Hacker News: dunder_cat

New comment by dunder_cat in "GitLab announces workforce reduction and end of their CREDIT values"

dunder_cat — Tue, 12 May 2026 00:12:07 +0000

After CVE-2023-7028 (account takeover via password reset, IIRC you just had to add a semi-colon between the correct email and the attacker email and it'd email both) was exploited against my cluster, the boasting about fully-automated changes and reviews scares me. I hope I'm far from the only one that hasn't forgotten issues like this.

I'm aware that the defective code was not written by AI but nonetheless, GitLab is what stands between many small organizations and their most precious resources. I was fortunate that 2FA stopped the damage, but what's going to happen the next time? What if my organization is permanently damaged because we taught the machines to go fast and break things, too [1]?

[1] VPN is an option but we're a non-profit with a number of non-technical users, so admittedly we're caught in a balance between making it harder to do things. As much as WireGuard is awesome, there's still a barrier.

New comment by dunder_cat in ""Dirty Frag" (CVE-2026-43284): The Second Linux Root Exploit in Eight Days"

dunder_cat — Sat, 09 May 2026 20:50:55 +0000

Also, meant to share some interesting readings. In the Kubernetes world, my RSS feed lit up with their blog post about user namespaces being generally available in k8s 1.36.

They actually provided some example CVEs that wouldn't have been possible if in addition to containers, they were also using user namespaces https://github.com/kubernetes/enhancements/tree/217d790720c5.... The first example talks about "CVE-2019-5736: Host runc binary can be overwritten from container. Completely mitigated with userns." So it seems like getting root in a regular container gives you more of an attack surface, but if user namespaces are deployed, then it's even harder to do anything useful with it. I am looking forward to the aforementioned writeups since user namespace escapes usually mean another kernel bug.

New comment by dunder_cat in ""Dirty Frag" (CVE-2026-43284): The Second Linux Root Exploit in Eight Days"

dunder_cat — Sat, 09 May 2026 20:45:27 +0000

Your understanding is fine. In many environments, you can still do a lot of damage just by popping a shell and being able to access the database/sensitive environment variables/sensitive code. Getting to root would just be the icing on the cake.

That being said, it's pretty common for non-containerized processes to drop permissions to a low-privileged service account (like nginx running as `nobody`), so it definitely thwarts defense-in-depth in those setups.

In containerized environments, my understanding is their use of namespaces means you still need something more clever than just "patch out the authentication logic in su via the page cache" to escalate permissions in the system to break out of the container. That doesn't mean it's impossible in these exploits (the original copyfail writeup alluded to a second writeup coming to this effect - distinct from dirtyfrag though), but it does mean you're not going to be able to just spam the PoCs floating around.

New comment by dunder_cat in "Google Cloud fraud defense, the next evolution of reCAPTCHA"

dunder_cat — Thu, 07 May 2026 01:37:00 +0000

Doesn't have to even be that advanced, people get conditioned to stuff like reCAPTCHA and friends & Cloudflare's interstitial landing page (when "I'm under attack" mode is on) and they won't bat an eye. That's how we get people piping `curl | bash` into their terminal to "solve" fake challenges.

As a side note though, I recently have tried to turn CSP on a website I run and the amount of garbage I see in the reports is astonishing. There's some noise from things like OpenDNS intercepting YouTube or Social embeds for people using the work-friendly or family-friendly options, but the sheer amount of things attempting to phone home to random URLs and random extension scripts injecting ads into the site would astonish you. My mental model of "toolbar hell" from the Windows XP days being gone has completely shattered.

New comment by dunder_cat in "Google Cloud fraud defense, the next evolution of reCAPTCHA"

dunder_cat — Thu, 07 May 2026 01:22:18 +0000

Is the QR code check mandatory and if not, is it the default?

The bulletpoint as-is just says:

> AI-resistant challenge: As we identify potentially fraudulent behavior from agents, we enable application providers to deter and mitigate malicious requests by requesting humans to be in the loop using the new QR code-based challenge. This AI-resistant mitigation challenge to prove human presence is designed to make automated fraud economically unviable.

Followed by

> Existing reCAPTCHA customers are automatically Fraud Defense customers, with no migration required, no action needed, and no change to pricing. Your existing site keys and integrations remain exactly as they are today.

