Hacker News: gamer191

New comment by gamer191 in "Show HN: Continue? Y/N: A 60-second game about AI agent permission fatigue"

gamer191 — Thu, 28 May 2026 17:41:25 +0000

But also why would Claude need to run `rm -rf node_modules && npm install`? Without the context of seeing what changes it’s made, I’d be inclined to assume that Claude has added a new dependency, which I definitely don’t wanna blindly trust it to install

New comment by gamer191 in "RedSun: System user access on Win 11/10 and Server with the April 2026 Update"

gamer191 — Fri, 17 Apr 2026 13:17:13 +0000

Interesting. If that’s possible (I haven’t tested it, but I’m sure it is) then you wouldn’t even need to log the password. You could just alias sudo to a bash script that runs your malicious payload using the real sudo. Then the user would run the command, be prompted for their password by the real sudo, and be none the wiser that a malicious script has just been executed

For what it’s worth, Windows’ security model says it’s not an exploit that programs can grant themselves admin rights if the user is an admin (https://github.com/hfiref0x/UACME). But afaik Linux doesn’t have that model so it is a bit of an issue that this is possible

New comment by gamer191 in "SETI@home is in hiberation"

gamer191 — Wed, 21 Jan 2026 12:35:06 +0000

Well it led to the creation of BOINC, a distributed computing system that probably has led to scientific advances in other fields

So I wouldn’t say it was all for nothing, but it’s main benefit was the idea, and not the results it generated

New comment by gamer191 in "cURL removes bug bounties"

gamer191 — Wed, 21 Jan 2026 07:18:56 +0000

Agreed, although the reimbursement should be based on whether a reasonable person could consider that to be a vulnerability. Often it’s tricky for outsiders to tell whether a behaviour is expected or a vulnerability

New comment by gamer191 in "We can't have nice things because of AI scrapers"

gamer191 — Tue, 13 Jan 2026 23:39:52 +0000

Companies wouldn’t send it because they know that most websites would block them

New comment by gamer191 in "Grok is enabling mass sexual harassment on Twitter"

gamer191 — Sat, 03 Jan 2026 15:26:41 +0000

Rubbish. That analogy is like comparing a gun manufacturer to a hitman service.

Elon Musk is willingly allowing Grok to be used to harass women (and children). He could easily put in safeguards to prevent that, but instead he chooses to promote it as if its a good thing.

Practically no one defends websites that host AIs to remove clothing from photos of women, or put them in bikinis. The few people who do defend them are usually creeps who need their hard drive searched. Same goes for anyone defending this

New comment by gamer191 in "You can make up HTML tags"

gamer191 — Mon, 29 Dec 2025 12:52:50 +0000

Not sure about you, but I personally prefer my websites not to be able to be plagiarised by AI

New comment by gamer191 in "Show HN: Ez FFmpeg – Video editing in plain English"

gamer191 — Sat, 27 Dec 2025 12:09:55 +0000

Thanks, will definitely check this out

Has anyone else been avoiding typing FFmpeg commands by using file:// URLs with yt-dlp

New comment by gamer191 in "Running Unsupported iOS on Deprecated Devices"

gamer191 — Thu, 27 Nov 2025 01:15:29 +0000

Sadly not, those devices don’t have an exploit afaik

New comment by gamer191 in "Yt-dlp: External JavaScript runtime now required for full YouTube support"

gamer191 — Wed, 12 Nov 2025 14:39:03 +0000

> It would be great if we could download the solver manually with a separate command

Download a random video and then copy ejs from yt-dlp’s cache directory (I think it’s in /home/username/.cache)

> being able to package it up together with the solver

`make yt-dlp-extra`

New comment by gamer191 in "Yt-dlp: Upcoming new requirements for YouTube downloads"

gamer191 — Thu, 25 Sep 2025 05:12:49 +0000

Youtube’s tv app is actually just a website (youtube.com/tv, although you need a tv user agent). So yeah, I think most tvs are using JavaScript and the rest are using the tvlite api which has less formats than web_safari (which will continue to work in yt-dlp without Deno if you’re willing to accept 1080p downloads with inferior codecs)

New comment by gamer191 in "Yt-dlp: Upcoming new requirements for YouTube downloads"

gamer191 — Thu, 25 Sep 2025 01:23:48 +0000

"Attack vectors" is a very interesting choice of words. Yt-dlp is literally using a public API for its intended purpose (accessing videos). The only difference is how yt-dlp is delivering the videos to the user. Probably as much of an "attack" as user-agent spoofing or using browser extensions.

