frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

How to handle people dismissing io_uring as insecure?

https://github.com/axboe/liburing/discussions/1047
20•nromiun•29m ago•3 comments

“Dynamic Programming” is not referring to “computer programming”

https://www.vidarholen.net/contents/blog/?p=1172
93•r4um•2d ago•15 comments

The Daily Life of a Medieval King

https://www.medievalists.net/2025/07/medieval-king-daily-life/
28•diodorus•3d ago•3 comments

Show HN: X11 desktop widget that shows location of your network peers on a map

https://github.com/h2337/connmap
111•h2337•6h ago•46 comments

Staying cool without refrigerants: Next-generation Peltier cooling

https://news.samsung.com/global/interview-staying-cool-without-refrigerants-how-samsung-is-pioneering-next-generation-peltier-cooling
236•simonebrunozzi•10h ago•166 comments

Log by time, not by count

https://johnscolaro.xyz/blog/log-by-time-not-by-count
79•JohnScolaro•5h ago•25 comments

ESP32-Faikin: ESP32 based module to control Daikin aircon units

https://github.com/revk/ESP32-Faikin
27•todsacerdoti•3h ago•8 comments

Agents built from alloys

https://xbow.com/blog/alloy-agents/
95•summarity•6h ago•44 comments

XMLUI

https://blog.jonudell.net/2025/07/18/introducing-xmlui/
502•mpweiher•16h ago•259 comments

New colors without shooting lasers into your eyes

https://dynomight.net/colors/
349•zdw•3d ago•88 comments

Simulating hand-drawn motion with SVG filters

https://camillovisini.com/coding/simulating-hand-drawn-motion-with-svg-filters
173•camillovisini•3d ago•15 comments

Using the Matrix Cores of AMD RDNA 4 architecture GPUs

https://gpuopen.com/learn/using_matrix_core_amd_rdna4/
37•ibobev•2d ago•1 comments

Stdio(3) change: FILE is now opaque

https://undeadly.org/cgi?action=article;sid=20250717103345
131•gslin•12h ago•53 comments

Coding with LLMs in the summer of 2025 – an update

https://antirez.com/news/154
464•antirez•19h ago•317 comments

SIOF (Scheme in One File) – A Minimal R7RS Scheme System

https://github.com/false-schemers/siof
32•gjvc•1d ago•2 comments

Peep Show is the most realistic portrayal of evil I have seen (2020)

https://mattlakeman.org/2020/01/22/peep-show-the-most-realistic-portrayal-of-evil-ive-ever-seen/
111•Michelangelo11•9h ago•37 comments

IPv6 Based Canvas

https://canvas.openbased.org/
46•tylermarques•8h ago•2 comments

How slow motion became cinema’s dominant special effect

https://newrepublic.com/article/196262/slow-motion-became-cinema-dominant-special-effect-downtime
19•cainxinth•3d ago•9 comments

Show HN: Conductor, a Mac app that lets you run a bunch of Claude Codes at once

https://conductor.build/
161•Charlieholtz•3d ago•76 comments

Debugging Bash Like a Sire

https://blog.brujordet.no/post/bash/debugging_bash_like_a_sire/
3•gfalcao•3d ago•1 comments

What my mother didn’t talk about (2020)

https://www.buzzfeednews.com/article/karolinawaclawiak/what-my-mother-didnt-talk-about-karolina-waclawiak
53•NaOH•3d ago•15 comments

FFmpeg devs boast of another 100x leap thanks to handwritten assembly code

https://www.tomshardware.com/software/the-biggest-speedup-ive-seen-so-far-ffmpeg-devs-boast-of-another-100x-leap-thanks-to-handwritten-assembly-code
258•harambae•9h ago•79 comments

Speeding up my ZSH shell

https://scottspence.com/posts/speeding-up-my-zsh-shell
166•saikatsg•14h ago•82 comments

Subreply – An open source text-only social network

https://github.com/lucianmarin/subreply
90•lcnmrn•11h ago•47 comments

Digital vassals? French Government ‘exposes citizens’ data to US'

https://brusselssignal.eu/2025/07/digital-vassals-french-government-exposes-citizens-data-to-us/
207•ColinWright•19h ago•105 comments

JOVE – Jonathan’s Own Version of Emacs

https://github.com/jonmacs/jove/
51•nanna•3d ago•28 comments

What birdsong and back ends can teach us about magic

https://digitalseams.com/blog/what-birdsong-and-backends-can-teach-us-about-magic
29•nkurz•6h ago•7 comments

AI is killing the web – can anything save it?

https://www.economist.com/business/2025/07/14/ai-is-killing-the-web-can-anything-save-it
184•edward•21h ago•224 comments

Insights on Teufel’s first open-source speaker

https://blog.teufelaudio.com/visionary-mynds-insights-on-teufels-first-open-source-speaker/
87•lis•13h ago•17 comments

Logical implication is a comparison operator

https://btdmaster.bearblog.dev/logical-implication-as-comparison/
27•btdmaster•3d ago•9 comments
Open in hackernews

Show HN: X11 desktop widget that shows location of your network peers on a map

https://github.com/h2337/connmap
111•h2337•6h ago

Comments

wslh•6h ago
No basically secure:

char mapFilename[256]; strcat(strcpy(mapFilename, getenv("HOME")), RESOURCES); strcat(mapFilename, mapName);

h2337•6h ago
What's insecure? Can you explain what's the vulnerability here and how and by whom can it be exploited?
floating-io•5h ago
Assuming that code is actually present in your app, env vars can hold more than 255 characters. Easy buffer overflow to trigger. Use length-bounded copies and concats...

