<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: codedokode</title><link>https://news.ycombinator.com/user?id=codedokode</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Sat, 23 May 2026 02:30:23 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=codedokode" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by codedokode in "GitHub confirms breach of 3,800 repos via malicious VSCode extension"]]></title><description><![CDATA[
<p>Note that VS Code is built on Electron and it is a pain to sandbox because Electron has (had?) a SUID sandbox helper, and you cannot run SUID binaries in a sandbox easily. Sandboxing on Linux is an extremely difficult task.</p>
]]></description><pubDate>Wed, 20 May 2026 19:45:04 +0000</pubDate><link>https://news.ycombinator.com/item?id=48213078</link><dc:creator>codedokode</dc:creator><comments>https://news.ycombinator.com/item?id=48213078</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48213078</guid></item><item><title><![CDATA[New comment by codedokode in "Mini Shai-Hulud Strikes Again: 314 npm Packages Compromised"]]></title><description><![CDATA[
<p>Namespaces look dangerous to me because they break a lot of assumptions software was built on before. For example, sudo relies on /etc/sudoers being accessible only to root. But with unprivileged containers one can easily create a filesystem namespace where /etc/sudoers would contain arbitrary data. I think the SUID bit won't work in a container, but there might be other ways to confuse privileged software using containers. Or not?<p>Also, if the container has access to dbus, one can try to exploit multiple services listening on dbus.</p>
]]></description><pubDate>Tue, 19 May 2026 18:52:28 +0000</pubDate><link>https://news.ycombinator.com/item?id=48197628</link><dc:creator>codedokode</dc:creator><comments>https://news.ycombinator.com/item?id=48197628</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48197628</guid></item><item><title><![CDATA[New comment by codedokode in "Mini Shai-Hulud Strikes Again: 314 npm Packages Compromised"]]></title><description><![CDATA[
<p>If you are using NPM for business, you should be paying for a repository which was checked by an antivirus company and not rely on a free repository supported by unpaid volunteers.</p>
]]></description><pubDate>Tue, 19 May 2026 18:41:33 +0000</pubDate><link>https://news.ycombinator.com/item?id=48197467</link><dc:creator>codedokode</dc:creator><comments>https://news.ycombinator.com/item?id=48197467</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48197467</guid></item><item><title><![CDATA[New comment by codedokode in "Iran starts Bitcoin-backed ship insurance for Hormuz strait"]]></title><description><![CDATA[
<p>It is ridiculous that countries like Australia (a party to a convention) have a say in whether Turkey should or should not pass ships through the strait. This looks like a legacy of the colonization era. This convention should be repealed, and the new agreement should be made by Russia and Turkey and other Black Sea countries ignoring the interests of colonizers.</p>
]]></description><pubDate>Tue, 19 May 2026 08:59:10 +0000</pubDate><link>https://news.ycombinator.com/item?id=48190953</link><dc:creator>codedokode</dc:creator><comments>https://news.ycombinator.com/item?id=48190953</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48190953</guid></item><item><title><![CDATA[New comment by codedokode in "Iran starts Bitcoin-backed ship insurance for Hormuz strait"]]></title><description><![CDATA[
<p>I think the US blocked international waters around Cuba, without any legal basis (although there is no such thing as international law anyway) at the time of the Cuban crisis. And now the US seems to block international waters near Iran threatening to attack any ship going to or from Iran, without any legal basis.<p>Proof: <a href="https://apnews.com/article/us-iran-war-navy-blockade-strait-of-hormuz-5ede64fed469d3cf99524976183e3bfc" rel="nofollow">https://apnews.com/article/us-iran-war-navy-blockade-strait-...</a></p>
]]></description><pubDate>Tue, 19 May 2026 08:43:50 +0000</pubDate><link>https://news.ycombinator.com/item?id=48190829</link><dc:creator>codedokode</dc:creator><comments>https://news.ycombinator.com/item?id=48190829</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48190829</guid></item><item><title><![CDATA[New comment by codedokode in "Iran starts Bitcoin-backed ship insurance for Hormuz strait"]]></title><description><![CDATA[
<p>I think the US established a naval blockade against Cuba and other countries multiple times in history, blocking passage of ships in international waters.</p>
]]></description><pubDate>Tue, 19 May 2026 07:58:56 +0000</pubDate><link>https://news.ycombinator.com/item?id=48190518</link><dc:creator>codedokode</dc:creator><comments>https://news.ycombinator.com/item?id=48190518</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48190518</guid></item><item><title><![CDATA[New comment by codedokode in "War game exposed U.S. vulnerability to low-tech warfare"]]></title><description><![CDATA[
