I keep seeing this pattern in articles: "Did you know that if you point the gun at your foot and pull the trigger, yOu ShOoT yOuRsElF iN tHe FoOt??!? I couldn't believe it myself!! What a discovery!!1!"

Are people really this oblivious or are these articles written about non-issues just to have written 'content'?

Moby-Dick

Herman Melville

> SSH3 is probably going to change its name. It is still the SSH Connection Protocol (RFC4254) running on top of HTTP/3 Extended connect, but the required changes are heavy and too distant from the philosophy of popular SSH implementations to be considered for integration. The specification draft has already been renamed ("Remote Terminals over HTTP/3"), but we need some time to come up with a nice permanent name.

    All Watched Over By Machines Of Loving Grace

    I like to think (and
    the sooner the better!)
    of a cybernetic meadow
    where mammals and computers
    live together in mutually
    programming harmony
    like pure water
    touching clear sky.

    I like to think
    (right now, please!)
    of a cybernetic forest
    filled with pines and electronics
    where deer stroll peacefully
    past computers
    as if they were flowers
    with spinning blossoms.

    I like to think
    (it has to be!)
    of a cybernetic ecology
    where we are free of our labors
    and joined back to nature,
    returned to our mammal
    brothers and sisters,
    and all watched over
    by machines of loving grace.

    https://allpoetry.com/All-Watched-Over-By-Machines-Of-Loving-Grace

- Gets the rainwater or any other hazardous material in.

- Extremely easy to check out what's inside for a thief.

- Can slide out easily and fall when toppled.

Terrible overall. Could make it to Top 10 Worst Laptop Bags though.

Just use a Tom Bihn that uses a separate, rigid, harder to access sleeve inside your backpack for laptops.

The only substantive argument I can see is that the technology is immature:

> Well...without exposing our services to the public internet and forcing our friends to signup for our weird app

Which, yeah, of course the tech is, there's only like a dozen people doing this. The exact hurdle named is hardly insurmountable: in the standards, OIDC overcomes this¹, or guest links. I don't want my family signing up for my weird app either.

One of the other big hurdles is that ISPs like to sell "Internet access", but only deliver half the deal. If you're not getting IPv6 connectivity in the year 2025, I'm sorry, that's a crippled product that your ISP was defunct and didn't properly inform you of when they sold it. (It's a lot easier to self-host on the v6 Internet. Some of my personal services are v6 only b/c of that, and that it works well enough in all but the most extreme or temporary locations.)

(¹but the half-baked OIDC implementations out there might require you to pre-register your app with them. That, rightly, might be a PITA.)

They calculate a random domain name based on the timestamp (so it’s constantly changing every X days in case it gets seized), and have some validation to make sure commands are signed (to prevent someone name squatting to control their botnet).

I don't know a lot about law, but I at least know that ruling on what the "actual law is" is selective, and usually selective in a way that is beneficial for the rich and powerful.

For example, I often bring up images of card catalogs when explaining database indexing. As soon as people see the index card, and then see that there is a wooden case for looking up by Author, a separate case for looking up by Dewey Decimal et. cet. the light goes on.

https://en.wikipedia.org/wiki/Library_catalog

Oh well. At least there will probably be good money in cleaning up after these bozos.

How does this achieve “remote code execution” as the article states? How serious is it from a security perspective?

> I'm not sharing a PoC yet, but it is an almost trivial modification of an exploit for CVE-2024-32002. There is also a test in the commit fixing it that should give large hints.

EDIT: from the CVE-2024-32002

> Repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a .git/ directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed.

So a repository can contain a malicious git hook. Normally git hooks aren’t installed by ‘git clone’, but this exploit allows one to, and a git hook can run during the clone operation.

The experience with `c2rust` is particularly interesting. It reminds me of a similar shift I saw years ago with automatic code translators between other languages. They're incredible for getting a project off the ground and proving feasibility, just as the author found, but you often end up with code that's completely "un-idiomatic" for the target language. The decision to throw it all away and do a manual port, while surely gut-wrenching, was the right call. You just can't automatically translate the intent of the original C code into safe, idiomatic Rust.

The "Interesting Bugs" section gave me flashbacks. Bug #2, with the mismatched struct layout due to a missing `*`, is a classic FFI (Foreign Function Interface) nightmare. I once spent the better part of a week debugging a similar issue between C++ and C# where a single change in struct packing alignment was silently corrupting data downstream in very subtle ways. It's one of those bugs that makes you question your sanity. Finding that requires some serious debugging grit, so kudos to the author.

This project is a great case study in the real-world challenges of modernizing critical infrastructure code. The author mentions the next big goal is to convert the codebase from `unsafe` to safe Rust. I'm really curious about the strategy for that.

Refactoring away the raw pointers and complex control flow (like the `goto` patterns) into safe, idiomatic Rust without breaking everything seems like it would be even more challenging than the initial port. Will the approach be to introduce lifetimes and the borrow checker module-by-module? And what's the plan for the intrusive data structures? Replacing them with standard library collections like `BTreeMap` is the obvious choice, but I wonder if that will have performance implications that the original intrusive design was meant to avoid.

In any case, amazing work. Thanks for sharing the journey in such detail. I'll be following this project on GitHub for sure.

To see our latest news, click here, or click here if you want to request a catalog. The latest board minutes can be found by clicking here. Click here for product documentation. If you have any comments about our web site, click here to email us, or click here to call. If you were confused by this click here, or click here to let us know it met your expectations. Click here to see how many people have visited our internet web site.

