<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: chc4</title><link>https://news.ycombinator.com/user?id=chc4</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Wed, 08 Apr 2026 04:05:19 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=chc4" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by chc4 in "Zero-day CSS: CVE-2026-2441 exists in the wild"]]></title><description><![CDATA[
<p>I don't think you know anything about how these industries work and should probably read some of the published books about them, like "This Is How They Tell Me The World Ends", instead of speculating in a way that will mislead people. Most purchasers of browser exploits are nation-state groups ("gray market") who are heavily incentivized not to screw the seller and would just wire some money directly, not black market sales.</p>
]]></description><pubDate>Wed, 18 Feb 2026 19:47:16 +0000</pubDate><link>https://news.ycombinator.com/item?id=47065409</link><dc:creator>chc4</dc:creator><comments>https://news.ycombinator.com/item?id=47065409</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47065409</guid></item><item><title><![CDATA[New comment by chc4 in "Zero-day CSS: CVE-2026-2441 exists in the wild"]]></title><description><![CDATA[
<p>Browser exploits are almost always two steps: you exploit a renderer bug in order to get arbitrary code execution inside a sandboxed process, and then you use a second sandbox escape exploit in order to gain arbitrary code execution in the non-sandboxed broker process. The first line of that (almost definitely AI generated) summary is the bad part, and means that this is one half of a full browser compromise chain. The fact that you still need a sandbox escape doesn't mean that it is harmless, especially since if it's being exploited in the wild that means whoever is using it probably <i>does</i> also have a sandbox escape they are pairing with it.</p>
]]></description><pubDate>Wed, 18 Feb 2026 19:41:28 +0000</pubDate><link>https://news.ycombinator.com/item?id=47065327</link><dc:creator>chc4</dc:creator><comments>https://news.ycombinator.com/item?id=47065327</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47065327</guid></item><item><title><![CDATA[New comment by chc4 in "Show HN: I taught LLMs to play Magic: The Gathering against each other"]]></title><description><![CDATA[
<p>It's really funny reading the thought processes, where most of the time the agent doesn't actually remember trivial things about the cards they or their opponent are playing (thinking they have different mana costs, have different effects, mix up their effect with another card). The fact they're able to take game actions and win against other agents is cute, but it doesn't inspire much confidence.<p>The agents also constantly seem to evaluate if they're "behind" or "ahead" based on board state, which is a weird way of thinking about most games and often hard to evaluate, especially for decks like control which care more about resources like mana and card advantage, and always plan on stabilizing late game.</p>
]]></description><pubDate>Tue, 17 Feb 2026 17:58:33 +0000</pubDate><link>https://news.ycombinator.com/item?id=47050619</link><dc:creator>chc4</dc:creator><comments>https://news.ycombinator.com/item?id=47050619</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47050619</guid></item><item><title><![CDATA[New comment by chc4 in "What every compiler writer should know about programmers (2015) [pdf]"]]></title><description><![CDATA[
<p>Yeah, this is basically Sovereign Citizen-tier argumentation: through some magic of definitions and historical readings and arguing about commas, I prove that actually everyone is incorrect. That's not how programming languages work! If everyone for 10+ years has been developing compilers with some definition of undefined behavior, and all modern compilers use undefined behavior in order to drive optimization passes which depend on those invariants, there is no possible way to argue that they're wrong and you know the One True C Programming Language interpretation instead.<p>Moreover, compiler authors don't just go out maliciously trying to ruin programs through finding more and more torturous undefined behavior for fun: the vast majority of undefined behavior in C are things that if a compiler wasn't able to assume were upheld by the programmer would inhibit trivial optimizations that the programmer also expects the compiler to be able to do.</p>
]]></description><pubDate>Tue, 17 Feb 2026 05:44:08 +0000</pubDate><link>https://news.ycombinator.com/item?id=47044115</link><dc:creator>chc4</dc:creator><comments>https://news.ycombinator.com/item?id=47044115</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47044115</guid></item><item><title><![CDATA[New comment by chc4 in "Show HN: Ghidra MCP Server – 110 tools for AI-assisted reverse engineering"]]></title><description><![CDATA[