It is probably me being a literal reader but "we enable application providers to deter and mitigate malicious requests by requesting humans to be in the loop" feels like it can be read as "Good news: by using reCAPTCHA, we're now interfering with agents that can solve the regular challenges" or "there's now a flag the application developer can set". This is the difference between me swapping off reCAPTCHA ASAP or just editing my configuration. I have to imagine someone somewhere anticipated the kind of reactions a number of us are collectively feeling (I too don't want to use my phone to browse the web more than I already do) and it feels irresponsible to publish a feature announcement without covering basic information like this for site administrators. Maybe they thought the second line about existing reCAPTCHA customers being moved over clears this up, but "Your existing ... integrations remain exactly as they are today" feels like again, literally, you won't have this new attestation requirement being presented to your users... but then why am I Fraud Defense customer!

New comment by dunder_cat in "An AI agent deleted our production database. The agent's confession is below"

dunder_cat — Sun, 26 Apr 2026 23:21:54 +0000

A more direct source (possibly the original source?) I know of is a YouTube video entitled "LISA11 - Fork Yeah! The Rise and Development of illumos" which detailed how the Solaris operating system got freed from Oracle after the Sun acquisition.

The whole hour talk is worth a watch, even when passively doing other stuff. It is a neat history of Solaris and its toolchain mixed with the inter-organizational politics.

YouTube link: https://www.youtube.com/watch?v=-zRN7XLCRhc

Direct link to lawnmower quotes (~38.5 minute mark): https://youtu.be/-zRN7XLCRhc&t=2307

New comment by dunder_cat in "YouTube users get option to set their Shorts time limit to zero minutes"

dunder_cat — Thu, 16 Apr 2026 01:14:35 +0000

Instagram needs to do this for Reels, too. I got quite addicted to these short-form videos during the pandemic and after I finished college things went immediately downhill once a lot of my mental activity could be somewhat "deferred". I could make up for the productivity hit by crunching but my life would be better without them. I remove things from my phone or put services into Pi-Hole but eventually I capitulate. Something about having the option to remove the most addicting parts of a service but not cutting yourself off completely has more success.

Edit: also to be somewhat objective, Instagram also offers a time limit. However, I've found that just by exiting the app (or it getting killed in the background), it basically clears the lockout so you don't even have to make the effort to click the "ignore" button.

New comment by dunder_cat in "I ported Mac OS X to the Nintendo Wii"

dunder_cat — Thu, 09 Apr 2026 00:47:19 +0000

Chiming in as well to say to the author when the victory lap here is over: please consider adding the RSS feed! I want to see whatever you do next, regardless of how long it takes.

New comment by dunder_cat in "Further human + AI + proof assistant work on Knuth's "Claude Cycles" problem"

dunder_cat — Sat, 28 Mar 2026 21:13:43 +0000

> Edit: This is going to have huge ramifications for the tech security industry as these systems will be able to break security systems as easily it solved the proof. The sooner the good guys, if there are any left, understand this the better it will be for everybody.

What can the good guys do? Fire up Claude to improve their systems? Unless you have it working fully autonomously to counter-act abuse, I don't see how you can beat the "bad guys". There may be some industries where this is a solved problem (e.g. you can do all the validation server-sided, religiously follow best practices to prevent and mitigate abuse), but a lot of stuff like multiplayer video games will be doomed unless they move to a "you must use a locked down system we control" model. I honestly don't consider it liberating as someone that has various hobby projects, that now in addition to plain old DDoS I'll also have people spin up layer 7 attacks with just their credit card. It almost makes me want to give up instead of pushing forward in a world where the worst of the worst has access to the best of the best.

New comment by dunder_cat in "How we rebuilt Next.js with AI in one week"

dunder_cat — Wed, 25 Feb 2026 03:01:04 +0000

I am curious, have you attempted to do this to any binary packed with commercial obfuscation/"virtualization" schemes (e.g. Orean's Themida/Code Virtualizer and VMProtect)?

New comment by dunder_cat in "Discord cuts ties with identity verification software, Persona"

dunder_cat — Tue, 24 Feb 2026 14:54:01 +0000

Seems to be down for me. https://web.archive.org/web/20260220192124/https://vmfunc.re...

New comment by dunder_cat in "Wikipedia deprecates Archive.today, starts removing archive links"

dunder_cat — Fri, 20 Feb 2026 20:46:54 +0000

Ah good to know. My pi-hole actually was blocking the blog itself since the ublock site list made its way into one of the blocklists I use. But I've been just avoiding links as much as possible because I didn't want to contribute.

New comment by dunder_cat in "Wikipedia deprecates Archive.today, starts removing archive links"

dunder_cat — Fri, 20 Feb 2026 20:36:35 +0000

https://news.ycombinator.com/item?id=46624740 has the earliest writeup that I know of. It was running it via a script and intentionally using cache busting techniques to try to increase load on the hosted wordpress infrastructure.

