Andrew White

@pixeltrix.bsky.social

CTO @unboxed.co

322 Followers  |  238 Following  |  612 Posts  |  Joined: 13.09.2023  |  1.797

Latest posts by pixeltrix.bsky.social on Bluesky

I assume the person who wrote this wasn't including hospital porters and cleaners in "skilled frontline workers" yet they're every bit as vital to a functioning NHS as nurses and doctors.

07.12.2025 10:26 — 👍 3    🔁 0    💬 0    📌 0

I assume you're falling back to webmock for testing error conditions on those clients? Timeouts, server errors, etc.

06.12.2025 12:07 — 👍 1    🔁 0    💬 1    📌 0

Yes, I do like that ability but most of what we deal with is fairly stable APIs like GOV.UK Notify so generally don't need it.

I've worked on apps with huge cassettes and it was impossible to re-record them because there were no test envs for the APIs - had to resort to manual editing of the YAML 🙈

05.12.2025 18:43 — 👍 0    🔁 0    💬 1    📌 0

I've always tended to avoid using the vcr gem, preferring to use webmock directly as it's easy to abuse it to record everything. However, it comes into its own when recording embedding generation for pgvector based searches - no-one wants to mock vectors with 1024 dimensions 😅

05.12.2025 18:27 — 👍 3    🔁 0    💬 2    📌 0

I'm not going to name and shame the person but you can find out who they really are by looking at the early PRs where they interact with their real GitHub account and not the throwaway anonymous account they've created - their LinkedIn page is tagged "Stealth Startup" 🙄

05.12.2025 07:10 — 👍 2    🔁 0    💬 1    📌 0

[Security] Fix CRITICAL vulnerability: V-001 by orbisai0security · Pull Request #1951 · basecamp/fizzy Security Fix This PR addresses a CRITICAL severity vulnerability detected by our security scanner. Security Impact Assessment Aspect Rating Rationale Impact High In this board management rep...

This is just another in a long line of AI slop vulnerability reports on open source projects but it really does start to feel like we're being exploited to provide free training data 🫠

github.com/basecamp/fiz...

05.12.2025 06:07 — 👍 5    🔁 0    💬 2    📌 0

Perhaps clearer with an example - if I split at MKC when going from COV-EUS I can travel on the 18:14 back with an off-peak return but if I don't split I have to travel on the 19:14.

Both trains are overcrowded but are more than 50% empty after MKC.

03.12.2025 07:56 — 👍 1    🔁 0    💬 1    📌 0

The thing that's really crazy about this is the off-peak day return to MKC works before 7pm - if you're travelling further than that you can't use it even though most of the passengers get off there.

03.12.2025 07:46 — 👍 0    🔁 0    💬 1    📌 0

Screenshot of the response headers when requesting the OBR November 2025 budget report which indicate the resource is protected by Cloudflare caching

It looks like there's Cloudflare caching on the URL - it might be they're only seeing the origin requests for the file and even then mostly the 'Not Found' requests as it's got a 365 day max-age on it. You'd need the CDN logs to get more detail - not sure whether you can access that with WPEngine

02.12.2025 07:02 — 👍 0    🔁 0    💬 0    📌 0

Yeah, not digging any further - I just wanted to check whether there was a different, original developer but they seem to be the same.

01.12.2025 21:43 — 👍 2    🔁 0    💬 0    📌 0

Unfortunately the developer's identity is easily traced from a variety of sources - no doubt the press are already planning an exposé ☹️

01.12.2025 21:29 — 👍 2    🔁 0    💬 1    📌 0

Doing a bit of digging on archive.org shows the site was originally hosted on RedWeb, probably using Apache. It was then moved to WPEngine, probably for greater bandwidth/faster hosting but it looks like the developer didn't realise it broke the protection.

01.12.2025 21:27 — 👍 1    🔁 0    💬 1    📌 0

WPEngine has a split hosting setup - they serve static files using nginx and then have a separate backend to serve PHP requests. This may have confused the detection in the plugin.

01.12.2025 21:25 — 👍 2    🔁 0    💬 1    📌 0

It's the Download Monitor plugin - it's in the report. There's a function to write a .htaccess file to protect the directory but it's hosted on WPEngine which uses nginx for static files so the config was ignored.

01.12.2025 21:07 — 👍 1    🔁 0    💬 1    📌 0

Less than £15k per year including hosting according to their published expenditure over £500 on their website (may have gone up since 2021 which is the last I could find easily)

01.12.2025 19:47 — 👍 1    🔁 0    💬 0    📌 0

I did have a good laugh at the posts saying "WordPress is difficult to configure - they should've used an enterprise CMS" 😂

01.12.2025 18:23 — 👍 1    🔁 0    💬 0    📌 0
OBR chair quits after inquiry into early release of Reeves’s budget Richard Hughes departs after investigation into how official forecaster accidentally published budget 40 minutes early

A quick check of archive.org shows the obr.uk website has been running on WordPress and using the Download Monitor plugin since 2017 - this has probably been well-known to some people for years.

www.theguardian.com/business/202...

01.12.2025 18:19 — 👍 0    🔁 0    💬 1    📌 0

BBC in six months: "Asylum seekers costing the NHS millions in wasted appointments as they fail to turn up" to which the government response will be to block them from using the NHS

29.11.2025 09:46 — 👍 0    🔁 0    💬 0    📌 0

It’s still getting bug fixes and security fixes but I assume they’re working on a replacement to improve security. It’s interesting that AWS have revived CodeCommit now - perhaps they’re not happy with GitHub as well

29.11.2025 08:27 — 👍 1    🔁 0    💬 0    📌 0

Update safe_sleep.sh for bug when scheduler is paused for more than 1 second by horner · Pull Request #3157 · actions/runner fixed a rare condition where the comparison may not be made within the second and then this will loop forever (or at least until a rollover of SECONDS) ;-) sleep was replaced in #1707 But if safe_...

This is the bug - the sleep command was replaced with a script that burns CPU and could hang if the scheduler paused for more than a second.

github.com/actions/runn...

29.11.2025 07:58 — 👍 1    🔁 0    💬 0    📌 0
GitHub - actions/runner: The Runner for GitHub Actions :rocket: The Runner for GitHub Actions :rocket:. Contribute to actions/runner development by creating an account on GitHub.

Reading about the safe_sleep.sh bug on GHA and went to look at the runner code and basically it's in a code freeze.

I guess at some point we're going to have to redo all our CI setups again 😭

github.com/actions/runner

29.11.2025 07:49 — 👍 1    🔁 0    💬 2    📌 0

Yes, nothing wrong with using nginx but as you say configured by someone not fully understanding the implications. For highly sensitive documents like this that need to be delivered via CDN you really need to be using tech like AWS CloudFront signed urls with a minimum access time policy.

28.11.2025 11:29 — 👍 0    🔁 0    💬 1    📌 0

Seems to include commercial properties for me in Coventry - I assume this wouldn't apply to them? Also a number of them are farms - are they exempt?

28.11.2025 11:05 — 👍 1    🔁 0    💬 0    📌 0

The OBR's problem is compounded by the fact that the server it's running on is nginx which doesn't support the .htaccess file that the plugin creates (TBF, the plugin does warn you if this is the case).

28.11.2025 09:27 — 👍 3    🔁 0    💬 1    📌 0

Seems like it was basically a WordPress post scheduling/unprotected documents directory due to bad server config:

bsky.app/profile/pixe...

27.11.2025 13:44 — 👍 2    🔁 0    💬 2    📌 0

The Download Monitor plugin does try to prevent this by generating a .htaccess file for the directory but the OBR site is using nginx and not Apache …

(the plugin does detect this and warns you that it can't protect the directory)

27.11.2025 06:36 — 👍 1    🔁 0    💬 1    📌 2
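The mechanism these posts describe, as an added illustration rather than anything from the thread, the OBR site or the Download Monitor plugin: an Apache-style .htaccess dropped into the download directory is never read by nginx, so the equivalent deny rule has to live in the nginx server block. The document root, the protected directory path, the hostname and the PHP-FPM socket below are assumed placeholders, not the real site's layout.

```nginx
# Assumed layout (placeholders): WordPress document root at /var/www/site,
# scheduled downloads stored under /wp-content/uploads/protected/.
#
# What an Apache-oriented plugin writes into that directory:
#   /var/www/site/wp-content/uploads/protected/.htaccess
#     deny from all
# nginx has no .htaccess support at all, so on nginx the directory is
# served like any other static path unless the server block says otherwise.
server {
    listen 443 ssl;
    server_name example.org;            # placeholder hostname
    root /var/www/site;

    # Block direct fetches of the protected upload directory.
    # "^~" makes this prefix match win over the regex locations below;
    # without it the static-file regex would still serve the PDFs.
    # Returning 404 (rather than "deny all", which gives 403) avoids
    # confirming to a guessed filename that the document already exists.
    location ^~ /wp-content/uploads/protected/ {
        return 404;
    }

    # Ordinary static assets are served directly from disk.
    location ~* \.(pdf|png|jpg|css|js)$ {
        try_files $uri =404;
        expires 7d;
    }

    # Everything else goes through WordPress, which can enforce the
    # scheduled publish time in its own download handler.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket path
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

A quick check after deploying is to request a known file under the protected prefix and confirm the response is 404 from nginx rather than the PDF, and to repeat it through the CDN so a previously cached copy is not still being served.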

Given the October 2024 budget document is called 'OBR_Economic_and_fiscal_outlook_Oct_2024.pdf' it wouldn't have taken many guesses to get to 'OBR_Economic_and_fiscal_outlook_November_2025.pdf'

I hope that the person who uploaded the document doesn't face any action because it's not their fault.

27.11.2025 06:22 — 👍 0    🔁 0    💬 1    📌 0
How Rachel Reeves’s budget was leaked 40 minutes early By the time the chancellor reached the dispatch box, the OBR had accidentally published its verdict in full online

Except they don't say how it was published early 🙄

A quick glance at the OBR website shows they use WordPress and a plugin 'Download Monitor'. They obviously scheduled the publication for the correct time in WP but didn't realise the actual file was unprotected

www.theguardian.com/uk-news/2025...

27.11.2025 06:22 — 👍 2    🔁 0    💬 1    📌 1

The AI generated copyright check is 🤯

"They're not the same code - look one uses PREFIX_var_name and the other uses PREFIX_VAR_name" 😂

23.11.2025 08:48 — 👍 0    🔁 0    💬 1    📌 0

How long would the video call have to be to get to LDL 50 for an X-Ray camera? 🤔

19.11.2025 11:53 — 👍 1    🔁 0    💬 0    📌 0