frontpage.
newsnewestaskshowjobs

Open Source @Github

fp.

A portal to random weird websites internet toys, and funny pages

https://openweird.com/
1•raytopia•29s ago•0 comments

What I'd Tell My Team About Competition

https://staysaasy.com/strategy/2026/07/16/what-id-tell-my-team-about-competition.html
1•thisismytest•38s ago•0 comments

"Professor" Jiang Is Not a Prophet [video]

https://www.youtube.com/watch?v=yxPd9ckVgck
1•Bender•1m ago•0 comments

Vladimir Putin's Internet Adviser Owns a Torrent Site (2016)

https://torrentfreak.com/vladimir-putins-internet-adviser-owns-a-torrent-site-160119/
4•Cider9986•4m ago•1 comments

Apple account email address disclosure via Mail app

https://lapcatsoftware.com/articles/2026/7/9.html
3•frizlab•4m ago•0 comments

Show HN: A gallery of browser-based PDF imposition and printing templates

https://pdfpress.app/gallery
2•jp1016•6m ago•0 comments

AI Chip Startup Etched Is in Talks for $20B Valuation

https://www.wsj.com/tech/ai/ai-chip-startup-etched-is-in-talks-for-20-billion-valuation-caf1787d
2•bookofjoe•7m ago•1 comments

Sea Peoples

https://en.wikipedia.org/wiki/Sea_Peoples
2•skibz•13m ago•0 comments

Blindsight and Gorgias: The Chinese Room and Sophistry

https://blog.sajberpank.com/posts/blindsight-and-gorgias-the-chinese-room-and-sophistry/
1•sajberpank•15m ago•0 comments

Why do you use GPT-5.6 and kimi k3 inside of Claude Code?

https://twitter.com/theo/status/2078217355780624864
1•shenli3514•15m ago•0 comments

My Hunt for the Original McDonald's French-Fry Recipe (2020)

https://www.atlasobscura.com/articles/original-mcdonalds-french-fry-recipe
1•monkeydust•15m ago•0 comments

Neither GCC nor Clang are compliant with standard C++

https://sebsite.pw/w/20260708-badstdcxx.html
2•birdculture•20m ago•0 comments

Starfish Prime

https://en.wikipedia.org/wiki/Starfish_Prime
1•georgecmu•22m ago•0 comments

HMD Touch 4G

https://www.hmd.com/en_int/hmd-touch-4g
13•thisislife2•27m ago•8 comments

OpenAI is breaking Silicon Valley unwritten code. That's why Apple is so angry

https://www.businessinsider.com/openai-breaking-silicon-valley-unspoken-rule-apple-talent-2026-7
2•RestlessMind•28m ago•0 comments

I Cut an AI Agent's Token Use by 94%

https://vivekhaldar.com/articles/compiling-an-ai-agent-skill/
1•gmays•29m ago•0 comments

Show HN: Kimi K3 spent nearly 8 hours building this 78-card tarot site

https://askciela.com/
1•lilyucb•29m ago•0 comments

Show HN: Waylou Slack Is Open

https://join.slack.com/t/waylou/shared_invite/zt-4491sutoj-0nXfXIsrqLm3UvwHg5mmtA
1•Emirhan123•29m ago•1 comments

Google is open-sourcing its 3D emoji

https://www.theverge.com/design/967606/google-open-source-3d-emoji
1•Brajeshwar•29m ago•1 comments

Kimi 3: What does the future look like for humanity today?

https://duttakapil.substack.com/p/reaction-to-kimi-3-what-does-the
1•duttakapil•32m ago•1 comments

PyCon US 2026 Recap

https://katherinemichel.github.io/blog/conferences/pycon-us-2026-recap.html
1•KatiMichel•33m ago•0 comments

Doom in MS Paint from Mark Russinovich

https://github.com/markrussinovich/DoomPaint
1•samch•33m ago•1 comments

Show HN: Pgnudge – tell your app which Postgres tables just changed

https://github.com/janbjorge/pgnudge
1•jeeybee•34m ago•0 comments

Show HN: Threads Management CLI and Skills

https://github.com/mrhustlex/threads-api-cli-skills
1•mrhustlex•34m ago•0 comments