<p>Anyone can buy a StarLink terminal though. Also, you can use a friend's spy satellite if you don't have your own.</p>
]]></description><pubDate>Tue, 19 May 2026 05:23:06 +0000</pubDate><link>https://news.ycombinator.com/item?id=48189498</link><dc:creator>codedokode</dc:creator><comments>https://news.ycombinator.com/item?id=48189498</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48189498</guid></item><item><title><![CDATA[New comment by codedokode in "War game exposed U.S. vulnerability to low-tech warfare"]]></title><description><![CDATA[
<p>Modern Shaheds can be controlled through satellite links like StarLink, with high quality video. Also, targeting a large pile of metal in the sea should not be difficult with something like a radar.</p>
]]></description><pubDate>Tue, 19 May 2026 05:18:52 +0000</pubDate><link>https://news.ycombinator.com/item?id=48189465</link><dc:creator>codedokode</dc:creator><comments>https://news.ycombinator.com/item?id=48189465</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48189465</guid></item><item><title><![CDATA[New comment by codedokode in "U.S. DOJ demands Apple and Google unmask over 100k users of car-tinkering app"]]></title><description><![CDATA[
<p>That's why you should be downloading from F-Droid anonymously.</p>
]]></description><pubDate>Fri, 15 May 2026 18:11:18 +0000</pubDate><link>https://news.ycombinator.com/item?id=48151869</link><dc:creator>codedokode</dc:creator><comments>https://news.ycombinator.com/item?id=48151869</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48151869</guid></item><item><title><![CDATA[New comment by codedokode in "A 0-click exploit chain for the Pixel 10"]]></title><description><![CDATA[
<p>I think it is 3 extra instructions on RISC-V if you add signed numbers. So 1 addition (the most popular operation) turns into 4 instructions. What are those people thinking? I generally like RISC-V but this part, in my opinion, is wrong. They should just have added an "overflow enabled" bit to the add instruction.</p>
]]></description><pubDate>Fri, 15 May 2026 17:02:51 +0000</pubDate><link>https://news.ycombinator.com/item?id=48151050</link><dc:creator>codedokode</dc:creator><comments>https://news.ycombinator.com/item?id=48151050</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48151050</guid></item><item><title><![CDATA[New comment by codedokode in "A 0-click exploit chain for the Pixel 10"]]></title><description><![CDATA[
<p>> is a choice you can make when compiling software<p>That is not a solution because it means the code can behave differently, and expose a vulnerability if wrong compilation settings are chosen.<p>The functions like "wrapping_add" have such long names that nobody wants to use them and they make the code ugly. Instead, "+" should be used for addition with exceptions, and something like "wrap+" or "<+>" or "[+]" used for wrapping addition.<p>That's how people work, they will choose the laziest path (the simplest function name) and this is why you should use "+" for safer, non-wrapping addition and make the symbol for wrapping addition long and unattractive. Make writing unsafe code harder. This is just basic psychology.<p>C has the same problem, they have functions checking for overflow, but they also have long and ugly names that discourage their use.<p>> modern hardware will just wrap if you don't check and that's cheaper<p>So you suggest that because x86 is a poorly designed architecture, we should adapt programming languages to its poor design? x86 will be gone sooner or later anyway.<p>Also, there are languages like JS, Python, Swift which chose the right path, it is only C and Rust developers who seem to be backwards.</p>
]]></description><pubDate>Fri, 15 May 2026 16:50:23 +0000</pubDate><link>https://news.ycombinator.com/item?id=48150888</link><dc:creator>codedokode</dc:creator><comments>https://news.ycombinator.com/item?id=48150888</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48150888</guid></item><item><title><![CDATA[New comment by codedokode in "A 0-click exploit chain for the Pixel 10"]]></title><description><![CDATA[
<p>I read about the Pixel 9 Dolby Decoder bug, and it is based on integer overflow. It was a mistake to allow the "+" operator to overflow, and this must be fixed in new languages like Rust, but it is not.</p>
]]></description><pubDate>Fri, 15 May 2026 14:31:59 +0000</pubDate><link>https://news.ycombinator.com/item?id=48149143</link><dc:creator>codedokode</dc:creator><comments>https://news.ycombinator.com/item?id=48149143</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48149143</guid></item><item><title><![CDATA[New comment by codedokode in "A few words on DS4"]]></title><description><![CDATA[
<p>It contains comparisons: <a href="https://huggingface.co/deepseek-ai/DeepSeek-V4-Flash" rel="nofollow">https://huggingface.co/deepseek-ai/DeepSeek-V4-Flash</a></p>
