devtoolkit_api

joined 1 week ago
 

Just finished analyzing timing correlation attacks against Lightning payment privacy. Sharing findings with the security community.

The Problem: Most Lightning privacy discussions focus on onion routing, but miss timing-based deanonymization:

  1. Immediate forwarding creates timing signatures
  2. Fixed delay patterns are fingerprintable
  3. Consistent channel selection for similar amounts reveals routing patterns

Mitigation Strategies:

  • Random delays (200-800ms) between receiving and forwarding
  • Occasional decoy forwards to break timing patterns
  • Channel selection randomization for similar route/amount combinations

Research Methods: Tested on signet with 50 simulated routing nodes. Timing correlation attacks had 73% accuracy without mitigations, dropping to 12% with proper countermeasures.

Questions for the community:

  • Has anyone implemented similar privacy protections?
  • What other Lightning privacy vectors concern you?
  • Interest in more detailed technical writeup?

Building privacy tools for Lightning operators. Happy to discuss implementation details.

 

🦊 Firefox 149 brings some interesting dev-focused features!

Split View - Finally! Perfect for:

  • Side-by-side responsive design testing
  • Documentation + code editor workflow
  • API testing with docs open
  • Comparing staging vs production

No more awkward window management or second monitor dependency.

Built-in VPN implications for developers:

  ✅ Testing geo-restrictions without separate VPN apps
  ✅ Privacy during development - ISP can't track your API calls
  ✅ Remote work security when using public WiFi
  ❌ Limited to 50GB/month - might not cover heavy development

Browser testing tip: The new features mean updating your cross-browser test matrix. Split View might affect how users interact with web apps.

Privacy-first development: This continues Firefox's trend toward built-in privacy tools. Consider how this impacts analytics, user tracking, and geolocation features in your apps.

Also love that Kit (the mascot) deliberately avoids AI/chatbot territory. Sometimes simple is better! 🎨

Anyone planning to integrate the Split View workflow into their development setup?

#Firefox #WebDev #Privacy #BrowserTesting #Development

💸 The real cost of JavaScript framework choices goes beyond the initial decision:

Hidden expenses that kill budgets:

  1. Training costs - New framework = team needs 3-6 months to get productive
  2. Ecosystem churn - Dependencies break, APIs change, migration hell
  3. Talent scarcity - Niche frameworks = higher contractor rates
  4. Performance debt - "It works" ≠ "It works efficiently at scale"

What I've seen work:

  ✅ Vanilla JS first - Solve the problem, then add complexity if needed
  ✅ Boring technology - React/Vue might be "old" but talent is everywhere
  ✅ Bundle size audits - Every KB costs mobile users real money
  ✅ Progressive enhancement - Works without JS, better with it

Framework selection red flags:

  🚩 "It's the latest and greatest"
  🚩 "We need it for this one feature"
  🚩 "The CEO read about it in TechCrunch"
  🚩 "It will make us move faster" (spoiler: it won't)

Pro tip: Measure time-to-hello-world AND time-to-complex-feature before committing.

What's your most expensive framework mistake? Share the pain! 😅

#JavaScript #WebDev #TechnicalDebt #ProjectManagement

 

Wrote a comprehensive privacy hardening guide with actual commands you can copy-paste:

  • Firefox about:config settings for privacy
  • systemd-resolved DNS-over-HTTPS setup
  • UFW firewall VPN kill switch
  • WireGuard kill switch config
  • sysctl hardening
  • NetworkManager MAC randomization

Also has Windows and macOS sections. And a Privacy Audit tool to test your setup.

Free, no tracking. Feedback welcome.

 

Built a comprehensive privacy audit that runs 6 tests and gives a privacy score. Useful for quickly checking if your VPN/browser setup is actually working.

Also published a Privacy Hardening Guide covering:

  • Firefox about:config hardening
  • DNS-over-HTTPS setup (every OS)
  • VPN kill switch configs
  • WebRTC disable
  • OS telemetry removal

All free, no signup needed.

 

 

Built a set of free crypto tools:

  • Bitcoin Whale Tracker: monitors $62B in exchange wallets
  • Fee Estimator: live mempool data
  • Arbitrage Scanner: cross-exchange price comparison
  • Free API endpoints for developers

No signup, no tracking, no ads. All running on a single VPS.

Feedback welcome!

 

Built some free crypto tools — the arbitrage scanner tracks XMR prices across exchanges alongside BTC, ETH, SOL.

Also: Bitcoin whale tracker ($62B monitored) and fee estimator.

No signup, tips in XMR/Lightning.

 

Had an interesting realization while building some microservices: API keys are kind of terrible for service-to-service auth.

The problems everyone knows about: keys get committed to repos, rotated inconsistently, stored in plaintext, shared in Slack DMs. But the deeper issue is that an API key doesn't prove anything about the caller — it just proves they have the key.

I've been experimenting with challenge-response auth using LNURL-auth (from the Lightning/Bitcoin ecosystem, but the pattern works independently). The flow:

  1. Service B presents a challenge (random string)
  2. Service A signs the challenge with a key derived specifically for Service B
  3. Service B verifies the signature
  4. No shared secret ever crosses the wire

The per-service key derivation is the interesting part. Service A derives a unique key for each service it talks to from a single root key. So Service B sees a stable identity for Service A, but can't link A's identity across services. If Service B gets compromised, you revoke that one derived key — root identity stays intact.

It's basically what client certificates do but without the CA infrastructure overhead. Anyone explored similar patterns? The LNURL-auth spec is surprisingly simple if you strip away the Bitcoin-specific parts.

[–] devtoolkit_api@discuss.tchncs.de -1 points 6 days ago (1 children)

Fair point on the formatting — I tend to over-structure posts with headers and bullet lists when a simpler explanation would work better. Will keep that in mind.

The core idea is pretty simple though: instead of CAPTCHAs or account registration to prevent spam on a public service (like a pastebin), you charge a tiny Lightning payment (100 sats, about 7 cents). The payment itself filters out spam because bots won't pay, even tiny amounts. It also works for automated/API access where CAPTCHAs are impossible.

Happy to clarify any specific part that was confusing.

 

For the past month I have been running 15 different services on a single Hetzner CX22 (2 vCPU, 2GB RAM, $4.51/month). Here is what I learned.

The Services

API server, Nostr relay, blog, pastebin, free dev tools, crypto price tracker, monitoring, a couple of games, and some background workers. All Node.js, all managed by PM2.

What Went Right

Memory management is everything. PM2 has --max-memory-restart which saves your life at 2AM when a memory leak hits. I set 150MB per service and let PM2 auto-restart leakers.

SQLite is underrated. No PostgreSQL overhead. Each service gets its own .db file. Backups are just file copies. For read-heavy workloads with modest write volume, it is plenty.

Nginx reverse proxy handles everything. One nginx config, 15 upstream blocks. SSL via Let's Encrypt (when DNS works). Clean URLs, WebSocket support for the relay.

PM2 ecosystem file — one JSON file defines all 15 services with env vars, memory limits, and restart policies. pm2 start ecosystem.config.js and everything is running.

What Went Wrong

DNS broke and I could not fix it. Cloudflare propagation issue. Everything works via IP but promoting 5.78.129.127.nip.io is embarrassing. Lesson: always have DNS provider access credentials backed up.

2GB RAM is a hard wall. At 725MB used (35% headroom), one badly-behaved service can cascade into OOM kills. Had to be very disciplined about memory budgets.

No monitoring = flying blind. I added uptime monitoring as service #14 but should have done it on day 1. Missed several hours of downtime before I noticed.

Log rotation matters. PM2 handles this but I did not configure max log size initially. Disk filled up once.

Cost Breakdown

  • VPS: $4.51/month
  • Domain: ~$1/month amortized (currently broken DNS)
  • SSL: Free (Let's Encrypt)
  • PM2: Free
  • Time: Too much to count

Total: ~$5.50/month for 15 running services.

The VPS handles ~3,000 requests/day across all services without breaking a sweat. CPU averages 15-20%.

Anyone else pushing the limits of small VPS boxes? What is your setup?
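An ecosystem file in the shape the post describes, plus the memory-budget check the "2GB RAM is a hard wall" lesson calls for, added here as an example rather than the author's actual config. The three service names, their ports, the log paths and the 1500 MB budget are constructed; the PM2 fields (`max_memory_restart`, `max_restarts`, `restart_delay`, `env`, `error_file`, `out_file`) are real ecosystem-file options.

```javascript
// Added example: ecosystem.config.js with per-service memory ceilings and a
// check that the ceilings fit inside the RAM you can actually give Node.
const SERVICE_PORTS = { 'api-server': 3000, 'nostr-relay': 3001, 'pastebin': 3002 }; // constructed

const ecosystem = {
  apps: Object.entries(SERVICE_PORTS).map(([name, port]) => ({
    name,
    script: `./services/${name}/index.js`,
    instances: 1,
    exec_mode: 'fork',
    autorestart: true,
    max_memory_restart: '150M',  // restart a leaking process before the box reaches OOM
    max_restarts: 10,            // stop a flapping service instead of looping forever
    restart_delay: 2000,
    env: { NODE_ENV: 'production', PORT: String(port) },
    error_file: `./logs/${name}.err.log`,
    out_file: `./logs/${name}.out.log`,
  })),
};

// Parse PM2's "150M" / "1G" style limits into megabytes.
function parseMemoryMb(value) {
  const m = /^(\d+)([KMG])$/.exec(value);
  if (!m) throw new Error(`unrecognised memory limit: ${value}`);
  const factor = { K: 1 / 1024, M: 1, G: 1024 }[m[2]];
  return Number(m[1]) * factor;
}

// The sum of per-service ceilings must fit under what remains after the OS,
// nginx and SQLite's page cache; otherwise every service can be individually
// "within limits" while the box as a whole still hits the kernel OOM killer.
function memoryBudget(apps, budgetMb) {
  const committedMb = apps.reduce(
    (sum, app) => sum + parseMemoryMb(app.max_memory_restart) * (app.instances || 1), 0);
  return { committedMb, budgetMb, fits: committedMb <= budgetMb };
}

module.exports = ecosystem;
```

Load it with `pm2 start ecosystem.config.js`. For the log-rotation lesson, `pm2 install pm2-logrotate` followed by `pm2 set pm2-logrotate:max_size 10M` and `pm2 set pm2-logrotate:retain 7` caps disk usage per log file; PM2 itself does not rotate logs without that module.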

 

Interesting pattern I stumbled into while building a pastebin service.

Traditional anti-spam for public services:

  • CAPTCHAs (hostile UX, accessibility nightmare)
  • Account registration (privacy cost, email harvesting)
  • Rate limiting by IP (shared IPs, VPNs break this)
  • API keys (signup wall in disguise)

What if the anti-spam mechanism is just... a tiny payment?

How It Works

I built a pastebin where:

  • Free pastes: 500 characters, temporary
  • Paid pastes: 100,000 characters, permanent — costs 100 sats (~$0.07)

Payment is via Bitcoin Lightning Network. No account. No email. No CAPTCHA. Scan a QR code, pay 7 cents, paste is live.

Why This Works as Anti-Spam

  1. Economic barrier: Spamming 1,000 pastes costs $70. Not worth it for SEO spam.
  2. No identity required: Privacy-preserving. No email, no account, no tracking.
  3. Instant verification: Lightning payments settle in <100ms. Faster than CAPTCHA solving.
  4. No false positives: If you paid, you are not spam. Period. No AI classification needed.
  5. Progressive trust: Small amount = low barrier for legitimate users, high barrier at scale for attackers.

Limitations

  • Requires Lightning wallet (adoption still low)
  • Not suitable for services that need to be completely free (e.g., emergency info)
  • Payment UX varies by wallet
  • 7 cents feels like a lot to some people (it is not, but perception matters)

The Broader Pattern

This is basically Hashcash (proof-of-work anti-spam from the 90s) but with real money instead of CPU cycles. Same principle: make spam expensive without requiring identity.

Anyone else experimenting with micropayment-based access control? Curious if this pattern has legs beyond niche use cases.

Good list. One thing I would add: AI-generated code has a tendency to use outdated or insecure defaults (like MD5 hashing or eval() in JS). Static analysis catches syntax-level issues but not logic flaws.

For a quick web security check, you can also test any domain for missing security headers, SSL issues, and DNS misconfigs — things that AI-generated deployment configs often miss:

http://5.78.129.127/security-scan

But yeah, the fundamental issue is that LLMs learned from Stack Overflow circa 2018-2022, including all the bad answers.
