<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: msm_</title><link>https://news.ycombinator.com/user?id=msm_</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Wed, 17 Jun 2026 08:20:14 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=msm_" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by msm_ in "Google is finally killing uBlock Origin in Chrome for good"]]></title><description><![CDATA[
<p>uBlock Origin Lite is still working and will continue working (since this is a MV3 issue). It's worse than the original version, but it works.<p>(I use Firefox, but I've read your post before the linked post and I thought uBlock Origin is the one being killed)</p>
]]></description><pubDate>Fri, 12 Jun 2026 01:29:38 +0000</pubDate><link>https://news.ycombinator.com/item?id=48498715</link><dc:creator>msm_</dc:creator><comments>https://news.ycombinator.com/item?id=48498715</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48498715</guid></item><item><title><![CDATA[New comment by msm_ in "LLMs are eroding my software engineering career and I don't know what to do"]]></title><description><![CDATA[
<p>>Are people on HN still typing out functions by hand one character at a time?<p>Well I use tab completion, of course. And I copy-paste snippets from LLM more often than from SO now. But otherwise not much has changed in my career in the last 5 years. Is this different for you?<p>I'm not fundamentally opposed to code generation, and I use LLMs for some tasks, but I don't see myself vibecoding whole pages of production code. I vibecoded a throwaway note-taking app for myself though.</p>
]]></description><pubDate>Sun, 07 Jun 2026 16:32:24 +0000</pubDate><link>https://news.ycombinator.com/item?id=48436404</link><dc:creator>msm_</dc:creator><comments>https://news.ycombinator.com/item?id=48436404</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48436404</guid></item><item><title><![CDATA[New comment by msm_ in "GitHub and the crime against software"]]></title><description><![CDATA[
<p>GitLab is a security nightmare. Self-hosting GitLab is a pain and a lot of work. Of course you can neglect security if you don't expose it to the internet, but it's not exactly a dream.<p>I'm all for self-hosting btw, we do it at my company. But it's not as easy as you make it sound.</p>
]]></description><pubDate>Tue, 02 Jun 2026 02:06:25 +0000</pubDate><link>https://news.ycombinator.com/item?id=48365082</link><dc:creator>msm_</dc:creator><comments>https://news.ycombinator.com/item?id=48365082</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48365082</guid></item><item><title><![CDATA[New comment by msm_ in "Please Do Not Vibe Fuck Up This Software"]]></title><description><![CDATA[
<p>>the "developer" didn't bother doing the same before committing huge chunks of AI generated code?<p>This is something that you assume, not something that you have any proof of. To put it a bit more strongly, this is something that you (and hundreds of other people in that GitHub thread) made up in your head. The maintainer is a very experienced OS developer and there's no reason to suspect they didn't review the committed code.<p>Bugs happen, and the mere existence of bugs is not proof that someone is doing a poor job. Assuming those bugs even exist. I am inclined to believe they do, but the issue does a poor job of reporting them. Instead of factually reporting regressions, the "issue" is a screenshot of a viral tweet.<p>Your vicious reaction is not justified, and you should do better in the future.<p>>The effort put into the issue was roughly the same as was put into the release that caused the issue to be made. Fair is fair.<p>It is not fair. The rsync maintainer does not owe you anything. You owe them for using their software. How much did you donate to rsync this year?</p>
]]></description><pubDate>Sun, 31 May 2026 22:33:15 +0000</pubDate><link>https://news.ycombinator.com/item?id=48350388</link><dc:creator>msm_</dc:creator><comments>https://news.ycombinator.com/item?id=48350388</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48350388</guid></item><item><title><![CDATA[New comment by msm_ in "Login bypass vulnerability in Polish Social Insurance, Court, and Health systems"]]></title><description><![CDATA[
