<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: xtajv</title><link>https://news.ycombinator.com/user?id=xtajv</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Fri, 10 Jul 2026 03:44:12 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=xtajv" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by xtajv in "We won $92,337 bug bounty using a single kernel 0-day"]]></title><description><![CDATA[
<p>What do you mean, "no mitigation" and "except for kernel updates"?<p>Somebody made a mistake. Somebody found the mistake, and told the maintainers (and even offered a draft patch). The maintainers fixed the mistake and gave the person who found it a prize.<p>Granted, I'm grouchy about the fact that software engineering is just about the only engineering field which is neither licensed nor bonded nor insured... which sure, makes it more accessible, but also means that software engineering is "like a box of chocolates: you never know what you're gonna get".<p>(Meanwhile, all the other engineering fields say things like "those regulations are written in blood").<p>But of all the subspecialties to complain about, I'm not picking on security research. At least security research has an industry norm of responsible disclosure, plus filing CVEs into a neat database so we can know which bugs impact what, plus an industry norm of bug bounty programs to give awards to security researchers as a thank-you (instead of leaving things open to cybercriminals who will find the same issue and use it for nefarious purposes).<p>To me, that sounds like a model that everybody else should strive for.<p>I suppose we could talk about whether there could have been more testing or linting or something to prevent the mistake from getting out to production in the first place. But 1. this mistake is pretty subtle -- of all the mistakes to happen, this one seems relatively understandable 2. spending more on prevention seems like a great way for businesses to spend less on bug bounty payouts ;)<p>Who knows... someday, we might get to a point where software is actually expected to be defect-free once it reaches production, to the point where patch updates are a rare surprise.<p>That's obviously not the case today, but here's hoping.</p>
]]></description><pubDate>Thu, 09 Jul 2026 22:30:58 +0000</pubDate><link>https://news.ycombinator.com/item?id=48853252</link><dc:creator>xtajv</dc:creator><comments>https://news.ycombinator.com/item?id=48853252</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48853252</guid></item><item><title><![CDATA[New comment by xtajv in "Better Auth is joining Vercel"]]></title><description><![CDATA[
<p>Well... you're not supposed to roll your own cryptography. Like, don't go thinking that you're going to do better than a NIST contest winner if you need a cryptographic primitive.<p>That goes for protocols as well.<p>And security-related "build vs. buy" decisions should always include an element of battle-testing. If you have the option to pick an off-the-shelf TLS library rather than implementing your own, both are gonna be full of bugs but at least the former will have already had CVEs filed and fixed. (That's not, btw, an assumption that one likes to write buggy code, but rather, a choice to operate under the assumption that one can always be surprised. Schneier's Law and all).<p>That said, there comes a point to model your own problem domain, and make sure that your product includes features and components that allow it to meet your information security goals.<p>I think software engineering has done itself a bit of a disservice by making security seem "scary" (and therefore, something to avoid at all costs) rather than a necessary and boring component of any computer system.<p>P.S. If anybody wants resources, I'm a big fan of the way that FIPS-199 -> FIPS-200 -> SP 800-53
breaks down security goals, impact levels, and appropriate control measures. You can pick a goal, assess your impact level, and pick something off-the-shelf pretty quickly.</p>
]]></description><pubDate>Thu, 09 Jul 2026 21:52:04 +0000</pubDate><link>https://news.ycombinator.com/item?id=48852852</link><dc:creator>xtajv</dc:creator><comments>https://news.ycombinator.com/item?id=48852852</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48852852</guid></item><item><title><![CDATA[New comment by xtajv in "Better Auth is joining Vercel"]]></title><description><![CDATA[
<p>It sounds like they just joined Vercel.</p>
]]></description><pubDate>Thu, 09 Jul 2026 21:14:08 +0000</pubDate><link>https://news.ycombinator.com/item?id=48852460</link><dc:creator>xtajv</dc:creator><comments>https://news.ycombinator.com/item?id=48852460</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48852460</guid></item><item><title><![CDATA[New comment by xtajv in "As Amazon lets Mechanical Turk fade, Mercor hits a $2B gross run rate"]]></title><description><![CDATA[
<p>I would consider it, if I were being paid royalties on the end product, rather than a one-time hourly fee.</p>
