Like any tech nerd, I went through a "camera phase" and carried a Canon 350D, 50D, then 6D everywhere I went with my 50mm and 135mm... but they were indeed bulky; it was a hassle to get people to pose for photos while I ran 100m back so my 135mm could capture them perfectly... I couldn't enjoy the moment. I was that "camera friend" who would fly around everyone like a fly, capturing them doing things and feeling proud that I got a good photo for them... But coming back from these trips, I realized I didn't spend enough time strolling the street with friends, talking about life, enjoying the moment, so I stopped... especially now with kids.
If only people were not so against cameras recording them, I think a Ray-Ban Meta idea would have been cool, but it needs to be constantly recording like those car dash cams, and when you have just shared a perfect funny moment, you can immediately hit save to preserve that moment for later. So many times I wished I had recorded the moment my children did things or were being funny, but it was too late.
I still love taking photos with my phone, and when my wife dresses in her favourite coat and the setting is right, I go back to being the "camera dude", using the best framing techniques I learnt to capture the moment; at least the experience from those years did not go to waste.
Last but not least, one of the best purchases I have ever made was the Instax Link Wide Bluetooth printer... it lets me print, sign the date, and gift my friends who visit something to take home and put on their fridge to remember the time we spent together.
> it was a hassle to get people to pose for photos
This so much. I bought a better camera for a big party my parents were organizing, and it was such a terrible experience trying to get people into a photo. Even if they welcomed the photo, they just couldn't stop moving or talking while posing for it.
Not exactly related, but on the topic of finding a target's location: a few years ago I used to run a little demo capturing Wi-Fi probe requests for the SSIDs in the preferred network lists of nearby devices and used https://wigle.net/ to identify places that people had visited... it was eye-opening for some people in the audience for sure.
Relatedly, one of my favorite recent papers is "Surveilling the Masses with Wi-Fi-Based Positioning System" [1]. In the paper, they (ab)use the fact that smartphones report the location of Wi-Fi access points to public databases in order to track human migration over several large-scale events (from natural disasters to the invasion of Ukraine).
100% this... the authn/authz should be gated at the server that stores the sensitive data... whatever token/user MCP uses must have its access scoped down to what is needed. I guess the biggest issue right now is that many of these APIs have no granular access control and are open to abuse :(
With that said, for some vulnerabilities like command injection or argument injection, the responsibility is on the MCP developer to make sure they follow best practices and not let the user take control of these commands when "shelling out".
Doing a bit of investigation with github_events in ClickHouse, it is quite clear that the account used to perform the attack was "2ft2dKo28UazTZ"; "mmvojwip" also seems suspicious:
It seems I forgot to cater for the quota applied to the free "play" user in ClickHouse in my previous query... In fact, the threat actor did a lot more... this should give a better list of the actions that were performed. It clearly shows he was testing his payload:
Nice find. It's a bit strange that the PRs listed there are not present at all in the Coinbase repo. It seems like the attack was directed there, but I also did not hear anything from Coinbase on this.
e.g. target their npm and PyPI tokens so they can push compromised packages.
I wonder if they forked it to "experiment" with the workflow Coinbase has and didn't actually make any pull request toward them, perhaps to validate their hypothesis/attack. With that said, Coinbase pulled the workflow that used tj-actions/changed-files immediately around this time, so hopefully no harm was done.
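The kind of query the comment above describes, as an added example (not the commenter's own query): it reconstructs the public activity of the two accounts named above from the github_events table on play.clickhouse.com. It assumes the free "play" quota is easiest to stay under by scoping on event_type and time (assumption: actor_login is not in the table's sorting key, so an unscoped filter on it reads most of the table); the 30-day window is a placeholder to be set to the incident dates.

```sql
-- Added example, not the commenter's query. Target: github_events on play.clickhouse.com.
-- The free "play" user is quota-limited, so scope the scan by event_type and a time
-- window instead of filtering on actor_login alone (assumption: actor_login is not in
-- the sorting key, so an unscoped filter reads most of the table and trips the quota).

-- 1. Timeline of the suspicious accounts' public actions.
SELECT
    created_at,
    event_type,
    actor_login,
    repo_name,
    action,
    number,
    left(title, 80) AS title_prefix,
    ref
FROM github_events
WHERE event_type IN ('ForkEvent', 'PushEvent', 'CreateEvent', 'DeleteEvent',
                     'PullRequestEvent', 'IssueCommentEvent',
                     'PullRequestReviewCommentEvent', 'ReleaseEvent')
  AND created_at >= now() - INTERVAL 30 DAY   -- placeholder: set to the incident window
  AND actor_login IN ('2ft2dKo28UazTZ', 'mmvojwip')
ORDER BY created_at
LIMIT 500;

-- 2. Which repositories were touched and how. Forks with pushes but no PR toward the
--    upstream are the "testing the payload" pattern the comment describes; PRs against
--    third-party repos are the actual delivery attempts.
SELECT
    repo_name,
    event_type,
    count()        AS events,
    min(created_at) AS first_seen,
    max(created_at) AS last_seen
FROM github_events
WHERE event_type IN ('ForkEvent', 'PushEvent', 'CreateEvent',
                     'PullRequestEvent', 'IssueCommentEvent')
  AND created_at >= now() - INTERVAL 30 DAY   -- same placeholder window as above
  AND actor_login IN ('2ft2dKo28UazTZ', 'mmvojwip')
GROUP BY repo_name, event_type
ORDER BY first_seen;
```

Deleted GitHub accounts stay visible in this archive, which is why the dataset is useful for after-the-fact investigation once the actor has cleaned up.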
https://github.com/coinbase/agentkit/pull/570/files
Note that these accounts seem to be deleted now. 2ft2dKo28UazTZ clearly did more than just changed-files and also seems to target coinbase/agentkit as well (actually... they might have been targeted by the threat actor).
The attacker was trying to compromise agentkit, found changed-files used in the repo, so looked around. Found that it was using a bot with a PAT to release.
Totally possible the bot account had a weak password, and the maintainer said it didn't have 2FA.
They got the release bot PAT, so they tried possibly quite an obvious vector with that. They didn't need anything sophisticated or to exfil the credentials because agentkit is public.
It just so happened that it was detected before agentkit updated dependencies.
It's possible that if they had checked the dependabot config they could've timed it a bit better so that it was picked up in agentkit before being detected.
edit: Although, I don't think PATs are visible after they're generated?
That is correct, and S3 is in 3 different regions with an object lifetime of maximum 10 days. It is backed by S3; the idea is to have the simplest code for anyone to review what it does (encrypt in browser and send the encrypted blob to S3, key never leaves the browser).
AFAIK, open-source Elasticsearch did not offer any form of authentication upon installation for many years, but ClickHouse does, and in fact I'm often surprised at how many authentication mechanisms have been introduced over the years and can be easily configured:
- Password authentication (bcrypt, SHA-256 hashes)
- Certificate authentication (fantastic for server-to-server communication)
- SSH key authentication (personally, this is my favourite; every database should have this authentication mechanism to make it easy for devs to work with)
Not very popular, but LDAP and an HTTP authentication server are also great options.
I also wonder how DeepSeek engineers deployed their ClickHouse instance. When I deployed using yum/apt install, the installation step literally asks you to input a default password.
And if you were to set it up manually with the ClickHouse binary, the out-of-the-box config seals the instance off from external network access, and the default user is only exposed to localhost, as explained by Alex here: https://news.ycombinator.com/item?id=42871371#42873446.
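The mechanisms listed above, written out as SQL-driven access control, as an added example that is not from the thread or from ClickHouse's own documentation. User names, hosts, the database name and the key material are placeholders; the default user itself is defined in users.xml and stays bound to localhost there, so it is not touched here.

```sql
-- Added example (placeholders throughout). Each account gets exactly one
-- authentication mechanism and is pinned to the network it should come from.

-- Interactive analyst: hashed password (ClickHouse stores only the SHA-256),
-- reachable only from the office range.
CREATE USER IF NOT EXISTS analyst
    IDENTIFIED WITH sha256_password BY 'REPLACE_WITH_STRONG_PASSWORD'
    HOST IP '10.20.0.0/16';

-- Service-to-service ingestion: mutual TLS. The client must present a
-- certificate, signed by the CA configured on the server, with this CN.
CREATE USER IF NOT EXISTS ingest_svc
    IDENTIFIED WITH ssl_certificate CN 'ingest.internal.example'
    HOST IP '10.30.0.0/24';

-- Developer: SSH public key, so no shared secret is stored or sent.
CREATE USER IF NOT EXISTS dev_alice
    IDENTIFIED WITH ssh_key
        BY KEY 'AAAAC3...PLACEHOLDER_ED25519_PUBLIC_KEY...' TYPE 'ssh-ed25519'
    HOST IP '10.20.0.0/16';

-- Least privilege: the server holding the data decides what each identity
-- may do, rather than every account inheriting broad rights.
GRANT SELECT ON analytics.* TO analyst;
GRANT INSERT ON analytics.events TO ingest_svc;
GRANT SELECT ON analytics.* TO dev_alice;

-- Review: confirm nothing is reachable from HOST ANY without meaning to be,
-- and that no account fell back to a plaintext or no_password method.
SELECT name, auth_type, host_ip, host_names
FROM system.users
ORDER BY name;
```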
Shame they paywalled JWT authn behind their expensive PaaS offering :(
It forced us to use an alternative, and paywalling security features in an "open source" product didn't make us feel comfortable about a long-term investment like a DB.
ClickHouse + Grafana is definitely a fantastic choice; here is another blog from ClickHouse talking about dogfooding their own technology and saving millions:
Note that if you have a self-hosted runner and some environment variables or execution state are carried over between runs, you should not even reply to or comment on any malicious PR. The reason is: if they have a pull_request_review_comment workflow inside the fork...
well, guess what? It bypasses even your "Require approval for all outside collaborators" flag in your repo settings and triggers on your self-hosted runner anyway...
Scored 9876 and won it on the first run, but I did use the undo button! :) I stumbled through the first half a bit but got the hang of it in the end, and after finishing it I think I had more fun than with the original 2048. This is because this game requires you to carefully place the pieces each time, while in the original 2048 you could get to 1024 with just a lot of repeated movement (down+left for me) to group all the biggest numbers in a corner.