<p>Or better yet, the built-in Version Tracker, which is designed for porting markup to newer versions of binaries with several different heuristic tools for correlating functions that are the same due to e.g. the same data or function xrefs, and not purely off of identical function hashes...<p>Going off of <i>only</i> FunctionID will either have a lot of false positives or false negatives, depending on if you compute them masking out operands or not. If you mask out operands, then it says that "*param_1 = 4" and "*param_1 = 123" are the same hash. If you don't mask out operands, then it says that nearly all functions are different because your call displacements have shifted due to different code layout. That's why the built-in Version Tracker tool uses hashes for only one of the heuristics, and has other correlation heuristics to apply as well in addition.</p>
]]></description><pubDate>Wed, 04 Feb 2026 13:35:03 +0000</pubDate><link>https://news.ycombinator.com/item?id=46885641</link><dc:creator>chc4</dc:creator><comments>https://news.ycombinator.com/item?id=46885641</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46885641</guid></item><item><title><![CDATA[New comment by chc4 in "OpenSSL: Stack buffer overflow in CMS AuthEnvelopedData parsing"]]></title><description><![CDATA[
<p>OpenSSL is used by approximately everything under the sun. Some of those users will be vendors that use default compiler flags without stack cookies. A <i>lot</i> of IoT devices for example still don't have stack cookies for any of their software.</p>
]]></description><pubDate>Tue, 27 Jan 2026 18:27:17 +0000</pubDate><link>https://news.ycombinator.com/item?id=46784134</link><dc:creator>chc4</dc:creator><comments>https://news.ycombinator.com/item?id=46784134</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46784134</guid></item><item><title><![CDATA[New comment by chc4 in "OpenSSL: Stack buffer overflow in CMS AuthEnvelopedData parsing"]]></title><description><![CDATA[
<p>2026 and we still have bugs from copying unbounded user input into fixed size stack buffers in security critical code. Oh well, maybe we'll fix it in the next 30 years instead.</p>
]]></description><pubDate>Tue, 27 Jan 2026 18:06:39 +0000</pubDate><link>https://news.ycombinator.com/item?id=46783817</link><dc:creator>chc4</dc:creator><comments>https://news.ycombinator.com/item?id=46783817</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46783817</guid></item><item><title><![CDATA[New comment by chc4 in "Proton spam and the AI consent problem"]]></title><description><![CDATA[
<p>I saw a Mastodon tweet a while ago, which went something like:<p>Do tech companies understand consent?:<p>- [ ] Yes<p>- [ ] Ask me again in a few days</p>
]]></description><pubDate>Fri, 23 Jan 2026 07:28:34 +0000</pubDate><link>https://news.ycombinator.com/item?id=46729548</link><dc:creator>chc4</dc:creator><comments>https://news.ycombinator.com/item?id=46729548</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46729548</guid></item><item><title><![CDATA[New comment by chc4 in "Computer Systems Security 6.566 / Spring 2024"]]></title><description><![CDATA[
<p>RPISEC's Modern Binary Exploitation is somewhat famous for doing exactly that!</p>
]]></description><pubDate>Sun, 18 Jan 2026 21:46:53 +0000</pubDate><link>https://news.ycombinator.com/item?id=46672471</link><dc:creator>chc4</dc:creator><comments>https://news.ycombinator.com/item?id=46672471</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46672471</guid></item><item><title><![CDATA[New comment by chc4 in "Why senior engineers let bad projects fail"]]></title><description><![CDATA[
<p>brb taking out a 10:1 bet on a new project which will print money and then rm -rf'ing all the code so i get a payout</p>
]]></description><pubDate>Thu, 15 Jan 2026 23:33:38 +0000</pubDate><link>https://news.ycombinator.com/item?id=46641002</link><dc:creator>chc4</dc:creator><comments>https://news.ycombinator.com/item?id=46641002</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46641002</guid></item><item><title><![CDATA[New comment by chc4 in "CVEs affecting the Svelte ecosystem"]]></title><description><![CDATA[
<p>SSRF is not just a DoS.</p>
]]></description><pubDate>Thu, 15 Jan 2026 20:20:17 +0000</pubDate><link>https://news.ycombinator.com/item?id=46638630</link><dc:creator>chc4</dc:creator><comments>https://news.ycombinator.com/item?id=46638630</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46638630</guid></item><item><title><![CDATA[New comment by chc4 in "TimeCapsuleLLM: LLM trained only on data from 1800-1875"]]></title><description><![CDATA[
<p>I think it would be very cute to train a model exclusively in pre-information age documents, and then try to teach it what a computer is and get it to write some programs. That said, this doesn't look like it's nearly there yet, with the output looking closer to Markov chain than ChatGPT quality.</p>
]]></description><pubDate>Mon, 12 Jan 2026 19:53:53 +0000</pubDate><link>https://news.ycombinator.com/item?id=46593341</link><dc:creator>chc4</dc:creator><comments>https://news.ycombinator.com/item?id=46593341</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46593341</guid></item><item><title><![CDATA[New comment by chc4 in "Ask HN: What tech purchase did you regret even though reviews were great?"]]></title><description><![CDATA[
<p>Amazon Fire Tablet, one of the only things I've ever returned.</p>
