Hacker News: 0x0

New comment by 0x0 in "Dav2d"

0x0 — Sat, 02 May 2026 20:30:08 +0000

Just recently noticed this got posted to deb-multimedia, although I think there is a typo in the package description....

https://www.deb-multimedia.org/dists/unstable/main/binary-am...

... it says "fast and small AV1 video stream decoder"

... should probably be "AV2" ?

New comment by 0x0 in "Running Adobe's 1991 PostScript Interpreter in the Browser"

0x0 — Fri, 01 May 2026 19:01:07 +0000

Details here: https://eclecticlight.co/2023/09/25/postscripts-sudden-death...

New comment by 0x0 in "Running Adobe's 1991 PostScript Interpreter in the Browser"

0x0 — Fri, 01 May 2026 17:29:15 +0000

Such a shame that macOS lost all its built-in postscript support including Preview.app in recent versions :(

New comment by 0x0 in "For Linux kernel vulnerabilities, there is no heads-up to distributions"

0x0 — Thu, 30 Apr 2026 22:19:44 +0000

I find it curious to call someone dropping a weaponized root exploit before major distros or even LTS kernel git branches have patches ready "good guys". This could have been handled with much more grace.

New comment by 0x0 in "For Linux kernel vulnerabilities, there is no heads-up to distributions"

0x0 — Thu, 30 Apr 2026 19:49:09 +0000

The disclosure doesn't appear very "full". Looks like this was slipped into mainline linux among dozens of other mostly-irrelevant "CVEs" with nobody highlighting the fact that it is in fact dirty-cow-on-steroids.

https://x.com/spendergrsec/status/2049566830771970483

https://lore.kernel.org/linux-cve-announce/2026042214-CVE-20...

Or is everyone expected to upgrade and reboot every 48 hours for all eternity and just deal with potential regressions all the time?

I think this reflects poorly on the original reporters. If you have a weaponized 700-byte universal local root exploit script ready to go, perhaps you should coordinate with major distros for patches to be available before unleashing it on the world. No matter how "veteran" you are.

New comment by 0x0 in "Copy Fail – CVE-2026-31431"

0x0 — Wed, 29 Apr 2026 20:44:40 +0000

Dropping a public exploit on github before distros have patches available isn't very cool, or is that just how veterans roll these days?

New comment by 0x0 in "21,864 Yugoslavian .yu domains"

0x0 — Fri, 27 Mar 2026 09:09:47 +0000

Enumeration of the entire DNS space is not available in general, but it does appear that some TLDs offer complete zone files for legitimate research purposes, see for example https://czds.icann.org/help#zone-files

New comment by 0x0 in "Dolphin Progress Release 2603"

0x0 — Thu, 12 Mar 2026 15:56:08 +0000

The breakout engineering to exploit Dolphin has already happened, see for example:

* https://dougallj.wordpress.com/2016/11/13/exploiting-dolphin...

* https://gist.github.com/hthh/502ae16db55612f64d3966769a154c3...

* https://github.com/dolphin-emu/dolphin/pull/4447

New comment by 0x0 in "Don't use passkeys for encrypting user data"

0x0 — Sat, 28 Feb 2026 11:18:52 +0000

> "they can't be provisioned by the website itself."

It's funny, we used to have a html tag that would exactly that:

New comment by 0x0 in "10 Years of Let's Encrypt"

0x0 — Tue, 09 Dec 2025 20:44:37 +0000

They were great in the beginning, and then when you issued a few more certs than they liked you were asked to pony up some $$$, and then when you did that and actually "verified" who you were on a personal international phone call, you got a grace, and then issued a few more, they decided they didn't like you so they would randomly reject your renewals close to the expiration date, and then they got bought out by some scummy foreign outfit which apparently caused the entire CA to be de-listed as untrustworthy in all major browsers. Quite the ride.

Also, the only website I've ever encountered that actually used the HTML tag.

