
Oracle VM VirtualBox – VM Escape via VGA Device

https://github.com/google/security-research/security/advisories/GHSA-qx2m-rcpc-v43v
93•serhack_•7mo ago

Comments

smegger001•7mo ago
Would this work with a headless VM only accessed via SSH? I naively perhaps assume it would be safe as it's not using a virtual VGA device, but perhaps the machine still has the VGA device present in the virtual environment, it's just not being used by the user but still vulnerable?

Also, is this specific to any particular host operating system or all versions of VirtualBox?

bobmcnamara•7mo ago
Availability of the VM device is up to the host's configuration for that VM. You can remove it, but there's one display present by default - don't recall which
orev•7mo ago
All* PCs require a VGA console to boot. Maybe there’s some special type that doesn’t, but it would be extremely rare. When running headless it’s just hiding the console window, but the device still exists on the machine.
Retr0id•7mo ago
Linux has no problem booting without a VGA device present
_flux•7mo ago
That's true, but there may be some desktop BIOSes that will fail to boot without a display adapter—though I've had good luck on that on the few hosts I've made headless servers.
Retr0id•7mo ago
Fortunately the BIOSes shipping in hypervisors tend to be more sane, and QEMU for example can direct-boot a linux kernel without even needing to emulate a BIOS/EFI first.
da768•7mo ago
Network appliances (Lanner, Netgate, Axiomtek, PC Engines, etc) typically only have a serial console and no GPU hardware at all. Same applies for any linux VMs, you can remove VGA devices and keep a serial port in the config
fulafel•7mo ago
Despite the title, the vulnerable function name (vmsvga3dSurfaceMipBufferSize) tells it's in the VMSVGA virtual 3D graphics device, not basic VGA hardware needed for normal bootup console stuff.
rjsw•7mo ago
If the kernel in the VM has the DRM code loaded into it, maybe as a module, then I think you would be able to trigger this bug.
lyu07282•7mo ago
The linked repo wasn't updated in 8 months, up-to-date code is here:

https://www.virtualbox.org/browser/vbox/trunk/src/VBox/Devic...

I think this was the fix:

https://www.virtualbox.org/changeset/108903/vbox/trunk/src/V...

johnisgood•7mo ago
Thanks. Wild. I bet the codebase is full of code like the originally exploitable one. At this point maybe one should use wrappers for all sorts of calculations. :D
vardump•7mo ago
VirtualBox just crashes all the time anyways. At least the few newest versions keep crashing when running Ubuntu 22.04 or 24.04 LTS.
oguz-ismail•7mo ago
works on my machine
Neywiny•7mo ago
I updated to the latest (7.1.8?) and that fixed the inability to use 3d acceleration. But yes I've found they have a terrible release "process" that seems to not include testing. I tried switching to VMWare but A) broadcom makes it difficult to download B) since a recent kernel/driver update on my host, even a fresh Windows guest locks up in boot (can't get through install).

Might try going back to qemu. VMWare had the best performance by far, though, which was great for windows only 3d model software. When with 3d acceleration Virtualbox is so sluggish for me.

immibis•7mo ago
Broadcom is one of those companies that gets you hooked and then sues you for a lot of money.

... So is Oracle, though.

vardump•7mo ago
I’m using the latest, same version. Just a horrible experience overall. Whole VirtualBox hypervisor crashes regularly.

VMWare was the gold standard before, but so hopeless now.

I wish Parallels released something for Windows. Their Mac offerings are great.

Maybe I should try QEMU on the desktop as well.

alyandon•6mo ago

> they have a terrible release "process" that seems to not include testing

I wouldn't say they have no testing process at all but it seems to me that they lack discipline when it comes to building releases and testing. I've seen releases that had debug-by-logging type code left in spamming the VM logs as well as breakage in what most would consider very common host + guest combinations.

It's a shame that Oracle doesn't seem to care much about the overall quality of that product. I guess we should be happy Oracle cares enough to still develop it. :-/

Edit: And right now - VirtualBox is still not offering v7.1.8 inside the GUI app and there is no mention of this CVE in the 7.1.8 change logs.

Neywiny•6mo ago
Yeah when I checked for updates in the GUI it found nothing. Had to download manually. Though actually I didn't update the extension pack. Doubt it'd help but I should check.
mhitza•7mo ago
In my recent experience Ubuntu is pretty buggy, I think the distro should also be part of the consideration.

Using Ubuntu on a daily machine for 6 months, after 15 years of Fedora, that's how I would describe my entire experience. Buggy.

simion314•7mo ago
No such issues with Kubuntu, so maybe it is the GNOME ecosystem or maybe some unfortunate kernel+drivers, GPU combo.
mhitza•7mo ago
I'm using KDE as well (after giving GNOME another shot for a week, which had even more issues), though I installed KDE in parallel, so there's always the chance that some GNOME residue is causing those issues.
simion314•6mo ago
What kind of issues? Is X or Wayland crashing and you are losing your work? I am still on X11; in rare cases X crashes and it is probably the video card/Nvidia driver issues, since all crashes happened when I had some 3D GPU stuff happening.
noosphr•7mo ago
This is a problem with Ubuntu and not VirtualBox. I spent a few hours today fighting with 24.04.02 in libvirt only to realize that they are using some fancy new GUI library for the installer which crashes on all VMs: https://www.dell.com/support/kbdoc/en-us/000123893/manual-no...

Mandatory Ubuntu considered harmful.

If only NVidia considered Debian a first class distribution so I never had to use Ubuntu again.

fulafel•7mo ago
It was crashy years ago as well. In the host kernel driver part, which is the worst place. And half of open source dev projects had Vagrant setups needing VirtualBox. Even though Docker has its problems, it's not half as bad.
Thaxll•7mo ago
There is no reason to use VirtualBox on Windows nowadays, Hyper-V and VMware are free for personal use and are much much better than VirtualBox.

https://blogs.vmware.com/workstation/2024/05/vmware-workstat...