]]></description><pubDate>Fri, 26 Dec 2025 01:28:10 +0000</pubDate><link>https://news.ycombinator.com/item?id=46388369</link><dc:creator>chc4</dc:creator><comments>https://news.ycombinator.com/item?id=46388369</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46388369</guid></item><item><title><![CDATA[New comment by chc4 in "Molly: An Improved Signal App"]]></title><description><![CDATA[
<p>Signal is an end-to-end encrypted messaging app. People continue to breathlessly mention the lack of database encryption as a problem, but that never made it a real security issue: its job is not, and has never been, dissuading an attacker who has local access to one of the ends, especially because that is an incoherent security boundary (just like the people who were very upset about Signal using the system keyboard which is potentially backdoored - if your phone is compromised, of course someone will be able to read your Signal messages).</p>
]]></description><pubDate>Fri, 28 Nov 2025 19:17:03 +0000</pubDate><link>https://news.ycombinator.com/item?id=46081818</link><dc:creator>chc4</dc:creator><comments>https://news.ycombinator.com/item?id=46081818</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46081818</guid></item><item><title><![CDATA[New comment by chc4 in "APT Rust requirement raises questions"]]></title><description><![CDATA[
<p>No one is using an Alpha, Motorola 680x0, PA-RISC, or SuperH computer because that's the only thing they can afford. Rust supports 32bit x86.</p>
]]></description><pubDate>Tue, 25 Nov 2025 16:44:19 +0000</pubDate><link>https://news.ycombinator.com/item?id=46047663</link><dc:creator>chc4</dc:creator><comments>https://news.ycombinator.com/item?id=46047663</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46047663</guid></item><item><title><![CDATA[New comment by chc4 in "NSA and IETF, part 3: Dodging the issues at hand"]]></title><description><![CDATA[
<p>They're vulnerable to "High-S" malleable signatures, while ed25519 isn't. No one is claiming they're backdoored (well, some people somewhere probably are), but they do have failure modes that ed25519 doesn't which is the GP's point.</p>
]]></description><pubDate>Mon, 24 Nov 2025 15:48:39 +0000</pubDate><link>https://news.ycombinator.com/item?id=46035371</link><dc:creator>chc4</dc:creator><comments>https://news.ycombinator.com/item?id=46035371</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46035371</guid></item><item><title><![CDATA[New comment by chc4 in "Kodak ran a nuclear device in its basement for decades"]]></title><description><![CDATA[
<p>UMass Lowell has a 1MW research reactor as well.</p>
]]></description><pubDate>Sat, 22 Nov 2025 19:47:29 +0000</pubDate><link>https://news.ycombinator.com/item?id=46017643</link><dc:creator>chc4</dc:creator><comments>https://news.ycombinator.com/item?id=46017643</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46017643</guid></item><item><title><![CDATA[New comment by chc4 in "Optimizing Datalog for the GPU"]]></title><description><![CDATA[
<p>CodeQL compiles to the Souffle datalog engine and I use it for static analysis. I've also used ascent for a few random side projects in Rust which is very convenient.</p>
]]></description><pubDate>Tue, 04 Nov 2025 23:10:33 +0000</pubDate><link>https://news.ycombinator.com/item?id=45816960</link><dc:creator>chc4</dc:creator><comments>https://news.ycombinator.com/item?id=45816960</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45816960</guid></item><item><title><![CDATA[New comment by chc4 in "Alleged Jabber Zeus Coder 'MrICQ' in U.S. Custody"]]></title><description><![CDATA[
<p>The human brain is just really bad at evaluating risk, especially over long periods of time. A lot of people are wanted overseas for years or even decades without anything happening, which makes it hard to maintain the mindset of being at risk without falling back to "eh, I've been fine this long"; a lot of them do foreign travel anyway and get away with it, which makes it hard to not fall into "what's one more vacation to an extradition-friendly country".</p>
]]></description><pubDate>Sun, 02 Nov 2025 23:16:31 +0000</pubDate><link>https://news.ycombinator.com/item?id=45794278</link><dc:creator>chc4</dc:creator><comments>https://news.ycombinator.com/item?id=45794278</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45794278</guid></item><item><title><![CDATA[New comment by chc4 in "Sandhill cranes have adopted a Canada gosling"]]></title><description><![CDATA[
<p>...And this is how I learn that the line "Steele Dakota's sandhill crane" from mewithoutYou's Nine Stories is talking about a bird species and not a literal mechanical crane. Apparently they have the largest sculpture of a sandhill crane in the world at 40ft (which makes more sense in the context of the song than a mechanical one!) <a href="https://www.ndtourism.com/steele/attractions-entertainment/family-fun/worlds-largest-sandhill-crane" rel="nofollow">https://www.ndtourism.com/steele/attractions-entertainment/f...</a></p>
]]></description><pubDate>Mon, 27 Oct 2025 06:39:53 +0000</pubDate><link>https://news.ycombinator.com/item?id=45718019</link><dc:creator>chc4</dc:creator><comments>https://news.ycombinator.com/item?id=45718019</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45718019</guid></item></channel></rss>