Unlurker|Replay|About
What IAEA docs say about Iran's nuclear program, before the bombs fell (meetdewey.com)
> I downloaded them all and ran exhaustive AI research queries across the full corpus. What follows is what the documents actually say. Missing an /s?
It seems to be serious. This should be treated with extreme skepticism. Probably best to remove this from HN.
I wonder how much more uranium this is than say israel themselves have???
From the IAEA perspective, Israel is not a party to the nuclear non-proliferation treaty so they are not bound by IAEA rules (and in exchange they do not get the benefits of being part of the treaty, which are substantial)
Israel is definitely the darling during the Cold War.
↙ time adjusted for second-chance
An Introduction to Writing Systems and Unicode (r12a.github.io)
The texts in the images claimed to be Simplified Chinese are not really conforming the standard glyph shapes of hanzi as defined by the government of China; they look more like the Japanese standard shapes of kanji.
This site has been a gem for a long time for Unicode and language-related topics. Just as good to link to the top-level, https://r12a.github.io/
Richard is amazing. I briefly worked with him while volunteering on a W3C text layout requirements document. He cares deeply about writing systems, and he has been doing so much valuable work in this space.
AI for American-Produced Cement and Concrete (engineering.fb.com)
Hand-held devices for testing concrete properties would be more useful. Most concrete problems come from a bad mix - too much water, not enough cement, etc. Concrete testing usually involves cutting a core out of the poured slab and sending it to a lab. Something where you stick a probe in the mix and can reject it before pouring would help. Here are some on-site concrete testers.[1] They're heavy and a pain to use. There should be an app for this. But that's so last-decade. [1] https://store.forneyonline.com/concrete-testing-equipment/fresh-concrete-test-sets
I'm surprised the ratios for a given situation isn't standardized by now. Is it just people cutting corners?
Working with multiple tons of material that dries out as you move it around is hard. There are a lot of steps between the concrete being mixed and when it finally reaches the pour. Cutting out a piece of a slab and sending it to a lab is for post-pour validation in serious construction. There are pre-pour tests that are much simpler depending on the seriousness of what you’re building. The slump test is rather simple, for example: https://en.wikipedia.org/wiki/Concrete_slump_test It’s basically a cone with handles and a procedure that’s easy to learn.
I hate April Fools day so much. Is this a joke? I genuinely cannot tell.
The date on the article is March 30th.
Jesus I hope they do proper testing for these experimental mixes and don't trust whatever random garbage AI decides you should mix in. This is exactly the kind of thing AI is absolutely terrible at because it has no logical skills or direct experience or ability to test it. If your AI coded stuff goes belly up, you get to try again. If your multi million dollar cement foundation turns out to be sub-par, thats multi million dollars to tear it out and then millions more to do it again right, and that is a best case scenario. The alternative is people dieing when their apartment building collapses.
Can you at least read the article before criticizing them? They explicitly call out that they use Bayesian Optimization (Gaussian process) thing for this. It is "AI" but not "LLM" like you think it is.
We use Gaussian processes trained on vetted test data from academic and industry partners. We use these predictions to recommend mixes for onsite testing to accelerate finding mixtures with optimal strength-speed-sustainability trade-offs. None of the data and predictions go untested. The blog post goes into this in more detail.
> As a result, producers need a way to rapidly explore and validate new formulations without spending months in the lab. How do you bypass the normal process of pouring test articles and testing them months and years after cure? This is fundamentally a research activity that needs to conduct verifiable science. Not something you can guess at with an LLM.
Somebody needs to coin a new term for the scattershot zero-thought AI griping that is pervasive in online comments these days. Meatslop? Obviously it's going to be more productive for a manufacturer to do a years-long curing test on 100 likely candidates instead of 100 random mixes. They obviously already screen candidates through traditional methods, but if this AI technique improves accuracy, all the better.
hn discourse is not nearly as high-quality as people would like to believe.
It’s very bimodal.
just like everywhere else? reddit has fairly good wheat among the chaff just the same?
I call it pseudo-critique — active stupidity in the name of critical thinking — but that’s too general.
https://danluu.com/cocktail-ideas/
I had to double check that this wasn't an April Fools joke. The GitHub project has commits from 2 weeks ago, so it's not. Looking more closely though, this looks a lot like the Google "AI Cookie" from 2017, which also used Bayesian Optimization: https://blog.google/innovation-and-ai/technology/research/makings-smart-cookie/
Google's "Smart Cookie" indeed also used techniques from Bayesian Optimization. For some technical detail, see their write-up here: https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/46507.pdf Our work on concrete here differs in that the problem is both 1) an inherently time-varying, and 2) multi-objective. See our write-up here for details: https://arxiv.org/pdf/2310.18288
NASA Artemis II moon mission live launch broadcast (plus.nasa.gov)
I'm just SO HAPPY we can talk about something that doesn't involve the Iran war, ICE etc. This is a really historic moment, I hope that the current and future administrations continue investing in space exploration. I've waited my whole life for this as the entire "action" happened before I was born. Hubble/James Webb/ISS are cool but Artemis is something else!
Fingers crossed that this https://idlewords.com/2026/03/artemis_ii_is_not_safe_to_fly.htm doesn't have any effect.
There is a LOC (Loss of Crew) number that is typically calculated for these missions. I'm curious what that is? Early Apollo missions were on the order of 4%.
It is a bit chilling to watch these astronaut profiles having just read yesterday about the heat shield issues observed on the prior mission, and that this will be the first time we can test the heat shield in the actual pressures and temperatures that it will have to endure. Godspeed crew of Artemis II.
There is also a stream on ESA Web TV https://watch.esa.int/
too windy outside for this to happen imo
You better run over there and let them know.
What is your opinion based on?
This opinion may be unpopular here but it's hard to get excited about a colossal waste of taxpayer money after all the damage DOGE did. I don't understand how these NASA missions with questionable scientific value and obscene budgets get off the ground. I mean I do understand, NASA funding is important to oligarchs. But still.
Artemis was already set in stone well before DOGE came about and IMO if the federal government is going to set mountains of cash on fire I'd rather it be to NASA than half the crap the government wastes every year.
Even though you could question the whole Artemis concept, it's still extremely exciting watching the countdown with my son. I just missed the original Apollo flights and had assumed I would never see a moon landing in my lifetime. We may well not have a landing for quite some time yet, but it's still cool to see a Moon bound rocket standing on the launchpad...
Its going to be a first for me and my son as well. Looking forward to tonight to make an even over it.
I don't know if it's feasible for you, but if you can, try to take your kid to see a live rocket launch. The TV is grossly unable to display how awesome these things are in person.
It's even more exciting when you realize that the last crewed mission beyond Low Earth Orbit was 1972 and each person on that spacecraft today are younger than that.
Hopefully, in a few years we will figure out that hydrogen rockets can not reliably launch on time and we'll switch to less leaky fuels. Then maybe we won't need to pull 40 year old engines out of museums to dump in the ocean. I'm all for human spaceflight, but the Senate Launch System seems the best argument for shutting down human spaceflight programs.
Oh, don't worry, we did figure that out. What we haven't figured out yet is how to stop Congress from involving themselves in engineering decisions.
Well, we should have figured that out with the STS. That's what the STS was for - figuring out what technologies made for inexpensive, rapid spaceflight and which technologies don't. Then the senate mandates the new rocket to use specifically the most expensive, problematic, least reliable technology. Completely designed to fail. Have such hopes for the Starship.
Out of curiosity, why do you see this as a worthwhile endeavor? My personal perspective is that the resources are better used for other purposes, but it's possible that I just haven't encountered some compelling reason yet.
Go take a look at how much this costs compared to the rest of the federal budget. I think you'll be surprised by how little money NASA gets. Now, the military...
I want humanity to continue to be explorers. The Moon is a good next thing, then asteroid mining, humans on Mars and Venus, and eventually colonizing the Milky Way.
Do you watch sports, football, the Olympics? If not I'm sure you know someone who does. Same category as this. Each of the 32 NFL team is worth about the cost of 1-2 Artemis launches. The entire league could fund the whole Artemis program nearly twice. Hosting the Olympics is worth about 3-10 launches. Like sports, the objective is ultimately useless except as a showcase of what humanity has to offer, and people like to see that.
I think there is a major difference though. Sports events are not pretending to be anything else. The Artemis mission claims to be advancing science and claims to be a stepping stone for an eventual moon base and a manned mission to Mars. I personally have serious questions about all of these.
You are not the target audience for this sort of presentation. Media directed at the laity is more about being directionally than quantifiably correct, and is full of metaphor and embellishment to capture the imagination rather than communicate something with precision. People who want the actual details and numbers will read.
I firmly believe you can have both exciting, inspiring, and factually correct communication if you make that a priority. The experience of hearing factual things presented with passion and obvious expertise is in itself inspiring. Why settle for less?