That's just off the top of my head; I've not written in C in a while.

h2337•5h ago
Why would you want to trigger a buffer overflow in user application if you can already control HOME envvar?
floating-io•5h ago
Yeah, that is not a helpful attitude to take when it comes to this sort of thing. If nothing else, a super-long home path can crash your app and leave your user scratching their head. In other words, this is a bug (as is the fact that paths are not necessarily limited to 255 characters in the first place; see the PATH_MAX constant, I think it is?).

As to what could be accomplished with an overflow? I don't know; I'm not in security, and I don't sit around thinking of possible uses for various bugs when it comes to compromising systems.

Perhaps the most important thing to realize, though, is that you're distributing software publicly. Your security situation may not be the same as your user's security situation. Assumptions should not be made.

Something to keep in mind.

h2337•5h ago
Thanks for the discussion. Fix is already committed.
floating-io•5h ago
No problem. =)
db48x•2h ago
As long as you’re fixing that bug, you should do it right. If the return value from snprintf if more than 256 but less than a few GB then you should malloc a buffer big enough to hold the string and then call snprintf again with the new buffer. Only if that or malloc fails would you print an error. (It’s really a shame that the C standard library requires so many extra steps to do things correctly; this ought to be way easier.)
sedatk•5h ago
Basically, any path longer than 256 characters for `mapFilename` would cause a buffer overrun.

An unprivileged app could run your app (say, with more privileges), with a very long `HOME` environment path, causing a buffer overflow, and potentially exploit it to use your app's privileges to do more stuff than it was supposed to.

Basically, you should never use strcpy and strcat and but use the secure alternatives like strcpy_s and strcat_s, even when you know the source buffer would never exceed the destination size.

h2337•5h ago
> (say, with more privileges)

Isn't it a moot point if unprivileged app can already run anything with more privileges? In normal operation, connmap requires no special privileges.

sedatk•5h ago
Sure, but since there's no enforced standard for how privileges are configured on a system, there's always the possibility that your app to be the only escape ticket.

You can dismiss that possibility of course. But, as a general habit, it's best to use secure alternatives instead of mulling over probabilities every other line.

As a positive side-effect, the change would make your app not crash on systems with long HOME env paths.:)

DonHopkins•4h ago
Using strcat to a fixed size buffer is like using a gun to kill flies in a crowded flophouse while on crystal meth.
h2337•5h ago
Thanks for noticing! Fix pushed.
josephcsible•5h ago
While that's indeed a bug, for it to be a security vulnerability, wouldn't there also have to be a security boundary involved? Specifically, mapName is always either "w1000b.png" or "w1000.png", so the only way to trigger the buffer overflow would be through the HOME environment variable. But if an attacker can run commands as you with arbitrary environment variables, aren't you already pwned? What would anyone gain by running your program and exploiting it to do something, rather than just doing the thing directly? https://devblogs.microsoft.com/oldnewthing/20060508-22/?p=31...
im3w1l•3h ago
While exploitation is unlikely I think such things are still best avoided because multiple such things can sometimes be chained together.
ben0x539•5h ago
That's a really neat idea, damn.
rootbear•5h ago
Forgive my ignorance, but I'm not sure what this is showing me. I'm running it on my home linux system, which is connected to the Internet via Verizon FIOS. The map shows three red dots, none of which are near me.
h2337•5h ago
Those 3 dots are your peers, the other end of the TCP connection :)

So you basically have some apps running in the background (or foreground) that are making those connections.

rootbear•5h ago
Okay, got it, thanks. I suppose it could also be the FIOS router itself making those connections, or any of the other systems on my local network.
h2337•5h ago
No, for normal network configurations they wouldn't show. It's most likely your system connmap is running on making those connections.
esseph•2h ago
You might be surprised how much traffic every device makes.
jdwithit•1h ago
It's only showing connections directly initiated by your computer. Not anything "upstream" of you like the FIOS router. It would also show any connections TO your computer, but being behind NAT on a normal home network, that would likely be nothing unless you've intentionally punched holes.
positron26•5h ago
Maybe they were expecting first hops like from traceroute. Maybe traceroute is an interesting way to continue developing.
afroturf•18m ago
I'm colorblind and had to change the dots color. Might be a nice config option.
GranPC•4h ago
Pretty cool! Reminds me of the game Uplink.
apollo-zero•3h ago
Uplink! I loved that game. I should find it again.
itomato•4h ago
This seems like it belonged on freshmeat ca. Y2K.
djabatt•1h ago
must have at least once
MarcelOlsz•17m ago
What's that? Webarchive/google don't return much of anything.
28304283409234•13m ago
http://freshmeat.net was a directory of open source software back in the 90's and noughts. It was one of the main ways to discover software.