<p>It's a pretty big one, published today. Fortunately it was found and submitted by a legitimate security researcher, and it was (as far as I know) not used in the wild. Pretty scary to think what could happen instead.<p>Root cause was a shared library (Szafir SDK) used by many Polish commercial and public institutions. It implemented login with Polish e-signature (qualified certificate), but the library API was so convoluted that basically nobody used it correctly (registered as CVE-2026-9058 by Polish CERT: <a href="https://cert.pl/en/posts/2026/05/CVE-2026-9058/" rel="nofollow">https://cert.pl/en/posts/2026/05/CVE-2026-9058/</a>). This allowed complete login bypass to affected institutions, most importantly ZUS (universal Social Insurance system), official online labor/employment portal, and many online court and universal healthcare systems.<p>Unfortunately I couldn't find anything about it in English, so you need to use your favourite translator.<p>Shorter and more to the point version (summary for journalists) is <a href="https://zaufanatrzeciastrona.pl/post/podsumowanie-krytyczna-podatnosc-umozliwiajaca-calkowite-ominiecie-logowania-w-zus-ie-e-sadzie-i-systemach-e-zdrowia/" rel="nofollow">https://zaufanatrzeciastrona.pl/post/podsumowanie-krytyczna-...</a></p>
]]></description><pubDate>Mon, 25 May 2026 21:12:16 +0000</pubDate><link>https://news.ycombinator.com/item?id=48271722</link><dc:creator>msm_</dc:creator><comments>https://news.ycombinator.com/item?id=48271722</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48271722</guid></item><item><title><![CDATA[Login bypass vulnerability in Polish Social Insurance, Court, and Health systems]]></title><description><![CDATA[
<p>Article URL: <a href="https://zaufanatrzeciastrona.pl/post/ominiecie-uwierzytelniania-w-zus-ie-i-systemach-e-zdrowia-czyli-o-krok-od-cyberchaosu-cve-2026-9058-badanie-e-podpisow-cz-3/">https://zaufanatrzeciastrona.pl/post/ominiecie-uwierzytelniania-w-zus-ie-i-systemach-e-zdrowia-czyli-o-krok-od-cyberchaosu-cve-2026-9058-badanie-e-podpisow-cz-3/</a></p>
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=48271721">https://news.ycombinator.com/item?id=48271721</a></p>
<p>Points: 3</p>
<p># Comments: 1</p>
]]></description><pubDate>Mon, 25 May 2026 21:12:16 +0000</pubDate><link>https://zaufanatrzeciastrona.pl/post/ominiecie-uwierzytelniania-w-zus-ie-i-systemach-e-zdrowia-czyli-o-krok-od-cyberchaosu-cve-2026-9058-badanie-e-podpisow-cz-3/</link><dc:creator>msm_</dc:creator><comments>https://news.ycombinator.com/item?id=48271721</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48271721</guid></item><item><title><![CDATA[New comment by msm_ in "Gnutella: A Protocol Outliving the World That Created It"]]></title><description><![CDATA[
<p>And yet it doesn't work without JS (I think it's because of Cloudflare WAF, but still)</p>
]]></description><pubDate>Mon, 25 May 2026 16:58:51 +0000</pubDate><link>https://news.ycombinator.com/item?id=48269021</link><dc:creator>msm_</dc:creator><comments>https://news.ycombinator.com/item?id=48269021</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48269021</guid></item><item><title><![CDATA[New comment by msm_ in "Recreate famous water profiles using supermarket bottled water"]]></title><description><![CDATA[
<p>Yes, in Europe it's standard to charge for tap water. I don't think I ever got water in a restaurant for free in Europe (I'm European).</p>
]]></description><pubDate>Fri, 22 May 2026 13:18:24 +0000</pubDate><link>https://news.ycombinator.com/item?id=48235485</link><dc:creator>msm_</dc:creator><comments>https://news.ycombinator.com/item?id=48235485</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48235485</guid></item><item><title><![CDATA[New comment by msm_ in "Map of Metal"]]></title><description><![CDATA[
<p>Wow! I didn't expect to see mapofmetal on HN, and I *definitely* didn't expect to see the author's response.<p>I just wanted to say thank you for making it, it was really important for me when exploring music back in 2010s. It was also great to see the "big picture" of metal genres, and start the long journey down the rabbit hole.<p>In a fun turn of events, I showed this to my wife just a few days ago, to show what I was up to when I was younger. And now less than a week later this is submitted to HN. Fun coincidence.</p>
