Hacker News: jcgl

New comment by jcgl in "Show HN: I made Google Trends for Hacker News by indexing 18 years of comments"

jcgl — Thu, 25 Jun 2026 22:50:13 +0000

Agreed. That would make this way more insightful. Otherwise most searches will basically be a version of https://xkcd.com/1138/ during periods of site growth.

New comment by jcgl in "What we call "age verification" is actually mass surveillance"

jcgl — Tue, 23 Jun 2026 20:53:55 +0000

> This is covered by allowing for single-use credentials. IIRC the EU personal IDs will use this. Basically, the wallet requests a batch of single-use eIDs that all use different device key-pairs. Each credential is only used for one request and then deleted.

But this then means that the issuers and the verifiers can trivially collude to deanonymize holders/users.

New comment by jcgl in "Google Hits 50% IPv6"

jcgl — Sun, 21 Jun 2026 09:08:23 +0000

Citation needed. These numbers are quite consistent with the growth pattern that started well before usable LLMs were even a thing.

New comment by jcgl in "U.S. science is in chaos"

jcgl — Thu, 18 Jun 2026 08:35:11 +0000

First of all, multi-party democracy needn’t be slow. Parliamentary systems in multi-party countries often react faster than the US. This is due in part to legislation being systematically easier to pass.

Second of all, winner-take-all presidential mechanics don’t imply a four-year cycle of funding instability for research. That only happens if the president has sufficient control of funding. Which, through the administrative state (which is supposed to basically be a delegate of congressional authority), really is supposed to be insulated in large part from presidential, partisan politics. With increased centralization of power in the president (which, imo, is largely just an ~evolutionary response to Congress’ sclerosis), this insulation is lost, exposing research more to the four-year cycle of heavily partisan presidential politics.

New comment by jcgl in "GrapheneOS has been ported to Android 17"

jcgl — Wed, 17 Jun 2026 10:51:31 +0000

How do you reconcile that position with what Graphene OS lists as requirements for support, as linked by another commenter? https://grapheneos.org/faq#future-devices

I’m not an expert, but all the listed points there sound reasonable. If indeed only the Pixels support them, well, it’s too bad there’s not other, similarly secure hardware out there.

New comment by jcgl in "A €0.01 bank transfer could compromise a banking AI agent"

jcgl — Sun, 14 Jun 2026 17:37:28 +0000

I’m no expert, but as long as they’re represented by tokens in the end, they’re just tokens. Even if you train the transformer to treat them specially, a token is a token, and there’s no free lunch. At best, you’re going to be trading off between paying attention to this would-be security boundary and delivering high-quality results; the more you focus on one, the more you lose on the other.

New comment by jcgl in "Leaving Mozilla"

jcgl — Sat, 13 Jun 2026 16:51:07 +0000

Case-in-point: just started a new chat with a new person (we had a previous room in common)--My desktop client, NeoChat, shows "This message is encrypted and the sender has not shared the key with this device." for all of their messages. FluffyChat on my phone shows their messages correctly.

Welcome to Matrix. It's the best option there is, and it's not very good.

New comment by jcgl in "Leaving Mozilla"

jcgl — Sat, 13 Jun 2026 12:24:48 +0000

> has good clients

So far, I've only found clients with different bugs. Calling them good would be a stretch. Passable, perhaps. But the scene as a whole is more of a choose-the-bugs-to-live-with situation than choose-a-good-client.

New comment by jcgl in "The Future of Email"

jcgl — Sat, 13 Jun 2026 06:50:00 +0000

You’re mistaken: DKIM always signs the entire From field. Signing is done on the MTA, so yes, it is “the reputation of the server” like you say, but “server” can be a relatively granular thing here, using different DKIM selectors for different addresses, MTAs, etc.

New comment by jcgl in "If you are asking for human attention, demonstrate human effort"

jcgl — Fri, 12 Jun 2026 16:54:40 +0000

This is mostly what it is for me too. We're all awash in an information deluge, and we need heuristics to keep from drowning. Human effort, proof-of-work if you will, is a heuristic that helps with the AI-generated part of the deluge.