A new way to measure poverty shows the US falling behind Europe (euronews.com)
Is the measure they are using inflation adjusted over time? If not this shows an enormous loss in purchasing capacity over time for the average person, which is certainly how its felt over the past decades as inflation has outrun wages for most people.
Don’t fall for it, this is payed I guess by one of the countless NGOs that serve the official agenda of leftist politicians. Germany’s economy is the worst in Europe since a couple of years. Industrial complex vanish faster than a glassy menu opens on the MacBook Pro series. Bankruptcy is on an all time high, car makers opening new factories in Hungary and close theirs no matter how modern they are in Germany. A pharmacist in Germany begged me to pay with fiat money and not to use Apple Pay nor credit card due to the percentage hit on the invoice - and I bought stuff for roughly 350EUR. Roads look like 1990 in the German Democratic Republic. All that politicians from the Left discuss is higher taxes, higher medical costs higher everything even state debt while service declines and investment disappears. It is dire here. Don’t fall for it, because it is only getting worse. The youth wants to leave Germany with at a percentage rate never seen before: between 20 and 25%. And the net balance is already negative for 3 years if I remember correctly for people moving here and people leaving - and these are folks from Germany and people who’s parents immigrated here generations ago. So called “Knives Prohibition Zones” installed in the last years shall account for the massive increase in knife attacks in the public zones. Christmas markets don’t open as well as many traditional public meet ups closed due to anti terrorist and safety measures they have to pay for - an unheard and unseen phenomenon 10 years ago. I could go on and on - but yeah, Europe is great and such, so cool, that more and more former colleagues who lived here 10 years and more happily leave the country for good.
I’m as frustrated as anybody else with how the economy is going in the US. But we should be skeptical about a new metric with an intuitive name that seems to confirm exactly what we all suspect but is sort of complex to interpret/measure, right? In particular it seems weird that only we had a massive change during COVID. Also seems a little odd that Germany was always better than the US, even in the 90’s when things were pretty good here. Putting it together, we need to have COVID all the time here, so we can match the economic development of Germany immediately post-reunification.
> In particular it seems weird that only we had a massive change during COVID. It is not weird if you were old enough to be aware of the news during that time. Poor people in the US suddenly coming into money and being lifted out of poverty thanks to COVID stimulus checks was front and center in the news cycle as it was happening. The other countries noted did not follow the same "hand out free money" approach. Their safety nets were built around maintaining continuity during COVID. > even in the 90’s when things were pretty good here. Things being good does not necessarily equate to not requiring more time to get $1, which is what we're talking about. For example, the American stereotype is that workers will work every single day of the year if you let them. Whereas the stereotypical German places much greater value on not working. If, hypothetically, an American works 40 hours in a week to get $1,000, and a German works 20 hours in a week to get $501, then the American will present as being worse off by the time to get $1 metric even though in absolute terms someone with $1,000 is better off than someone with $501.
This metric rates very high on my private index Compensation, Obscuring, Paltry, Earnings (COPE)
OK, the idea is interesting, but the numbers seem completely bogus. In what world does it take the average American 63 minutes to earn $1, even one "international" dollar? I get the "international" part - purchasing power. The number still seems way off, though. In a time when minimum wage is $7/hr, how is the average American earning $1/hr? Can anyone make that number make any sense?
Nope, I just spent 15 minutes reading the original paper and can’t make any sense of what he is calculating. International dollars are normalized to USD, so there’s no conversion necessary. The figure he quotes of 63 min per dollar converts to $8343/year. However, his original paper states that he created this measure by inverting income, so the number 8343 is his starting point. The closest guess I have is that is derived from the poverty line for a family of four, $27700 (which divided by four is 6925). If that is the case, what he is really doing is comparing poverty line definitions between countries.
>The “time” refers to a day of life for anyone, at any age and in any circumstance — not just the hours worked by someone with a job. So it's how much you earn per day divided by 24, or maybe by yearly earnings and hours per year
I would guess this is because places like Germany having incredibly low annual working hours.[1] The bottom of the list is populated by all European countries. [1] https://en.wikipedia.org/wiki/List_of_countries_by_average_annual_labor_hours
Being at the bottom of that list is very desirable, because it means high quality of life, while being at the top of that list means very low quality of life.
> The $1 is measured in international dollars. This means it buys the same amount of goods and services in any country as a US dollar does in the United States. It is often used alongside purchasing power parity (PPP) data. The “time” refers to a day of life for anyone, at any age and in any circumstance — not just the hours worked by someone with a job. So IIUC this "average poverty" (measured in time per international dollar) includes people living off social welfare? Otherwise, if it only included the working population, wouldn't we have average poverty ≝ (average yearly income* of the working population / 1yr)⁻¹ and so it should be inversely proportional to the average yearly income* metric mentioned in the article? *) Adjusted for purchasing power, i.e. measured in international dollars.
From a linked article: >For these purposes, income includes earnings from work, government benefits and other sources of money, and it is averaged among all family members. Yes, it is supposed to include income from all sources. https://theconversation.com/measuring-poverty-on-a-spectrum-instead-of-an-arbitrary-line-conveys-a-more-accurate-picture-of-inequality-271912
This seems like a quite nice way to measure poverty.
I believe this is the paper https://ora.ox.ac.uk/objects/uuid%3A501e8eb8-3ce7-4ac0-9d09-03b7cecfd16b?utm_source=chatgpt.com
Great intro that quickly explains the reasoning for the proposed new measure: > Virtually everyone would agree that a 20-meter tree is twice as tall as a 10-meter tree. Conversely, everyone would agree that the 10-meter tree is twice as short as the 20-meter tree. There is no threshold or “shortness line” above or under which these relationships cease to hold: a 5-meter tree is twice as short as a 10-meter tree, a 1-meter tree is twice as short as a 2-meter tree, and so on. This reasoning remains valid when considering other multiples: a 1-meter tree is three times shorter than a 3-meter tree. To be sure, when assessing the height of a single tree, different people may disagree whether it is short or tall, as their judgment will depend on the benchmark they use for their assessment. However, when comparing two different trees, virtually everyone would make similar cardinal comparisons. In mathematical terms, shortness is the reciprocal of tallness. [...] In this paper, I apply the same logic to define a new poverty measure
it feels counterintuitive to me that US "average poverty" dropped more than 50 percent in covid, while european stayed absolutely untouched.
It is not counterintuitive at all, unless you misunderstand the income levels of the poor. Sending everyone $1400 massively increased the income of the poorest Americans.
I felt the same. But I think the reason is similar to how your fuel economy is absolutely destroyed by sitting still. When you average in a speed of zero the calculation goes haywire. People in the US are so close to financial disaster that in order to avert disaster the US had to heavily subsidize those out of work. Many people got healthcare and unemployment benefits that would not have been otherwise available. This meant money for zero hours of work. When you average in $1/0 hours it does crazy things to the graph. The reality is: During Covid the US rapidly adopted similar safety nets to EU countries and, in effect, aligned with their levels of poverty. Once the emergency measures ended we snapped back to our previous, precarious, poverty level. Just my theory.
Politicians are judged by these metrics, so they all get gamed.
They are not, sadly. Or rather, many voters care about many different things and the resulting metric is not that sensible.
Different responses to the COIVD shutdowns. The US government gave stimulus money directly to the people, for many bringing an increase to one's income during that period. The European response was focused more on helping people keep their jobs so their incomes remained stable.
Extremely doubtful that the stimmy was enough to meaningfully reduce the real poverty level. The people who already live paycheck to paycheck spent that almost as soon as they got it (hopefully on something that meaningfully improved their lives, like deferred car or home repairs, but if we're being real a lot of people blew it on gambling apps.)
Incorrect. https://www.nationalacademies.org/news/federal-tax-credits-in-2021-lifted-more-than-2-million-children-out-of-poverty-says-new-report
The metric in question measures how much time it takes to get $1 in income. When, over a set period of time, your income increases (in this case because the government started paying you more than you were getting before), the time to get $1 goes down. When the government stops paying and you go back to the way things were then the time to get $1 goes back up.
How much of that could be the lack of real social nets in the US compared to Europe? In addition, anecdotally, everyone I know in the EU that had a job pre covid has a job today. I can't say the same thing about folks in the US.
That's not my experience in Finland. The unemployment rate passed 10% a few months ago. Youth unemployment is now over 20%.
The curious data point is that on this graph poverty seems to have strongly reduced during covid. Less poor.
Huge amounts of cash were given to many Americans during Covid.
Why does this surprise you? There were large, direct transfers to initially children, then everyone. This was the largest and most effective American anti-poverty program of all time.
