<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: maple3142</title><link>https://news.ycombinator.com/user?id=maple3142</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Wed, 10 Jun 2026 02:20:54 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=maple3142" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by maple3142 in "Everything in C is undefined behavior"]]></title><description><![CDATA[
<p>Is this a correct understanding of UB in C? 
A program P has a set of inputs A that do not trigger UB, and a complementary set of inputs B that do trigger UB.
A correct compiler compiles P into an executable P'. For all inputs in A, P' should behave the same as P.
However, for any input in B, there are absolutely no requirements on the behavior of P'.</p>
]]></description><pubDate>Wed, 20 May 2026 08:52:11 +0000</pubDate><link>https://news.ycombinator.com/item?id=48204869</link><dc:creator>maple3142</dc:creator><comments>https://news.ycombinator.com/item?id=48204869</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48204869</guid></item><item><title><![CDATA[New comment by maple3142 in "Google details new 24-hour process to sideload unverified Android apps"]]></title><description><![CDATA[
<p>Will third party apps like bank apps be able to detect whether advanced mode is enabled or not, like how they currently detect if developer options is enabled?</p>
]]></description><pubDate>Fri, 20 Mar 2026 01:21:27 +0000</pubDate><link>https://news.ycombinator.com/item?id=47449116</link><dc:creator>maple3142</dc:creator><comments>https://news.ycombinator.com/item?id=47449116</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47449116</guid></item><item><title><![CDATA[New comment by maple3142 in "AI is a business model stress test"]]></title><description><![CDATA[
<p>I think the problem is simply that css is too restricted that you can style a fixed piece of html in any way you want. In practice, achieving some desired layout requires changing the html structure. The missing layer would be something that can change the structure of html like js or xslt. In modern frontend development you already have data defined in some json, and html + css combined together is the presentation layer that can't really be separated.</p>
]]></description><pubDate>Sun, 11 Jan 2026 04:31:14 +0000</pubDate><link>https://news.ycombinator.com/item?id=46572717</link><dc:creator>maple3142</dc:creator><comments>https://news.ycombinator.com/item?id=46572717</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46572717</guid></item><item><title><![CDATA[New comment by maple3142 in "Oh My Zsh adds bloat"]]></title><description><![CDATA[
<p>This wouldn't work if the script is meant to be sourced (to set environment variables), would it?</p>
]]></description><pubDate>Sat, 10 Jan 2026 12:57:28 +0000</pubDate><link>https://news.ycombinator.com/item?id=46565315</link><dc:creator>maple3142</dc:creator><comments>https://news.ycombinator.com/item?id=46565315</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46565315</guid></item><item><title><![CDATA[New comment by maple3142 in "Oh My Zsh adds bloat"]]></title><description><![CDATA[
<p>I think `zsh -l` starts a login shell, which does not load zshrc so oh-my-zsh doesn't get initialized. Try `zsh -ic exit` and it should load zshrc before executing exit.</p><p>That said, the time of `zsh -ic exit` isn't really a meaningful metric for measuring the performance of an interactive shell. See <a href="https://github.com/romkatv/zsh-bench#how-not-to-benchmark" rel="nofollow">https://github.com/romkatv/zsh-bench#how-not-to-benchmark</a> for details.</p>
]]></description><pubDate>Sat, 10 Jan 2026 06:46:03 +0000</pubDate><link>https://news.ycombinator.com/item?id=46563401</link><dc:creator>maple3142</dc:creator><comments>https://news.ycombinator.com/item?id=46563401</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46563401</guid></item><item><title><![CDATA[New comment by maple3142 in "Sandboxing Untrusted Python"]]></title><description><![CDATA[
<p>I don't think it is generally possible to escape from a docker container in default configuration (e.g. `docker run --rm -it alpine:3 sh`) if you have a reasonably up-to-date kernel from your distro. AFAIK a lot of kernel lpe use features like unprivileged user ns and io_uring which are not available in containers by default, and truly unprivileged kernel lpe seems to be sufficiently rare.</p>
]]></description><pubDate>Tue, 06 Jan 2026 01:26:02 +0000</pubDate><link>https://news.ycombinator.com/item?id=46507643</link><dc:creator>maple3142</dc:creator><comments>https://news.ycombinator.com/item?id=46507643</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46507643</guid></item><item><title><![CDATA[New comment by maple3142 in "XSLT RIP"]]></title><description><![CDATA[