]]></description><pubDate>Thu, 09 Jul 2026 21:02:57 +0000</pubDate><link>https://news.ycombinator.com/item?id=48852333</link><dc:creator>xtajv</dc:creator><comments>https://news.ycombinator.com/item?id=48852333</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48852333</guid></item><item><title><![CDATA[New comment by xtajv in "Has_not_been_viewed_much"]]></title><description><![CDATA[
<p>"Don't judge a book by its cover" :)</p>
]]></description><pubDate>Thu, 09 Jul 2026 20:56:40 +0000</pubDate><link>https://news.ycombinator.com/item?id=48852257</link><dc:creator>xtajv</dc:creator><comments>https://news.ycombinator.com/item?id=48852257</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48852257</guid></item><item><title><![CDATA[New comment by xtajv in "Reframing smart glasses as 'pervert glasses'"]]></title><description><![CDATA[
<p>Wearing smartglass in the first place is creepy.<p>I have nothing against people who want to wear a bodycam but it becomes creepy when you intentionally hide one in an innocuous-looking object.</p>
]]></description><pubDate>Thu, 09 Jul 2026 20:41:48 +0000</pubDate><link>https://news.ycombinator.com/item?id=48852089</link><dc:creator>xtajv</dc:creator><comments>https://news.ycombinator.com/item?id=48852089</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48852089</guid></item><item><title><![CDATA[New comment by xtajv in "DKIM2 and DMARCbis Have Landed"]]></title><description><![CDATA[
<p>I think about software engineering as virtual construction.<p>In the physical world, we can have police that go after criminals who break down doors. But builders also have a responsibility to install locks.<p>And negligently failing to build a lock is actually not a great look if you want police to give you the time of day.</p>
]]></description><pubDate>Thu, 09 Jul 2026 20:28:16 +0000</pubDate><link>https://news.ycombinator.com/item?id=48851934</link><dc:creator>xtajv</dc:creator><comments>https://news.ycombinator.com/item?id=48851934</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48851934</guid></item><item><title><![CDATA[New comment by xtajv in "Emacs 31 is around the corner: The changes I'm daily driving"]]></title><description><![CDATA[
<p>Regarding emacs-style kbds in firefox -- I use vimium to remap most actions, and occasionally resort to an additional global keybinding helper app (e.g. BetterTouchTool on macOS).</p>
]]></description><pubDate>Sun, 21 Jun 2026 06:42:22 +0000</pubDate><link>https://news.ycombinator.com/item?id=48616271</link><dc:creator>xtajv</dc:creator><comments>https://news.ycombinator.com/item?id=48616271</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48616271</guid></item><item><title><![CDATA[New comment by xtajv in "Cleaning up after AI rockstar developers"]]></title><description><![CDATA[
<p>I've said it before, I'll say it again, I'm convinced LLMs will be the thing to convince software engineers to get it together and create a licensing board.<p>Somebody wake me up when the ABET SWE PE is back.</p>
]]></description><pubDate>Tue, 09 Jun 2026 15:17:28 +0000</pubDate><link>https://news.ycombinator.com/item?id=48462240</link><dc:creator>xtajv</dc:creator><comments>https://news.ycombinator.com/item?id=48462240</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48462240</guid></item><item><title><![CDATA[New comment by xtajv in "Cloudflare CEO on how he chooses which employees to replace with AI"]]></title><description><![CDATA[
<p>I expect LLM slop to be the thing that finally convinces software engineers to create a licensing board.</p>
]]></description><pubDate>Thu, 21 May 2026 18:46:32 +0000</pubDate><link>https://news.ycombinator.com/item?id=48227269</link><dc:creator>xtajv</dc:creator><comments>https://news.ycombinator.com/item?id=48227269</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48227269</guid></item><item><title><![CDATA[New comment by xtajv in "Python 3.15: features that didn't make the headlines"]]></title><description><![CDATA[
<p>Too much syntactic sugar causes cancer of the semicolon.</p>
]]></description><pubDate>Thu, 21 May 2026 14:24:04 +0000</pubDate><link>https://news.ycombinator.com/item?id=48223152</link><dc:creator>xtajv</dc:creator><comments>https://news.ycombinator.com/item?id=48223152</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48223152</guid></item><item><title><![CDATA[New comment by xtajv in "Police used AI facial recognition to wrongly arrest TN woman for crimes in ND"]]></title><description><![CDATA[
<p>Heh, I wasn't suggesting that AI would actually replace decision-making. Rather, I wonder whether attempts to use AI in this way would result in such publicly-embarassing and catastrophic outcomes that software engineers might decide to organize professional guardrails about it.<p>I fully agree, this seems like a legal liability issue waiting to happen.</p>
]]></description><pubDate>Mon, 30 Mar 2026 16:03:57 +0000</pubDate><link>https://news.ycombinator.com/item?id=47576034</link><dc:creator>xtajv</dc:creator><comments>https://news.ycombinator.com/item?id=47576034</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47576034</guid></item><item><title><![CDATA[New comment by xtajv in "Claude Code runs Git reset –hard origin/main against project repo every 10 mins"]]></title><description><![CDATA[
