Hacker News: JJJollyjim

New comment by JJJollyjim in "The RCE that AMD won't fix"

JJJollyjim — Fri, 06 Feb 2026 02:15:15 +0000

This is the place they direct researchers to report bugs. If they don’t want to pay out for MITM, that’s fine, but they should still be taking out-of-scope reports seriously

New comment by JJJollyjim in "Ask HN: Why hasn't x86 caught up with Apple M series?"

JJJollyjim — Tue, 26 Aug 2025 12:49:10 +0000

Apple CPUs do decode instructions into micro-ops.

https://dougallj.github.io/applecpu/firestorm.html

New comment by JJJollyjim in "Ask HN: Why does the US Visa application website do a port-scan of my network?"

JJJollyjim — Wed, 20 Aug 2025 11:47:01 +0000

Chrome doesn't allow it - local network services have to opt-in to being fetchable from public sites (https://github.com/WICG/private-network-access), although they're replacing it with a user-permission-based approach (https://github.com/WICG/local-network-access).

(There is some language online suggesting PNA has not actually shipped, but I experienced it myself in stable Chrome several years ago, so I am unsure of the current state).

Firefox doesn't implement either approach -- I assume this is indicative of their lack of development resources.

New comment by JJJollyjim in "Efficient Computer's Electron E1 CPU – 100x more efficient than Arm?"

JJJollyjim — Sat, 26 Jul 2025 13:21:24 +0000

Especially the fact that he says the toolchain is now available for download (which lends credibility – if they're willing to share it so people can see the quality of output it produces), when in fact the website has no download links.

New comment by JJJollyjim in "Reversing a Fingerprint Reader Protocol (2021)"

JJJollyjim — Wed, 23 Jul 2025 14:48:53 +0000

As noted in the article I reversed the protocol for a related Goodix device (which was on Intel so used actual SGX instead of the white-box): I used the firmware update system to insert additional vulnerabilities in the sensor firmware and extract the PSK from that side.

I did a talk about it here: https://www.youtube.com/watch?v=IyjUY-xvFw4

New comment by JJJollyjim in "Cutting down Rust compile times from 30 to 2 minutes with one thousand crates"

JJJollyjim — Thu, 17 Apr 2025 12:13:02 +0000

They mention that compiling one crate at a time (-j1) doesnt give the 7x slowdown, which rules out the object file/caching-in-rustc theories... I think the only explanation is the rustcs are sharing limited L3 cache.

New comment by JJJollyjim in "Perhaps Rust Needs "Defer""

JJJollyjim — Wed, 06 Nov 2024 10:15:24 +0000

It is in fact documented that you can't do this:

"Currently the default global allocator is unspecified. Libraries, however, like cdylibs and staticlibs are guaranteed to use the System by default.", however:

"[std::alloc::System] is based on malloc on Unix platforms and HeapAlloc on Windows, plus related functions. However, it is not valid to mix use of the backing system allocator with System, as this implementation may include extra work, such as to serve alignment requests greater than the alignment provided directly by the backing system allocator."

https://doc.rust-lang.org/std/alloc/index.html https://doc.rust-lang.org/std/alloc/struct.System.html

New comment by JJJollyjim in "Tell HN: Upgrade your Metabase installation"

JJJollyjim — Fri, 21 Jul 2023 13:53:09 +0000

Presumably the metabase instance also has credentials to access some databases, some of which may be have enough privileges to also get RCE on the database machines (as well as messing with the data they hold).

New comment by JJJollyjim in "Tell HN: Upgrade your Metabase installation"

JJJollyjim — Fri, 21 Jul 2023 13:36:57 +0000

I found something which is clearly a security fix, using the same idea but more naive: just diffing at the lengths of the decompiled files. It's not at all clear how the issue I found would be triggered by an unauthenticated user though.

New comment by JJJollyjim in "Tell HN: Upgrade your Metabase installation"

JJJollyjim — Fri, 21 Jul 2023 13:16:10 +0000

Oh, I didn't mean to imply you can, just that it's 404... presumably it exists in a repo checked out on someone's machine, and maybe in a separate private Github repo.

New comment by JJJollyjim in "Tell HN: Upgrade your Metabase installation"

JJJollyjim — Fri, 21 Jul 2023 13:07:38 +0000

They haven't released the source, and the compiled versions are non-trivial to diff (e.g. there are nondeterministic numbers from the clojure compiler that seem to have changed from one to the other, and .clj files have been removed from the jar).

The old version has `hash=1bb88f5`, which is a public commit: https://github.com/metabase/metabase/commit/1bb88f5

Whereas the new version has `hash=c8912af`, which is not: https://github.com/metabase/metabase/commit/c8912af

New comment by JJJollyjim in "Transformer architecture optimized for Apple Silicon"

JJJollyjim — Fri, 24 Mar 2023 08:52:28 +0000

llama.cpp runs on the CPU, not the ANE or GPU.

New comment by JJJollyjim in "Disclosure: Supervisor security vulnerability"

JJJollyjim — Thu, 09 Mar 2023 00:53:13 +0000

I don't believe so – from a quick glance it seems that supervisor requests are proxied through the normal HA port, and the supervisor doesn't have it's own port except for the Observer (which seems to be a simple read-only thing).

New comment by JJJollyjim in "Disclosure: Supervisor security vulnerability"

JJJollyjim — Thu, 09 Mar 2023 00:39:56 +0000

Shodan lists 125,000 HA installs exposed to the internet (though I don't know how accurate that statistic is, nor what fraction have a Supervisor) https://www.shodan.io/search?query=product%3A"Home+Assistant...

New comment by JJJollyjim in "My daughter's school took over my personal Microsoft account"

JJJollyjim — Sat, 25 Feb 2023 10:47:58 +0000

As a random example, if your Microsoft account is OAuthed to a GitHub login, and you log in through that, the popup browser just takes you back to a Microsoft account settings page instead of handing the OAuth flow back to Minecraft

New comment by JJJollyjim in "CVE-2022-41924 – tailscaled can be used to remotely execute code on Windows"

JJJollyjim — Mon, 21 Nov 2022 19:32:07 +0000

[co-author of the research here]

They actually approximate this functionality in the Windows implementation: It checks netstat to enforce that incoming TCP connections are from the expected Windows user! https://github.com/tailscale/tailscale/blob/2a991a3541ae5d56...

That's why we were happy with the solution they implemented as a stopgap, until they could switch to named pipes (which there is now an open PR for).

New comment by JJJollyjim in "A Superoptimizer for LLVM IR"

JJJollyjim — Thu, 04 Feb 2021 02:02:00 +0000

I'd also like to see motivating examples of specific things it does find (that LLVM doesn't), even if that's not a representative benchmark

New comment by JJJollyjim in "Element (Matrix chat app) suspended from the Google Play Store"

JJJollyjim — Sat, 30 Jan 2021 06:24:44 +0000

Android's has an app signing system which isn't dependent on Google Play. Updates to a given app have to be signed with the same certificate as previous versions.

New comment by JJJollyjim in "Robinhood Play Store listing went from 329K reviews to 180K in few hours"

JJJollyjim — Fri, 29 Jan 2021 03:18:37 +0000

Have you considered making the website actually show the comments instead of pinning yourself on every large post?

New comment by JJJollyjim in "GitHub blocks entire company because one employee was in Iran"

JJJollyjim — Tue, 05 Jan 2021 11:36:51 +0000

unfortunately this is a real thing the US imposes on the world (it's called Secondary Sanctions)