But what is X11? Is that like Wayland? ;-)

lxgr•4h ago
Neat! This runs fully offline (i.e. without calls to a GeoIP database), right?
h2337•4h ago
Correct! GeoIP database is local.
lxgr•4h ago
Nice! Where is it from, and do you know if it incorporates geofeed [1] data for networks that publish it?

[1] https://ipregistry.co/blog/geofeeds

serbuvlad•4h ago
From what I was able to tell looking at the code, yes.

The database is embedded in the program. Specifically, it is this file:

https://github.com/h2337/connmap/blob/master/connmap/resourc...

Presumably generated by the author with this Python script

https://github.com/h2337/connmap/blob/master/tools/get-ip-da...

lxgr•4h ago
Ah, cool, this should incorporate location data at least as good as what the networks self-report! (I suspect that these databases, on top of ingesting all geofeed data, do something similar to Wi-Fi positioning, i.e. correlate the IP address of various GPS-enabled devices with their physical location to try and deduce undocumented/non-public allocation patterns.)
DonHopkins•4h ago
Of course it works fully offline, since then you don't have any network peers to draw on the map.
lxgr•4h ago
Localhost has to be somewhere too :)
DonHopkins•2h ago
GeoIP ain't gonna help you with geolocating 127.0.0.1! ;)

Not even Scientology's Secret Advanced Technology OT III Level Xenu Body Thetan and their high payed lawyers know where 127.0.0.1 is!

https://en.wikipedia.org/wiki/Xenu

https://news.ycombinator.com/item?id=14954131

DonHopkins on Aug 8, 2017 | parent | context | favorite | on: Internet Draft: Let 'localhost' be localhost

There was the time that Keith Henson tried to explain the local loopback address to Scientology lawyers during a deposition...

http://www.cryonet.org/cgi-bin/dsp.cgi?msg=6289

Henson: (patiently) It's at 127.0.0.1. This is a loop back address. This is a troll.

Lieberman: what's a troll?

Henson: it comes from the fishing where you troll a bait along in the water and a fish will jump and bite the thing, and the idea of it is that the internet is a very humorous place and it's especially good to troll people who don't have any sense of humor at all, and this is a troll because an ftp site of 127.0.0.1 doesn't go anywhere. It loops right back around into your own machine.

https://en.wikipedia.org/wiki/Keith_Henson

Keith is also involved with cryonics at Alcor, and known for performing "a rapid conversion to neuropreservation [that] was done using a high-speed electric chain saw".

https://news.ycombinator.com/item?id=34066097

>My somewhat eccentric friend Keith Henson once performed the grisly task of "converting whole body to neuro", which the article mentions: downgrading some of Alcor's full-body customers to head-only by removing their heads from their bodies with a chainsaw, or as Alcore's illustrated report delicately explained, "a rapid conversion to neuropreservation was done using a high-speed electric chain saw."

Chapter 3, pp 76, "Heads Will Roll", pp 93-94:

https://gwern.net/doc/transhumanism/1990-regis-greatmambochi...

>[...] But then the Alcor Life Extension Foundation came to the rescue. It would take care of the frozen parents, essentially on a charity basis, but only on the condition that they could be “converted” first, which is to say, converted from whole-body to neuro, the latter being far less expensive than the former. “The same capsule that you put a whole body in,” Saul Kent once explained, “you can probably put twenty heads in.”

freeone3000•4h ago
make sure interNIC is your first hop! LogDeleter is not optional <3
hamburglar•2h ago
This is some old school style bare bones C. popen with a big old pipe chain is pretty quick n dirty. I’d have gone digging around in proc for the active connections. Cool stuff though. I like that it’s so straightforward to read.
generalizations•1h ago
Of course this was made by an i3wm user. Nicely done!
rxwxx•1h ago
In the fonction IpRangeVector_resize() in ip.c, you have a bug, that's not how realloc are supposed to be used.
anthk•1h ago
OpenBSD devs did the same with either XPlanet or Xearth, can't rememeber. Now they use a GeoJson format.

Then you can import it under geo/viking port:

     doas pkg_add viking
Open Viking and just load the geo.json file from

        /usr/local/share/markers/OpenBSD.geojson
raldi•1h ago
What's a network peer?
atworkc•1h ago
Servers / Computers your device is currently communicating with, e.g. github servers when you load the link (well probably a cdn edge one)
jdwithit•1h ago
Yeah from an extremely quick read of the code, I agree with atworkc. It's showing any IP address you have an established network connection to.

  void refreshConnections() {
    ssOutput =
        popen("ss -atun4 | grep ESTAB | awk '{print $6}' | cut -f1 -d\":\"", "r");

    if (ssOutput == NULL) {
      printf("Failed to run ss command\n");
      exit(1);
    }
  }
edit: ssOutput is a global variable which is read elsewhere.