<p>The phrase "don't give them ideas" comes to mind.</p>
]]></description><pubDate>Mon, 30 Mar 2026 15:54:54 +0000</pubDate><link>https://news.ycombinator.com/item?id=47575874</link><dc:creator>xtajv</dc:creator><comments>https://news.ycombinator.com/item?id=47575874</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47575874</guid></item><item><title><![CDATA[New comment by xtajv in "Claude Code runs Git reset –hard origin/main against project repo every 10 mins"]]></title><description><![CDATA[
<p>This is the part where you'd normally pull the junior engineer aside and politely give them a stern talking to until they understood what they did wrong.<p>If anybody has suggestions for how to do this with LLMs (short of maintaining CLAUDE_wall_of_shame.md), please share.<p>Edit: for the record, yes I do run a linter, and generally try not to impose bikeshedding or soapboxes on my peers. It's just that there are certain patterns that I personally am not going to commit under my own username as the engineer of record.<p>Edit 2: I saw another comment recommending "Always confirm with me before doing $x" (and then always denying). Seems like it might work.</p>
]]></description><pubDate>Mon, 30 Mar 2026 15:53:34 +0000</pubDate><link>https://news.ycombinator.com/item?id=47575857</link><dc:creator>xtajv</dc:creator><comments>https://news.ycombinator.com/item?id=47575857</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47575857</guid></item><item><title><![CDATA[New comment by xtajv in "Police used AI facial recognition to wrongly arrest TN woman for crimes in ND"]]></title><description><![CDATA[
<p>It occurs to me that software engineering is just about the only engineering field which is neither licensed nor bonded nor insured.<p>I wonder if AI / shadow IT will change that.</p>
]]></description><pubDate>Mon, 30 Mar 2026 13:34:14 +0000</pubDate><link>https://news.ycombinator.com/item?id=47574103</link><dc:creator>xtajv</dc:creator><comments>https://news.ycombinator.com/item?id=47574103</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47574103</guid></item><item><title><![CDATA[New comment by xtajv in "Police used AI facial recognition to wrongly arrest TN woman for crimes in ND"]]></title><description><![CDATA[
<p>> These dialogs always prompt me to chime in with my solution: make the police be self-insured, backed by their pension fund.<p>I'm curious, what exactly do you mean by "self-insured"?<p>(Is the idea to combine literal insurance underwriting for retirement planning with a monetary incentive system for ongoing work performance)?</p>
]]></description><pubDate>Mon, 30 Mar 2026 13:13:13 +0000</pubDate><link>https://news.ycombinator.com/item?id=47573870</link><dc:creator>xtajv</dc:creator><comments>https://news.ycombinator.com/item?id=47573870</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47573870</guid></item><item><title><![CDATA[New comment by xtajv in "Full network of clitoral nerves mapped out for first time"]]></title><description><![CDATA[
<p>My understanding is that (nonconsensual) circumcision of infants is quite common in some regions of the planet, and that some impacted individuals wish that this decision had not been made for them without their consent.<p>That seems bad.</p>
]]></description><pubDate>Mon, 30 Mar 2026 13:07:13 +0000</pubDate><link>https://news.ycombinator.com/item?id=47573808</link><dc:creator>xtajv</dc:creator><comments>https://news.ycombinator.com/item?id=47573808</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47573808</guid></item><item><title><![CDATA[New comment by xtajv in "Full network of clitoral nerves mapped out for first time"]]></title><description><![CDATA[
<p>Spot to complain that I missed a spot:<p>(P.S. you can also add a new thread)</p>
]]></description><pubDate>Mon, 30 Mar 2026 13:03:25 +0000</pubDate><link>https://news.ycombinator.com/item?id=47573760</link><dc:creator>xtajv</dc:creator><comments>https://news.ycombinator.com/item?id=47573760</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47573760</guid></item><item><title><![CDATA[New comment by xtajv in "Full network of clitoral nerves mapped out for first time"]]></title><description><![CDATA[
<p>Spot to complain about intersex genital mutilation:</p>
]]></description><pubDate>Mon, 30 Mar 2026 13:03:03 +0000</pubDate><link>https://news.ycombinator.com/item?id=47573757</link><dc:creator>xtajv</dc:creator><comments>https://news.ycombinator.com/item?id=47573757</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47573757</guid></item><item><title><![CDATA[New comment by xtajv in "Full network of clitoral nerves mapped out for first time"]]></title><description><![CDATA[
<p>Spot to complain about female genital mutilation:</p>
]]></description><pubDate>Mon, 30 Mar 2026 13:02:56 +0000</pubDate><link>https://news.ycombinator.com/item?id=47573755</link><dc:creator>xtajv</dc:creator><comments>https://news.ycombinator.com/item?id=47573755</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47573755</guid></item></channel></rss>