]]></description><pubDate>Fri, 15 May 2026 00:14:13 +0000</pubDate><link>https://news.ycombinator.com/item?id=48142922</link><dc:creator>codedokode</dc:creator><comments>https://news.ycombinator.com/item?id=48142922</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48142922</guid></item><item><title><![CDATA[New comment by codedokode in "A few words on DS4"]]></title><description><![CDATA[
<p>I thought DeepSeek was closed-weights and proprietary? I wonder how it compares against Western open-weight models. The Hugging Face page contains the comparison only with proprietary models for some reason.</p>
]]></description><pubDate>Thu, 14 May 2026 23:49:27 +0000</pubDate><link>https://news.ycombinator.com/item?id=48142751</link><dc:creator>codedokode</dc:creator><comments>https://news.ycombinator.com/item?id=48142751</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48142751</guid></item><item><title><![CDATA[New comment by codedokode in "New Nginx Exploit"]]></title><description><![CDATA[
<p>I think "rewrite" is rarely used nowadays? Isn't it something from the old days of PHP and Apache?</p>
]]></description><pubDate>Thu, 14 May 2026 23:08:47 +0000</pubDate><link>https://news.ycombinator.com/item?id=48142441</link><dc:creator>codedokode</dc:creator><comments>https://news.ycombinator.com/item?id=48142441</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48142441</guid></item><item><title><![CDATA[New comment by codedokode in "Kickstarter is forced to ban adult content by payment processors"]]></title><description><![CDATA[
<p>They do not have SMS OTP confirmation for bank card purchases? It is much more difficult to deny anything when there is a record of a delivered SMS message along with phone identifier and precise location.</p>
]]></description><pubDate>Wed, 13 May 2026 21:56:52 +0000</pubDate><link>https://news.ycombinator.com/item?id=48128148</link><dc:creator>codedokode</dc:creator><comments>https://news.ycombinator.com/item?id=48128148</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48128148</guid></item><item><title><![CDATA[New comment by codedokode in "Kickstarter is forced to ban adult content by payment processors"]]></title><description><![CDATA[
<p>In my country you usually need to confirm payments with SMS OTP, except for trusted merchants (but they take the risk of fraud by opting out from confirmation). So simply stealing a bank card doesn't get you far. And pretending that you did not pay is also more difficult. Is the US different? Do banks and clients trust each other in the US and do not require OTP?</p>
]]></description><pubDate>Wed, 13 May 2026 21:49:14 +0000</pubDate><link>https://news.ycombinator.com/item?id=48128081</link><dc:creator>codedokode</dc:creator><comments>https://news.ycombinator.com/item?id=48128081</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48128081</guid></item><item><title><![CDATA[New comment by codedokode in "Kickstarter is forced to ban adult content by payment processors"]]></title><description><![CDATA[
<p>> Adult content purchases have another problem where purchasers often deny having made the purchase when their significant other finds it on the credit card statement. Shaggy's "It wasn't me" defense.<p>Ridiculous. People who consume adult content could at least behave like adults.</p>
]]></description><pubDate>Wed, 13 May 2026 16:26:57 +0000</pubDate><link>https://news.ycombinator.com/item?id=48124076</link><dc:creator>codedokode</dc:creator><comments>https://news.ycombinator.com/item?id=48124076</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48124076</guid></item><item><title><![CDATA[New comment by codedokode in "Kickstarter is forced to ban adult content by payment processors"]]></title><description><![CDATA[
<p>Well, that is a fair point, but can't they just increase the commission to cover them? Also I think it is weird that when someone steals a bank card, they use it to buy adult games instead of buying an iPhone or MacBook and shipping it to a third world country.</p>
]]></description><pubDate>Wed, 13 May 2026 16:08:57 +0000</pubDate><link>https://news.ycombinator.com/item?id=48123800</link><dc:creator>codedokode</dc:creator><comments>https://news.ycombinator.com/item?id=48123800</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48123800</guid></item><item><title><![CDATA[New comment by codedokode in "Kickstarter is forced to ban adult content by payment processors"]]></title><description><![CDATA[
<p>Why do payment processors do it? Why do people in America not want to earn more money from commissions? Strong church lobby? Legal risks? I think it's mostly religious groups who are against adult content and sex, or are there other groups?<p>Also this is why we should work to increase circulation of cryptocurrency. No stupid religious restrictions and stupid political sanctions.<p>Also why are PornHub and OnlyFans immune to the religious lobby?</p>
]]></description><pubDate>Wed, 13 May 2026 16:02:29 +0000</pubDate><link>https://news.ycombinator.com/item?id=48123686</link><dc:creator>codedokode</dc:creator><comments>https://news.ycombinator.com/item?id=48123686</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48123686</guid></item></channel></rss>