On the plus side, there was actual useful content on the web, rather than the content-free designs that popped up in the Web 2.0 era.

Obvious: while the agent can multiply the amount of work I can do, there's a multiplicative reduction in quality, which means I need to account for that (I have to add "time doing curation")

I built this about 8 years ago on a whim, and it blew up. Only recently did I learn there was a memory leak, after getting a big traffic spike that caused an OOM.

Over the years it’s burned through several TB of bandwidth per month.

I built ascii.live to support different animations for fun, although I don’t have as much time to review PRs as I’d like.

Separate instructions is a bit awkward, but does allow mixing general instructions with specific instructions. Like I can concatenate output-specific instructions like "voice lowers to a whisper after 'but actually', and a touch of fear" with a general instruction like "a deep voice with a hint of an English accent" and it mostly figures it out.

The result with OpenAI feels much less predictable and of lower production quality than Eleven Labs. But the range of prosidy is much larger, almost overengaged. The range of _voices_ is much smaller with OpenAI... you can instruct the voices to sound different, but it feels a little like the same person doing different voices.

But in the end OpenAI's biggest feature is that it's 10x cheaper and completely pay-as-you-go. (Why are all these TTS services doing subscriptions on top of limits and credits? Blech!)

I'm not so sure that's really the case; it's more that for many animals there simply isn't any pressure to evolve (or retain) this trait.

It's not like the natural selection process has a feature list it can tick off. It operates with zero foresight and an incredibly dumb principle: whatever helps procreation.

Cows are not dying due to tetrodotoxin poisoning in significant numbers, as far as I know, so there is no reason for them to evolve resistance to it. The same applies to most animals, including the snakes outside that area.

Your dog can synthesise their own vitamin C and will never develop scurvy. Most animals can do this – humans and some other primates are the exception. An ancestor lost the trait for vitamin C synthesis by chance, and because these primates were living in trees eating lots of fruit with vitamin C, evolution simply didn't notice. There is no disadvantage to being able to synthesise vitamin C, and no advantage in dropping the trait. It didn't affect procreation (at the time). Now we're all stuck with it.

Now, maybe all of this does have a cost for the snakes. But it's far from a given that there is one.

The gist of it is that he had interesting ideas on political systems in the past, but that his current ideas are nonsense, and in fact his old work explains exactly why his new work is nonsense.

The machines are all FAR too small and fancy/expensive to really make much sense. I've seen some more practical offshoots from PP that design larger machines with recycled materials etc, and consequently they have sustainable businesses around the world.

So, most of all, as is clear from the post, they never really even tried - in over a decade - to make it a viable, self-sustaining enterprise, of any sort.

Also, what's conspicuously missing from the post is their Portugal-based Precious Plastic Camp boondoggle, which always struck me as a hipster commune more than anything.

They also suddenly deleted the original forums, which contained lots of fantastic info.

So, I don't have much faith that throwing more good money after bad would help at all. I'm grateful for the inspiration and excitement that they brought into the world, but it's time for them to be recycled.

And, yet, I expect they'll con someone into helping revive them for version 5, 6 and beyond. That's the way of the non-profit world.

I'll also use this post to wish that more people would edit Wiktionary. It has such a good mission (information on all words) and yet there are only like 80 people editing on any given day or whatever. In some languages, it's even the best or most updated dictionary available. The barriers to entry and bureaucracy are really not high for HN audience types.

I became a lot happier with myself when I stopped chasing that and just decided to post the things that I like and the projects I wanted to do. These days I like to think of my website as part of the “old, good internet”: No ads, no demands, just whatever I like and wanted to write.

It’s worth recognizing that that comfort came around/after I was making decent enough money that I wasn’t also trying to figure out a side hustle. It feels to me like “do the things you like” is a luxury of someone who isn’t anxious about paying all their bills.

My lovely horse (My lovely horse) Running through the field (Running through the field) Where are you going, with your fetlocks blowing in the wind? (All Summer)

I want to shower you with sugar lumps And ride you over fences Polish your hooves every single day And bring you to the horse dentist

(My lovely, lovely, lovely horse)

My lovely horse, (My lovely horse) You're a pony no more (You're a pony no more) Running around with a man on your back Like a train in the night... like a train in the night (I Love You Anyway) My lovely, lovely, lovely horse

Thus for this one, use:

    archive.is/https://www.washingtonpost.com/investigations/2025/03/22/family-secrets-jfk-files-cia-assets/

This is more of a post on explaining the idea of React Server Components where they represent component trees as javascript objects, and then stream them on the wire with a format similar to the blog post (with similar features, though AFAIK it’s bundler/framework specific).

This allows React to have holes (that represent loading states) on the tree to display fallback states on first load, and then only display the loaded component tree afterwards when the server actually can provide the data (which means you can display the fallback spinner and the skeleton much faster, with more fine grained loading).

(This comment is probably wrong in various ways if you get pedantic, but I think I got the main idea right.)

The author is clearly curious and leads in knowing a lot to begin with.

The work-behind-the-work is looking up data sheets for the chips involved, desoldering them without damaging them, in the case of memory resoldering with hookup wire and hopefully its access is slow enough that it can work fine over the length of the wire, following hunches, trying things, and knowing (for next time) the possibility of using a pinhole camera or something of the sort when drilling shallow holes and looking through for tamper traces to avoid in further drills, if so desired be.

As others have mentioned, it would be interesting if the author stuck in and got past the tamper checks to see if it would work as normal. Oh well!