12MB Rust CLI Refuses to Lie: KiloCheck Returns 0.0 Confidence on Suspicious Recruiter Pitch, Exposes Social Engineering Signal
These articles are AI-generated summaries. Please check the original sources for full details.
A Vibe Is Not a Verdict: I Built a Tool That’s Allowed to Say ‘I Don’t Know’
Developer Don Johnson built KiloCheck, a 12MB offline IP-reputation engine in Rust, to answer one question without vibes. When a suspicious recruiter email arrived, the tool returned ‘unknown’ with 0.0 confidence—refusing to guess despite the author’s gut screaming scam.
Why This Matters
The technical reality of threat triage is that analysts often rely on gut feelings and tools that inflate confidence to please their operators, leading to wasted effort on false positives and missed signals in social engineering. KiloCheck’s design—cryptographically verified offline lookups with an explicit ‘unknown’ state—proves that a tool which says ‘I don’t know’ under pressure is more valuable than one that guesses to match a user’s mood, as demonstrated by the author’s morning: a 0.0 verdict redirected analysis from a clean IP to the actual spam source, avoiding hours of dissecting a legitimate job board.
Key Insights
- KiloCheck, written in Rust, uses a four-stage pipeline—ingest, normalize, compile, check—with cryptographically signed local snapshots and zero network calls at query time, ensuring offline operation.
- The tool defines five distinct states—missing, unknown, stale, incomplete, unsafe—refusing to conflate ‘I don’t know’ with ‘safe’ or ‘bad,’ a design choice that prevented false positives during the author’s test.
- A 0.0 confidence ‘unknown’ verdict on the recruiter’s host led the author to redirect analysis with curl and openssl, uncovering a legitimate job-traffic aggregator redirect and a lead-gen spammer, not malware.
- The experiment validated that honest negatives reframe investigations: ‘my own tool solved the case by refusing to pretend,’ shifting focus from infrastructure to social engineering.
- The toolchain of dig, KiloCheck, curl, and openssl composed via stable JSON, enabling typed conversations with reality where ‘exit codes matter [and] schemas matter.‘
Working Examples
Install and verify KiloCheck, an offline IP-reputation engine written in Rust. The update pulls a signed data release with 3160 claims, and the status check confirms integrity and freshness.
curl -fsSL https://raw.githubusercontent.com/copyleftdev/kilocheck/v0.2.0/scripts/install.sh | sh
kilo update # pulls the signed data release → prints "Claims 3160"
kilo status --json
# → "integrity": "verified", "freshness": "fresh"
Resolve a suspicious hostname to an IP address using dig, then check it with KiloCheck. The tool returns an honest ‘unknown’ verdict with 0.0 confidence when no evidence exists.
$ dig +short <the-redirect-host>
203.0.113.90
$ kilo check 203.0.113.90 --json | jq '.data[0].verdict'
{
"disposition": "unknown",
"confidence": 0.0,
"recommended_action": "monitor",
"reason_codes": ["NOT_OBSERVED"]
}
kilo check <your-suspicions-here> --json
Practical Applications
- Use case: Security analysts triaging suspicious links can use KiloCheck to verify IP reputation offline before engaging potential threats. Pitfall: Relying on gut feeling or ‘vibes’ instead of evidence can lead to wasting time on false positives or missing real threats.
- Use case: Developers can compose small, single-purpose CLI tools speaking stable JSON to build auditable investigation pipelines. Pitfall: Using chatty, all-in-one APIs that leak queries or return confident-sounding guesses (e.g., 0.0 confidence reported as ‘safe’) undermines trust in the tool’s output.
- Use case: Teams designing threat-intelligence systems should model ‘unknown’ as a distinct state, not a shade of ‘safe’ or ‘bad.’ Pitfall: Smearing unknown with unsafe leads to alarm fatigue and loss of signal; smearing unknown with safe lulls operators into complacency.
References:
Continue reading
Next article
Developers Ditch Complex Agent Stacks for 'Taste Skills' — 343k Install Caveman to Curb AI Output
Related Content
Four OAuth2 Bugs Blocking Google Login: CRLF Characters, Wrong Spring Classes, and Cookie Confusion
Developer Dogukan Karademir details four OAuth2 bugs blocking Google login integration, including hidden CRLF characters and wrong Spring base classes.
SVI: A New CLI Tool to Streamline Prompt Engineering for AI-Assisted Coding
Developer Aleksandr Razinkin builds SVI, a Markdown-based CLI tool that automates prompt assembly for ChatGPT, reducing manual context gathering and enabling copy/paste or API workflows.
Revise: A Spaced-Repetition Learning Tool Using LLM Prompting
Developer Samot released Revise, a free app utilizing spaced-repetition and LLM integration to prevent academic knowledge decay over summer breaks.