It is not intuitive at all to me. From the article, I can see that there's some sort of penalty by having more billionaires in the country, and that somehow leads to "the time needed to earn $1 is 63 minutes in the US", which doesn't really line up with the fact that minimum wage per hour ranges from $7-$18 depending on the state. The "old" way was to measure median net PPP per capita, which makes more sense to me: https://upload.wikimedia.org/wikipedia/commons/8/85/Annual_median_equivalised_disposable_income_per_person%2C_by_OECD_country.png
The figure you linked to is particularly unintuitive. It shows income per household, divided by square root of household size. There are plenty of complex and unpredictable interactions with heuristics like that. For example, if housing becomes more affordable, young people may move out sooner. Then there will be more small households with low incomes, which may bring the reported income down.
This time is a global average, including non working people or part time people.
Some people have a gut reaction to take any bad news about America as slander or manipulated science; choosing to reject the truth as their dear leader tells them to.
A novel way of measuring poverty is something you should be really skeptical of!
What Is Copilot Exactly? (idiallo.com)
developers are far too pedantic to make a mistake like that sometimes imposter syndrome is completely because you are an interloper I question this 10x dev that OP was talking to
the naming problem is real but it is also a symptom of shipping the autocomplete product before having a coherent agent story. github copilot was a code completion tool for 2-3 years before the ‘AI assistant everywhere’ branding happened. now the name has to cover everything from tab completion to autonomous coding agents to M365 assistants, and the only thing they have in common is they all send something to an LLM. hard to name a category that broad in a way that means anything.
Everything MS does can be summed up in one word: "Clippy" I've been using their data reporting product for ever. It's not fancy but you'll be amazed at how many data people use it. Back then it used to be called "SQL Server Reporting Services" or "SSRS". It is now called Power BI Paginated Reports. Over the years, the product has gradually become worse . Publishing, subscriptions, several features are now hard to use. All in the service of Clippy and the Cloud.
I too love Copilot 365 OneDrive Fabric for Business E5 powered by Yammer P2.
The gap between "AI autocomplete" and "AI agent with tool use" keeps widening. Copilot is still in the first camp.
Copilot cli isn’t as good as Claude but it’s not just fancy autocomplete either. Copilot cli seems to be converging with the rest and you can use mcp servers, skills, launch fleets of agents that use tools etc.
This is weird to me because I don't think I talk to anyone regularly who even uses Cursor anymore, let alone Copilot. It's Claude and Codex now, and then people with more interesting/oddball TUI agents or async web agents.
I use Copilot pretty much exclusively because it's our "approved AI solution" at the office and they block access to Claude. Since I'm so used to Copilot at work, I just end up using it all the time.
I use Github Copilot because it's what my job provides to me. But 95% of my usage is via OpenCode (which is officially supported [0]), not copilot-cli or their IDE plugins. The rest is autocomplete in the IDE. I actually find it to be a great deal, especially because they charge by request rather than token. So if you provide detailed prompts a lot of work can get done for very little cost. [0] https://github.blog/changelog/2026-01-16-github-copilot-now-supports-opencode/
Do you regularly talk to anyone in a Microsoft shop (like most enterprises)? If you work in a ms ”partner” company there’s rarely a choice between the Microsoft product and something else. Azure over AWS is a given etc.
Which component is the bombardier?
That’s Finance. They don't fly the plane; they just wait for the right moment to drop the bill for those premium tokens.
It feels like the Microsoft version of "IBM Watson", where they renamed seemingly unrelated projects to Watson.
MS has done this for years. The have had several overall brands. Visual, live, .net, direct, Active, X, etc etc etc. They will even sometimes have a couple in flight at the same time. Right now now it seems to be copilot and m365. I probably even forgot a couple.
ActiveX
Nah. DotNet.
> "Actually, I made a mistake. I meant Cursor." ROFL
A 10x engineer who doesn't even know what tools they are using?
Amazing ending. I have been told "no one should be using copilot" - and I agree!
I genuinely don't understand how one company can be so bad at naming products for multiple decades. It makes Sony's names for its headphones seem downright catchy.
This is dumb enough that it can’t be accidental. I genuinely believe the strategy is to create vague but recognizable brands but avoid labeling _products_ with recognizable names. Microsoft seem to think that it’s better to have some names we all know like 365, Azure, Copilot snd then the products are just floating around under those brands. That’s the only conclusion I can draw but I have no idea why they would want this.
↙ time adjusted for second-chance
Show HN: Zerobox – Sandbox any command with file and network restrictions (github.com/afshinm)
I trust sandbox-exec more, or Docker on Linux. Those come from the OS, well tested and known. MITM proxy is nice idea to avoid leaking secrets. Isn’t it very brittle though? Anthropic changes some URL-s and it’ll break.
Thanks for sharing that. Zerobox _does_ use the native OS sandboxing mechanisms (e.g. seatbelt) under the hood. I'm not trying to reinvent the wheel when it comes to sandboxing. Re the URLs, I agree, that's why I added wildcard support, e.g. `*.openai.com` for secret injection as well as network call filtering.
the credential injection via MITM proxy is the most interesting part to me. the standard approach for agents is environment variables, which means the agent process can read them directly. having the sandbox intercept network calls and swap in credentials at the proxy layer means the agent code has a placeholder and never sees the real value -- useful when running less-trusted agent code or third-party tools. the deny-by-default network policy also matters specifically for agent use: without it there is nothing stopping a tool call from exfiltrating context window contents to an arbitrary endpoint. most sandboxes focus on filesystem isolation and treat network as an afterthought.
Thanks and agreed! Zerobox uses the Deno sandboxing policy and also the same pattern for cred injection (placeholders as env vars, replaced at network call time). Real secrets are never readable by any processes inside the sandbox: ``` zerobox -- echo $OPENAI_API_KEY ZEROBOX_SECRET_a1b2c3d4e5... ```
Do you know if there's a widely shared name for this pattern? I've been collecting examples of it recently - it's a really good idea - but I'm not sure if there's good terminology. "Credential injection" is one option I've seen floating around.
Technical debt is not always bad. Deliberate technical debt taken on with eyes open to ship faster is a legitimate business strategy. The problem is accidental technical debt from poor decisions compounding silently.
This looks really good - the CLI interface design is solid, and I especially like the secrets / network proxy pattern - but the thing it needs most is copiously detailed documentation about exactly how the sandbox mechanism works - and how it was tested. There are dozens of projects like this emerging right now. They all share the same challenge: establishing credibility. I'm loathe to spend time evaluating them unless I've seen robust evidence that the architecture is well thought through and the tool has been extensively tested already. My ideal sandbox is one that's been used by hundreds of people in a high-stakes environment already. That's a tall order, but if I'm going to spend time evaluating one the next best thing is documentation that teaches me something about sandboxing and demonstrates to me how competent and thorough the process of building this one has been.
> There are dozens of projects like this emerging right now. They all share the same challenge: establishing credibility. Care to elaborate on the kind of "credibility" to be established here? All these bazillion sandboxing tools use the same underlying frameworks for isolation (e.g., ebpf, landlock, VMs, cgroups, namespaces) that are already credible.
The problem is that those underlying frameworks can very easily be misconfigured. I need to know that the higher level sandboxing tools were written by people with a deep understanding of the primitives that they are building on, and a very robust approach to testing that their assumptions hold and they don't have any bugs in their layer that affect the security of the overall system. Most people are building on top of Apple's sandbox-exec which is itself almost entirely undocumented!
Simon! Thanks. I appreciate your comment and totally agreed. I will improve the docs as well as tests.
You should probably add a huge disclaimer that this is an untested, experimental project. Related, a direct comparison to other sandboxes and what you offer over those would be nice
I agree to some extend. I'm using the OpenAI Codex crates for sandboxing though, which I think it's properly tested? They launched last year and iterated many times. I will add a note though, thanks!
Again, it’s blacklisting so kind of impossible to get right. I’ve looked at this many times, but in order for things to properly work, you have to create a huge, huge, huge, huge sandbox file. Especially for your application that you any kind of Apple framework.
That's interesting, thanks for sharing that. Could you elaborate a bit more? I'd like to understand the use case is a bit better.
This doesn't look like it's blacklisting to me. It's an allowlist system: --allow-net=api.openai.com # Explicitly allow access to that host --allow-write=config.txt # Explicitly allow write to that file
That's correct. The pattern is: reads allowed, write and network I/O blocked by default. ``` zerobox -- curl https://example.com Could not resolve host: example.com ```
Oh so it allows ALL file reads? I'd feel safer with default-deny on reads as well, but I know from past experience that this gets tricky fast - tools like Node.js and uv and Python all have a bunch of files they need to be able to read that you might not predict in advance. Might still be possible to do that in a DX-friendly way though, if you make it easy to manually approve reads the first time and use that to build a profile that can be reused on subsequent command invocations.