New comment by jcgl in "CEOs who think AI replaces their employees are just bad CEOs"

jcgl — Wed, 10 Jun 2026 12:05:52 +0000

That's not something that is known how to do in a reliable fashion, right? It sounds quite like the problem where transformers are unable to be updated/taught over time.

New comment by jcgl in "CEOs who think AI replaces their employees are just bad CEOs"

jcgl — Wed, 10 Jun 2026 08:56:12 +0000

That may very well be the case. In fact, I'm nearly certain that you're right. But it doesn't change the fact that open weight models are altogether insufficient on a number of important dimensions regarding freedom and transparency. And so often (such as the comment I replied to, I think), even technical people seem to just ignore the difference. Open weights are just weights. No amount of open-washing changes that.

New comment by jcgl in "CEOs who think AI replaces their employees are just bad CEOs"

jcgl — Wed, 10 Jun 2026 02:59:38 +0000

I don’t see how that helps, unless you actually mean open source, rather than open weights like most people do. Without everything that goes into the model, including training data, these things are opaque.

New comment by jcgl in "IPv6 zones in URLs are a mistake"

jcgl — Tue, 09 Jun 2026 09:01:27 +0000

No, because in a context where you'd have a port number, the address is surrounded with brackets: [2001:db8::]:80

New comment by jcgl in "IPv6 zones in URLs are a mistake"

jcgl — Mon, 08 Jun 2026 10:08:40 +0000

Beyond the :: stuff, I can only think of IPv4-mapped IPv6 addresses, where you can represent a trailing 32 bits as dotted decimal (e.g. 2001:db8::192.0.2.1). And the :: stuff also exists in IPv4 in the same way, just using dots instead of colons.

ULA is equivalent to RFC1918.

LL also exists in IPv4 (PIPA), but I take your point that it's not common in most environments.

Yes, privacy addressing is different.

But, the context that you were commenting in was about the representation of addresses, not the semantics themselves ("what is a valid IPv6 string"). And there doesn't seem to be any greater complexity other than the IPv4-mapped IPv6 addresses thing. Which doesn't seem all that complex, especially if you see it as a tradeoff to escape the DNS name ambiguity of IPv4.

New comment by jcgl in "IPv6 zones in URLs are a mistake"

jcgl — Sat, 06 Jun 2026 14:08:24 +0000

Outside of interface identifiers, what is so complex about them? I think they end up being purely simpler than IPv4 addresses since they can’t be mistaken for DNS names.

New comment by jcgl in "Is "colorectal cancer" rising in "young people"?"

jcgl — Wed, 27 May 2026 08:43:23 +0000

How do you make sure you’re getting enough iodine?

New comment by jcgl in "Exit IP VPN servers mitigation rollout"

jcgl — Tue, 26 May 2026 08:01:05 +0000

> Zero days for chrome will cost more than zero days for Firefox because Chrome takes security more seriously

They may cost more for Chrome, but it needn’t be because Chrome takes security more seriously; Chrome’s greater market share alone would be enough to account for this.

Not that I’m denying the overall conclusion. Just this bit of reasoning.

New comment by jcgl in "Mini Shai-Hulud Strikes Again: 314 npm Packages Compromised"

jcgl — Wed, 20 May 2026 06:43:19 +0000

Damn, good call. Really reinforces the need for sandboxing.

Still doesn’t negate the value of OpenSwitch, since the majority of malware won’t do that. But really good to keep in mind.

New comment by jcgl in "Mini Shai-Hulud Strikes Again: 314 npm Packages Compromised"

jcgl — Tue, 19 May 2026 19:43:13 +0000

Excellent example, thank you. This is the kind of stuff that skeeves me out and is entirely within the model of threats that I want to guard against. Sandboxing + OpenSnitch is good stuff. And, ofc, npm bad.