Show HN: Run a 120B-parameter MoE on Android mid-range phone CPU-only llama.cpp

https://github.com/Helldez/BigMoeOnEdge
1•Helldez•35m ago•0 comments

World Cup Picture Puzzle Game

https://pic-puzzle-khaki.vercel.app/
1•frankensteins•35m ago•1 comments

Resolution Horizon – Finding the mathematical limit where AI overfits to noise

https://github.com/bjoern-janson/resolution-horizon
1•bjoern_janson•37m ago•0 comments

JSON Inspector – A native, offline JSON workspace for macOS

https://apps.apple.com/fr/app/json-inspector/id6780994209?mt=12
1•SylvainMouquet•37m ago•0 comments

The Braun Grid System

https://onlyonceshop.com/blog/the-braun-grid-system
1•dgellow•37m ago•0 comments

Nginx module that bans clients by their 404/403 error rate, in-worker

https://www.getpagespeed.com/server-setup/nginx/nginx-abuse-guard-module
1•dvershinin•37m ago•0 comments
Open in hackernews

Half a Second – a book about the XZ backdoor

https://www.half-second.com/
43•zvr•9h ago

Comments

OldMatey•7h ago
Given the time and effort that went into this, and the luck that one diligent person noticed, investigated and discovered what was going on before it could get further... it seems very likely to me that this has happened already in other libraries without being discovered.
miramba•7h ago
Exactly, and I wonder since then: How closely did people in comparable situations look? Since nothing similar has been reported, I suspect not very close…
VladVladikoff•5h ago
I wonder if the nation state actors are doing people profiling on owners of important packages to find the most vulnerable for an attack.
akimbostrawman•4h ago
Anybody running opensnitch would notice
IshKebab•3h ago
The effort of gaining trust over an existing project isn't even really required. All you need to do is monitor when popular GitHub repos get archived. That's usually when the original authors don't want to work on it any more. Then just quickly make a fork to continue the project (think Phabricator -> Phorge), and if you're quick enough and authoritative sounding enough, boom control of the project!

Maintain it for a bit so people switch to your version, and job done.

lucasRW•6h ago
It's only going to recycle old news. The missing piece is attribution. Had it been the usuals (DPRK, Russia, China), the attribution would have been made publicly. The fact that is has not points as a friendly - especially when Microsoft (who owns Github) had all that telemetry and very likely has the means to find out. Some serious OSINT (consistency of timezone across months if not years of commits) pointed to the Middle East. An obvious Unit name comes to mind.
diogocp•6h ago
Fun fact: the guy who reported it (Andres Freund) works for Microsoft.

Another fun fact: Moscow is in the same time zone as the Middle East.

lucasRW•5h ago
Other fun fact: Microsoft and Mandiant have never had any problem doxing Russian APTs when they caught them.
kryogen1c•5h ago
The middle east is not one time zone

https://whichtimezone.com/me/middle-east-map/

anonreplier•5h ago
"all that telemetry" doesn't count for much if it's behind a VPN
kreyenborgi•6h ago
> The catch is where the book begins, not what it is about.
edblair•4h ago
Half expecting the next few paragraphs to contain, verbatim, "The smoking gun was a performance issue in a development build of Debian. It's was a sharp observation, and sharper than you may think."
this_user•6h ago
Well, the "About the Author" section should probably just be a link to claude.ai.
sevg•6h ago
Yeah the (annoyingly) excessive use of colons feels like recent Claude models to me.

Looks like author posted this themselves earlier, and even used Claude for the HN comment:

https://news.ycombinator.com/item?id=48958457

infinite_spin•6h ago
I've always used a lot of semi-colons in my writing, especially in my technical writing. So I did a search on this pdf for semi colons, and there are 260 in a 264 page document. I then repeated this for the last book I read, Candide by Voltaire, and there were 507 semi colons in a 189 page book.