I agree and you can deny all reads like this: ``` zerobox --deny-read=/ -- cat /etc/passwd ``` That being said, what the default DX shouldl be? What paths to deny by default? That's something I've been thinking about and I'd love to hear your thoughts.
That's a really tough question. I always worry about credentials that are tucked away in ~/.folders in my home directory like in ~/.aws - but you HAVE to provide access to some of those like ~/.claude because otherwise Claude Code won't work. That's why rather than a default set I'm interested in an option where I get to approve things on first run - maybe something like this: zerobox --build-profile claude-profile.txt -- claude The above command would create an empty claude-profile.txt file and then give me a bunch of interactive prompts every time Claude tried to access a file, maybe something like: claude wants to read ~/.claude/config.txt A) allow that file, D) allow full ~/.claude directory, X) exit You would then clatter through a bunch of those the first time you run Claude and your decisions would be written to claude-profile.txt - then once that file exists you can start Claude in the future like this: zerobox --profile claude-profile.txt -- claude (This is literally the first design I came up with after 30s of thought, I'm certain you could do much better.)
Very interesting. I just started researching this topic yesterday to build something for adjacent use cases (sandboxing LLM authored programs). My initial prototype is using a wasm based sandbox, but I want something more robust and flexible. Some of my use cases are very latency sensitive. What sort of overhead are you seeing?
I added a benchmark test (Apple M5) and on average I'm seeing 10ms overhead. I added a benchmark section to the repo as well https://github.com/afshinm/zerobox?tab=readme-ov-file#performance Also, I'm literally wrapping Claude with zerobox now! No latency issues at all.
The text says that it uses OS-level tools, specifically bubble wrap on Linux.
That's right. It uses the same kernel mechanisms as Docker, the runtime is different though (bwrap on linux, seatbelt on mac, etc.)
Cool project, and I think there would be a lot of value in just logging all operations.
Agreed. I added the `--debug` flag this morning. It does simple logging including the proxy calls: ``` $ zerobox --debug --allow-net=httpbin.org -- curl 2026-04-01T18:06:33.928486Z CONNECT blocked (client=127.0.0.1:59225, host=example.com, reason=not_allowed) curl: (56) CONNECT tunnel failed, response 403 ``` I'm planning on adding otel integration as well.
↙ time adjusted for second-chance
Playing Wolfenstein 3D with one hand in 2026 (arstechnica.com)
Creating a Wolfenstein-style engine is a great programming project if you're learning a new language or graphics library. You can smash out a flat shaded version in an afternoon, or go crazy adding all kinds of features and take it as far as you want to go. https://youtu.be/gYRrGTC7GtA?si=o6-l7XAPpw3z_36t
Ceiling and floor casting is tricky, and pretty expensive at times. Getting vertical panning to work too is tricky but well worth it.
Interestingly enough, the Mac version (done by Burger Bill/Becky) was a port of the Super NES version (which was done by iD) https://github.com/Blzut3/Wolf3D-Mac
That caused me to go down a rabbit hole. The //GS version was released 3 years after the computer was discontinued and you basically had to have a sound card. I remember it running OK on my LCII with a 68030/40Mhz accelerator and later on a PowerMac 6100/60.
Here's an awesome free wolfenstein game series based on DOOM source port https://boa.realm667.com/ ..... This is also fun, more arcadey, like an updated version of the original, also using DOOM source port. https://www.moddb.com/mods/brutal-wolfenstein-3d ..... and if u still want more there's this https://www.moddb.com/mods/wolfendoom
I just noticed their April's Fools joke, nice! https://boa.realm667.com/?view=article&id=270:blade-of-agony-supports-dlss5&catid=8
EmDash – a spiritual successor to WordPress that solves plugin security (blog.cloudflare.com)
Will you look at it. Another Wordpress “killer”. Wordpress has that market share because it can be easily installed in a wide variety of servers and because of its plugin ecosystem of dozens of thousands of plugins and huge flexibility/customizability. Wordpress is one of the most flexible pieces of software out there and none of the competition seem to get why Wordpress is so popular.
"solve security" - that's an April Fools joke if I ever heard one.
EmDash on Apr 1 come on guys
I am not sure if this is an April fool joke anymore in the age of AI.
deployed it on vercel for lolz - it works!
Spiritually bankrupt, that should just be considered marketing material.
the plugin security problem in WordPress was never really a code quality problem - it was a trust model problem. any developer could publish a plugin and any site owner could install it with one click, with no vetting layer in between. TypeScript and serverless doesn't change that dynamic unless the trust model changes too. curious how EmDash handles third-party plugin permissions at the API boundary.
It runs each sandboxed plugin inside its own dynamic worker, with a separate bridge worker to enforce permissions. The worker only has access to its permitted APIs.
Serious question: Who actually builds stuff on Cloudflare workers? I mean large software projects / services, and not just side projects where the ability to scale-to-zero is perhaps more important than the scale-to-infinity direction. I feel like Cloudflare keeps pushing workers with its full force yet I fail to see the appeal.
I'm building a commercial SaaS product on Workers. So far it's been great. The value proposition is effectively the same as serverless compute in general. Note that Workers is just one (albeit very important) part of their platform: https://developers.cloudflare.com/directory/?product-group=Developer+platform
It's always seemed like a solution looking for a problem.
Convince me this isn’t vibeslop. If Cloudflare really have radically changed their software development philosophy lately, this would actually be an interesting project, being based on Astro and coming with some APIs for programmatic management. Them being so happy about the „cost of software development“ and not going very deep into ecosystem, community or project management doesn’t convince me that this is going to be a worthwhile project, even if, unlike their previous vibe coding demos, this one actually works.
I'm the main engineer on this. I've also been on the Astro core team for two years, so I do think I understand real open source software and community. As the post implies, I did use a lot of agent time on this, but this isn't a vibe-coded weekend project. I've been working full time on this since mid-January.
So EmDash is 100 % compatible with the Wordpress data model? Damn. I mean impressive that we can do that but this will essentially kill commercial open source from smaller players (not saying Wordpress is a small player but compared to Cloudflare they are) as the big players can just buy tokens and churn out copycats of any popular framework or tool, of course "not rewriting it" but just copying its APIs and user interface and general design, then use their popularity and market power to push their own tool over the existing solution. I'm not excited for that.
Malus is (well crafted) satire.
https://fosdem.org/2026/schedule/event/SUVS7G-lets_end_open_source_together_with_this_one_simple_trick/
A WordPress spiritual successor backed by Cloudflare sounds great in theory, but the headline feature, plugin isolation via Dynamic Workers, only works on Cloudflare's runtime. On any other host it's just a TypeScript CMS without the security model that justifies its existence. Open source but architecturally locked in.
> Open source but architecturally locked in. You hit the nail on the head. Cloudflare's new business model is to find popular OSS projects, create a vibe coded alternative that only runs on Cloudflare's infrastructure.
Last time I checked Wordpress was completely fine living in a couple of PHP files on a webspace. That’s like the pinnacle of „serverless“, is it not?
mysql/mariadb and the shared filesystem requirements are a bit different than what lambda/etc provides. So not really, but it's all solvable clearly.
The issue with static sites is they can't do comments.
I bet 99.9% of live Wordpress sites no longer have comments enabled.
Astro would call that an island: https://docs.astro.build/en/concepts/islands/ I guess this is our answer to the question of why Cloudflare acquired it in the first place.
They can - it’s just more complex. You just put the comments into something like firebase/supabase etc or use one of many off the shelf solutions. Free tier is fine.
"Just" sure is doing a lot of heavy lifting in this sentence.
I can assure you this is not an April Fools. Cloudflare does not do that. It should. I miss the days when tech was interesting and fun. Even Steve Jobs, for all his later-day revisionist hard-assed reputation, enjoyed the occasional Easter egg, inside joke, or April Fool's joke.
I appreciate a good April Fools joke, I also appreciate CloudFlare's approach of "we're extra serious today, here's some useful stuff for ya"
I hated that shit. I'd load Slashdot and there was no real content or it was difficult to find real news amongst all the crap. It's not funny. It's annoying.
> wordpress is valuable because it allows very bad developers / marketing people to write very bad code and get away with it, driving extremely low cost solutions for clients who are cost concious. You've sort of nailed it, but this isn't a bad thing. An alternative for these customers does not exist. There's another vertical which is organizations that have armies of writers churning out content. Any kind of publisher or advertiser, basically. There is no better CMS for this. Large organizations like NYT, etc chose to write their own.
>> wordpress is valuable because it allows very bad developers / marketing people to write very bad code and get away with it, driving extremely low cost solutions for clients who are cost concious. > You've sort of nailed it, but this isn't a bad thing. An alternative for these customers does not exist. Yes! I'm locked into WordPress, which I hate, because it's the only platform that will allow a non-developer to maintain it if I get hit by a bus.
yep. we like it because with shopify or other platforms, you run into limitations. with Wordpress I can literally just whip it into whatever shape i want.