]]></description><pubDate>Wed, 20 May 2026 23:31:19 +0000</pubDate><link>https://news.ycombinator.com/item?id=48215795</link><dc:creator>msm_</dc:creator><comments>https://news.ycombinator.com/item?id=48215795</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48215795</guid></item><item><title><![CDATA[New comment by msm_ in "Frontier AI has broken the open CTF format"]]></title><description><![CDATA[
<p>In addition to what others have said, this usage is very common in the CTF world. "The challenge has no solves", "We just got the first solve" etc are very idiomatic. It would actually look weird to me if this was "solution".</p>
]]></description><pubDate>Sat, 16 May 2026 20:32:56 +0000</pubDate><link>https://news.ycombinator.com/item?id=48163541</link><dc:creator>msm_</dc:creator><comments>https://news.ycombinator.com/item?id=48163541</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48163541</guid></item><item><title><![CDATA[New comment by msm_ in "Frontier AI has broken the open CTF format"]]></title><description><![CDATA[
<p>I don't know what to tell you. If you don't know what "CTF" is you're not the target of this blog post. It's like stumbling upon an article "What's new in HTTP/2" and complaining that the "HTTP" acronym is not explained.<p>I don't mean that everyone must know what CTF is, but sometimes it's OK to write things just for your community (CTF community in this case), not for the general population.</p>
]]></description><pubDate>Sat, 16 May 2026 20:09:43 +0000</pubDate><link>https://news.ycombinator.com/item?id=48163341</link><dc:creator>msm_</dc:creator><comments>https://news.ycombinator.com/item?id=48163341</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48163341</guid></item><item><title><![CDATA[New comment by msm_ in "If AI writes your code, why use Python?"]]></title><description><![CDATA[
<p>The second form has no built-in meaning, but is frequently used in the wild. Often in local variables to avoid shadowing builtin types (`id_ = get_id()`) and in various libraries. Off the top of my head, ORMs also use it to mangle reserved names.<p>edit: I googled a bit and PEP8 explicitly says "Thus class_ is better than clss" and "single_trailing_underscore_: used by convention to avoid conflicts with Python keyword, e.g..."<p>The fourth form is the mangling used for __x names internally (__x field in class Foo is actually _Foo__x).<p>I don't know where GP saw the sixth form, but considering all other forms are from real-world usage, someone probably uses it too.</p>
]]></description><pubDate>Tue, 12 May 2026 21:20:50 +0000</pubDate><link>https://news.ycombinator.com/item?id=48114775</link><dc:creator>msm_</dc:creator><comments>https://news.ycombinator.com/item?id=48114775</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48114775</guid></item><item><title><![CDATA[New comment by msm_ in "Security through obscurity is not bad"]]></title><description><![CDATA[
<p>No, this is not what GP said, and I don't get how you reached this conclusion. This is like saying that AES is security through obscurity because it relies on the key being secret. See [1] (linked in the OP) to understand the difference better.<p>I am pretty sure everyone who works in security agrees that obscurity is not security.<p>[1] <a href="https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle" rel="nofollow">https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle</a></p>
]]></description><pubDate>Sun, 03 May 2026 17:18:13 +0000</pubDate><link>https://news.ycombinator.com/item?id=47999147</link><dc:creator>msm_</dc:creator><comments>https://news.ycombinator.com/item?id=47999147</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47999147</guid></item><item><title><![CDATA[New comment by msm_ in "Uber wants to turn its drivers into a sensor grid for self-driving companies"]]></title><description><![CDATA[
<p>Do you mean in the API? I live in a European country and I don't think I ever saw an asphalt road without paint lines. This varies a lot between countries though.</p>
]]></description><pubDate>Sat, 02 May 2026 19:10:24 +0000</pubDate><link>https://news.ycombinator.com/item?id=47989437</link><dc:creator>msm_</dc:creator><comments>https://news.ycombinator.com/item?id=47989437</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47989437</guid></item><item><title><![CDATA[New comment by msm_ in "Tinypki: Easy to use software for local CA/PKI management"]]></title><description><![CDATA[