But to answer your question, no, there aren't any suitable APIs (I've looked into it). They all either require JavaScript (youtube.com and the smart tv app) or require app integrity tokens (Android and iOS). Please let me know if you know something I don't?

New comment by gamer191 in "Yt-dlp: Upcoming new requirements for YouTube downloads"

gamer191 — Thu, 25 Sep 2025 01:12:27 +0000

yt-dlp dev here

The Android app uses an API which does not require a JS runtime, but it does require a Play Integrity token. The iOS app uses an API which is assumed to require an App Attest token.

Also, neither API supports browser cookies, which is a necessity for many users.

New comment by gamer191 in "Hezbollah pager explosions kill several people in Lebanon"

gamer191 — Wed, 18 Sep 2024 07:00:58 +0000

> How come they needed to replace their pagers AT ONCE recently?

Hezbollah recently switched to using only pagers for communication, because they were worried about Israel hacking their phones. It's likely they all bought pagers at the same time because of that, because I doubt any of them would have owned pagers already

New comment by gamer191 in "GitHub was down"

gamer191 — Wed, 14 Aug 2024 23:42:52 +0000

Use https://xcancel.com/ (eg https://xcancel.com/githubstatus)

New comment by gamer191 in "Tell HN: Twitter/X is inaccessible to all Firefox users by default"

gamer191 — Thu, 16 May 2024 06:38:19 +0000

It doesn't say anything about CORS in the networking tab: https://i.imgur.com/yeH6bGi.png

It correctly identifies that Twitter is trying to load a tracking site, which Firefox blocks by default (with an allowlist). Instead of hating on Firefox, hate on Chrome and other browser vendors that don't go to the effort of maintaining a blocklist to protect their customers privacy (or implementing support for an existing blocklist, in the case of Brave)

New comment by gamer191 in "Backdoor in upstream xz/liblzma leading to SSH server compromise"

gamer191 — Sat, 30 Mar 2024 07:13:58 +0000

> some binary test files were added later that are probably now suspect

That's confirmed

From https://www.openwall.com/lists/oss-security/2024/03/29/4:

> The files containing the bulk of the exploit are in an obfuscated form in

> tests/files/bad-3-corrupt_lzma2.xz

> tests/files/good-large_compressed.lzma

> committed upstream. They were initially added in

> https://github.com/tukaani-project/xz/commit/cf44e4b7f5dfdbf...

New comment by gamer191 in "Backdoor in upstream xz/liblzma leading to SSH server compromise"

gamer191 — Sat, 30 Mar 2024 07:09:47 +0000

This PR from July 8 2023 is suspicious, so it was very likely a long con: https://github.com/google/oss-fuzz/pull/10667

New comment by gamer191 in "Backdoor in upstream xz/liblzma leading to SSH server compromise"

gamer191 — Sat, 30 Mar 2024 02:13:42 +0000

> That's quite backwards. Governments are far more likely to deploy a complex attack against a single target (see also: Stuxnet); other attackers (motivated primarily by money) are far more likely to cast a wide net.

Governments are well known to keep vulnerabilities hidden (see EternalBlue). Intentionally introducing a vulnerability doesn’t seem that backwards tbh

New comment by gamer191 in "Backdoor in upstream xz/liblzma leading to SSH server compromise"

gamer191 — Sat, 30 Mar 2024 02:10:41 +0000

Where does that comment mention the other maintainer (Lasse Collin)?