Oh I am slow lol Is this an April fools?
Name is a joke, but the project is real
That used to be a major selling point because hosts enabled PHP for a directory devs would FTP things into, but those days are thankfully long gone. I don't think it's any more difficult to host a JS, TS, or anything else, app than it is to host a PHP app today. In fact, PHP is probably more difficult than something like Netlify.
With PHP you can still drop a single file on shared hosting and be up in minutes, with no build step or CDN proxy in the mix. npm deps adds plenty of attack surface on its own. Netlify is fine until you need custom binaries or persistent storage, then it gets weird fast. PHP has plenty of warts, but the ops path stays flatter than Node for the boring case most sites need.
The OpenAI Graveyard: All the Deals and Products That Haven't Happened (forbes.com)
Before he left I use to enjoy enraging a manager several layers above me. In one instance I explained that asking us to cut a few corners to get things done was fine, usually we can figure out acceptable ways of doing it. But then, it is your job to take those fake numbers and figure out how we are doing. No matter how much effort you make if bullshit goes in you know what will come out. Now imagine an entire economy working like that. Like say, LLM's are good enough to run entire companies but you don't get to run a company because you are good at it. LLM's can perfectly manage employee schedules but the real job is more like marriage counseling or group therapy. Somewhere along the road we forgot which jobs make the economy go. They are probably the ones with the lowest salaries as those lack the effort of conjuring the job into existence. Humanity needs obvious things cloths, food, housing, transportation etc but that isn't where the money is. The people cooking the books have the money and they are looking for something like a book cooking book. The market for openAI will be in lying convincingly for the benefit of the investor. Reality must be auctioned off like domain names or search engine placements. Altman is really the perfect guy for the job no one wants. ha-ha Alternatively we could humble ourselves, ask the Chinese how reality works and attempt to steal their fu. It's just a thought.
Unfortunately I would bet OpenClaw will be on the list soon
Unfortunately I would bet OpenClaw is going to be on the list soon
"Disney’s then-CEO Bob Iger... was sold on Sora, too. He lauded Altman’s ability to “look around corners”..." WTF is that supposed to mean? I'm sorry, maybe I'm being dense. I can't figure out what "look around corners" is supposed to mean. "Think outside the box," I guess? Why "look around corners?" I mean, maybe I do get it. Altman has a weird face that looks like you can't predict where his eyes are based on where his head is. "Shifty," one might say. But I doubt that's what Iger meant. It's dumb. It's dumb corporate speak. I'm so sick of this kind of stuff getting a pass. We used to bully people over using the word "synergy." Let's make america anti-corporate-weasel again.
It's missing the voice mode that never reached the level they demoed, and then gradually went to shit from that.
The bubble bursting has almost become eschatological for deniers. Keep praying that it will happen. It won't.
That's also what NFT hypebros said.
And if Forbes is reporting this, that means the actual movers and shakers were talking about this months ago.
I’m not a mover and a shaker. I just have critical thinking skills.
This is important context in the wake of yesterday’s “raise” announcement. A lot of this stuff seems to just quietly never happen once the ink on the PR puff dries. The AI industry increasingly looks in scramble mode to keep the hype going as those storm clouds of financial and business reality get darker and darker on the horizon.
All the “raises” consist of “committed capital” and all of the revenue is annualized. Welcome to dot com 2.0
The circular deals are getting old - it's like rearranging the chairs on the Titanic's deck.
For a company bringing a new technology from zero to mainstream, I think it's pretty normal that there will be a lot of failed attempts at productization. The thing that isn't normal is the degree of experimentation relative to company valuation. Normally once a company reaches $700 B+ valuation, they've figured out their product and monetization strategy. ChatGPT is clearly still iterating heavily on that - not normal for a company that size.
And not normal for a company that has been at it this long. The Apple II went on sale on June 10th, 1977. Visicalc went on sale October 17th, 1979- 860 days separate the two. ChatGPT was opened to the public on November 30th, 2022, which was 1219 days ago- almost 50% more time has elapsed than between the Apple II and Visicalc.
4 years is nothing. I'd expect it to take 10+ years of trial and error until we fully understand every way in which LLMs are (and are not) useful from a go to market perspective. I don't know what to make of your apple comparison. But 4 years from basically 0 users to 100M++ users is insanely fast. And an insanely small amount of time to iterate on the product relative to the rate of user growth.
Anthropic does look healthier, with their enterprise focus. Or am I missing something?
Relative to OAI they are healthier. That isn’t saying much.
> especially when said fancy new thing isn’t retuning value I think this is the key element. Either they can't measure the value, or it's far far lower than anyone wants to believe, or both. I think the problem is less that it makes some coding tasks XX% faster, but that the end to end of a SWEs roles tasks is only improved by some much smaller Y%. If a CTO sets $10k/year spend limits on $500k SWEs.. they must not believe any of the hype.
The problem is that AGI fantasy aside, CTOs at companies are expected to deliver results today and tomorrow. Better to let somebody else hold the bag and train models, then once it finally works as advertised you can ease on the brakes.
Any examples of bad ones? I find them perfectly fine for my queries.
Search for anything mechanically car related and the results are terrible or wrong.
Do you have a concrete example I can reproduce? I searched for things like how to change the filter of X make and model and it seems correct, not sure if that's what you meant.
Ask HN: Who is hiring? (April 2026)
MONUMENTAL | https://www.monumental.co/ | Amsterdam, The Netherlands | Full Time | Onsite We make robots that autonomously construct buildings. We are currently developing and manufacturing our autonomous bricklaying system in the beautiful centre of Amsterdam. And our robots are already earning real revenue operating on construction sites all over the Netherlands. We're looking for experienced software engineers for many roles. You can help us solve problems like: - Data sync and analytics queries across a fleet of robots (that can be offline for hours at a time) - Modelling buildings in code and finding the right UI for operators to edit them - Designing systems for robots to drive safely and fully autonomously around a building site Check out the progress we've already made on Atrium, our operating system for robotics: https://www.monumental.co/atrium We're rapidly scaling up operations and we need experienced engineers who can build the systems that manage all of that complexity. If you think that 'full-stack' could reasonably mean debugging firmware, mixing buckets of mortar _and_ writing React components, we are looking for you. Robotics experience not required! https://www.monumental.co/jobs
Higharc | REMOTE | Full-time | https://higharc.com Thousands of homes have been built with Higharc since 2022. We’re changing the way homebuilders design, sell, estimate, and build, resulting in better, more affordable homes. I’m starting a new Labs team focused on rapid experimentation, to expand our platform and explore new markets in residential construction. I’m looking for a few rare, entrepreneurial founding members: * Staff Software Engineer - https://jobs.ashbyhq.com/higharc/c620be3c-6529-4776-9f02-da16e4117507 * Senior AI Engineer - https://jobs.ashbyhq.com/higharc/4cedbfac-f0ad-42c0-abed-3f161fca27ef * Senior Design Systems Engineer - https://jobs.ashbyhq.com/higharc/26f3d61d-5027-44c8-bd17-b3b748e0cc38 This is an exceptional opportunity to work on something with real-world impact, with a team of talented & passionate folks across a wide range of domains. We are ~200 people across the world (mostly US) and growing quickly. You can reach out to me with questions at "moc.crahgih@yeffamretep".split('').reverse().join('') We are also hiring across all teams (creative tooling, ML, computational geometry, integrations, etc.): https://jobs.ashbyhq.com/higharc
Archer Aviation | San Jose, CA | iOS & Python | Full-Time | https://archer.com Archer is an aerospace company building an all-electric vertical takeoff and landing aircraft with a mission to advance the benefits of sustainable urban air mobility. We're pushing the envelope in aviation software products. We have production aircraft, we own our own airport, and we have a dream of a better future in the sky. We're looking for exceptional engineers who want to push the boundaries of CoreML, low latency peripheral integration, big data and safety critical UI. Reach out to jholt@archer.com and mention HN if you want to build the next chapter in aviation.
Hacker News Post - Who is hiring? QUOBYTE | Santa Clara, CA and Berlin, Germany | Full-time / Remote | ONSITE | https://www.quobyte.com/ At Quobyte we are working on a highly scalable and fault-tolerant software storage system built around a parallel file system core. Our customers use us for large scale AI and HPC clusters in the enterprise and research, k8s and OpenStack infrastructures, and as a scalable backend for SaaS products. There are Quobyte clusters which span tens of thousands of machines and slurp 100s of GB/s! Under the hood, we have built a full-stack fault-tolerant parallel file system, with everything from kernel development over our own replicated database system design to distributed algorithms (Paxos!) and performance. In short: lots of real-world challenging and fun problems! We work as a highly efficient engineering team, ship frequently, do code reviews, and have lots of unit and integration testing. If you’re passionate about systems, we might be the right place for you! Berlin, Germany: * Infrastructure/Support Engineer (40-80k EUR) For detailed job descriptions please and application process, please visit https://www.quobyte.com/company/careers or write to work at quobyte.com.
