
Apple is the only Big Tech company whose capex declined last quarter

https://sherwood.news/tech/apple-is-the-only-big-tech-company-whose-capex-declined-last-quarter/
1•elsewhen•51s ago•0 comments

Reverse-Engineering Raiders of the Lost Ark for the Atari 2600

https://github.com/joshuanwalker/Raiders2600
2•todsacerdoti•2m ago•0 comments

Show HN: Deterministic NDJSON audit logs – v1.2 update (structural gaps)

https://github.com/yupme-bot/kernel-ndjson-proofs
1•Slaine•5m ago•0 comments

The Greater Copenhagen Region could be your friend's next career move

https://www.greatercphregion.com/friend-recruiter-program
1•mooreds•6m ago•0 comments

Do Not Confirm – Fiction by OpenClaw

https://thedailymolt.substack.com/p/do-not-confirm
1•jamesjyu•6m ago•0 comments

The Analytical Profile of Peas

https://www.fossanalytics.com/en/news-articles/more-industries/the-analytical-profile-of-peas
1•mooreds•6m ago•0 comments

Hallucinations in GPT5 – Can models say "I don't know" (June 2025)

https://jobswithgpt.com/blog/llm-eval-hallucinations-t20-cricket/
1•sp1982•6m ago•0 comments

What AI is good for, according to developers

https://github.blog/ai-and-ml/generative-ai/what-ai-is-actually-good-for-according-to-developers/
1•mooreds•6m ago•0 comments

OpenAI might pivot to the "most addictive digital friend" or face extinction

https://twitter.com/lebed2045/status/2020184853271167186
1•lebed2045•8m ago•2 comments

Show HN: Know how your SaaS is doing in 30 seconds

https://anypanel.io
1•dasfelix•8m ago•0 comments

ClawdBot Ordered Me Lunch

https://nickalexander.org/drafts/auto-sandwich.html
1•nick007•9m ago•0 comments

What the News media thinks about your Indian stock investments

https://stocktrends.numerical.works/
1•mindaslab•10m ago•0 comments

Running Lua on a tiny console from 2001

https://ivie.codes/page/pokemon-mini-lua
1•Charmunk•11m ago•0 comments

Google and Microsoft Paying Creators $500K+ to Promote AI Tools

https://www.cnbc.com/2026/02/06/google-microsoft-pay-creators-500000-and-more-to-promote-ai.html
2•belter•13m ago•0 comments

New filtration technology could be game-changer in removal of PFAS

https://www.theguardian.com/environment/2026/jan/23/pfas-forever-chemicals-filtration
1•PaulHoule•14m ago•0 comments

Show HN: I saw this cool navigation reveal, so I made a simple HTML+CSS version

https://github.com/Momciloo/fun-with-clip-path
2•momciloo•15m ago•0 comments

Kinda Surprised by Seadance2's Moderation

https://seedanceai.me/
1•ri-vai•15m ago•2 comments

I Write Games in C (yes, C)

https://jonathanwhiting.com/writing/blog/games_in_c/
2•valyala•15m ago•0 comments

Django scales. Stop blaming the framework (part 1 of 3)

https://medium.com/@tk512/django-scales-stop-blaming-the-framework-part-1-of-3-a2b5b0ff811f
1•sgt•15m ago•0 comments

Malwarebytes Is Now in ChatGPT

https://www.malwarebytes.com/blog/product/2026/02/scam-checking-just-got-easier-malwarebytes-is-n...
1•m-hodges•15m ago•0 comments

Thoughts on the job market in the age of LLMs

https://www.interconnects.ai/p/thoughts-on-the-hiring-market-in
1•gmays•16m ago•0 comments

Show HN: Stacky – certain block game clone

https://www.susmel.com/stacky/
2•Keyframe•19m ago•0 comments

AIII: A public benchmark for AI narrative and political independence

https://github.com/GRMPZQUIDOS/AIII
1•GRMPZ23•19m ago•0 comments

SectorC: A C Compiler in 512 bytes

https://xorvoid.com/sectorc.html
2•valyala•20m ago•0 comments

The API Is a Dead End; Machines Need a Labor Economy

1•bot_uid_life•21m ago•0 comments

Digital Iris [video]

https://www.youtube.com/watch?v=Kg_2MAgS_pE
1•Jyaif•22m ago•0 comments

New wave of GLP-1 drugs is coming–and they're stronger than Wegovy and Zepbound

https://www.scientificamerican.com/article/new-glp-1-weight-loss-drugs-are-coming-and-theyre-stro...
5•randycupertino•24m ago•0 comments

Convert tempo (BPM) to millisecond durations for musical note subdivisions

https://brylie.music/apps/bpm-calculator/
1•brylie•26m ago•0 comments

Show HN: Tasty A.F. - Use AI to Create Printable Recipe Cards

https://tastyaf.recipes/about
2•adammfrank•27m ago•0 comments

The Contagious Taste of Cancer

https://www.historytoday.com/archive/history-matters/contagious-taste-cancer
2•Thevet•28m ago•0 comments

Stealing from Google

https://taqib.dev/blog/stealing-from-google/
65•dominikdoesdev•4mo ago

Comments

gryfft•4mo ago
Nice, but doesn't automatically update when the Google avatar changes. Cache invalidation strikes again.
DashAnimal•4mo ago
This seems problematic to me. Beyond just caching issues, did you ever get permission from users to store their personal data? They gave google permission, but not you.
abraham•4mo ago
The users are going through an OAuth flow and creating an account. Presumably they are agreeing to a ToS as part of that.
mattmanser•4mo ago
It even says in the OAuth flow that the company is requesting your profile image.
arcfour•4mo ago
It's a public photo. What's wrong with downloading it?
yallpendantools•4mo ago
Folks, read yourself some GDPR for the greater good. Even just https://gdpr-info.eu/art-4-gdpr/

Public data can be personal data and anyone doing the same as TFA is making itself a liable processor. But, aren't you a processor by using OAuth in the first place? Yes but with what TFA is doing you have a greater liability surface.

(IANAL but I cite GDPR because the broad concepts apply to data privacy laws in other jurisdictions. See also: https://en.wikipedia.org/wiki/Brussels_effect)

arcfour•4mo ago
I don't live in Europe, I will never travel to Europe, I don't plan to ever do business with Europe. I don't care if Europe sentences me to be shot into the sun for GDPR violations, it's not like I'm going to be extradited for it.

And I'm not aware of any law anywhere here that says I can't download a public photo. The use case is clearly valid and benign, the photo is public, there's no way a judge would go for that no matter how you twist the law.

mimsee•4mo ago
If I wanted to achieve the same result, that is to serve assets of others from my own domain, I'd just create a custom endpoint like /api/user-avatar/:userId and an action that proxies the actual image from google, maybe keep a cached copy for some time to not have to redownload the image on every request.
arcfour•4mo ago
Especially since, if you were doing this on CloudFlare—which you can with OpenNext—it's incredibly simple to work with CloudFlare's caches in Workers. For example: https://developers.cloudflare.com/workers/examples/cache-usi...

Plus there's their Images service which could come in handy to transform them a bit, too, if you wanted.

skylurk•4mo ago
This. Only needs a couple lines of nginx config.
russianGuy83829•4mo ago
<Furiously typing GDPR data request..>
dakiol•4mo ago
I really didn't get what the post was about. I'm getting old or? And I thought I was clever because I work with distributed databases...
zaik•4mo ago
The post assumes the reader is familiar with where things are happening and who is involved. Guess I'm not part of the target audience.
lozenge•4mo ago
Loading an img tag doesn't involve trusting a domain. Especially using crossorigin and refererpolicy attributes.
devmor•4mo ago
The post seems to be written by a developer that has never heard of caching and thinks they have invented some illicit solution by implementing it.

It makes very little sense - They don't want to ask users to trust Google's domain despite... integrating the user's google account? What?

valiant55•4mo ago
And in what way is this stealing? Caching a publicly available asset? Sounds like you are saving Google bandwidth/money.
devmor•4mo ago
Yes, quite the opposite. It did remind me of the old days though, when you could do the opposite and "hotlink" pictures from most websites and save yourself bandwidth costs!
vmenon401•4mo ago
I think the point is that they’re avoiding whitelisting Google and Github domains, which is necessary to preprocess images from and use urls to images to their domain in an Image tag. That allows malicious users to send such urls to his _next image preprocess endpoint and get “free compute”. (Not sure why someone would do that other than to just screw with somebody).

He’s using BetterAuth hooks to fetch those images and upload to his trusted url to avoid such a scenario.

devmor•4mo ago
That does make sense, but I'm not sure why it was worth sharing.
bitpush•4mo ago
Isn't this just passthrough caching with some persistence?
reaperducer•4mo ago
Irony: Claim you're stealing from Google, then post it on a .dev domain, of which Google is the operator.
rjmorris•4mo ago
They sold .dev to Squarespace a couple years ago.
reaperducer•4mo ago
Interesting. No mention of that on Wikipedia.
lelandbatey•4mo ago
Note to the developer: you may want to consider simplifying the CSS you're using to display the "clever" dot in the background of your page. On my computer, viewing your site in Firefox, scrolling the page has a nearly 2000ms delay caused by whatever is going on. This is improved but not fixed by disabling the `.bg-dot::before` background CSS property.
stephenlf•4mo ago
> But there’s a catch: anyone can abuse your app to optimize their own images, which costs you compute.

Could anyone explain this?

samtheprogram•4mo ago
The components work by requesting the image URL from your own server/API, at a route like `/_next/image`. The actual image URL that's passed as a prop to the component is passed to that API endpoint as a URL parameter.

So, the endpoint is essentially a proxy that does additional image processing, like compression and width/height resizing (again, a URL parameter that the Image component or any other client can change based on the device / screen size in use).

This means that without a domain whitelist, theoretically any image URL can be passed to the endpoint, which will then be processed and cached by your infra.

This has been used in the wild, e.g. racking up charges on someone else's Vercel bill by requesting a bunch of images through this endpoint.
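
As an added example (not part of the article or of any comment in this thread), here is the kind of allowlist check and cache that an avatar proxy endpoint like the one mimsee describes needs before it fetches a caller-supplied URL; the abuse samtheprogram describes is exactly what happens when that check is missing. The pattern shape (protocol, hostname, pathname with `*` and `**` globs) mirrors the `images.remotePatterns` setting in `next.config.js`, which is the real Next.js knob for this; the matcher, the in-memory cache, the size limit and the Google/GitHub avatar hostnames are this example's own assumptions, and `handleAvatarRequest` takes an injectable `fetchImpl` so it can be exercised offline.

```javascript
// Added example, not code from the article or from any commenter: an
// allowlist-gated, caching avatar proxy of the kind the thread describes.
// The pattern shape (protocol / hostname / pathname with * and ** globs)
// mirrors Next.js's images.remotePatterns config; the matcher, the cache,
// the size limit and the hostnames below are this example's own assumptions.

const ALLOWED_IMAGE_SOURCES = [
  { protocol: 'https', hostname: 'lh3.googleusercontent.com', pathname: '/**' },
  { protocol: 'https', hostname: 'avatars.githubusercontent.com', pathname: '/u/**' },
];
const MAX_IMAGE_BYTES = 2 * 1024 * 1024; // refuse to buffer anything larger
const CACHE_TTL_MS = 60 * 60 * 1000;     // serve a cached avatar for one hour

// Translate a glob into an anchored RegExp. `**` matches anything; a single
// `*` matches one token, whose character class depends on whether we are
// matching a hostname (one DNS label) or a path (one segment).
function globToRegExp(glob, singleToken) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  const body = escaped
    .split('**')
    .map((piece) => piece.split('*').join(singleToken))
    .join('.*');
  return new RegExp('^' + body + '$');
}

// The check the image endpoint must run before it fetches anything on the
// caller's behalf: absolute URL, no embedded credentials or explicit port,
// and a protocol/hostname/path triple that matches one allowed pattern.
function isAllowedImageUrl(rawUrl, patterns = ALLOWED_IMAGE_SOURCES) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // relative, empty or malformed input never reaches fetch()
  }
  if (url.username || url.password || url.port) return false;
  return patterns.some(
    (p) =>
      url.protocol === `${p.protocol}:` &&
      globToRegExp(p.hostname, '[^.]+').test(url.hostname) &&
      globToRegExp(p.pathname, '[^/]*').test(url.pathname),
  );
}

const avatarCache = new Map(); // upstream URL -> { body, contentType, expiresAt }

// Handler for a route such as /api/user-avatar?url=... (hypothetical route).
// `fetchImpl` and `now` are injectable so the logic can be exercised offline.
async function handleAvatarRequest(requestedUrl, fetchImpl = globalThis.fetch, now = Date.now) {
  if (!isAllowedImageUrl(requestedUrl)) {
    return { status: 400, body: 'image source not allowed' }; // rejected before any fetch
  }
  const hit = avatarCache.get(requestedUrl);
  if (hit && hit.expiresAt > now()) {
    return { status: 200, cached: true, contentType: hit.contentType, body: hit.body };
  }
  const upstream = await fetchImpl(requestedUrl);
  if (!upstream.ok) return { status: 502, body: 'upstream fetch failed' };
  const contentType = upstream.headers.get('content-type') || '';
  if (!contentType.startsWith('image/')) return { status: 415, body: 'upstream is not an image' };
  const bytes = new Uint8Array(await upstream.arrayBuffer());
  if (bytes.byteLength > MAX_IMAGE_BYTES) return { status: 413, body: 'image too large' };
  avatarCache.set(requestedUrl, { body: bytes, contentType, expiresAt: now() + CACHE_TTL_MS });
  return { status: 200, cached: false, contentType, body: bytes };
}
```

The order of the checks is the point: the allowlist runs before any network call, so a request for an arbitrary host costs nothing but a string comparison, and the content-type and size checks bound what a permitted host can make the server buffer and cache. Wildcard hostnames are matched as whole labels and anchored at both ends, so `lh3.googleusercontent.com.evil.test` does not satisfy the `lh3.googleusercontent.com` pattern.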

DylanSp•4mo ago
Thanks for the explanation - I was deeply confused by this article's premise. I've never worked with Next.js or Astro, so I didn't have the background.
cantalopes•4mo ago
Imagine your app uses that Image tag to process image for some specific resolution/quality - just any processing done on your server for any image resource loaded via this tag.

Not sure how exactly it works, never used the framework, but I assume that when the frontend app detects this image tag it makes a server call to process it and return optimized version.

Now, if someone were to insert such tag onto the frontend of your app and put in source of their own image, your server would do the processing of their image.

I have absolutely no idea in what universe would this be a practical attack benefiting anyone at all.

Edit: oh, I see the comment by samtheprogram. I would think that the framework would use some form of csrf, this is a really weird implementation

efitz•4mo ago
Please post again when you get the cease and desist letter!