<p>I always wanted to set up my local CA, but it was pretty annoying and hard to do. This is a wrapper for Step CA (written by my friend) that finally makes this experience bearable.</p>
]]></description><pubDate>Sat, 18 Apr 2026 23:12:25 +0000</pubDate><link>https://news.ycombinator.com/item?id=47820343</link><dc:creator>msm_</dc:creator><comments>https://news.ycombinator.com/item?id=47820343</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47820343</guid></item><item><title><![CDATA[Tinypki: Easy to use software for local CA/PKI management]]></title><description><![CDATA[
<p>Article URL: <a href="https://github.com/icedevml/tinypki">https://github.com/icedevml/tinypki</a></p>
<p>Comments URL: <a href="https://news.ycombinator.com/item?id=47819391">https://news.ycombinator.com/item?id=47819391</a></p>
<p>Points: 2</p>
<p># Comments: 1</p>
]]></description><pubDate>Sat, 18 Apr 2026 20:45:19 +0000</pubDate><link>https://github.com/icedevml/tinypki</link><dc:creator>msm_</dc:creator><comments>https://news.ycombinator.com/item?id=47819391</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47819391</guid></item><item><title><![CDATA[New comment by msm_ in "I've been writing ring buffers wrong all these years (2016)"]]></title><description><![CDATA[
<p>I thought you were joking, but then I opened <a href="https://www.fieggen.com/shoelace/grannyknot.htm" rel="nofollow">https://www.fieggen.com/shoelace/grannyknot.htm</a></p>
]]></description><pubDate>Fri, 19 Dec 2025 15:16:00 +0000</pubDate><link>https://news.ycombinator.com/item?id=46326740</link><dc:creator>msm_</dc:creator><comments>https://news.ycombinator.com/item?id=46326740</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46326740</guid></item><item><title><![CDATA[New comment by msm_ in "Pricing Changes for GitHub Actions"]]></title><description><![CDATA[
<p>Come on, editorializing the post title is against HN guidelines, but making it illegal is a bit too harsh.</p>
]]></description><pubDate>Tue, 16 Dec 2025 20:59:27 +0000</pubDate><link>https://news.ycombinator.com/item?id=46294384</link><dc:creator>msm_</dc:creator><comments>https://news.ycombinator.com/item?id=46294384</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46294384</guid></item><item><title><![CDATA[New comment by msm_ in "Vanity activities"]]></title><description><![CDATA[
<p>This page - a bit of barely styled text on a plain background - also doesn't work without JS at all. Even though this is not a SPA, the essay text is just there in HTML response. I know I'm yelling at the clouds here, but I find this slightly annoying (why do I need to run code to read this?).</p>
]]></description><pubDate>Sun, 07 Dec 2025 22:38:23 +0000</pubDate><link>https://news.ycombinator.com/item?id=46186024</link><dc:creator>msm_</dc:creator><comments>https://news.ycombinator.com/item?id=46186024</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46186024</guid></item><item><title><![CDATA[New comment by msm_ in "The state of Schleswig-Holstein is consistently relying on open source"]]></title><description><![CDATA[
<p>>EDR/AV is basically unnecessary, when you only mount things either writable or executable<p>Sounds good, except:<p>* scripting languages exist. The situation is even worse on Linux than on Windows (because of the sysadmin focus). You need at least /bin/sh installed and runnable on any POSIX system. In practice bash, python, perl and many more are also always available.<p>* exploits exist. Just opening a pdf file may execute arbitrary code on a machine. There is no way to avoid that by just configuring your system. And it will happen sooner or later, especially if nation states are involved.<p>The idea that your systems are somehow unhackable because you... mount everything W^X is... not based in reality. Of course it's a <i>great</i> idea, but in practice you need defense in depth, and you need to have a way to <i>Detect</i> and <i>Respond</i> to inevitable <i>Endpoint</i> breaches. I don't love EDR/AVs, but they mitigate real attacks happening in the real world.</p>
]]></description><pubDate>Sun, 07 Dec 2025 20:26:34 +0000</pubDate><link>https://news.ycombinator.com/item?id=46184825</link><dc:creator>msm_</dc:creator><comments>https://news.ycombinator.com/item?id=46184825</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=46184825</guid></item></channel></rss>