Hacker News: mtud

New comment by mtud in "Codex Hacked a Samsung TV"

mtud — Thu, 16 Apr 2026 14:00:54 +0000

We’re splitting this across two threads, but if you give Codex access to jadx and the Archer android app you might be able to get something without that problem. The TPLink management protocol has a few different “transport” types - tmpcli uses SSH, but your device might only support one of the other transports.

New comment by mtud in "Codex Hacked a Samsung TV"

mtud — Thu, 16 Apr 2026 13:57:53 +0000

I had been trying to find that again! It was instrumental in some RE/VR I did last year on tmp and the differences between the UDP socket (available without auth) and the TCP socket. Thanks for making that.

I can't remember the details of the scheme, but it also allows you to authenticate using your TPLink cloud credential. If my memory is correct, the username is md5(tplink_account_email) and the password is the cloud account password. If you care, I can find my notes on that to confirm.

New comment by mtud in "Codex Hacked a Samsung TV"

mtud — Thu, 16 Apr 2026 12:31:01 +0000

You should give codex access to the mobile app :) The app, for a lot of routers, connects via an ssh tunnel to UDP/TCP sockets on the router. Would probably give you access to more data/control.

New comment by mtud in "Axios compromised on NPM – Malicious versions drop remote access trojan"

mtud — Tue, 31 Mar 2026 02:54:17 +0000

Supply chain woes continue

Axios compromised on NPM – Malicious versions drop remote access trojan

mtud — Tue, 31 Mar 2026 02:54:17 +0000

Article URL: https://www.stepsecurity.io/blog/axios-compromised-on-npm-malicious-versions-drop-remote-access-trojan

Comments URL: https://news.ycombinator.com/item?id=47582220

Points: 1934

# Comments: 808

Hyrumrand – Golang random number generator based on random map iteration order

mtud — Sun, 14 Dec 2025 05:12:15 +0000

Article URL: https://github.com/micrictor/hyrumrand

Comments URL: https://news.ycombinator.com/item?id=46260917

Points: 2

# Comments: 0

New comment by mtud in "Keeping the Internet fast and secure: introducing Merkle Tree Certificates"

mtud — Sun, 23 Nov 2025 18:16:36 +0000

Sure, but unlike the CRL checks the server gets to directly know how recently the client fetched the update if my understanding is correct. Knowing which landmarks the client has would likely give you a fairly precise picture of the update time, since more frequent landmarks yields smaller MTC proofs.

Spitballing here, would it still meet the needs of the protocol if the client offered which MTCAs it has (no version information), the server sends back some “typical” depth (say, 3 levels up the tree), then the client can decide to either: * Accept the MTC * Request a deeper traversal, following some super linear growth like fib numbers. In that case, they’d communicate “give me up to 5 nodes above your leaf” * Reject the MTC * Request the full certificate for “traditional” validation

The server still has a side channel for “how recently updated is this client” by knowing how many levels of inclusion proofs needed to be shared, but this is much less signal than knowing exactly which landmarks a client has.

New comment by mtud in "Show HN: ShellAI – Local Terminal Assistance with SLM"

mtud — Thu, 06 Nov 2025 21:21:07 +0000

The model file is small enough to have in Git (safetensors is only 600MB) but the Gemma TOS make me unsure if I’m required to have the same “Read and accept the Gemma TOS” limitation that they have on their public huggingface model.

As for ptrace, I use it to inject code into the users shell to present the command in a way that doesn’t require further interaction to run. I wanted it to be more like the “AI terminal” experience without requiring the user to copy-paste the recommended command back into their shell prompt.

Show HN: ShellAI – Local Terminal Assistance with SLM

mtud — Thu, 06 Nov 2025 16:27:59 +0000

Article URL: https://github.com/micrictor/shellai

Comments URL: https://news.ycombinator.com/item?id=45836959

Points: 5

# Comments: 3

New comment by mtud in "Keeping the Internet fast and secure: introducing Merkle Tree Certificates"

mtud — Thu, 06 Nov 2025 16:23:04 +0000

It can't possibly be updating continuously in real time, can it? Especially for battery devices, a constant background thread polling for updates seems untenable.

New comment by mtud in "Keeping the Internet fast and secure: introducing Merkle Tree Certificates"

mtud — Wed, 29 Oct 2025 03:33:25 +0000

> During the TLS handshake, the client tells the server which treeheads it has.

I don’t love the idea of giving every server I connect to via TLS the ability to fingerprint me by how recently (or not) I’ve fetched MTC treeheads. Even worse if this is in client hello, where anyone on the network path can view it either per connection or for my DoH requests to bootstrap encrypted client hello.

New comment by mtud in "Keeping the Internet fast and secure: introducing Merkle Tree Certificates"

mtud — Wed, 29 Oct 2025 03:26:23 +0000

Different machines will need to have variations in when they grab updates to avoid thundering herd problems.

I could see the list of client-supplied available roots being added to client fingerprinting code for passive monitoring (e.g. JA4) if it’s in the client hello, or for the benefit of just the server if it’s encrypted in transit.

New comment by mtud in "Show HN: An Almost Free, Open Source TURN Server"

mtud — Sat, 29 Mar 2025 03:54:25 +0000

You can generate short-lived and single-use credentials for users.

New comment by mtud in "Show HN: An Almost Free, Open Source TURN Server"

mtud — Sat, 29 Mar 2025 03:51:30 +0000

Without TURN, two clients that want to do streaming communication connect directly to each other, letting both ends know things like IP addresses, supported protocols, and other fingerprintable features. This was the norm for a long time - “I got your IP, I know where you live”

New comment by mtud in "Alphabet spins out Taara – Internet over lasers"

mtud — Tue, 18 Mar 2025 13:10:54 +0000

The U.S. Naval Research Lab (NRL) has been deploying this tech - free space optics (FSO) - for about a decade.

https://www.doncio.navy.mil/chips/ArticleDetails.aspx?ID=555...