<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: nofriend</title><link>https://news.ycombinator.com/user?id=nofriend</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Fri, 15 May 2026 19:19:06 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=nofriend" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by nofriend in "I’ve banned query strings"]]></title><description><![CDATA[
<p>>If a url parameter would've been a vulnerability because something lower down the stack misinterprets it<p>By assumption, you are using this url parameter. So you have a bug where you've forgotten to allow this parameter, which will quickly be discovered in your logs and fixed. Then the vulnerability, which you are thus far unaware of, will quickly be exposed. Those url parameters you are not using cannot hurt you.</p>
]]></description><pubDate>Mon, 11 May 2026 03:58:55 +0000</pubDate><link>https://news.ycombinator.com/item?id=48090940</link><dc:creator>nofriend</dc:creator><comments>https://news.ycombinator.com/item?id=48090940</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48090940</guid></item><item><title><![CDATA[New comment by nofriend in "I’ve banned query strings"]]></title><description><![CDATA[
<p>>It’s possible that the teams you work with expect fuzzy behaviour from the website but that’s a choice, not a practice.<p>This is how the vast majority of websites work. The practical reason is obvious: when we model the behaviour our code depends on, we want to create the simplest possible model that allows our code to work as expected. Placing requirements on it that our code doesn't actually depend on is useless, unneeded complexity.<p>> As a web developer, you’re the like the guy standing with a clipboard outside a fancy club checking if people requesting entry are allowed or not. Basically, level 1 security.<p>There is no security benefit to filtering out unneeded url parameters.</p>
]]></description><pubDate>Sun, 10 May 2026 02:23:02 +0000</pubDate><link>https://news.ycombinator.com/item?id=48080400</link><dc:creator>nofriend</dc:creator><comments>https://news.ycombinator.com/item?id=48080400</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48080400</guid></item><item><title><![CDATA[New comment by nofriend in "I’ve banned query strings"]]></title><description><![CDATA[
<p>Standards are just commonly accepted behaviour that somebody chose to write down somewhere. There are a great number of commonly accepted behaviours that nobody's ever bothered to encode into a formal standard, but where failure to follow the accepted practice will result in widespread breakage. There are also a great many "standards" that you would be a fool to follow to the letter. In the OP case, the only thing that will break is people trying to visit their site, who will presumably simply press the back button on their browser and go about their day. They can decide for themselves if that is an acceptable casualty. But it isn't definitionally acceptable because no standard says it isn't (nor would it suddenly become unacceptable because a standard said it was...)</p>
]]></description><pubDate>Sun, 10 May 2026 01:27:17 +0000</pubDate><link>https://news.ycombinator.com/item?id=48080074</link><dc:creator>nofriend</dc:creator><comments>https://news.ycombinator.com/item?id=48080074</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48080074</guid></item><item><title><![CDATA[New comment by nofriend in "I’ve banned query strings"]]></title><description><![CDATA[
<p>> It should be immediately obvious that in that scheme 404 is indeed the correct answer to unknown query parameters<p>That's not obvious at all. If I receive json data that contains a property I'm not aware of, I don't reject the entire document for that reason. In the case of query strings, extra query parameters might be used by other parts of the stack besides yours, so rejecting the entire document because someone somewhere else is trying to pass information to itself is the wrong approach.</p>
]]></description><pubDate>Sun, 10 May 2026 01:22:13 +0000</pubDate><link>https://news.ycombinator.com/item?id=48080035</link><dc:creator>nofriend</dc:creator><comments>https://news.ycombinator.com/item?id=48080035</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48080035</guid></item><item><title><![CDATA[New comment by nofriend in "Forking the Web"]]></title><description><![CDATA[
<p>The reason is that clients, even under xhtml, expect to be able to build webpages via templating. You need to reject that assumption and demand that servers build pages from an ast so that the backend guarantees that the page parses. It isn't hard to do, it's just that xhtml never got far enough to try it.</p>
]]></description><pubDate>Sun, 10 May 2026 00:40:01 +0000</pubDate><link>https://news.ycombinator.com/item?id=48079815</link><dc:creator>nofriend</dc:creator><comments>https://news.ycombinator.com/item?id=48079815</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48079815</guid></item><item><title><![CDATA[New comment by nofriend in "RSS feeds send me more traffic than Google"]]></title><description><![CDATA[
<p>the only reason anyone would be interested in this result is because of the implication that it generalizes to other sites.</p>
]]></description><pubDate>Thu, 07 May 2026 18:32:52 +0000</pubDate><link>https://news.ycombinator.com/item?id=48053022</link><dc:creator>nofriend</dc:creator><comments>https://news.ycombinator.com/item?id=48053022</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48053022</guid></item><item><title><![CDATA[New comment by nofriend in "RSS feeds send me more traffic than Google"]]></title><description><![CDATA[