This seems like a witch hunt.

rwmj•6h ago
I read parts of it, being first hand involved in all this, and it seems like it was written by AI to me. If you used an AI to write it or help with it, why not just admit to it?
infinite_spin•5h ago
the argument was that use of semi-colons indicates AI usage..

what do you mean by "being first hand involved in all this"? what part did you take if you don't mind sharing, this was an incredibly interesting turn of events.

tryauuum•6h ago
So Microsoft did something good? I thought they are too busy keeping my personal data in a prison and writing tight bash loops wasting 100 percent of a core
akimbostrawman•4h ago
no, someone who just happens to work for microsoft doing something at home did something good.
dhx•5h ago
See [1] for April 2024 Clickhouse Github activity analysis of the xz backdoor.

I haven't seen anyone write up a proper analysis that includes consideration of:

- GitHub activity (e.g. all API actions on GitHub side including replying to comments) _and_ mailing list activity _and_ other public facing activity all considered together.

- Complexity of public actions e.g. was there a queue of code changes that would have taken 20 hours effort to put together that were all committed at once? Were there any long streaks of high activity where it might reveal how many people were involved?

- Latency of public actions e.g. if an issue was raised by some random person, how long did it take for the attacker to respond, and later resolve/commit a patch? Similar to the complexity of public actions, it might reveal how many people were involved by estimation of the time needed for an experienced developer to fix an issue vs. actual time taken, both in terms of level of effort and duration.

- International dispersement of a team in different timezones with some core hours for collaboration, review and public facing activity.

- Public holidays, country/region-specific work habits, etc--e.g. consideration of "summer holiday" periods or similar common holiday periods, consideration of unusual days of no/low activity versus snow days, power outages, etc which might have been experienced by the attacker.

Distribution of actions from Github indicates the attacker used a 6 day work week excluding Sunday, and almost all activity conducted between UTC 12:00-16:00. Within these 6 days, activity was uneven at 0.5, 1, 1, 1, 1, 0.5 effort per day. There are low activity periods too that line up with summer solstice (southern hemisphere) or winter solstice (northern hemisphere).

There are interesting patterns in the data not yet publicly analysed (I think?) that seemingly would reveal the true location of attackers, particularly because attacker actions are anchored to uncontrollable events such as a known-good contributor (such as Linux distro maintainer) raising a Github issue against a repository and the attacker replying an hour later. For such events with low latency of reply, it'd be well worth considering when a reply was made quickly, and when it wasn't, across a few years of data points.

[1] https://news.ycombinator.com/item?id=39905375

skippyfish•4h ago
Here's the tool developed by the author that was almost certainly used to generate this book in its entirety - "A structured pipeline for writing long-form nonfiction, packaged as a Claude Code skill":

https://github.com/AdrianMastronardi/bookwright

There's nowhere near enough public information about the xz vuln to be worth turning into a book, so the merits of AI-generated text aside, this is just a very inefficient way to learn about the topic.

eth0up•1h ago
"There's nowhere near enough public information about the xz vuln to be worth turning into a book," As an actual person, who reads, and having glanced at this book, I do not agree. I can already see part of the purpose is to put perspective on the crazy reality of backdoors/exploits and the undermined implications thereof. Jia Tan alone could warrant a book or film. It also says "for the general reader" and non-technical, which is where I myself think the importance really is. Maybe the AI is catching blindspots.

I downloaded the book. It's not fake. Perhaps no masterpiece, but far from worthless. Also, not "enough public information" really sells inference and imagination short. There is a rich amount of material to work with here. More than enough.

I am going to go ahead and say that flagging this was more information suppression than crankiness about AI. A lot of folks get strange when Jia Tan or similar subjects come up. I guess it's wiser to just wait until the grid goes down, or the water supply gets a bit more chlorinated....

pflenker•3h ago
It’s great to have the entire topic brought together into a cohesive book - but wow, I find it very annoying to read.
ptx•2h ago
Probably because LLM output only gives the appearance of cohesive writing, but the more you try to understand the author's intent and meaning, the more confusing and annoying it gets, as there is no author, no intent and no meaning there to understand.
rwmj
•
5h ago
You'd know that if you'd done any research at all.