<p>To be honest, there are two ways to solve the problem of xkcd 2347, either putting effort into the very small library or just stopping depending on it. Both solutions are fine to me and Google apparently just chose the latter one here.</p>
]]></description><pubDate>Mon, 10 Nov 2025 09:52:55 +0000</pubDate><link>https://news.ycombinator.com/item?id=45874325</link><dc:creator>maple3142</dc:creator><comments>https://news.ycombinator.com/item?id=45874325</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=45874325</guid></item><item><title><![CDATA[New comment by maple3142 in "Incus – Next-generation system container, application container, and VM manager"]]></title><description><![CDATA[
<p>If being used in a CTF counts, then running latest docker with no extra privilege and non-root user on a reasonably up-to-date kernel meets the definition of secure I think. At least from what I have seen, this kind of infrastructure is pretty common in CTF.</p>
]]></description><pubDate>Sun, 13 Jul 2025 04:21:08 +0000</pubDate><link>https://news.ycombinator.com/item?id=44547474</link><dc:creator>maple3142</dc:creator><comments>https://news.ycombinator.com/item?id=44547474</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44547474</guid></item><item><title><![CDATA[New comment by maple3142 in "'123456' password exposed chats for 64M McDonald's job applicants"]]></title><description><![CDATA[
<p>For python specifically, the uuid4 function does use the randomness from os.urandom, which is supposed to be cryptographically random on most platforms.</p>
]]></description><pubDate>Sat, 12 Jul 2025 03:47:59 +0000</pubDate><link>https://news.ycombinator.com/item?id=44539124</link><dc:creator>maple3142</dc:creator><comments>https://news.ycombinator.com/item?id=44539124</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44539124</guid></item><item><title><![CDATA[New comment by maple3142 in "A proposal to restrict sites from accessing a users’ local network"]]></title><description><![CDATA[
<p>I think the problem is that some local servers are not really designed to be as secure as a public server. For example, a local server having a stupid unauthenticated endpoint like "GET /exec?cmd=rm+-rf+/*", which is obviously exploitable and same-origin does not prevent that.</p>
]]></description><pubDate>Thu, 05 Jun 2025 05:39:08 +0000</pubDate><link>https://news.ycombinator.com/item?id=44188599</link><dc:creator>maple3142</dc:creator><comments>https://news.ycombinator.com/item?id=44188599</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=44188599</guid></item><item><title><![CDATA[New comment by maple3142 in "The cryptography behind passkeys"]]></title><description><![CDATA[
<p>Isn't it the same for passkeys? I can put passkeys in password managers like Bitwarden, 1password, ...</p>
]]></description><pubDate>Thu, 15 May 2025 00:34:46 +0000</pubDate><link>https://news.ycombinator.com/item?id=43990637</link><dc:creator>maple3142</dc:creator><comments>https://news.ycombinator.com/item?id=43990637</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43990637</guid></item><item><title><![CDATA[New comment by maple3142 in "Trust Me, I'm Local: Chrome Extensions, MCP, and the Sandbox Escape"]]></title><description><![CDATA[
<p>I think the reason is that MCP also works over a pipe (stdio), which does not need authentication.</p>
]]></description><pubDate>Fri, 02 May 2025 03:04:46 +0000</pubDate><link>https://news.ycombinator.com/item?id=43865786</link><dc:creator>maple3142</dc:creator><comments>https://news.ycombinator.com/item?id=43865786</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43865786</guid></item><item><title><![CDATA[New comment by maple3142 in "I genuinely don't understand why some people are still bullish about LLMs"]]></title><description><![CDATA[
<p>I think many people are just not really good at dealing with "imperfect" tools. Different tools can have different success probabilities, let's call that probability p here. People typically use tools that have p=100%, or at least very close to it. But LLM is a tool that is far from that, so making use of it takes a different approach.</p><p>Imagine there is a probabilistic oracle that can answer any question with a yes/no with success probability p. If p=100% or p=0% then it is apparently very useful. If p=50% then it is absolutely worthless. In other cases, such an oracle can be utilized in different ways to get the answer we want, and it is still a useful thing.</p>
]]></description><pubDate>Fri, 28 Mar 2025 01:07:09 +0000</pubDate><link>https://news.ycombinator.com/item?id=43500232</link><dc:creator>maple3142</dc:creator><comments>https://news.ycombinator.com/item?id=43500232</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43500232</guid></item><item><title><![CDATA[New comment by maple3142 in "Build a Container Image from Scratch"]]></title><description><![CDATA[