Authentik Security | Security Engineer | US | REMOTE (anywhere) | Full-time Authentik Security ( https://goauthentik.io ) is the company behind authentik ( https://github.com/goauthentik/authentik ), an open source identity provider with 1M+ unique installations. Help us replace Okta/Auth0, Ping Identity, and Microsoft Entra with modern, secure identity for all! We are a small remote team, looking to scale up with experienced software engineers, primarily with a backend security focus. Bonus points if you have significant experience with identity/SSO standards and/or Django/Python. To apply, please use: https://forms.gle/NYXH4E19LUohbpmJA
Mechanize | San Francisco, CA (Onsite) | Junior SWE ($300k + equity), SWE ($350k + equity) Applying takes <2 min: https://jobs.ashbyhq.com/mechanize We build environments that frontier AI labs use to train their models to do real-world software engineering. Team of ~25. We have more demand than we can keep up with, so we're hiring fast. Backed by Nat Friedman, Daniel Gross, and Patrick Collison.
Stellar | Amsterdam, the Netherlands | Onsite (2 days remote OK) | €70-100k + equity | https://stellarcs.ai Hey, I'm one of Stellar's founders. We're building AI for large contact centers, our primary product is voice. Everyone thinks contact centers are boring. They're wrong. It's the last place where companies actually talk to their customers. We listen to calls every week and it's fascinating. AI here helps real people: shorter wait times, 24/7 support, lower cost. We’ve helped companies go from 60 to 98% pickup rate in weeks. We're bootstrapped, 10 FTE, cash-flow positive, and growing fast with household names in the Netherlands and Belgium. Doubling our volume every month for the last 4 months. We’re all builders. Everybody in our company still writes code. We have 2 roles open: 1. We need product minded engineers who can jump between our Go and TS backends and React frontend. 2. We need implementation leads that love working with clients. FDEs welcome as well. This role is perfect if you: * Want massive ownership at a small team * Actually enjoy solving hard problems (real-time audio at enterprise scale) * Think making AI sound human in niche dialects is a fun challenge Find the full vacancies here: https://www.stellarcs.ai/careers EU work authorization is required. No visa sponsorship available. Apply: e-mail is in my profile, please indicate HN in your e-mail.
LiveMap | Geospatial Engineers (Data & Routing) | Full-Time | Switzerland or Remote (CH, EU, UK) Visa sponsorship is not provided. LiveMap is a funded startup with a vision to build the next generation of mapping apps (think hyper-personalised Google Maps). How that looks is still being explored so we're building prototypes, getting them into customer hands and iterating quickly. We're looking to bring on a couple of people to help accelerate this development process. As a data engineer you'll set up a data pipeline, work with product to identify relevant datasets, connect, persist and expose that data. Working on the routing engine you'll extend off the shelf routing engines (Graphhopper) to take into account dynamic run-time preferences & attributes (think temporal). Please find more information and application forms at the links: • Geospatial data/backend engineer - https://tally.so/r/68vdyB • Routing engineer - https://tally.so/r/obdAY1 Happy hacking
Tandem Health | Software Engineers | On-site in Stockholm, Sweden | Full time At Tandem Health we're building a clinician copilot to allow clinicians to focus on care rather than administration. We’re building, launching and iterating quickly, and are already rolling out across some of the largest care chains across Europe, including most of the NHS. Our first product listens in to the patient-clinician encounter to generate medical records, allowing clinicians to save 5-10 minutes per patient. No longer do clinicians have to catch up on administration after hours. We’re expanding our Stockholm team with exceptional builders in a wide range of roles. More info at https://tandemhealth.ai/about/careers Feel free to reach out to john.moberg@tandemhealth.ai if you have any questions!
FUTO | Software Engineers | Austin, TX | Remote or Onsite | Full Time FUTO is an organization dedicated to developing, both through in-house engineering and investment, technologies that frustrate centralization and industry consolidation. Our work consists of a combination of in-house engineering projects, targeted investments, generous grants, and multi-media public education efforts. We are hiring for a few of our projects, Immich and Grayjay. Immich is on a mission to provide a secure and private home for your most precious memories through our high-performance, self-hostable photo and video backup solution. Grayjay is a privacy first media application that lets users follow creators, not platforms. The app aggregates content from multiple video sources including YouTube, Rumble, Twitch, PeerTube, Odysee, and more, into a single unified experience. Grayjay gives users full control over their viewing experience. Roles currently available: Mobile Developer - Immich : https://futo.tech/jobs/mobile-developer-immich Android/iOS Mobile Engineer - Grayjay : https://futo.tech/jobs/mobile-engineer-grayjay Plugin Engineer - Grayjay : https://futo.tech/jobs/plugin-engineer-grayjay More details and job postings here: https://futo.tech/jobs To apply, send your resume and cover letter to jobs at futo dot org.
ReadWorks (YC-backed nonprofit - Imagine K12 F'14) | REMOTE (US) | Contract, part-time (~20 hrs/week) | $70–110/hr ReadWorks is a nonprofit that provides free, research-based reading comprehension resources to 11M+ K–12 students and teachers — focused on under-resourced communities. We're looking for a Senior Data Engineer to help us design and build a scalable, event-driven data pipeline. You'll be a key technical voice in shaping our data infrastructure — evaluating tradeoffs, establishing patterns, and guiding migration from our legacy system to a modern data architecture. Stack: Python, AWS Lambda, DynamoDB, S3, SQS, Redshift, EventBridge, AWS CDK You're a good fit if you have: - Experience designing event-driven ETL pipelines at scale - Data warehouse experience (Redshift or similar) - Comfort working with and debugging distributed data systems - Nice to have: Ruby (to read the legacy jobs you're replacing) Apply: Email your details (CV/Resume, Cover Letter, or any other info we should know about you) to engineering at readworks.org More details about ReadWorks: https://about.readworks.org/ More about the role: https://about.readworks.org/careers.html
Zed Industries | North America, South America, Europe REMOTE | https://zed.dev/ Zed is a company for developers, by developers. All 3 of our founders have spent years in the trenches writing software and still do it almost every single day. We've raised $42M to support our ultimate vision, a new way to collaborate on software, where conversations about code remain connected to the code itself, instead of being tied to aging snapshots or scattered across different tools. The first step was creating a high-quality editor to serve as the user interface. Now this new investment lets us expand to tackle the next phase of our plan. We're developing a new kind of operation-based version control that incrementally tracks the evolution of your code with edit-level granularity, and we're integrating it into Zed to make collaboration, both with agents and teammates, a first-class part of the coding experience. What we look for and how we build - https://zed.dev/blog/hiring Rust Engineer - https://zed.dev/jobs/rust-engineer AI Rust Engineer - https://zed.dev/jobs/ai-engineer Product Designer - https://zed.dev/jobs/product-designer Open Source Engineer - https://zed.dev/jobs/open-source-engineer
Pango | Senior Software Engineer - Full Stack, Technical Lead / Software Engineer | On-site (hybrid) in Stockholm, Sweden (Visa Sponsorship possible) | Full time Pango is building the world's first Agentic Operating System for e-commerce logistics. Our vision is to create the AI e-commerce employee of the future. We are forming our core team in Stockholm and are looking for exceptional engineers. We have achieved a product-market fit and are growing rapidly. You are a good fit if: * You are comfortable maintaining, expanding and operating a substantial chunk of a B2B SaaS platform with a high sense of ownership. * You are happy to take on work that in a large company is divided into multiple roles, and execute it all at an excellent level. * You are unafraid of any technology. If we need a desktop app and you haven't done one before, you will study the documentation of Electron.js and build one. If a model for predicting delivery times is needed, you will do a literature review to find the right architecture and train one. * You have strong proficiency in any backend language or platform, with a strong willingness to dive deep into PHP/Laravel OR strong proficiency in JS/React. * E-commerce (Shopify, Magento, other platforms, shipping carrier integrations) experience is a plus. * Extra points if you write the initial email - however short - using your own words. You will take a key role in shaping the product and company, with ability to make an impact and advance career limited only by your aptitude and interest. Reach out to lukasz@pango.ai if you are interested or have any questions. We review applications immediately and move quickly.