New comment by dunder_cat in "Windows: Prefer the Native API over Win32"

dunder_cat — Wed, 18 Feb 2026 17:31:11 +0000

One thing that is amusing about the prevalence of advanced anti-cheat in Windows gaming is it's actually causing said API/ABIs to undergo ossification. A good data point is the invention of Syscall User Dispatch^1 on Linux which would allow a program to basically install a syscall handler when they originate from various regions of memory. I do not know how usable this is in practice, admittedly -- but I think the fact it was contributed at all speaks to the growing need.

^1 https://docs.kernel.org/admin-guide/syscall-user-dispatch.ht...

New comment by dunder_cat in "News publishers limit Internet Archive access due to AI scraping concerns"

dunder_cat — Sat, 14 Feb 2026 19:09:59 +0000

This exists although not in the traditional BOINC space, it's Archiveteam^1. I run two of their warrior^2 instances in my home k3s instance via the docker images. One of them is set to the "Team's choice" where it spends most of its time downloading Telegram chats. However, when they need the firepower for sites with imminent risk of closure, it will switch itself to those. The other one is set to their URL shortener project, "Terror of Tiny Town"^3.

Their big requirement is you need to not be doing any DNS filtering or blocking of access to what it wants, so I've got the pod DNS pointed to the unfiltered quad9 endpoint and rules in my router to allow the machine it's running on to bypass my PiHole enforcement+outside DNS blocks.

^1 https://wiki.archiveteam.org/

^2 https://wiki.archiveteam.org/index.php/ArchiveTeam_Warrior

^3 https://wiki.archiveteam.org/index.php/URLTeam

Windows Notepad App Remote Code Execution Vulnerability

dunder_cat — Tue, 10 Feb 2026 23:18:31 +0000

Article URL: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-20841

Comments URL: https://news.ycombinator.com/item?id=46968445

Points: 23

# Comments: 4

New comment by dunder_cat in "The switch to Linux and the beginning of my self-hosting journey"

dunder_cat — Tue, 10 Feb 2026 22:12:28 +0000

There's nothing new or original in a lot of things that get posted here. Reading about someone starting a journey provides an interesting catalyst for discussion. What they did right, what they did wrong, other things to try, or even just providing a push to someone else to also try.

I'll take my turn on the soapbox to say I hope people keep posting about their adventures and misadventures in trying something new. I'd much rather be reading that than seeing yet another post on LLM-based agentic startups or pelicans riding bicycles.

New comment by dunder_cat in "The Holy Grail of Linux Binary Compatibility: Musl and Dlopen"

dunder_cat — Mon, 26 Jan 2026 16:18:43 +0000

Related discussion (the actual project is mentioned in the issue): "Detour: Dynamic linking on Linux without Libc" https://news.ycombinator.com/item?id=45740241

New comment by dunder_cat in "IPv6 is not insecure because it lacks a NAT"

dunder_cat — Wed, 21 Jan 2026 05:53:54 +0000

In theory, IPv6 Privacy Extensions (https://datatracker.ietf.org/doc/html/rfc4941) could mitigate this. In practice, I imagine when you bind to `[::]:port`, that also means that the randomized addresses would work for new inbound connections, too. Not sure how long they typically last, but you'd be fighting against the clock at least before a new randomized address.

That being said, on a slightly less common note: it is quite possible to have each individual service running on a /128. E.g. on IPv6 k8s clusters, each pod can have a publicly addressable /128, so activities like NTP would require the container to have an NTP client in it to expose in that way. That'd mitigate a good chunk of information exposure -- that being said, I agree with the larger point about security via obscurity being insufficient.

New comment by dunder_cat in "Verizon starts requiring 365 days of paid service before it will unlock phones"

dunder_cat — Wed, 21 Jan 2026 05:42:20 +0000

I'm glad I stumbled across this: life circumstances have allowed me go abroad for a trip the past two years. One thing I had forgotten about since the last trip were some of my group being unable to get one of the cheap prepaid data eSIMs because their phone was still locked to the carrier. I've been tempted to replace my aging iPhone SE 2022 (^1) with a trade-in deal and get a new phone, but it never occurred to me that would mean being forced to use AT&T's $10/day (capped at $100 in one billing cycle) "International Day Pass" during future trips until it had been paid off for long enough.

(^1) I wish I wasn't so tempted after ~4 years, but the battery health has dropped to 75% and the performance has suffered dramatically. A new battery is on the table I suppose, but I am split between just putting that money towards a new phone.