Hacker News: kevincox

New comment by kevincox in "Stop the Apple Music app from launching"

kevincox — Mon, 08 Jun 2026 21:33:37 +0000

I think playing something when I hit the play button makes a lot of sense. (The headphones auto-play is a bit less obvious than the keyboard key, I would probably want that to do nothing in this case.)

The issue IMHO is that this is not configurable. Apple Music may even be a reasonable default (being the built-in music player). But it should provide options for Apple Music, whatever other apps I have installed, or nothing.

New comment by kevincox in "The Website Specification"

kevincox — Mon, 01 Jun 2026 12:20:54 +0000

This is true but some sites handle it well. My browser auto-fills the email and password properly even though they are on separate "steps". Other sites the email field doesn't auto-complete in any way (but the password later usually does).

I don't know what the magic is here. If I had to guess they have both fields in the DOM but one is visually hidden. Then if your email is marked as SSO it is just never read.

New comment by kevincox in "Cloudflare Turnstile requiring fingerprintable WebGL"

kevincox — Mon, 01 Jun 2026 10:30:56 +0000

I can only assume that every time I back out of these sites because I don't want to check the box or just don't want to wait a few seconds that is marketed to the site owner as a GREAT VICTORY as I am clearly a EVIL BOT that they have defended the site from.

New comment by kevincox in "Exit IP VPN servers mitigation rollout"

kevincox — Tue, 26 May 2026 19:03:01 +0000

I think the attack looks more like this:

1. I log into service X with account A1 via Mullvad from country C1.

2. I log into service X with account A2 via Mullvad from country C2.

If the service wanted they can calculate how likely it is that A1 and A2 are the same WireGuard key. If you only use one exit server this probability won't be very precise. But the more exits you use the more accurate it will be even if the sets of exits are distinct between the two accounts.

If the egress IPs were assigned randomly all that service X would know is that these were both Mullvad users but the IPs alone wouldn't allow them to correlate the two users further than that.

New comment by kevincox in "Uber president says AI spending is getting 'harder to justify'"

kevincox — Tue, 26 May 2026 14:37:30 +0000

The logic is quite simple. Management thinks that AI can improve productivity, but knows that there will be some resistance and some learning curve. So they force people to use it so that people can 1. develop their skills and workflow and 2. find out where it is useful 3. find out what needs to be improved to make it useful.

As a more obvious example consider that cars were just invented and the post office management thinks that they could improve performance of letter carriers. But right now cars are slow, break down a lot and there isn't much infrastructure for them. Lots of letter carriers will (rightly) think that it is a waste of time because they need to get in, stop, park between every house and they break down so often it isn't worth it and half of their route is unsuitable for a car anyways. But if cars are forced for a while they will find out what routes work well for cars and which don't, improve the cars and related infrastructure to make cars more effective and other improvements to unlock more productivity.

So yes, right now management is wasting money on cars and gas for no increased productivity. And yes, measuring how much gas each employee uses and encouraging to use more is obviously stupid in isolation. But the idea is to force adoption to iron out the kinks and find out where it can improve productivity. It is basically funding a research project.

New comment by kevincox in "CopyFail: From Pod to Host"

kevincox — Wed, 20 May 2026 17:32:27 +0000

The fundamental problem is that the kernel is just too huge of an attack surface. It is probably always going to have exploitable bugs. A VM (especially hardware assisted) is a relatively tiny attack surface and it shows in the amount of bugs found.

I typically say that containers (and any other isolation that shares a kernel) are good for "mostly trusted" workloads, like different teams at the same company. You want isolation against accidents more than intentional attacks.

VMs are good for just about everything if you are careful (for example what devices and hardware are exposed) but if you want ultimate isolation you want completely separate hardware. It is the only way to be sure against hardware bugs and side-channels or VM bugs.

New comment by kevincox in "Bitwarden scrubs 'Always free' and 'Inclusion' values from its site"

kevincox — Fri, 15 May 2026 18:49:12 +0000

It doesn't. All third-party contributions must assign copyright to Bitwarden.

https://contributing.bitwarden.com/contributing/

https://cla-assistant.io/bitwarden/clients

New comment by kevincox in "New arXiv policy: 1-year ban for hallucinated references"

kevincox — Fri, 15 May 2026 11:51:47 +0000

That sounds like way less of a problem than science. If you take bad sources you hurt yourself financially. For science (especially anything medicine related) you can hurt many others physically.