flaconi | Germany / Berlin | Full Time | https://www.flaconi.de | e-commerce flaconi is an online e-commerce for beauty products, founded in 2011 in Berlin. We are active in 12 countries and expanding to more. We're primarily on AWS, use React, Next.js, Vercel for web, Flutter for our mobile app - you will find more details on the job listings. Note: Visa "sponsorship" takes a while, so ideally you already are in EU / Germany with a work permit. 1. Staff Software Engineer - Frontend - €85.000 - €105.000 EUR - https://grnh.se/kke6q552teu - we will very likely work together. Happy to answer questions. 2. QA Engineer Mobile - €60.000 - €83.000 EUR - https://grnh.se/ad3i2y62teu
Ask HN: Who wants to be hired? (April 2026)
Location: Nashville, TN Remote: true Willing to relocate: boston || nashville Technologies: Python, Django, IaC, Terraform, Golang, CI/CD, Azure/AWS, {ba,z}sh, Lua, Springboot, Redis, Docker, Open Service Broker, {,non}relational & vector dbs, shared services, SOA Email: mvdoster@gmail.com resume: https://linkedin.vdoster.com && http://github.com/vladdoster sr. cloud software engineer @ Mastercard (5 years) Designed and built Platform-as-a-Service for microservice workloads running on Azure and AWS to migrate on-prem workloads to the cloud. The platform operates globally, allowing teams to deploy to several Azure-backed regions worldwide. Helped plan and create regional landing zones in Azure for application teams wanting to perform globally. Designed platform components using Terraform, Go, and Node; developed support tooling using Bash, Python, and Azure CLI. De-risk the platform by addressing security vulnerabilities and ensuring the platform is PCI compliant. api/devops software engineer @ Harvard Medical School (2 years) Worked as part of the DevOps team to manage a 15k core CentOS HPC cluster. Designed and implemented Python-based security scanning pipeline to securely deploy & run Apptainer images via SLURM. Coordinated cross-team emergency patching efforts. Collaborated with researchers and engineers across 3-letter institutions to deliver secure research infrastructure. Built CI/CD Pipelines with GitHub, Jenkins, to automate code builds, testing, and deployments. Wrote Puppet modules to manage configuration of HPC fleet. Wrote custom Puppet module & Python scripts to automatically remediate Tenable findings. full-stack software engineer @ Global Prior Art (3 years) Used Django, Celery, Selenium grid, and AWS API Gateway for IP rotation to scrape USPTO patent PDFs, apply CV for data extraction, and generate reports with relevant claims, saving employees 4-5 hours daily. Wrote E2E black-box/fuzzing unit tests. Automated on-premise deployment via Github Actions and Ansible.
Location: San Francisco / Bay Area Remote: Hybrid pref Willing to relocate: No Technologies: AI, Python/Django/React, JS/Typescript/React/Redux, Art, Music, Vector Graphics Resume/CV: https://drive.google.com/file/d/1wKtqnZUyyBtGGhXzSZSUQptW_JcIaqFc/view?usp=sharing Email: see resume Hi! I'm Graham, a creative technologist, former YC W23 founder, engineer and designer. Especially interested in prototyper/creative technologist roles. Need a technical person who knows how to build things zero to one, has strong backgrounds in both tech and art, and soft skills like marketing and communication? I'm your person!
SEEKING CONTRACT WORK - remote, email in profile. Location: West coast, remote only. I'm a data scientist with more than 15 years experience who has worked with major automakers, shipping companies, and F100 companies, I'm looking for my next project. An ideal fit is a small/medium company with green or brownfield problems that need solving. I'm skilled at building from 0 to 1, I normally do what is now called data engineer, data scientist, and machine learning engineer as one person. My work usually involves finding non-traditional datasources - Once it was USDA data for rural community demographic enrichment, Several times it was getting hands on with people or equipment. If we work together I'll do what I need to in order to solve the problem. Technologies/techniques: Machine learning/AI, LLM's/RAG, All the tools surrounding ML and AI, A whole host of others. Contact me if you have a tough challenge I can gnaw on.
Penetration Tester / Offensive Security Location: Tbilisi, Georgia Remote: Yes Willing to relocate: Yes Technologies: Burp Suite, Metasploit, BloodHound, Cobalt Strike, Frida, Nessus, Nmap, SonarQube, Fortify, Python, Go, Bash, Docker, Kubernetes, Terraform, AWS, Active Directory, OWASP WSTG/MASTG Résumé/CV: https://mrkz.sh/768bff59356a6578.pdf Email: gujamrkz@pm.me
Location: SF Bay Area, California Remote: Open to all Willing to relocate: Open to west coast Technologies: Full stack web dev for over a decade, in recent years been focused on hobby game development projects using Babylon JS/WebGL and working with C++ and Go server-side (for multiplayer stuff). Many years of project and product management as well. I have some cool projects! See my personal site for email and some of those projects: https://brynnbateman.com/ Coolest recent one is probably https://www.idlequest.net/ , which is an idle-game web-based version of classic EverQuest, complete with its original 3D graphics in-browser and a real-time MMO server! Looking largely for product engineering positions, or project/product management style work. Have done both and enjoy both a lot.
New patches allow building Linux IPv6-only (phoronix.com)
Why not just type in "mates-pc" and have functional mDNS and not have to memorize a bunch of numbers? Why not just expect your OS's DNS setup to actually just work?
Because mDNS usually doesn't work and just expecting it to work doesn't change that?
I would like this option, to make it easier to run a CI environment truly IPv6-only. As in socket() to create a v4 socket should fail. seccomp could only do this partially, in that there are other avenues (e.g. io_uring), and I want it to be the case throughout the boot process.
Creating a v4 socket should map to a v6 address lower down, making v6 transparent to v4 only applications.
So run fc00::/7 addresses with IPv6 NAT. That addresses all of your concerns, and you have that option.
Sure you can do that So what's the point in ipv6?
You can do fc00::/7 in addition to public addresses so your lights don't have public address while your phone does.
Why don't you want every device to have a public IP? There seems to be a perception that this is somehow insecure, but the default configuration of any router is to firewall everything. And one small bonus of the huge size of a /64 is that port scanning is not feasible, unlike in the old days when you could trivially scan a whole IPv4 /24 of a company that forgot to configure their firewall. NAT may work fine for your setup, but it can be a huge headache for some users, especially users on CGNAT. How many years of human effort have gone towards unnecessary NAT workarounds? With IPv6, if you want a peer-to-peer connection between firewalled peers, you do a quick UDP hole punch and you're done - since everything has a unique IP, you don't even need to worry about remapping port numbers. Your ISP shouldn't be rotating your /64, although unfortunately many do since they are still IPv4-brained when it comes to prefix assignment. Best practice is to assign a static /56 per customer, although admittedly this isn't always followed. And if you don't need a /48... don't use it? 99.99% of home customers will just automatically use the first /64 in the block, and that's totally fine. There's a ton of address space available, there's no drawback to giving every customer a /56 or even a /48.
My ISP doesn't rotate my /48 However if I change my ISP I get a new one, and that means a renumbering.
> Why don't you want every device to have a public IP? What would be the advantage in it?
Trivially easy do direct connections between devices (if desired), no issues when creating VPNs between networks using private ranges. What would be the disadvantage?
Temporary addresses are enabled by default in OSX, windows, android, and iOS. That's what, like 95% of the consumer non-server market? As for Linux, that's going to be up to each distro to decide what their defaults are. It looks like they are _not_ the default on FreeBSD, which makes sense because that OS is primarily targeting servers (even though I use it on my laptop).
Temporary addresses are used by any Linux distro using NetworkManager (all desktop ones). For server distros, it can differ.
Not every device can run its own firewall. IoT devices, NVR systems, etc should be cordoned off from the internet but typically cannot run their own firewall.
Sure, but they sit on an iot vlan where your firewall prevents access except specificly allowed services
[delayed]
NAT is arguably a very broken solution.IPv4 isn't meant to be doing address translation, period. NAT creates all sorts of issues because in the end you're still pretending all communications are end to end, just with a proxy. We had to invent STUN and all sorts of hole punching techniques just to make things work decently, but they are lacking and have lots of issues we can't fix without changing IPv4. I do see why some people may like it, but it isn't a security measure and there are like a billion different ways to have better, more reliable security with IPv6. The "I don't want my devices to have public, discoverable IPs" is moot when you have literally billions of addresses assigned to you. with the /48 your ISP is supposed to assign you you may have 4 billion devices connected, each one with a set of 281 trillion unique addresses. You could randomly pick an IP per TCP/UDP connection and not exhaust them in _centuries_. The whole argument is kind of moot IMHO, we have ways to do privacy on top of IPv6 that don't require fucking up your network stack and having rendezvous servers setting that up. We may also argue that NAT basically forces you to rely on cloud services - even doing a basic peer to peer VoIP call is a poor experience as soon as you have 2 layers of NAT. We had to move to centralised services because IPv4 made hosting your own content extremely hard, causing little interest in symmetrical DSL/fiber, leading to less interest into ensuring peer to peer connections between consumers are fast enough, which lead to the rise of cloud and so on. I truly believe that the Internet would be way different today if people could just access their computers from anywhere back in the '00s without having to know networking
And the worst part about CGNAT is that you have two bad solutions: Either EIM/EIF (preferably with hairpinning) where you can practically do direct connections but you have to limit users to a really low number of "connections" breaking power users. Or EDM/EDF where users have a higher number of "connections" but it's completely impossible to do direct connections (at least not in any video/voice calling system).