<p>I really wonder how you can escape a container given a root shell created by `docker run --rm -it alpine:3 sh` without using a 0day? Using latest Docker and a reasonably up-to-date Linux kernel of course.</p><p>With the command above it is still possible to attack network targets, but let's just ignore it here. I just wonder how it is possible to obtain code execution outside the namespace without using kernel bugs.</p>
]]></description><pubDate>Fri, 21 Mar 2025 14:24:00 +0000</pubDate><link>https://news.ycombinator.com/item?id=43436063</link><dc:creator>maple3142</dc:creator><comments>https://news.ycombinator.com/item?id=43436063</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43436063</guid></item><item><title><![CDATA[New comment by maple3142 in "Accessibility: Don't Use Fake Bold or Italic in Social Media"]]></title><description><![CDATA[
<p>Couldn't screen readers apply unicode normalization based on some heuristics, like seeing the continuous presence of those special bold/italic characters? To improve accuracy, it can even check if the normalized text resembles some English words or phrases or not.</p>
]]></description><pubDate>Sun, 09 Mar 2025 00:57:34 +0000</pubDate><link>https://news.ycombinator.com/item?id=43305119</link><dc:creator>maple3142</dc:creator><comments>https://news.ycombinator.com/item?id=43305119</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43305119</guid></item><item><title><![CDATA[New comment by maple3142 in "Caddy – The Ultimate Server with Automatic HTTPS"]]></title><description><![CDATA[
<p>It is still a problem if you want caddy to run outside of docker (e.g. for getting real remote addr).</p>
]]></description><pubDate>Mon, 17 Feb 2025 01:13:27 +0000</pubDate><link>https://news.ycombinator.com/item?id=43073742</link><dc:creator>maple3142</dc:creator><comments>https://news.ycombinator.com/item?id=43073742</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=43073742</guid></item><item><title><![CDATA[How (not) to sign a JSON object (2019)]]></title><description><![CDATA[
<p>Article URL: <a href="https://www.latacora.com/blog/2019/07/24/how-not-to/">https://www.latacora.com/blog/2019/07/24/how-not-to/</a></p>
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=42990948">https://news.ycombinator.com/item?id=42990948</a></p>
<p>Points: 54</p>
<p># Comments: 42</p>
]]></description><pubDate>Sun, 09 Feb 2025 14:38:52 +0000</pubDate><link>https://www.latacora.com/blog/2019/07/24/how-not-to/</link><dc:creator>maple3142</dc:creator><comments>https://news.ycombinator.com/item?id=42990948</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=42990948</guid></item><item><title><![CDATA[New comment by maple3142 in "Maxima in the browser using Embedded Common Lisp on WASM"]]></title><description><![CDATA[
<p>Similar project: PARI/GP on WASM
<a href="https://pari.math.u-bordeaux.fr/gpexpwasm.html" rel="nofollow">https://pari.math.u-bordeaux.fr/gpexpwasm.html</a></p>
]]></description><pubDate>Tue, 28 Jan 2025 18:21:48 +0000</pubDate><link>https://news.ycombinator.com/item?id=42855891</link><dc:creator>maple3142</dc:creator><comments>https://news.ycombinator.com/item?id=42855891</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=42855891</guid></item><item><title><![CDATA[New comment by maple3142 in "Facebook ban on discussing Linux?"]]></title><description><![CDATA[
<p>From my experience, obviously not all the packages in the Kali repo will be in the Ubuntu (or other regular distro) repo. Lots of specific pentesting tools can be installed with just `apt install ...` in Kali, which makes it a lot more convenient when you need to do pentesting.</p>
]]></description><pubDate>Tue, 28 Jan 2025 01:18:22 +0000</pubDate><link>https://news.ycombinator.com/item?id=42847831</link><dc:creator>maple3142</dc:creator><comments>https://news.ycombinator.com/item?id=42847831</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=42847831</guid></item><item><title><![CDATA[New comment by maple3142 in "Microsoft Confirms Password Deletion for 1B Users"]]></title><description><![CDATA[
<p>I don't understand how it can really prevent exporting passkeys if it can be implemented by open source implementations like keepass.
For example, if keepass does follow the guideline of FIDO Alliance to not implement exporting, it would still be possible to make a fork of keepass that forces it to dump the credentials somewhere.</p>
]]></description><pubDate>Wed, 18 Dec 2024 09:26:16 +0000</pubDate><link>https://news.ycombinator.com/item?id=42449147</link><dc:creator>maple3142</dc:creator><comments>https://news.ycombinator.com/item?id=42449147</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=42449147</guid></item></channel></rss>