r/PinoyProgrammer

Just added my first portfolio – would love your feedback 🙏

Hello guys, I’m an aspiring software developer and I just created my first portfolio.

Here’s the link: https://vhan-vergara.vercel.app/

I’d really appreciate any feedback, suggestions, or improvements you can share.

Thank you so much!

reddit.com
u/Think_Ad7957 — 11 hours ago
▲ 11 r/PinoyProgrammer+7 crossposts

Alibaba Cloud and AWS host the anonymous bot harvesting our site. Yours could be next.

We run an independent observatory that measures how bots and AI agents behave on the open web. Last week we caught something that's worth writing about.

## The pattern

It started with a TLS fingerprint that kept showing up across different IP addresses. Same handshake, same parameters, same JA4 hash: `t13d311100_e8f1e7e78f70_d41ae481755e`.

That fingerprint is interesting on its own. It tells you the client uses TLS 1.3, with 31 cipher suites and 11 extensions. But the part that matters is the ALPN field. It's empty.

Real browsers always advertise ALPN. Chrome sends `h2`. Firefox sends `h2`. Safari sends `h2`. They negotiate HTTP/2 because every modern browser uses HTTP/2. A client that connects with TLS 1.3 in 2026 and announces no ALPN is not a browser. It's an HTTP library — Go's net/http, Python's requests with custom TLS, something in that family.

So we already knew: not a browser. Whatever was visiting us was pretending to be one.

## What it was pretending

The user agents told the rest of the story. The same JA4 fingerprint cycled through 13 different browser identities: Chrome 135 on Windows, Chrome 135 with Edge, Chrome 134 on Mac, Firefox 137, Safari 18.3, Safari 18.2, Chrome with Adguard, Chrome 131, Chrome 130, Chrome 116, ChromeOS, and a few others.

Thirteen browsers. One TLS handshake. The math doesn't work. Real users don't have thirteen browsers. Real browsers don't share TLS fingerprints. Someone built a list of common user agents and rotated through them on every request, while the underlying software stayed the same. That's deliberate. That's evasion.

## Where it was coming from

We pulled the IPs and ran them through ARIN. The allocation 47.74.0.0–47.87.255.255 is assigned to Alibaba Cloud LLC (AL-3). All 107 connections from this fingerprint to our site originated from rented infrastructure inside that allocation.

So we knew where the rental came from. We didn't know who rented it. Alibaba Cloud doesn't publish customer information. The trail stops at the cloud provider's perimeter.

## The detail that made it worse

While we were looking at the Alibaba traffic, the same JA4 fingerprint appeared once on a different IP: `3.91.x.x`. That block belongs to Amazon Web Services, us-east-1.

One hit. Same fingerprint. Different cloud.

That changes the picture. It's not a bot operating from Alibaba Cloud. It's a bot whose operator runs the same software across multiple cloud providers. Multi-cloud isn't a coincidence. It's how you build infrastructure that's hard to take down and hard to attribute.

## What it was doing

The behavior on our site was consistent with content harvesting. The bot consistently accessed paths that no organic visitor would reach. It never requested robots.txt. Not once across 107 connections. It never identified itself as a bot in any user agent. It hardcoded a referer header pointing to our home page on every request, regardless of where it actually came from.

There's also a small technical tell. One of the first paths it visited was a malformed URL: it had tried to follow a link to a Twitter profile from our home page, and it didn't resolve the URL escapes correctly. Browsers don't do that. HTML parsers built into scraping libraries do.

## What we can prove and what we can't

We can prove the TLS fingerprint. We can prove the IP ranges. We can prove the user agent rotation. We can prove the never-read-robots-txt. We can prove the multi-cloud appearance of the same software. All of this is independently verifiable: ARIN for IP attribution, the JA4 spec for fingerprint interpretation, our cryptographically signed observation chain for the request data.

We can't prove who runs it. We can't prove what they do with the harvested content. We can't prove which other sites they're hitting. We can guess based on behavior — content harvesting at this scale, with this level of evasion, is consistent with AI training data collection or competitive scraping operations. But guessing isn't proof.

## The part that should bother you

Both Alibaba Cloud and AWS prohibit exactly this kind of activity in their Acceptable Use Policies. AWS explicitly forbids "scraping" and "unauthorized data collection." Alibaba Cloud's terms forbid using their infrastructure for "activities that violate the legitimate rights and interests of others." Both providers wrote those rules. Neither enforces them in any way that would prevent what we're describing.

The infrastructure is rented. The policies are written. The enforcement is absent.

If you run a website, this matters to you. The bot we measured is one operator using one software stack. If our small observatory caught it in a few days of operation, the actual scale of this activity across the web is much larger. The same anonymous infrastructure is available to anyone with a credit card. The same lack of enforcement applies to everyone using it.

You probably won't see this kind of traffic in your standard analytics. Your CDN might rate-limit it, but it won't tell you what it was. Your WAF might block some of it, but it won't attribute it. The systems we built to defend the web were built when bots had names and IP reputation meant something. Anonymous operators rotating across cloud providers don't fit that model.

## What we're doing about it

We're publishing what we measure. The data behind this post is part of a larger registry of observed bot behavior, classified by what bots actually do on the open web rather than what they claim. We can't identify the operators. We can identify the patterns. We think that's worth making public.

**Think this bot might be hitting your site?** We'll run a free vulnerability report for you. Send us your domain to **hello@botconduct.org** with subject "Vulnerability Report" and we'll tell you what we see.

The full methodology, registry, and cryptographically signed evidence chain: [botconduct.org](https://botconduct.org)

We're going to keep publishing cases like this. There will be more.

— BotConduct

reddit.com
u/BotConductStandard — 5 hours ago
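
The tells described in the post above, as an added detection sketch that is not part of the original post or BotConduct's own code: it decodes the readable prefix of a JA4 string and groups request records by fingerprint. The record fields, `example.org`, the sample rows and the `h2` fingerprint are constructed for illustration; only the `t13d311100` JA4 value comes from the post.

```python
from collections import defaultdict

def parse_ja4_a(ja4):
    """Decode the human-readable first section of a JA4 string."""
    a = ja4.split("_")[0]
    return {"transport": a[0], "tls": a[1:3], "sni": a[3],
            "ciphers": int(a[4:6]), "extensions": int(a[6:8]),
            "alpn": None if a[8:10] == "00" else a[8:10]}  # "00" = no ALPN offered

def ua_family(ua):
    """Browser family a User-Agent claims; Edge/Chrome UAs also contain 'Safari/'."""
    for token, name in (("Edg/", "edge"), ("Firefox/", "firefox"),
                        ("Chrome/", "chrome"), ("Safari/", "safari")):
        if token in ua:
            return name
    return "other"

def flag_fingerprints(records, min_identities=3):
    """Group requests by JA4 and report the tells described in the post."""
    by_ja4 = defaultdict(list)
    for r in records:
        by_ja4[r["ja4"]].append(r)
    findings = {}
    for ja4, rows in by_ja4.items():
        uas = {r["ua"] for r in rows}
        primary, supporting = [], []
        if parse_ja4_a(ja4)["alpn"] is None and any(ua_family(u) != "other" for u in uas):
            primary.append("browser UA but no ALPN")
        if len(uas) >= min_identities:
            primary.append(f"{len(uas)} user agents on one handshake")
        if not any(r["path"] == "/robots.txt" for r in rows):
            supporting.append("never fetched robots.txt")
        if len(rows) > 1 and len({r["referer"] for r in rows}) == 1:
            supporting.append("same referer on every request")
        if primary:  # supporting tells alone also match ordinary browsers
            findings[ja4] = primary + supporting
    return findings

BOT_JA4 = "t13d311100_e8f1e7e78f70_d41ae481755e"      # value quoted in the post
BROWSER_JA4 = "t13d1516h2_aaaaaaaaaaaa_bbbbbbbbbbbb"  # constructed placeholder
HOME = "https://example.org/"                         # assumed site
SAMPLE = [  # constructed records, not real traffic
    {"ja4": BOT_JA4, "ua": "Mozilla/5.0 Chrome/135.0 Safari/537.36", "path": "/p/1", "referer": HOME},
    {"ja4": BOT_JA4, "ua": "Mozilla/5.0 Gecko/20100101 Firefox/137.0", "path": "/p/2", "referer": HOME},
    {"ja4": BOT_JA4, "ua": "Mozilla/5.0 Version/18.3 Safari/605.1.15", "path": "/p/3", "referer": HOME},
    {"ja4": BROWSER_JA4, "ua": "Mozilla/5.0 Chrome/135.0 Safari/537.36", "path": "/", "referer": ""},
    {"ja4": BROWSER_JA4, "ua": "Mozilla/5.0 Chrome/135.0 Safari/537.36", "path": "/p/1", "referer": HOME},
]
print(flag_fingerprints(SAMPLE))
```

The robots.txt and referer checks are recorded only as supporting context, because an ordinary browser session also skips robots.txt and can carry one referer across a few page views.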

Built a no-signup PDF editor that actually edits text

Hi 🙂

Built a small no-signup PDF editor that actually edits text (not just annotations).

First download is free, no subscription.

Still early, happy to share if anyone’s curious.

reddit.com
u/Ok-Watercress9603 — 5 hours ago
▲ 0 r/PinoyProgrammer+2 crossposts

Update: 3-min walkthrough on how I built the tiny life sim — for those who asked on the last post

Follow-up to my previous post about Mini World (Studying Three.js — created a tiny life sim : r/PinoyProgrammer). u/pabilipongref commented that they were curious how I built it and how long it took — so I made this short walkthrough.

Just 3 minutes. It covers:

  • The "1 day" timeline itself
  • Architecture overview (sim + render layers)
  • Two-loop pattern (sim ticks at ~12Hz, render at 60fps)
  • EventBus to decouple the sim from the render
  • InstancedMesh trick for 500+ creatures at 60fps
  • Motion smoothing between discrete sim ticks
  • Layered scene composition

Honest disclosure: the video is AI-generated and the voiceover is AI. I don't have the skills to make tutorial videos, so I used Claude (claude.ai/design) to generate the animated explainer + AI narration (ElevenLabs). The code and architecture decisions are real and mine — only the packaging as a video is AI-assisted. Trying to be upfront so it isn't misleading.

If you have specific questions (how the InstancedMesh setup works, the EventBus pattern, the smoothing logic, anything) — just comment and I'll answer wholeheartedly. I'll also learn more about which parts are interesting to you.

🎥 YouTube: How I built a tiny life sim in vanilla JS + Three.js (3 min walkthrough)
💻 GitHub: jmbt25/jmbt25.github.io
🌍 Live demo: Mini World — a world that knows you're watching

u/No-Style4734 — 16 hours ago
🔥 Hot ▲ 76 r/PinoyProgrammer

Getting out of software engineering/ tech in general?

I’ve been in the field for 2-3 years now as a software engineer (still considered a junior/ associate?), but I’m starting to feel burned out and not as interested in the work anymore.

I'm not sure what it is like with other companies, but I'm tired of working with legacy software and constantly questioning the worth ("ambag") I give out to society (fintech for hedge funds). Like, I know it's a bit naive sentiment, but I don't feel like I'm making the world a better place with my current field of work (contrary, it's the opposite).

The mundaneness of things, corpo culture, office politics, and current job market hell are all getting to me. Plus, with the current direction we're going with AI and ongoing pressure for a more "agentic" workflow, it doesn't feel like I'm doing any real engineering work anymore. (I've used agents before yes and I admit they are very efficient)

I’m considering switching to something outside of tech, but I’m not sure what or how realistic that even is so I'm asking if other people made the same switch/ sentiments.

For those who’ve left tech:

  • What did you transition into?
  • Were you able to utilize what you learned in tech as SWE, DevOps, IT, etc.?

My current position is stable and compensation is kinda fair, but I'm not happy with it anymore or I don't see myself being happy in the upcoming years. I hate my job, but I also have to pay rent. So, I'm a bit stuck / conflicted on what to do

For any that disagree with my sentiment, why or why not and what would be your opinion?

Thank you all in advance.

reddit.com
u/random_hitchhiker — 1 day ago

Is it hard to get into Open Source?

I'm just wondering if anyone here has experience creating their own open source project or has contributed to any OSS of some sort. Do you really need to be extremely good at coding? Can you please share honest tips on how to get into open source?

reddit.com
u/Restify727 — 1 day ago

Advice on Career Offer I got, Business Intelligence, 35k, No Benefits.

Business Intelligence Role, 35k, No Benefits, Thoughts?

I just graduated this year and am job hunting.

So wanted to ask your opinions on this

I'm a fresh grad

Role is Business Intelligence

Offer is 35k

But no benefits, only gov mandated (13th month, sss, etc.)

5x a week onsite, but only a 20-30 min drive

Wanted to ask your thoughts, thank you!

reddit.com
u/--Providence-- — 1 day ago

Studying Three.js — created a tiny life sim

Side project while studying Three.js. Tiny life sim — it has plants, herbivores, predators, and humans that form tribes. Just vanilla JS, no build tools.

Still rough, but just sharing for now to get feedback.

Thanks in advance for checking!

jmbt25.github.io
u/No-Style4734 — 1 day ago
▲ 23 r/PinoyProgrammer+17 crossposts

I am building a communication platform for companies globally, to communicate easily and efficiently! Roast me whether I should continue or just move on.

u/Free-Signal5560 — 2 days ago

I've tried quite a few budgeting apps… but none of them stuck. So I built my own

It's not that they aren't useful, or maybe I'm just really lazy haha.

Anyways, so I tried a different approach, I built a gamified budgeting app where:

• Saving money = XP

• Paying debt = like a boss fight

• Staying consistent = level up

• Quest & Progression system = Building a good financial habit

Basically it feels like an RPG instead of a chore 😅

It still tracks everything from budgeting, expenses, subscriptions, credit cards, recurring payments, accounts, etc., but the goal is to have the same dopamine hit we get from games so that it's stickier to use.

Just curious:

👉 For those who use budgeting apps, what's the reason you don't stick with them?

👉 What feature do you think would help you stay consistent?

If you want to check it out: https://huntervault.app

Open to feedback (still working on branding) 🙌

reddit.com
u/Quick_Ad6731 — 4 hours ago

Should I just vibe code my programming projects. Read the code produced by a.i, if it makes sense then copy and paste it?

I'm a beginner in programming and right now I follow the advice that I saw on Reddit. Currently what I'm doing is I code my projects raw; I don't let A.I. produce a single line of code, I just ask the A.I. about some concepts or syntax.

Now the question is, should I do what's in the title of this post?

A.I. keeps improving and I feel like I'm falling behind.

reddit.com
🔥 Hot ▲ 74 r/PinoyProgrammer

Company Execs prefer Vibe Coding

I am working in a midsized company in the South. We just heard that starting in the next 2 weeks we'll be using the company-owned MCPs (I'm not sure if that's the right term) and maximizing AI. I think they bought it or outsourced foreign devs to set it up. It's really vibe coding and we'll just prompt; even code reviews and PRs will be done by AI. Really everything, resolving bugs and writing test cases, as long as AI can do it. They want the AI to just keep generating code continuously, to the point that we won't even check what's being put in.

I have nothing against AI but I'm just worried about that. I'm still new to the industry and it doesn't seem good if I get used to purely AI. I want to learn first and solidify my basics and foundation. I think just AI-assisted coding is still better, but that's not what our execs want. I really don't want to become AI dependent but the company is really pushing it. What they want to happen is that features that take 1 week should be finished in 2 days or less. They will provide AI subscriptions, though.

They also already have plans to reduce employees after 1 month if it's successful.

Any thoughts?

reddit.com
u/buldak-carbonara — 3 days ago

Leaving my Job for a Remote Work + Self-studying

I'm closing in on my first year of working right after college as a data engineer and it has been tough because the company I joined is very sales-focused (consulting) and I'm the only data engr here. I initially chose DE because it seems more future-proof in the AI era, but ever since, my joy in building has been slowly fading since we rarely see data pipelines - building webapps/apps is more tangible, at least for me.

I feel burned out because I've been leading end-to-end DE projects (migration/POCs) without a mentor and I'm not paid well either since I'm a fresh grad. It feels like there's no benefit for me to stay since there's no senior guiding me and my pay isn't competitive either even though I'm constantly doing OT. Also, the tool/platform we use is not as high in demand here because it's mostly for enterprise.

Now, I got a remote work contract for half a year as probationary, then if that goes okay, they said they'll offer me a one-year contract. It's a software engr + DE engr role and so far, the owner is very chill. There are only 2 of us devs but the one I'm with is already senior, which is nice. In comparison, my pay for 20hrs/wk here is even higher than at my full-time job & I also have the option to go full time.

I'm planning to quit my job but I'm not sure if that's the right decision, because I want to start "building" again while exploring & learning more about software and data engineering while also earning substantially. There's also time freedom because the remote work is output based, but only logged-in hours are paid.

A bit all over the place but that's how I feel with my current situation. Any insights or advice?

reddit.com
u/Puzzleheaded_Ad2789 — 1 day ago

Going abroad as a programmer/developer

Hello everyone! Just wanna ask if it's hard to find a job outside the country given that I already have enough experience here in the Philippines.

reddit.com
u/awtsgege44 — 3 days ago

Vscode Extension - Note taking app for dummies

Sooo I've been a fan of Obsidian for a long time, and I primarily like it just because of its vim keybinds feature. My only issues with it: I still need to run it while coding, file sync is paid/a hassle, and the user has less control. So I looked for note-taking apps on the VS Code Marketplace, but I couldn't find one that was just "plug-and-play". So I created this extension for dummies like me. Simple setup, easy to sync notes through git, and free!!!

- By the way, it's also possible here to use a folder with a repository and edit files through the extension, so it's like a pseudo two repos in one VS Code; not recommended but possible.

Marketplace link: https://marketplace.visualstudio.com/items?itemName=note-code-extensions.note-code

Github link: https://github.com/note-code-extension/note-code

This extension is mostly tested on Linux, so if you ever encounter any problem or want to suggest a feature, let me know. Thanks!

reddit.com
u/OriginalCube_ — 1 day ago