New comment by 0x0 in "Sending DMARC reports is somewhat hazardous"

0x0 — Wed, 03 Dec 2025 10:58:05 +0000

Same here, and the worst part is the duplicates appear to reuse the same Message-id, which confuses macOS Mail.app to no end :-/

New comment by 0x0 in "Running Unsupported iOS on Deprecated Devices"

0x0 — Thu, 27 Nov 2025 06:18:38 +0000

It's actually a requirement by app store connect to use a modern sdk for uploading binaries, and modern sdk versions will often raise the minimum supported ios version, so this is not always the developer's fault. See for example https://developer.apple.com/news/upcoming-requirements/?id=0...

New comment by 0x0 in "Apple will phase out Rosetta 2 in macOS 28"

0x0 — Wed, 29 Oct 2025 10:03:01 +0000

I'm sure there's lots of x86_64 specific code in the macOS userland that is much more than just a recompile - things like safari/javascriptcore JIT, various quartz composer core animation graphics stack and video encoder decoder stack libraries, as well as various objective-c low level pointer tagging and message passing ABI shenanigans and so on. This is probably why 32bit intel mac app support was dropped pretty hard pretty fast, as the entire runtime and userland probably required a lot of upkeep. As just one example, 32bit intel objective-c had "fragile instance variables" which was a can of worms.

New comment by 0x0 in "Apple will phase out Rosetta 2 in macOS 28"

0x0 — Wed, 29 Oct 2025 07:14:07 +0000

I'm guessing they don't want to maintain and build and test x86_64 versions of all the macos libraries like Appkit and UIKit (including large changes like liquid glass) when they are no longer shipping x86_64 macOS versions. Which is not entirely unreasonable as I'm sure it takes a lot of effort to keep the whole ui library stack working properly on multiple archs.

Perhaps that's what they're hinting about with the note about a "subset of Rosetta". So maybe there is hope that the core x86_64 binary translator will stick around for things like VM and emulation of generic (linux? wine?) binaries, but they don't want to maintain a whole x86_64 macOS userspace going forward.

Space savings from not shipping fat binaries for everything will probably also be not insignificant. Or make room for a new fat binary for a future "arm64v2" :)

Microsoft's Root Program and the 1.1.1.1 Certificate Slip

0x0 — Thu, 04 Sep 2025 14:12:39 +0000

Article URL: https://unmitigatedrisk.com/?p=1092

Comments URL: https://news.ycombinator.com/item?id=45127497

Points: 10

# Comments: 1

New comment by 0x0 in "iOS 18.6.1 0-click RCE POC"

0x0 — Tue, 26 Aug 2025 19:38:42 +0000

Surprised to see no patch available for watchOS, which can also receive images via iMessage. Not important enough to patch, or not vulnerable, or just not exploited in the wild yet?

New comment by 0x0 in "Microsoft Edit"

0x0 — Wed, 25 Jun 2025 16:11:01 +0000

I was hoping this would work over ssh in a macOS Terminal.app, but last I tried it was inserting all kinds of weird characters into the edited text files.

Windows ships an official OpenSSH server these days, but so far there haven't been any good official text editors that work over OpenSSH, as far as I know.

I've had to resort to "copy con output.txt" the few times I needed to put things into a text file over windows-opensshd...

New comment by 0x0 in "Beating Google's kernelCTF PoW using AVX512"

0x0 — Fri, 30 May 2025 19:22:05 +0000

If linux kernel security really is so bad that google had to add a proof-of-work to introduce a 4 second race for 0day submissions, I'm surprised they're ok with still using the Linux kernel as the base for Android.

New comment by 0x0 in "Mozilla to shut down Pocket and Fakespot"

0x0 — Thu, 22 May 2025 20:36:36 +0000

> Safari only exist on Apple devices

Webkit, at least, builds on a lot more platforms than you think. Take a look at https://build.webkit.org/#/builders

I'm seeing at least three other MAJOR platforms:

  • GTK-Linux-64-bit-Release-Build
  • PlayStation-Release-Build
  • Windows-64-bit-Release-Build

Microsoft Telnet Server MS-TNAP Authentication Bypass

0x0 — Tue, 29 Apr 2025 19:35:03 +0000

Article URL: https://github.com/gavz/hfwintelnet

Comments URL: https://news.ycombinator.com/item?id=43837032

Points: 8

# Comments: 1