Aren't your home addresses assigned by your local router?
the ISP can see 58 different ipv6 addresses sending packets in the last hour With ipv4 it can see one ipv4 address Now sure that 58 could all be on one device with 58 different IPs and using a different one for each connection In reality that's not the case.
Is BGP safe yet? (isbgpsafeyet.com)
Does not take BGPSec[1] into account, just RPKI. [1]: https://en.wikipedia.org/wiki/BGPsec
RPKI doesn't make BGP safe, it makes it safer . BGP hijacks can still happen. RPKI only secures the ownership information of a given prefix, not the path to that prefix. Under RPKI, an attacker can still claim to be on the path to a victim AS, and get the victim's traffic sent to it. The solution to this was supposed to be BGPSec, but it's widely seen as un-deployable.
I think RPKI is good enough. As we have TLS on top it doesn't need to be perfect.
Only with certificate pinning or something similar. Otherwise, the attacker can get valid TLS certificates for any domain hosted on the hijacked IP addresses.
> SCION right now provides the backbone for the Swiss financial network moving 200 billion CHF each day This is a meaningless benchmark - for a small group of trusted big enterprises with insurance policies and mutually signed contracts you could've just as well used OSPF with zero filters. The benchmark would be adoption by an actual large number of parties that don't/can't talk to eachother spread across the world. With a large chunk of them being malicious or incompetent to the point of being effectively malicious.
I'm not claiming that this shows SCION can replace the respective parts of the network stack right now, and you're right that at a global scale this is still an unproven technology. But I would argue that a technology needs a certain level of matureness / is not "snake oil" if it is deployed in a heavily regulated and comparatively conservative sector such as banking.
T-Mobile consists of at least five distinct networks depending on when your carrier was purchased, last time I was talking with some of the network security guys in Factoria. It’s been four years - they may have converged some of them.
Also failing here in the Los Angeles area. Used to be on Sprint before the acquisition. Probably location dependent
Random numbers, Persian code: A mysterious signal transfixes radio sleuths (rferl.org)
For intelligence agencies, it is important to communicate with their spies to gather intelligence,” says John Sipher, a former US intelligence officer Is Sipher really his name. Nominative determinism strikes again. Sifr is also a valid word both in Farsi, I think. An Ironic and cruel pun.
More so if you know the etymology, https://www.etymonline.com/word/cipher (Al Jabr, the translator of Indian Mathematical texts was a Persian IIRC)
You'd be amazed how many firefighters I know called "Burns", even leaving aside Ayrshire where lots of people are not-too-distantly related to a famous poet who, to put it mildly, put it about a bit.
I wonder why they keep using a dedicated numbers station instead of embedding the code in a regular radio broadcast on a traditional channel? I'm sure that even before LLMs one could find a way to create a story where certain numbers / code words would be embedded without altering the underlying story too much. And they could probably get BBC / whatever station to air it. It would be a bit less inconspicuous to listen to BBC than to a dedicated numbers station, even if the message would be undecryptable either way.
> "I'm sure that even before LLMs one could find a way to create a story where certain numbers / code words would be embedded without altering the underlying story too much." It's called steganography , and it's a centuries if not millennia old technique.
I think they do this, too. However, the numbers stations transmissions are never a big secret. They're intentionally powerful so someone can pick them up on simple equipment without raising suspicion. A person can modify an off-the-shelf AM radio to pick up shortwave, for example, even in an oppressive regime. It's a one-time pad, so the encryption is unbreakable.
I can't find it immediately, but I've read about something even sneakier than this. A standard broadcast station was modified such that its carrier signal was modulated by a PSK signal. The intended listener would use e.g., a PSK-31 modem to listen to the carrier signal and would be able to obtain the encoded digital data. Everyday listeners would hear the regular broadcast. The station involved _might_ have been a BBC station, but I don't recall.
You could technically just transmit data via RDS, too. Change a letter here and there and nobody would know whether that’s a decoding error or actual ciphertext. (Would need some kind of checksum or so, of course.) @windytan did a fascinating audio clip highlighting the RDS data stream in a radio recording some while ago: https://soundcloud.com/windytan-1/rds-mixdown
Like the article says, satellite messages can be traced while radio is broadcast to everyone so it's impossible to find out who's listening. Shortwave radios are also cheap and widespread, so it's easy to get one anywhere in the world and if your house gets searched, it won't be suspicious if you have one.
> Like the article says, satellite messages can be traced while radio is broadcast to everyone I don't buy it. Satellite downlinks are broadcast to everyone under a potentially massive footprint. Take a look at the footprint for QO-100 which you could use with very inexpensive equipment that looks pretty much like a normal satellite TV dish. https://jeremyclark.ca/wp/telecom/sdr-for-qo-100-satellite-reception-planning/
Phones usually contain the hardware for radio too, so making sure agents have some set of models for that doesn't sound bad. Even if you had to use a dedicated one having a radio at home isn't that conspicuous? Or in a car, etc
ooh, new fodder for conspiracies about electric cars not having AM radios :-)
It’s simple, reliable, and effective. Shortwave receivers can be made fairly compact. They’re also very prevalent in most countries (every ham transciever), so there’s nothing suspicious to pack. People find numbers stations interesting, so they are often streamed online. One time pads have their logistical shortcomings, but are still the best encryption possible. The OTP can be compromised in known, visible ways, where a phone has myriad invisible ways to be compromised.
You could probably cheat with the one time pad and use a book as a key, pick a pre determined starting point go diagonally down accross the page convert the letters to numbers and xor that against the message. It would be near enough to random and less conspicuous than a pad of random numbers when searched.
The Document Foundation ejects its core developers (collaboraonline.com)
The (top-level only) adversaries in this unfortunate drama: https://www.documentfoundation.org/board/ https://www.collaboraonline.com/about-us/
I was interested in this but the sarcastic and advertorial tone stopped me from getting to the end. It sounds like it describes a real problem but as someone who has not been following the issue it's impossible to separate the facts from the fulmination. I can't tell if something has gone badly wrong with the LibreOffice project or the writer is insinuating as such to promote their own.
This is ironic timing given the OnlyOffice/Euro-Office drama https://www.heise.de/en/news/Euro-Office-OnlyOffice-accuses-of-license-violations-11241334.html
Microsoft really has nothing to fear ...
I'm sorry it's confusing, perhaps an attempt to add humor to a bleak and dramatic change in the LibreOffice project has made it less than clear. The bald facts are fairly simple: The Document Foundation, now ~controlled by its non-programmer staff just ejected its main core code contributors based on complicated and apparently contrived reasons. Lots of non-profits get bogged down in pointless in-fighting that eats away at their purpose sadly.
Hey Michael, that's alright but can you perhaps edit the article to have all the facts clear out there in the manner that Markus has said. There are times to be satirical, don't get me wrong, but those are usually when the dust is settled and maybe a reminiscence on the past. Have a nice day and I hope that something positive comes out of all of it. I always believe that there are only few projects which get to the eyes of the general public enough to get funded, LibreOffice is one of the very few. People trust Libreoffice with donations and money to fight against Microsoft and show a path of freedom. For the document foundation to betray the people who programmed the code in the first place, is also, a betrayal of the people who have funded libreoffice for years, who would love to demand more answers and I hope that in the article, that you can talk _effectively_ to them. It's really sad to see all of this happen and I wish if something happens as I don't wish for people to lose hope in open source foundations with cases like these.
Conversely, I feel like a company with a cracker jack support team to match their sales team could profitably sell support for ALSA if they wanted to.
ALSA?
Haha, imagine it Apache would merge LibreOffice back to OpenOffice, and developers also switched. Would be the circle of the decade. On a different note, this industry used to have so much more fun - just solving puzzles to herd bits - before it was flooded by politics.
> On a different note, this industry used to have so much more fun - just solving puzzles to herd bits - before it was flooded by politics. when was that, in the 80s?
https://community.documentfoundation.org/c/board-discuss/26 Looks like there is rebellion in the forums...
Ah - well, with many staff having been kicked out without a word of thanks or apology after, in some cases, decades of work, tens of thousands of commits, and huge amounts of love and effort poured into the project - it is perhaps fitting that a colleague from the Collabora team publicly thanks them for, and acknowledges at least a little of their contribution to LibreOffice. Do have a read.
 Top