AshamedCaptain•7mo ago
VirtualBox is the only one of the 3 mentioned that is still both free as in beer (even for commercial use*) as well as free as in freedom (GPLv3).

* Unless you use the Oracle plugin, but you really shouldn't, because most features from it have been moved to the GPL base.

The only other really free alternative is Qemu.

notpushkin•7mo ago
> most features from it have been moved to the GPL base

Wow, that’s nice to hear! Installing the ext pack used to be an almost mandatory step for me.

TMWNN•7mo ago
> * Unless you use the Oracle plugin, but you really shouldn't, because most features from it have been moved to the GPL base.

Oh? I moved to KVM via UnRAID, but not because of any particular complaint with VirtualBox or the Oracle plugin. But then, I only used the plugin for the RDP feature. Has that been moved into the main codebase?

AshamedCaptain•6mo ago
Not RDP, but like encryption, it's the only other feature I can think of which remains on the extpack. IMHO they are all enterprisey "mark a checkbox" level features that should be irrelevant for even actual enterprise users.

Why do you have to use RDP anyway? It gives almost zero advantages over VNC here since all the output is going to be raster.

TMWNN•6mo ago
>Why do you have to use RDP anyway? It gives almost zero advantages over VNC here since all the output is going to be raster.

No preference for either protocol; I just used RDP because that was the most convenient with VirtualBox and the plugin. (I think (?) I tried VNC and couldn't get it to work.) I use VNC now with UnRAID's KVM, but probably would have stuck with RDP were it supported.

hk1337•7mo ago
That and most development virtual box use has moved to using Docker which has caused things like Hyper-V on Windows and macOS to create better alternatives for Docker to use and Linux doesn't need the VM.
VladVladikoff•7mo ago
Except virtual box is open source and probably the whole reason these vulnerabilities are found. I’m sure similar vulnerabilities could exist in VMware but are much harder to find due to being closed source.
rrdharan•7mo ago
It’s really not harder for the folks with this skill set, and plenty of these vulnerabilities have been found in VMware too over the years.

https://www.blackhat.com/presentations/bh-usa-09/KORTCHINSKY...

https://www.darkreading.com/vulnerabilities-threats/vmware-z...

https://cloud.google.com/blog/topics/threat-intelligence/vmw...

nicce•7mo ago
It is always harder, because it always takes more time. We don't know the ratio (how many more bugs would have been found if VMware were open source).
rrdharan•6mo ago
We can agree to disagree. I just don’t think it’s the high order bit in determining the rate of vulnerability discovery - in my opinion the commercial utility (white / black / grey) of the exploits is a more important factor in determining how quickly they are found.
Retr0id•7mo ago
Even if we accept the premise, I'd rather use software that contains hard-to-find bugs than easy-to-find bugs, all other things being equal.

In my experience of casual usage VMware is less buggy in general (no random crashes, etc.), and that usually translates into fewer security bugs too.

But if your adversary is spending $$$$$ on vulns to throw at you, you can probably assume they can vm-escape either one.

ekianjo•7mo ago
Your post is obsolete. VMware workstation is now free for all users, even commercial ones.

https://blogs.vmware.com/cloud-foundation/2024/11/11/vmware-...

nicce•7mo ago
Is there any catch? Can we say that Broadcom brought something good when they bought it?
AshamedCaptain•7mo ago
Yes, that development of vmware workstation has been abandoned for years ever since the original team was fired.
ekianjo•7mo ago
No catch as far as I know.
sinuhe69•6mo ago
Nope. Hyper-V only works on Pro and higher versions of Windows. VMware is not free. I can run VirtualBox on demand (as a portable app) and that simplifies things immensely. VirtualBox can also work with all different kinds of virtual hard disks, can archive and import archives from different versions without any problem, and that makes it a versatile and useful tool. There is also tons of information about VirtualBox from the community.
AshamedCaptain•7mo ago
For the record: Oracle does not consider that the 3D feature should be enabled when the VM is untrusted. It's still classified as experimental and will likely be so for another decade at least.
fulafel•7mo ago
They don't say anything about untrusted VMs or security in the documentation (https://www.virtualbox.org/manual/topics/guestadditions.html...).
AshamedCaptain•6mo ago
It does say it is experimental. In any case, my remark comes from my discussions with Oracle.
westurner•6mo ago
https://news.ycombinator.com/item?id=43067347 :

> Still hoping for SR-IOV in retail GPUs.

> Not sure about vCPU functionality in GPUs

> Process isolation on vCPUs with or without SR-IOV is probably not as advanced as secure enclave approaches

[Which just fell to post-spectre side channels]

>> Is there sufficient process isolation in GPUs?

/? Sr-iov iommu: https://www.google.com/search?q=sr-iov+iommu

Is there branch prediction in GPUs? What about other side channels between insufficiently-isolated GPU processes?

I see that vgpu_unlock no longer works for technical reasons.

jawavvaa•6mo ago
I've seen something like this in ChromeOS too, since both devices will use similar methodologies and technologies in their respective VMs. The attackers would glitch the VGA framebuffer, and the only way you can tell was your screen would show random garbage briefly. As the attack escalated, the glitches got worse until either the computer crashed or they accomplished their exfiltration. I think ChromeOS patched it a while ago, so I don't see it anymore. Attack vector was something like Chrome Browser -> (?) -> Framebuffer -> [Cross VMs to host].
snvzz•6mo ago
This would not have been possible with seL4 virtualization.

There, VM exceptions are turned into messages for VMM, which is unprivileged, and has capabilities that do not exceed those of the VM itself.