New comment by kevincox in "Hardware Attestation as Monopoly Enabler"

kevincox — Sun, 10 May 2026 23:57:46 +0000

Yes, these are the most clearly corrupt laws that exist. It is like outlawing hammers because you may hit someone with it. It is just giving up freedom for the benefit of a few fortune 500 companies.

New comment by kevincox in "CVE-2026-31431: Copy Fail vs. rootless containers"

kevincox — Tue, 05 May 2026 15:12:07 +0000

If any security relevant file from the host is mounted into the container this could be exploited quite easily. It is definitely a viable tool for escaping containers but it would require a bit of an attack chain and some containers may not be vulnerable.

New comment by kevincox in "Google Chrome silently installs a 4 GB AI model on your device without consent"

kevincox — Tue, 05 May 2026 14:10:44 +0000

I find models of this size (not tested this one specifically) at being very good at simple data extraction from user input. Think about things like parsing date and time of an event from a description or parsing a human-typed description of a repeating event rule.

New comment by kevincox in "Automatic Brightness in Plasma"

kevincox — Mon, 04 May 2026 17:22:19 +0000

I'm using LineageOS (which I assume is basically just ASOP) and the automatic brightness is great. I almost never touch it after about a week with the phone. I think it does some sort of basic learning. IDK if Samgsung did something worse somehow.

New comment by kevincox in "Introduction to Atom"

kevincox — Mon, 04 May 2026 17:17:02 +0000

Kind of. It is now really just a caching proxy making it mostly useless.

Although I have found it occasionally useful for sites that have over-active bot-blocking on their feeds because Feedburner is often whitelisted.

New comment by kevincox in "Introduction to Atom"

kevincox — Mon, 04 May 2026 17:15:53 +0000

That's a good point. Podcasts are still (almost?) exclusively RSS 2.0. IDK if this is just momentum or Apple rules but I don't think I've ever seen an Atom podcast.

But many podcast clients actually still support Atom (probably using a feed library that supports various formats?) and basically all non-podcast feed readers support Atom.

New comment by kevincox in "Introduction to Atom"

kevincox — Mon, 04 May 2026 17:13:52 +0000

The channel pages still have auto-discovery links. So if you paste a channel URL into your feed reader it should find the feed easily.

New comment by kevincox in "VS Code inserting 'Co-Authored-by Copilot' into commits regardless of usage"

kevincox — Sun, 03 May 2026 10:28:41 +0000

Nah, they are both unacceptable spam. Don't put words in my mouth and don't hijack my communication for marketing.

New comment by kevincox in "Full-Text Search with DuckDB"

kevincox — Thu, 30 Apr 2026 23:37:30 +0000

Thanks for the link. Good to know that they are at least signed by a key. But I really like my software not changing on me at all. I'd rather have all of the modules I need locally and static.

Also creates fun situations like getting on a plane then realizing that your extension isn't available!

It seems that nixpkgs at least fails to run the extension but more by luck than design. I hope they find a way to vendor the extensions locally.

New comment by kevincox in "Full-Text Search with DuckDB"

kevincox — Thu, 30 Apr 2026 21:40:52 +0000

It seems that DuckDB by default downloads and runs extensions at runtime when you use certain features? This seems unnecessarily risky.

https://duckdb.org/docs/current/extensions/overview#autoload...

I would love to have more detail on this mechanism.

New comment by kevincox in "Claude Code refuses requests or charges extra if your commits mention "OpenClaw""

kevincox — Thu, 30 Apr 2026 19:52:47 +0000

It can't be legal that they randomly charge extra usage with no user consent.

New comment by kevincox in "Warp is now open-source"

kevincox — Tue, 28 Apr 2026 17:28:08 +0000

Yeah, it would have been a great job for an LLM. Although if you find something in the history you then need to make the annoying choice of history rewriting or just leaving it in.