<p>There are rss aggregators that poll every feed occasionally, then combine them into a single feed for each person to consume.<p>Nostr works on a similar basis but you push to the aggregator instead of them pulling.</p>
]]></description><pubDate>Thu, 07 May 2026 18:30:49 +0000</pubDate><link>https://news.ycombinator.com/item?id=48053000</link><dc:creator>nofriend</dc:creator><comments>https://news.ycombinator.com/item?id=48053000</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48053000</guid></item><item><title><![CDATA[New comment by nofriend in "I am worried about Bun"]]></title><description><![CDATA[
<p>> We understood (and knew for a long time) that the large AI labs are not monetarily profiting from subscription users that make heavy use of their subscription.<p>"profit" is a weird concept in the software business. it might be true that there is an opportunity cost to these users, either because they displace other potential users by using up capacity, or because they would be willing to pay more if forced. but I don't believe that anyone is losing money on inference costs on any of their plans.<p>> At some point they have to price their product fairly<p>they are competing in a market. if most of their costs were inference then this would be a good thing, because everyone would have roughly the same prices, so as long as they had the best model they would win. in fact model development costs eclipse the cost of inference, and is something that non frontier labs get for much cheaper by distilling from the frontier companies.<p>> They will have to compete on merit alone, and that is much less profitable.<p>that's not really true. google won search on merit alone, and were massively successful as a result. the trick is that everyone from the poorest shmuck to the richest businessman uses google, so they win through scale. in ai, google and openai are making a bet that they can do the same thing. there's only really room for one winner at this game, even two is stretching it, so anthropic has to win by being the smartest model that only high end businesses use. that's a very risky bet.</p>
]]></description><pubDate>Mon, 04 May 2026 21:16:15 +0000</pubDate><link>https://news.ycombinator.com/item?id=48015111</link><dc:creator>nofriend</dc:creator><comments>https://news.ycombinator.com/item?id=48015111</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48015111</guid></item><item><title><![CDATA[New comment by nofriend in "UAE to leave OPEC"]]></title><description><![CDATA[
<p>That was pretty clearly what happened with iran. Dunno if netanyahu is a zionist or not.</p>
]]></description><pubDate>Wed, 29 Apr 2026 18:22:40 +0000</pubDate><link>https://news.ycombinator.com/item?id=47952310</link><dc:creator>nofriend</dc:creator><comments>https://news.ycombinator.com/item?id=47952310</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47952310</guid></item><item><title><![CDATA[New comment by nofriend in "GoDaddy gave a domain to a stranger without any documentation"]]></title><description><![CDATA[
<p>The bad publicity is all in tech spaces and they do ads IRL.</p>
]]></description><pubDate>Mon, 27 Apr 2026 01:01:28 +0000</pubDate><link>https://news.ycombinator.com/item?id=47916592</link><dc:creator>nofriend</dc:creator><comments>https://news.ycombinator.com/item?id=47916592</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47916592</guid></item><item><title><![CDATA[New comment by nofriend in "Harvard students call grading reform 'racist' in petition"]]></title><description><![CDATA[
<p>Causing your fellow student to do better shouldn't be harmful to you. Students should feel comfortable helping one another without fear of it worsening their own mark.</p>
]]></description><pubDate>Sun, 26 Apr 2026 02:54:55 +0000</pubDate><link>https://news.ycombinator.com/item?id=47906833</link><dc:creator>nofriend</dc:creator><comments>https://news.ycombinator.com/item?id=47906833</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47906833</guid></item><item><title><![CDATA[New comment by nofriend in "Email could have been X.400 times better"]]></title><description><![CDATA[
<p>Was it actually superior though? The usual treatment is that packet switching works better at the scale of the internet. With voice, hogging a whole line works, but for the internet it makes more sense to slow everybody down when congestion occurs rather than preventing some people from connecting at all. I get why the telecoms would have you waste your bandwidth reserving a connection you don't need, and I get why they would try and sell that as a superior solution because of some nonsense about reliability, but I don't see it as providing much benefit to the user.</p>
]]></description><pubDate>Sat, 25 Apr 2026 02:14:50 +0000</pubDate><link>https://news.ycombinator.com/item?id=47898023</link><dc:creator>nofriend</dc:creator><comments>https://news.ycombinator.com/item?id=47898023</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47898023</guid></item><item><title><![CDATA[New comment by nofriend in "SI Units for Request Rate (2024)"]]></title><description><![CDATA[
