Except you’re not really given the soup. It’s just there for your taking, with a sign “contains piss”.
I’m just permanently surprised by the entitlement of people smh
How much free stuff did you create in your life, piss or not?
Except you’re not exactly homeless, are you?


Hu, it never occurred to me to check out these icons there - thanks for the heads-up: TIL


Seems like you’re talking about a different article: there was no context-poisoning, or in fact even anything LLM specific in this attack.


This wasn’t even a prompt-injection or context-poisoning attack. The vulnerable infrastructure itself exposed everything to hack into the valuable parts of the company:
Public JS asset
→ discover backend URL
→ Unauthenticated GET request triggers debug error page
→ Environment variables expose admin credentials
→ access Admin panel
→ see live OAuth tokens
→ Query Microsoft Graph
→ Access Millions of user profiles
Hasty AI deployments amplify a familiar pattern: Speed pressure from management keeps the focus on the AI model’s capabilities, leaving surrounding infrastructure as an afterthought — and security thinking concentrated where attention is, rather than where exposure is.


I love grafana, but it’s a resource hog, and my machine isn’t powerful. Prometheus/node_exporter however is as lightweight as it can get.
So I made a little Python script that fetches the data from Prometheus and uses matplotlib to generate a graph.
The dashboard calls that Python script for every configured graph and embeds the image so it looks nice.
You can find the script in one of my other repos (Prometheus-renderer probably), but there are dozens of similar ones: search GitHub for Prometheus renderer and you’ll see
If there are other things unclear, please don’t hesitate to ask


Go for it 👍


Wow, I can really see this taking off in the international dashboarding-scene!


Is it … a new tool? I love new tools 🥹


Couldn’t stop worrying about this, so I added:
--no-tooltips param: Don’t include check output for hover tooltips
--no-timestamp param: Omit the “Generated at” timestamp to hide system clock and monitoring cadence.
If you’re using these, I feel much better about making the html publicly accessible, but when you set up a config please remember that link-tags can expose your internal topology and the tile/slot name might do the same! Don’t go naming your tiles something like “Database Primary”, “Payment Service Worker”, or “Internal Auth API”!
(unless you wanna place a honeypot)
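
A pre-publication check for the leak sources named in this comment (tooltips, the “Generated at” timestamp, link targets, tile names), added here as an example; it is not part of ilias or of the original comment. It assumes tooltips are rendered as `title` attributes, and the keyword list, host suffixes and HTML sample are constructed for illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions: role words and internal suffixes are illustrative; tune them.
ROLE_WORDS = re.compile(r"\b(primary|replica|database|payment|auth|internal|admin)\b", re.I)
INTERNAL_SUFFIXES = (".local", ".internal", ".lan", ".ts.net")

def is_internal_host(host):
    """True for private/loopback IPs, single-label names and internal suffixes."""
    try:
        ip = ipaddress.ip_address(host)
        return ip.is_private or ip.is_loopback or ip.is_link_local
    except ValueError:
        return "." not in host or host.lower().endswith(INTERNAL_SUFFIXES)

class LeakAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for key, value in attrs:
            if key == "title" and value:  # assumed carrier of hover tooltips
                self.findings.append(("tooltip", value))
            elif key == "href" and value:
                host = urlparse(value).hostname
                if host and is_internal_host(host):
                    self.findings.append(("internal-link", host))

    def handle_data(self, data):
        text = data.strip()
        if "Generated at" in text:
            self.findings.append(("timestamp", text))
        elif ROLE_WORDS.search(text):
            self.findings.append(("revealing-name", text))

def audit(html):
    parser = LeakAudit()
    parser.feed(html)
    parser.close()  # flush any trailing text
    return parser.findings

# Constructed sample, not real ilias output.
SAMPLE = """<a href="http://10.0.3.7:5432/"><div class="tile">Database Primary</div></a>
<span title="82% (/dev/sda1 on db01)">⚠️ 70–89%</span>
<a href="https://example.org/status"><div class="tile">Blog</div></a>
<footer>Generated at 2024-01-01 12:00:00</footer>"""
```

Run `audit()` over the generated file before copying it to a public web root; an empty list means none of these four leak sources were found.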


Well, Ilias can certainly fill this niche. With a caveat:
Currently all output from checks is accessible as tooltips (so it’s in the HTML source), but for use cases such as yours it might be helpful to have the ability to suppress that kind of information leakage.
I think I’ll implement that in the coming days …


Loved that idea so much that I went and implemented it:
So now with this preamble:
# Defaults are used when nothing is defined at the slot level. They can be overridden by defining rules directly on a slot.
defaults:
  rules:
    - match:
        code: 0
      status: { id: ok, label: "✅" }
    - match: {}
      status: { id: error, label: "❌" }
# YAML anchors: reusable fragments ilias doesn't interpret directly...
# it's all just yaml
_anchors:
  pct_rules: &pct_rules # works for disk, memory, CPU …
    - match:
        output: "^[0-6]\\d%$|^[0-9]%$"
      status: { id: ok, label: "✅ <70%" }
    - match:
        output: "^[7-8]\\d%$"
      status: { id: warn, label: "⚠️ 70–89%" }
    - match: {}
      status: { id: critical, label: "🔴 ≥90%" }
I can now have a tile like this:
- name: Memory
  slots: # combine anchors and default rules as well as check shorthands
    - name: usage
      check: "free | awk '/^Mem:/ {printf \"%.0f%\", $3/$2 * 100}'"
      rules: *pct_rules
    - name: available
      check: "free -h | awk '/^Mem:/ {print $7 \" free\"}'"
      # uses default rules
    - name: total
      check: "free -h | awk '/^Mem:/ {print $2 \" total\"}'"
      # uses default rules
And the best? It’s fully backwards compatible ❤️
Thanks again for the suggestion!


Yes, I’m aware of that, but I always found it weird to have a live service for something that hardly ever changes. And then I had the idea of this whole “fully self contained html”, and now I can’t imagine it another way 😆
That’s just opinions though, and if Homepage strikes your fancy go for it - it’s an awesome project.


Hu, never thought of that - that’s a pretty neat idea! Thank you 🤗


Awesome, thanks for the consideration!
Please don’t immediately start public facing however - I literally just bashed the thing together in an afternoon, so who knows what kind of exploitable information leaks it might bring!
I’m personally using it from within a tailnet, so not public facing.
Edit:
I have since added:
--no-tooltips param: Don’t include check output for hover tooltips
--no-timestamp param: Omit the “Generated at” timestamp to hide system clock and monitoring cadence.
If you’re using these, I feel much better about making the html publicly accessible, but when you set up a config please remember that link-tags can expose your internal topology and the tile/slot name might do the same! Don’t go naming your tiles something like “Database Primary”, “Payment Service Worker”, or “Internal Auth API”!
Oh, I see. I didn’t read the implied /s 😂
Yes, of course your router (that’s routing your network traffic) sees the traffic it’s routing - although these days almost everything is using https, so the router wouldn’t be able to inspect the content.
However, the original question was about Windows, and I don’t know of any router that uses Windows, so I’m not sure if that addresses your actual question.
Here’s my attempt at a translation:
Make the switch to the good side every first Sunday!
Our digital lives are controlled by a few over-wealthy individuals. Through their corporate monopolies, people like Elon Musk, Jeff Bezos, and Mark Zuckerberg dictate worldwide how we access information online, how we discuss issues, communicate, or act. No individual or corporation should wield such unchecked influence, because under those conditions we can no longer live in freedom.
#DIDit
If you can point to any part of the analogy that’s valuable, I’m happy to go along. But this post is like breaking into someone’s home and shitting on their table. There, I can analogy too.