Hacker News: mccr8

New comment by mccr8 in "Project Glasswing: Securing critical software for the AI era"

mccr8 — Wed, 08 Apr 2026 02:50:10 +0000

No, they stopped paying bounties.

New comment by mccr8 in "Hardening Firefox with Anthropic's Red Team"

mccr8 — Sat, 07 Mar 2026 03:10:13 +0000

You should generally assume that in a web browser any memory corruption bug can, when combined with enough other bugs and a lot of clever engineering, be turned into arbitrary code execution on your computer.

New comment by mccr8 in "Hardening Firefox with Anthropic's Red Team"

mccr8 — Fri, 06 Mar 2026 17:15:06 +0000

Google already has an AI-powered security vulnerability project, called Big Sleep. It has reported a number of issues to open source projects: https://issuetracker.google.com/savedsearches/7155917?pli=1

New comment by mccr8 in "Hardening Firefox with Anthropic's Red Team"

mccr8 — Fri, 06 Mar 2026 17:06:52 +0000

The bugs that were issued CVEs (the Anthropic blog post says there were 22) were all real security bugs.

The level of AI spam for Firefox security submissions is a lot lower than the curl people have described. I'm not sure why that is. Maybe the size of the code base and the higher bar to submitting issues plays a role.

New comment by mccr8 in "Facebook is cooked"

mccr8 — Fri, 20 Feb 2026 23:53:21 +0000

I think the trick to making the "shorts" feature stop showing scantily clad women is to use it actively a bit, and only watch the videos that are decidedly something else. I did that for awhile and now my videos are like "let's see what happens when you pour lava on some soda bottles" which I'm not sure I care that much about but at least it isn't embarrassing.

New comment by mccr8 in "C++ std::move doesn't move anything: A deep dive into Value Categories"

mccr8 — Sun, 11 Jan 2026 15:02:35 +0000

Rust did exist in some form in 2011. Source: I ate lunch with part of the Rust team in 2011.

New comment by mccr8 in "Brave overhauled its Rust adblock engine with FlatBuffers, cutting memory 75%"

mccr8 — Tue, 06 Jan 2026 02:27:53 +0000

Each tab can be a dozen or more processes nowadays, thanks to site isolation.

New comment by mccr8 in "I think nobody wants AI in Firefox, Mozilla"

mccr8 — Fri, 14 Nov 2025 21:33:18 +0000

One longstanding issue with gradients was fixed recently.

https://bugzilla.mozilla.org/show_bug.cgi?id=627771

New comment by mccr8 in "Where's Firefox going next?"

mccr8 — Tue, 15 Jul 2025 23:52:30 +0000

In my personal opinion, while the flexibility of the old XUL addons was amazing, the two big issues are compatibility and performance.

Compatibility: these addons could be broken very easily because they could depend on almost anything, and with the monthly release cycle, it is very difficult for mod authors to keep up. For instance, some addons would work by taking a core browser function written in JS, convert it to a string, run a regular expression to edit the string, then use eval to create a new function to replace the old one. In some release, the syntax of the "convert a function to a string" output changed slightly and it broke these addons, because it broke the regexp they were using.

Performance: XUL addons could do all sorts of things that are horrible for performance, and there was no real way for a user to tell what was causing it, because the addon wasn't isolated in any way. I ran into somebody who was having severe performance issues because the browser was generating colossal amounts of garbage for no reason. It eventually turned out that on a whim they'd installed a "LaTeX the World" addon, which would look for LaTeX typesetting instructions on pages and replace it with the nice looking output. The problem was, the way it worked was that every 10 seconds or so it would convert the entire contents of every single tab you had open into a zillion strings, search those strings, then throw them out.

New comment by mccr8 in "OpenAI to release web browser in challenge to Google Chrome"

mccr8 — Wed, 09 Jul 2025 20:57:34 +0000

The article says: "OpenAI's browser is built atop Chromium, Google's own open-source browser code, two of the sources said."

New comment by mccr8 in "Blasting Past WebP - An analysis of the NSO BLASTPASS iMessage exploit"

mccr8 — Fri, 28 Mar 2025 01:37:22 +0000

rlbox is used for more than one library: "Now, we’re bringing that technology to all supported Firefox platforms (desktop and mobile), and isolating five different modules: Graphite, Hunspell, Ogg, Expat and Woff2"

https://blog.mozilla.org/attack-and-defense/2021/12/06/webas...

New comment by mccr8 in "Eliminating Memory Safety Vulnerabilities at the Source"

mccr8 — Thu, 26 Sep 2024 13:10:29 +0000

Their concern is not with theoretical vulnerabilities, but actual ones that are being exploited. If an attacker never tries to find a vulnerability in some code, then it might as well not have it.

New comment by mccr8 in "Fixing a bug in Google Chrome as a first-time contributor"

mccr8 — Tue, 27 Aug 2024 22:09:51 +0000

Firefox uses unified builds, where a bunch of .cpp files are globbed together and compiled at once. That helps a lot, but a build still takes a bit of time unless you are on an absurdly fast machine. Chrome used to also support this, called "jumbo builds", but they didn't want to deal with the maintenance overhead. Presumably all of the Chrome developers employed by Google are using some kind of massive distributed build infrastructure so there's little impact of slower builds on individual developer productivity, so the use case of building on a single computer is not as prioritized.

New comment by mccr8 in "Make Firefox Private Again"

mccr8 — Thu, 22 Aug 2024 15:14:16 +0000

That's the CTO, not the CEO.

New comment by mccr8 in "For advertising, Firefox now collects user data by default"

mccr8 — Tue, 16 Jul 2024 21:04:43 +0000

According to news stories, Apple received $20 billion dollars in 2022 from Google to make Google the default search in Safari.

https://www.theverge.com/2024/5/2/24147007/google-paid-apple...

New comment by mccr8 in "Some notes on Rust, mutable aliasing and formal verification"

mccr8 — Thu, 16 May 2024 21:41:59 +0000

Firefox also uses reference counting plus a trial deletion based cycle collector to manage C++ DOM objects (and cycles through JS). In fact, Graydon was responsible for the initial implementation.

New comment by mccr8 in "Speedometer 3.0: A shared browser benchmark for web application responsiveness"

mccr8 — Mon, 11 Mar 2024 22:10:23 +0000

I got 35.7 ± 2.3 on a MacBook Pro M3, Chrome 122.

New comment by mccr8 in "Out of bounds memory access in V8 in Google Chrome prior to 120.0.6099.224"

mccr8 — Thu, 25 Jan 2024 17:00:31 +0000

That commit says it is for 1515930. The Chrome releases page says that CVE-2024-0519 is associated with 1517354, which is what I linked to. There may be a connection between CVE-2024-0519 and CVE-2024-0517, but none is mentioned on the Chrome releases page which is what I'm going by.

New comment by mccr8 in "Out of bounds memory access in V8 in Google Chrome prior to 120.0.6099.224"

mccr8 — Wed, 24 Jan 2024 16:38:03 +0000

If you are running untrusted code in Node, subtle JIT bugs are probably the least of your problems.

New comment by mccr8 in "Out of bounds memory access in V8 in Google Chrome prior to 120.0.6099.224"

mccr8 — Wed, 24 Jan 2024 16:36:05 +0000

There's not a lot of context in this submission, but presumably it is being linked because the release notes for this CVE says "Google is aware of reports that an exploit for CVE-2024-0519 exists in the wild."

https://chromereleases.googleblog.com/2024/01/stable-channel...