<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: benmmurphy</title><link>https://news.ycombinator.com/user?id=benmmurphy</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Fri, 17 Apr 2026 09:18:21 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=benmmurphy" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by benmmurphy in "Delve sets the record straight on anonymous attacks"]]></title><description><![CDATA[
<p>wasn't there some meme that 30u30 was some kind of predictor for fraud</p>
]]></description><pubDate>Sun, 05 Apr 2026 10:39:14 +0000</pubDate><link>https://news.ycombinator.com/item?id=47648035</link><dc:creator>benmmurphy</dc:creator><comments>https://news.ycombinator.com/item?id=47648035</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47648035</guid></item><item><title><![CDATA[New comment by benmmurphy in "Delve sets the record straight on anonymous attacks"]]></title><description><![CDATA[
<p>The problem with Apache 2 is it might not be completely clear how this works with a SaaS product. Of course if you are distributing binaries or source to customers then you are going to run into issues with Apache Licensing. But if you are just running code on your servers then it's not so straightforward. However, I guess it's likely they were distributing JavaScript code so that could be a problem for them. Also, I guess regardless of the licensing issues, not being honest with your customers when you are a compliance company is not going to be great for business.</p>
]]></description><pubDate>Sun, 05 Apr 2026 10:35:56 +0000</pubDate><link>https://news.ycombinator.com/item?id=47648020</link><dc:creator>benmmurphy</dc:creator><comments>https://news.ycombinator.com/item?id=47648020</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47648020</guid></item><item><title><![CDATA[New comment by benmmurphy in "Another DOGE staffer explaining how he flagged grants at NEH for "DEI""]]></title><description><![CDATA[
<p>it seems like if these statements that were part of the grants were 1FA protected then they should not have been part of the grants in the first place. since having 1FA protected statements in the grants allows the government to compel speech by favouring grants that make approved statements in the same way they can suppress speech by targeting grants that include disfavoured statements. people were previously claiming certain buzzwords needed to be included in order to hurdle the grant process. of course this is probably completely unworkable in practice since you need some kind of description of the grant and almost anything could be seen as some kind of speech that might be favored or punished for political reasons.</p>
]]></description><pubDate>Thu, 12 Mar 2026 16:26:42 +0000</pubDate><link>https://news.ycombinator.com/item?id=47353297</link><dc:creator>benmmurphy</dc:creator><comments>https://news.ycombinator.com/item?id=47353297</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47353297</guid></item><item><title><![CDATA[New comment by benmmurphy in "AIs can't stop recommending nuclear strikes in war game simulations"]]></title><description><![CDATA[
<p>The games are on GitHub (<a href="https://github.com/kennethpayne01/project_kahn_public/blob/main/Kahn_game_v11.py" rel="nofollow">https://github.com/kennethpayne01/project_kahn_public/blob/m...</a>) which might give better context as to how the simulation was run. Based on the code the LLMs only have a rough idea of the rules of the game. For example you can use 'Strategic Nuclear War' in order to force a draw as long as the opponent cannot win on the same turn. So as long as on your first turn you do 'Limited Nuclear Use' then presumably it's impossible to actually lose a game unless you are so handicapped that your opponent can force a win with the same strategy. I suspect with knowledge of the internal mechanics of the game you can play in a risk free way where you try to make progress towards a win but if your opponent threatens to move into a winning position then you can just execute the 'Strategic Nuclear War' action.<p>From the article:<p>> They also made mistakes in the fog of war: accidents happened in 86 per cent of the conflicts, with an action escalating higher than the AI intended to, based on its reasoning.<p>Which I guess is technically true but also seems a bit misleading because it seems to imply the AI made these mistakes but these mistakes are just part of the simulation. The AI chooses an action then there is some chance that a different action will actually be selected instead.</p>
]]></description><pubDate>Wed, 25 Feb 2026 18:17:10 +0000</pubDate><link>https://news.ycombinator.com/item?id=47155409</link><dc:creator>benmmurphy</dc:creator><comments>https://news.ycombinator.com/item?id=47155409</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47155409</guid></item><item><title><![CDATA[New comment by benmmurphy in "Goodbye InnerHTML, Hello SetHTML: Stronger XSS Protection in Firefox 148"]]></title><description><![CDATA[
<p>i think the use case for setHTML is for user content that contains rich text and to display that safely. so this is not an alternative for escaping text or inserting text into the DOM but rather a method for displaying rich text. for example maybe you have an editor that produces em, and strong tags so now you can just whitelist those tags and use setHTML to safely put that rich text into the DOM without worrying about all the possible HTML parsing edge cases.</p>
]]></description><pubDate>Tue, 24 Feb 2026 15:37:24 +0000</pubDate><link>https://news.ycombinator.com/item?id=47138490</link><dc:creator>benmmurphy</dc:creator><comments>https://news.ycombinator.com/item?id=47138490</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47138490</guid></item><item><title><![CDATA[New comment by benmmurphy in "SmartOS"]]></title><description><![CDATA[
<p>i'm not sure if the DTrace interpreter was safer than eBPF. I guess in theory it should be because a JIT is just extra surface area but I'm not sure in practice. Both eBPF and DTrace had bugs. Also, I always thought the eBPF JIT was just a translation to machine code and it didn't do any kind of optimization pass so should be very similar to how DTrace works. They both ship byte code to the kernel. But I guess the big difference is eBPF relies more on a verification pass while I think most of DTrace safety verification was performed while executing the bytecode. I remember there was a lot of stuff in eBPF where the verifier was meant to be able to statically determine you were only accessing memory you were able to. I think there were a lot of bugs around this because the verifier would assume slightly different behaviour than what the runtime was producing. But this is also not necessarily a JIT problem; you could have an interpreter that relied on a static safety pass as well.</p>
]]></description><pubDate>Thu, 22 Jan 2026 11:02:36 +0000</pubDate><link>https://news.ycombinator.com/item?id=46717645</link><dc:creator>benmmurphy</dc:creator><comments>https://news.ycombinator.com/item?id=46717645</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46717645</guid></item><item><title><![CDATA[New comment by benmmurphy in "Ozempic is changing the foods Americans buy"]]></title><description><![CDATA[
<p>There might be health problems associated with these drugs but they need to be compared to the next best option. I think for a lot of people on these drugs the next best option is continuing the status quo which has a lot of negative health outcomes as well.</p>
]]></description><pubDate>Mon, 12 Jan 2026 14:18:29 +0000</pubDate><link>https://news.ycombinator.com/item?id=46588841</link><dc:creator>benmmurphy</dc:creator><comments>https://news.ycombinator.com/item?id=46588841</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46588841</guid></item><item><title><![CDATA[New comment by benmmurphy in "Minnesota officials say they can't access evidence after fatal ICE shooting"]]></title><description><![CDATA[
<p>I can't imagine what would happen if federal agents killed someone's son, wife and dog in a firefight when executing a warrant based on a crime that looked like entrapment while a Democrat was in office.</p>
]]></description><pubDate>Fri, 09 Jan 2026 14:40:48 +0000</pubDate><link>https://news.ycombinator.com/item?id=46554329</link><dc:creator>benmmurphy</dc:creator><comments>https://news.ycombinator.com/item?id=46554329</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46554329</guid></item><item><title><![CDATA[New comment by benmmurphy in "Show HN: Aroma: Every TCP Proxy Is Detectable with RTT Fingerprinting"]]></title><description><![CDATA[
<p>for phones it's a bit difficult because i don't think you can egress out IP traffic without root or jailbreak on iPhone and iOS. but i guess on desktop this should be possible</p>
]]></description><pubDate>Mon, 05 Jan 2026 09:00:01 +0000</pubDate><link>https://news.ycombinator.com/item?id=46496660</link><dc:creator>benmmurphy</dc:creator><comments>https://news.ycombinator.com/item?id=46496660</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46496660</guid></item><item><title><![CDATA[New comment by benmmurphy in "Show HN: Aroma: Every TCP Proxy Is Detectable with RTT Fingerprinting"]]></title><description><![CDATA[
<p>sshuttle as described sounds like a normal CONNECT proxy which this is able to detect: <a href="https://sshuttle.readthedocs.io/en/stable/how-it-works.html" rel="nofollow">https://sshuttle.readthedocs.io/en/stable/how-it-works.html</a><p>like it's similar to connect or socks proxy except it is using SSH as a transport layer instead of TCP as a transport layer and it's doing it transparently without having applications to be written to use the proxy. but if you are just converting TCP packets into a datastream and then sending them somewhere else where you convert them back to TCP packets then this is what this TCP RTT strategy is fundamentally meant to detect. i suspect the TCP only RTT thing works because of the delayed ack behaviour of most operating systems and this will still happen with sshuttle unless you are explicitly using quick-ack. also, quick-ack just works around the TCP-RTT issue and not the differences in timing between TCP and TLS or other higher protocols. i think if you are testing for other RTT differences then quick-ack would make them more obvious.<p>on the server side sshuttle just uses normal tcp sockets and nothing magic (<a href="https://github.com/sshuttle/sshuttle/blob/master/sshuttle/ssnet.py#L582" rel="nofollow">https://github.com/sshuttle/sshuttle/blob/master/sshuttle/ss...</a>)<p>also, if you have an sshuttle proxy this site cannot detect it may be due to how close the server is to the client. i have a CONNECT based proxy it is able to detect around 5% of the time (maybe only that often due to a bug) but this is because there is probably less than 10ms latency between the proxy and the client and probably around 50ms latency between the proxy and the server for some reason (?).</p>
]]></description><pubDate>Sun, 04 Jan 2026 16:55:46 +0000</pubDate><link>https://news.ycombinator.com/item?id=46489769</link><dc:creator>benmmurphy</dc:creator><comments>https://news.ycombinator.com/item?id=46489769</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46489769</guid></item><item><title><![CDATA[New comment by benmmurphy in "Pro-democracy HK tycoon Jimmy Lai convicted in national security trial"]]></title><description><![CDATA[
<p>That reminds me of an old cold war joke. In China you are free to criticise western governments on Weibo. What is the problem?</p>
]]></description><pubDate>Mon, 15 Dec 2025 18:41:42 +0000</pubDate><link>https://news.ycombinator.com/item?id=46278524</link><dc:creator>benmmurphy</dc:creator><comments>https://news.ycombinator.com/item?id=46278524</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46278524</guid></item><item><title><![CDATA[New comment by benmmurphy in "Rust: Proof of Concept, Not Replacement"]]></title><description><![CDATA[
<p>i would say the c-code is broken because the queue push method has undesirable behaviour when capacity is reached. for example if you push onto a full task queue then it just leaks a task without any feedback to the caller that something very bad has happened. you don't even need to look at the method body to see there is something weird going on. because it's a fixed size task queue with a void return on the enqueue method. though, i guess it's possible the task queue could be resized in the body.<p>probably, the push method should return a boolean indicating whether the task could be enqueued and if the capacity is reached then the task is not enqueued. but this is c so it's very easy to write buggy code :) also, in this case the caller has no obvious safe way to check whether the queue method is safe to call so the author can't claim it's up to the caller to verify some pre-condition before enqueuing a task.</p>
]]></description><pubDate>Wed, 10 Dec 2025 17:28:18 +0000</pubDate><link>https://news.ycombinator.com/item?id=46220603</link><dc:creator>benmmurphy</dc:creator><comments>https://news.ycombinator.com/item?id=46220603</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46220603</guid></item><item><title><![CDATA[New comment by benmmurphy in "US could ask foreign tourists for five-year social media history before entry"]]></title><description><![CDATA[
<p>or try to travel to an islamic country with an Israeli stamp on your passport or an Israeli passport.</p>
]]></description><pubDate>Wed, 10 Dec 2025 15:08:53 +0000</pubDate><link>https://news.ycombinator.com/item?id=46218517</link><dc:creator>benmmurphy</dc:creator><comments>https://news.ycombinator.com/item?id=46218517</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46218517</guid></item><item><title><![CDATA[New comment by benmmurphy in "Grokipedia is the antithesis of Wikipedia"]]></title><description><![CDATA[
<p>agreement on raising the minimum wage is suspect because it's a controversial econ position and presumably some form of UBI or 'negative income tax' is a much better alternative which would have the redistributive effects of a higher minimum wage without the 'tariff' downsides. like we have recently heard why it's a very bad idea to artificially raise prices but apparently we are unable to extend this analysis to the minimum wage.</p>
]]></description><pubDate>Fri, 05 Dec 2025 02:05:21 +0000</pubDate><link>https://news.ycombinator.com/item?id=46156048</link><dc:creator>benmmurphy</dc:creator><comments>https://news.ycombinator.com/item?id=46156048</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46156048</guid></item><item><title><![CDATA[New comment by benmmurphy in "RCE Vulnerability in React and Next.js"]]></title><description><![CDATA[
<p>I suspect the commit to fix is:<p><a href="https://github.com/facebook/react/commit/bbed0b0ee64b89353a40d6313037bbc80221bc3d" rel="nofollow">https://github.com/facebook/react/commit/bbed0b0ee64b89353a4...</a><p>and it looks like it's been squashed with some other stuff to hide it or maybe there are other problems as well.<p>this pattern appears 4 times and looks like it is reducing the functions that are exposed to the 'whitelist'. i presume the modules have dangerous functions in the prototype chain and clients were able to invoke them.<p><pre><code>      -  return moduleExports[metadata.name];
      +  if (hasOwnProperty.call(moduleExports, metadata.name)) {
      +    return moduleExports[metadata.name];
      +  }
      +  return (undefined: any);</code></pre></p>
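<p>Review bot: the fallback on the last added line, return (undefined: any);, gives the caller undefined with no signal when metadata.name is not an own property of moduleExports, so a lookup that was rejected by the new check is indistinguishable from an export whose value is undefined; consider throwing an explicit error at that point so the rejected lookup is visible to the caller and in logs. The hasOwnProperty identifier used in hasOwnProperty.call(moduleExports, metadata.name) is not defined in the visible lines, so it is worth confirming that it is the Object.prototype method captured at module scope and not a property read from moduleExports itself.</p>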
]]></description><pubDate>Wed, 03 Dec 2025 17:09:15 +0000</pubDate><link>https://news.ycombinator.com/item?id=46137029</link><dc:creator>benmmurphy</dc:creator><comments>https://news.ycombinator.com/item?id=46137029</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46137029</guid></item><item><title><![CDATA[New comment by benmmurphy in "“Captain Gains” on Capitol Hill"]]></title><description><![CDATA[
<p>I think sortition is a great idea but you would probably need a constitutional amendment if you wanted sortition in Congress or the Senate. I think the States have some discretion over how elections are run but I don't think it's enough discretion to allow appointment by RNG. I think the strongest argument you could make is it's an election where everyone is forced to vote for themselves and tie-breaks are chosen by RNG but I don't think that would be valid because I assume the courts would demand electors execute some agency.<p>The text of the constitution for electing congress says:<p>> The House of Representatives shall be composed of Members chosen every second Year by the People of the several States<p>and there is something similar for the Senate after the 17th amendment. I think pre-17th amendment States may have been able to use Sortition to appoint Senators but it would not have been legally enforceable. The State legislature could pre-commit to elect Senators by Sortition but then they could bail out and just decide to choose who they want when it came to the actual selection.</p>
]]></description><pubDate>Wed, 03 Dec 2025 16:49:56 +0000</pubDate><link>https://news.ycombinator.com/item?id=46136735</link><dc:creator>benmmurphy</dc:creator><comments>https://news.ycombinator.com/item?id=46136735</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46136735</guid></item><item><title><![CDATA[New comment by benmmurphy in "“Captain Gains” on Capitol Hill"]]></title><description><![CDATA[
<p>sortition is just democracy but with a weird probabilistic form of voting</p>
]]></description><pubDate>Wed, 03 Dec 2025 16:34:37 +0000</pubDate><link>https://news.ycombinator.com/item?id=46136533</link><dc:creator>benmmurphy</dc:creator><comments>https://news.ycombinator.com/item?id=46136533</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46136533</guid></item><item><title><![CDATA[New comment by benmmurphy in "I don't care how well your "AI" works"]]></title><description><![CDATA[
<p>my guess is something like detailed in this article: <a href="https://meaningness.com/geeks-mops-sociopaths" rel="nofollow">https://meaningness.com/geeks-mops-sociopaths</a></p>
]]></description><pubDate>Wed, 26 Nov 2025 16:33:41 +0000</pubDate><link>https://news.ycombinator.com/item?id=46059205</link><dc:creator>benmmurphy</dc:creator><comments>https://news.ycombinator.com/item?id=46059205</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46059205</guid></item><item><title><![CDATA[New comment by benmmurphy in "Self-hosting a NAT Gateway"]]></title><description><![CDATA[
<p>aws has security groups as well. using NAT for a firewall is overkill.</p>
]]></description><pubDate>Sat, 22 Nov 2025 14:34:17 +0000</pubDate><link>https://news.ycombinator.com/item?id=46015098</link><dc:creator>benmmurphy</dc:creator><comments>https://news.ycombinator.com/item?id=46015098</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46015098</guid></item><item><title><![CDATA[New comment by benmmurphy in "Brexit Hit to UK Economy Double Official Estimate, Study Finds"]]></title><description><![CDATA[
<p>if the government wasn't incompetent in how they are handling certain immigration issues the anti-immigration parties would not have any momentum. for some bizarre reason the government is pursuing a course of action that is poisoning the well when it comes to immigration in the UK. i think immigration can bring a lot of benefits to the UK but by bringing in poor performing migrants into the UK it can end up turning the public against all immigration.</p>
]]></description><pubDate>Fri, 21 Nov 2025 16:21:51 +0000</pubDate><link>https://news.ycombinator.com/item?id=46005889</link><dc:creator>benmmurphy</dc:creator><comments>https://news.ycombinator.com/item?id=46005889</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46005889</guid></item></channel></rss>