Compare this to Jeff Guo (NPR) or Henry van Dyck (Veritasium) or my contact at the WSJ. They all investigated this story, interviewed key people (more people were interviewed for the Veritasium video than appeared), and fact-checked everything with subject matter experts. The NPR story took about 3 months of work and the Veritasium video took 5 months. I was interviewed in total for over 6 hours across all of them.

These are real journalists who worked on these stories and they produced novel work and new findings. I have huge respect for them, especially after being involved with it and seeing what work it took to add something new to the story. At the same time they managed to tell that story to a lay audience which is another skill in itself.

infinite_spin•5h ago
> You'd know that if you'd done any research at all.

I'm not in the habit of researching the people who respond to me before I ask them about what their role was in something they seem proud of. I thought I was being polite by asking about it.

That's really cool that you were interviewed, which of the interviews do you think most represents your hand in this? I wouldn't mind checking it out. I also really like Veritasium's channel, that's pretty awesome.

bigDinosaur•4h ago
In this case all it required was to follow the link to their blog on their HN profile just FYI. Although your question was reasonable either way.
jstanley•5h ago
I pasted the introduction into Pangram and it said 100% AI.
infinite_spin•5h ago
well also I read the parent's comment wrong, they just said colons, not semi-colons
sevg•5h ago
You know I said colons right? Not semi colons :)
infinite_spin•5h ago
ah my mistake, those are a bit uncommon in my writing, I feel like they seem pretentious. i just use the semi-colons because it's closer to the way I pause, and alternate, in my thoughts.
progbits•6h ago
In last month or two I noticed semicolons getting used where previously it would be em-dash, in both cases excessively and often incorrectly.

I assumed some of my coworkers added "replace all em-dashes with semicolons" into their CLAUDE.md as a really crappy attempt at hiding their inability to write a single sentence without assistance.

tux3•5h ago
Come on now, you can't also take away my semicolons. What am I supposed to do now; I barely have any punctuation left.
dag100•4h ago
Embrace the inner Cormac McCarthy in you and abandon punctuation altogether
progbits•2m ago
Not taking it away.

I hate those arguments "it has emdash therefore AI", of course humans also write that way.

But poor and excessive usage of them is a pretty strong red flag, also together with other tells.

eth0up•5h ago
"free book" "no paywall and nothing to buy."

Might this not actually be a reasonable purpose for AI? I can tolerate the quirky style and AI signatures for something honest and free.

rwmj•5h ago
But prompting an AI adds nothing. Journalism is about research, interviewing the people involved, finding new facts, and then presenting that to your audience in a way they can understand. Getting an AI to write about something is just diluting the signal for future researchers.
jersmtpd•4h ago
You can have an AI help write it while still having done research yourself, they're not mutually exclusive. I'm not claiming whether he actually did that or not.

Like, for me personally, I'm terrible at writing, so I'll gladly have some AI throw together a draft, which I then verify and edit.

eth0up•4h ago
exactly. If I am writing a free book with solid information, well, I am not writing it, because I am not writing free books -- I don't have time. But if AI can arrange my data, thoughts, perspective, and articulate it effectively, then I will let AI write the free book. If the book contains new, or previously unarticulated data and insight, then why not? But I see the very thought is hotly contested here.
bandrami•4h ago
Why not just post the prompt you used? I have access to LLMs too.
eth0up•4h ago
I have over 6gb of material resulting from interactions with AI. Even a micro-essay of mediocre quality requires dozens of prompts. Why post dozens and dozens of prompts if the final product is cleaner, and easier to process? I see utterly zero reason.

Edit: One of the things I learned quickly while working with LLMs, is that the quality of the user, the input, determines the quality of the output. Not everyone's input is of equal quality.

rpdillon•1h ago
You think if he gave you the "prompt" you'd be able to produce that book?

Heck, I should put money on this. Start a competition: I give folks a prompt, and tell them to write a book about a subject with AI. I'm the sole judge of quality. Winner gets $2000. Then let's examine the variance in the entries.

In short: using AI is a skill. It's silly to pretend otherwise.

jllyhill•2h ago
For anyone wondering, here's the author confirming it

https://news.ycombinator.com/item?id=48966159

And here's their Claude skill for writing

https://github.com/AdrianMastronardi/bookwright