<p>The hertz is formally defined as 1/s, except this leaves open the question of 1 <i>what</i> each second. I've seen it argued that since the numerator is unitless, and radians are also unitless, that the hertz as defined refers to one radian per second, and that it should have instead been defined as rev/s. While this argument might be specious, it suggests to us that even if our numerator is unitless, we should still be clear about what kind of thing we are describing rates of. So say "requests per second" if that is what you are talking about, and things will be clearer for everyone.</p>
]]></description><pubDate>Sun, 19 Apr 2026 06:27:22 +0000</pubDate><link>https://news.ycombinator.com/item?id=47822214</link><dc:creator>nofriend</dc:creator><comments>https://news.ycombinator.com/item?id=47822214</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47822214</guid></item><item><title><![CDATA[New comment by nofriend in "America Lost the Mandate of Heaven"]]></title><description><![CDATA[
<p>nonsense can have the excuse of being benign, and danger can have the excuse of being well thought out.</p>
]]></description><pubDate>Sun, 19 Apr 2026 04:11:51 +0000</pubDate><link>https://news.ycombinator.com/item?id=47821733</link><dc:creator>nofriend</dc:creator><comments>https://news.ycombinator.com/item?id=47821733</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47821733</guid></item><item><title><![CDATA[New comment by nofriend in "Show HN: PanicLock – Close your MacBook lid disable TouchID –> password unlock"]]></title><description><![CDATA[
<p>It does offer you legal protection. In the US, the right to not self-incriminate protects you from divulging passwords but does not protect you from giving up biometrics. In other countries the rule is different.</p>
]]></description><pubDate>Sat, 18 Apr 2026 04:03:29 +0000</pubDate><link>https://news.ycombinator.com/item?id=47813038</link><dc:creator>nofriend</dc:creator><comments>https://news.ycombinator.com/item?id=47813038</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47813038</guid></item><item><title><![CDATA[New comment by nofriend in "OpenAI's $852B valuation faces investor scrutiny amid strategy shift, FT reports"]]></title><description><![CDATA[
<p>Index funds won't get in at ipo prices. They wait a year or so before including new stocks, so the price is guaranteed to have settled by then. OpenAI also isn't profitable yet so that's another point against them in terms of being included in index funds.</p>
]]></description><pubDate>Wed, 15 Apr 2026 04:39:17 +0000</pubDate><link>https://news.ycombinator.com/item?id=47774744</link><dc:creator>nofriend</dc:creator><comments>https://news.ycombinator.com/item?id=47774744</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47774744</guid></item><item><title><![CDATA[New comment by nofriend in "Seven countries now generate 100% of their electricity from renewable energy"]]></title><description><![CDATA[
<p>That's exactly what's going on in africa, people are installing solar panels in order to avoid having their power be out half the time.</p>
]]></description><pubDate>Mon, 13 Apr 2026 05:06:02 +0000</pubDate><link>https://news.ycombinator.com/item?id=47747814</link><dc:creator>nofriend</dc:creator><comments>https://news.ycombinator.com/item?id=47747814</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47747814</guid></item><item><title><![CDATA[New comment by nofriend in "Trump says 'a whole civilization will die tonight' if Iran does not make a deal"]]></title><description><![CDATA[
<p>International law consists of treaties that have been bilaterally agreed to by several countries, in most cases including the US. Being treaties, they are US laws that are much more difficult for the US to amend than ordinary laws. US law/international law is a false distinction, when we speak of international law in the context of the US, we are generally referring specifically to treaties that the US is party to.</p>
]]></description><pubDate>Tue, 07 Apr 2026 17:09:10 +0000</pubDate><link>https://news.ycombinator.com/item?id=47678371</link><dc:creator>nofriend</dc:creator><comments>https://news.ycombinator.com/item?id=47678371</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47678371</guid></item><item><title><![CDATA[New comment by nofriend in "StackOverflow: Retiring the Beta Site"]]></title><description><![CDATA[
<p>Be chatbot first ig. I had envisioned a portal where you land on the front page and drop your question in the box. It would do some rag thing over the SO question database then try to answer your question. You could chat back and forth with it. If you figured out your problem then you would have the option to turn it into a question answer pair with help from the ai. If you didn't figure out your problem, then it would turn it into just a question, which would then show up for the experts of SO to answer. Something like that.</p>
]]></description><pubDate>Sun, 05 Apr 2026 17:37:53 +0000</pubDate><link>https://news.ycombinator.com/item?id=47651836</link><dc:creator>nofriend</dc:creator><comments>https://news.ycombinator.com/item?id=47651836</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47651836</guid></item><item><title><![CDATA[New comment by nofriend in "Memo: A language that remembers only the last 12 lines of code"]]></title><description><![CDATA[
<p>It's a noun too</p>
]]></description><pubDate>Fri, 03 Apr 2026 02:33:37 +0000</pubDate><link>https://news.ycombinator.com/item?id=47622634</link><dc:creator>nofriend</dc:creator><comments>https://news.ycombinator.com/item?id=47622634</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47622634</guid></item></channel></rss>