot of lifting; CMS and PKCS#7 rear their heads in all kinds of random places, like encryption/signing of OTA updates for routers. Those platforms are often (unreasonably) 10-20 years behind the norm for compile-time mitigations.
woodruffw commented on OpenSSL: Stack buffer overflow in CMS AuthEnvelopedData parsing   openssl-library.org/news/... · Posted by u/MagerValp
selckin · 14 days ago
Can someone translate

"Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable"

to human?

woodruffw · 14 days ago
Services that process CMS[1] or PKCS#7[2] envelopes may be vulnerable to this bug. The most common example of these is S/MIME (for signed/encrypted email), but PKCS#7 and CMS show up in all kinds of random places.

(Unless I'm missing something, a key piece of context here is that CMS/PKCS#7 blobs are typically allowed to select their own algorithms, at least within an allowlist controlled by the receiving party. So the fact that it depends on an AEAD-specific parameter encoding is probably not a huge hurdle for someone looking to exploit this.)

[1]: https://datatracker.ietf.org/doc/html/rfc5652

[2]: https://datatracker.ietf.org/doc/html/rfc2315
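The point about the sender choosing the content type and algorithms is the receiver's lever for mitigation: the outermost CMS `ContentInfo` (RFC 5652, section 3) is just `SEQUENCE { contentType OBJECT IDENTIFIER, content [0] EXPLICIT ANY }`, so a service can read that one OID and refuse structures it never expects before the blob reaches a full CMS parser. The code below is an added example, not from the thread or from OpenSSL; it is a minimal DER reader for that outer layer plus an allowlist gate. The OIDs are the standard ones (signedData and envelopedData from RFC 5652, authEnvelopedData from RFC 5083); the sample blobs are constructed inline with an empty placeholder body and are not real S/MIME messages.

```python
from typing import Tuple

# Content-type OIDs from RFC 5652 and RFC 5083 (AuthEnvelopedData).
OID_DATA = "1.2.840.113549.1.7.1"
OID_SIGNED_DATA = "1.2.840.113549.1.7.2"
OID_ENVELOPED_DATA = "1.2.840.113549.1.7.3"
OID_AUTH_ENVELOPED_DATA = "1.2.840.113549.1.9.16.1.23"


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV at buf[pos]; return (tag, value, position after it).
    Supports single-byte tags and definite lengths of at most 4 length bytes."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags unsupported")
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite, oversized, or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value: bytes) -> str:
    """Decode DER OID contents to dotted form; rejects a trailing partial arc."""
    if not value:
        raise ValueError("empty OID")
    arcs = [value[0] // 40, value[0] % 40]
    acc, pending = 0, False
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(acc)
            acc = 0
    if pending:
        raise ValueError("truncated OID arc")
    return ".".join(map(str, arcs))


def cms_content_type(blob: bytes) -> str:
    """Return the dotted contentType OID of the outermost ContentInfo."""
    tag, body, end = _read_tlv(blob, 0)
    if tag != 0x30:
        raise ValueError("ContentInfo is not a SEQUENCE")
    if end != len(blob):
        raise ValueError("trailing bytes after ContentInfo")
    otag, oval, _ = _read_tlv(body, 0)
    if otag != 0x06:
        raise ValueError("contentType is not an OBJECT IDENTIFIER")
    return _decode_oid(oval)


# Receiver-side policy: only the structures this service actually expects.
DEFAULT_ALLOWED = frozenset({OID_SIGNED_DATA, OID_ENVELOPED_DATA})


def is_allowed(blob: bytes, allowed=DEFAULT_ALLOWED) -> bool:
    """True only if the outer layer is well-formed and its content type is allowlisted."""
    try:
        return cms_content_type(blob) in allowed
    except ValueError:
        return False


# --- Encoding helpers, used only to build the constructed sample blobs below. ---
def _tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_content_info(content_type: str) -> bytes:
    """Constructed ContentInfo: the given contentType plus an empty SEQUENCE as the
    [0] EXPLICIT content, which is enough to exercise the outer-layer gate."""
    return _tlv(0x30, _tlv(0x06, _encode_oid(content_type)) + _tlv(0xA0, _tlv(0x30, b"")))


SAMPLE_SIGNED = make_content_info(OID_SIGNED_DATA)
SAMPLE_AUTH_ENVELOPED = make_content_info(OID_AUTH_ENVELOPED_DATA)
```

The gate only inspects the outermost layer, so a signedData whose encapsulated content is itself an AuthEnvelopedData would pass it; a deployment that never expects AEAD envelopes at any depth has to apply the same check to the inner `encapContentInfo` as well, or simply keep upgrading the library. The value of the check is that it runs on a few bytes with trivial parsing, before any of the algorithm-specific decoding the advisory describes.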

woodruffw commented on Over 36,500 killed in Iran's deadliest massacre, documents reveal   iranintl.com/en/202601255... · Posted by u/mhb
ares623 · 16 days ago
I can't comprehend how a population can kill that many of their own people. They aren't even an "other" people, which has been the most common scapegoat lately. Same skin color, same religion, same language, same homeland.
woodruffw · 16 days ago
It’s not necessarily the primary factor, but it’s worth noting that Iran is actually a relatively diverse country by the region’s standards. There are significant Kurdish, Azeri, Balochi, etc. minority groups, for whom the idea that they’re in the same “homeland” as the Persians is not necessarily given.
woodruffw commented on Spanish track was fractured before high-speed train disaster, report finds   bbc.com/news/articles/c1m... · Posted by u/Rygian
amelius · 16 days ago
My gut feeling says a lot of fatalities could have been prevented with a physical barrier between both tracks. Shouldn't this be mandatory with high speed trains?
woodruffw · 16 days ago
I think the physics of the situation don't make a barrier feasible: a derailed train going >100 mph is going to transfer a lot of energy to any kind of barrier it impacts, which in turn might exacerbate the situation (by spreading debris).

I think these kinds of accidents are largely mitigated by rail defect monitoring. I know rails in the US are equipped with defect detectors for passing trains; I'm surprised that a similar system doesn't exist for the rails themselves. Or more likely, one does exist and the outcome of this tragedy will be a lesson about operational failures.

u/woodruffw

Karma: 40614 · Cake day: May 26, 2015
About
I'm a Software Engineer in New York City (prev. Trail of Bits, currently Astral). Before that, I studied philosophy.

On the philosophy side, I'm chiefly interested in metaphysics (ontology and mathematics/formal systems & semantics) and deontological ethics (praise and blame, moral education, honesty & bad faith).

On the computational side, I'm chiefly interested in program analysis (compilers), security (compilers), and systems (compilers). I do a decent amount of professional open source work on projects that encompass some of those.

My opinions are my own and do not reflect those of any employer, institutions, affiliates, lovers or haters past, present, or future. They might not even be mine anymore!

Sites: https://yossarian.net / https://blog.yossarian.net / @yossarian@infosec.exchange
