Paths where pedestrians and bikers (and other light transportation vehicles) are mixed are overwhelmingly common.

At some point you need to keep quite a large context in memory to have both decent performance and useful features (that aren't unbearably slow to use). lnav seems to land at a reasonable middle ground.

Comments URL: https://news.ycombinator.com/item?id=47090276

Points: 2

# Comments: 0

Comments URL: https://news.ycombinator.com/item?id=46809836

Points: 6

# Comments: 1

Comments URL: https://news.ycombinator.com/item?id=46512674

Points: 39

# Comments: 1

Project that I did a few years ago. You might also be interested in the retrospective where I detail what all went wrong: https://blog.nns.ee/2025/04/01/modem-blog-retrospective/

Comments URL: https://news.ycombinator.com/item?id=46049981

Points: 68

# Comments: 7

Seems pretty straightforward. They hook DirectInputCreateA() and pass their own device enumeration wrapper with the offending flag removed.

Interesting article, thank you.

From the post:

> then i found this one:

> https://juice.hackclub.com/api/get-roommate-data?email=dont@...

> yep. no auth. just an email parameter. and what did it return?

> full names. emails. phone numbers. flight receipts. all just by passing an email address in a URL.

> i reported it through their security bounty program, made a bug fix pr (because apparently that's how you get things done around here), and maybe made the slight mistake of sharing the vulnerable endpoint in that group chat - which less than 10 people saw, for what that's worth.

The author then proceeds:

> their security bounty program states minimum payouts for this kind of thing start around $150. but exposing passport numbers (which are classed as government documents) should bump it up significantly. apparently "responsible disclosure" means "don't tell anyone, even in a private chat" so they docked the entire payout.

I'm not sure why they're being seemingly sarcastic about responsible disclosure. Yes, responsible disclosure absolutely means that you disclose this to the vendor before disclosing it to anyone else. As someone who works as a penetration tester and security researcher (both at work and in my free time), in my opinion, there should be no confusion about what responsible disclosure is. You disclosing the vulnerability in public before the vendor has had the chance to fix or apparently even triage it is not "responsible disclosure" or a "slight mistake".

[1] - https://kys.llc/blog/oops-leaked-your-passport

Comments URL: https://news.ycombinator.com/item?id=45797984

Points: 8

# Comments: 0

Some devices do this more securely than others. If you're able to inject newlines, it's highly likely that you can already achieve command execution by injecting directives. I wrote a bit about this technique here: https://blog.nns.ee/2025/07/24/dnsmasq-injection-trick/ (sorry for the self-plug). I think it's up to the device vendor to do this securely and not a concern for dnsmasq.

However, in this case, I feel like the concern is elsewhere and not the sole responsibility of the device vendors. Even if the vendor does templating securely, the vulnerable config options could still trigger the bug in dnsmasq itself and give some advantage to the attacker. Assuming the vulnerabilities themselves are legit, I'm finding it difficult to classify these issues as "bogus".