Hacker News Evening Brief: 2026-05-09


Welcome to tonight’s HN briefing. Thirty stories surfaced on the front page today, spanning kernel security primitives, a subquadratic context window claim, PFAS pollution in the American South, and the ongoing tension between government surveillance and press freedom. Here’s what was discussed.

AI & Tech Policy

The Intolerable Hypocrisy of Cyberlibertarianism

Summary: A 14-year tech industry veteran argues that the privacy and freedom principles championed by early Internet pioneers are routinely abandoned when they conflict with commercial interests. The essay traces the shift from a vision of an autonomous, untrackable digital frontier to modern surveillance capitalism and government-aligned platforms. Duggan calls out the gap between rhetorical commitments to liberty and the actual practices dominating today’s tech ecosystem.

HN Discussion: One commenter who personally knew John Perry Barlow agrees with portions of the analysis but defends parts of the Declaration of the Independence of Cyberspace. Others highlight a common startup playbook: do something technically legal, scale massively, then lobby government to criminalize competitors’ behavior—effectively asking regulators for protection. Some also note that cryptography’s promise of individual privacy is complicated by the reality that TLS circuits can still shield exploitative interactions between consenting parties.

LLMs Corrupt Your Documents When You Delegate

Summary: A new arXiv paper introduces DELEGATE-52, a benchmark evaluating how LLMs handle long delegated workflows across 52 professional domains. The study finds that round-tripping documents through LLM-based delegation progressively corrupts content—analogous to repeated JPEG compression degrading intent and precision. Even tool-assisted agentic pipelines failed to prevent the degradation, challenging assumptions about what agentic guardrails can achieve.

HN Discussion: Commenters compare the effect to progressive JPEG corruption: each rewording pass loses nuance and specificity until the text becomes semantically ablated. Some experienced users report mitigating this by treating LLMs as “rendering” passes only, storing knowledge as composable fact files instead of delegating document editing directly. Simonw questions whether the paper’s tool-use test setup was rigorous enough to rule out better agentic designs.

Introduction to Beaver Triples

Summary: An educational article introducing Beaver Triples—a cryptographic pre-processing technique used in secure multi-party computation (MPC). The post explains how secret shares can be used for computing with privacy guarantees, building up from basic MPC concepts to practical application of Beaver Triples. It is written as part of an “MPC Made Simple” series focused on privacy-first application development.

HN Discussion: A reader reports Safari crashing on their iPhone 16 while viewing the site, questioning its mobile performance. The technical depth appears aimed at developers looking to understand MPC foundations rather than practitioners seeking immediate implementation guidance.

The Context Window Has Been Shattered: Subquadratic Debuts a 12M Token Window

Summary: Subquadratic announces a 12 million token context window for its language models, claiming subquadratic attention complexity to make the scale feasible. No technical report or code has been published yet, raising skepticism about whether the claims can be independently verified. The announcement targets use cases requiring processing of entire codebases, long legal documents, or extended multi-document analysis.

HN Discussion: Readers express healthy skepticism given the lack of a technical report, comparing this to previous context-window announcements that lacked substance. One commenter speculates it may use DeepSeek-style sparse attention with content-based granularity, but notes VC-funded companies often withhold details to protect investment narratives. The community recalls prior HN discussions about similar claims, maintaining a watchful eye on the gap between marketing and reality.


Security & Privacy

CPanel’s Black Week: 3 New Vulnerabilities Patched After Attack on 44k Servers

Summary: Ten days after ransomware compromised 44,000 cPanel servers, the company released an emergency patch covering three new vulnerabilities—two rated CVSS 8.8. CVE-2026-29201 (arbitrary file read), CVE-2026-29202 (Perl code execution), and CVE-2026-29203 (privilege escalation) were uncovered during a deeper audit triggered by the attack response. This marks cPanel’s second Technical Security Release in 10 days, an unusually rapid cadence for the platform.

HN Discussion: Commenters note that millions of servers still run cPanel with inadequate sandboxing, allowing client code to execute with too many privileges. The discussion recalls older vulnerabilities in legacy systems like php-Nuke, highlighting how deeply embedded and long-neglected these codebases remain. Many express surprise that anyone still relies on cPanel given the mounting security incidents.

America’s Carpet Capital: An Empire and Its Toxic Legacy

Summary: An AP investigation traces how carpet mills in northwest Georgia used PFAS-based Scotchgard for decades, releasing “forever chemicals” into the Conasauga River. The article profiles Bob Shaw, CEO of Shaw Industries—the world’s largest carpet company—and his confrontations with 3M over environmental concerns that ultimately led to product reformulation. Local communities bear long-term health and environmental consequences while executives question their culpability only upon retirement.

HN Discussion: Readers express frustration that industry figures waited until retirement to speak out while maintaining innocence, calling it a moral failure across all parties involved. One commenter notes PFAS were known to cause issues for a long time, making the CEO’s surprise at downstream effects seem naive given regulatory pressure already in play. Others flag carpet as a major microplastics source alongside clothing and car tires—a dimension the article omits.

GrapheneOS Fixes Android VPN Leak Google Refused to Patch

Summary: GrapheneOS developed a fix for an Android VPN bypass vulnerability that Google declined to patch in stock Android. The bug allowed system_server—a process with elevated networking privileges—to route traffic outside the VPN tunnel, undermining user privacy regardless of which VPN app was configured. Google authorized public disclosure on April 29 but delayed releasing the fix until May.

HN Discussion: Commenters express disbelief that a VPN leak could be classified as “not a security issue” by Google, questioning how corporate pride survives such classifications. The Android permission model comes under fire: because system_server is exempt from VPN routing restrictions, no app-level VPN can truly guarantee traffic isolation on stock Android. Some praise Google’s eventual disclosure but question the delay between authorization and fix release.


Geopolitics & War

First, the FBI Searched Her Home. Then, She Won a Pulitzer.

Summary: Hannah Natanson of the Washington Post wins a Pulitzer Prize after facing an FBI investigation into her sources for an explosive article on Kash Patel. The article traces the sequence from home search to press freedom concerns, detailing how federal investigation of a journalist’s home became a flashpoint for media law. It follows earlier incidents including the FBI raid on the Washington Post reporter’s home that drew 946 points on HN.

HN Discussion: Links to related flagged HN discussions about Kash Patel and press freedom concerns surface in the comments as readers trace the broader pattern of government-journalist tension. Readers discuss the chilling effect such investigations may have on sources willing to speak with investigative journalists about sensitive government operations.

US Government Releases First Batch of UAP Documents and Videos

Summary: The US Department of Defense releases its first official batch of Unidentified Anomalous Phenomena (UAP) documents and declassified video footage. The materials include several previously leaked videos, with the official release attempting to contextualize footage that has circulated widely online for years.

HN Discussion: Commenters analyze the released videos, noting several clips clearly show balloons, birds, and missiles viewed through infrared cameras with motion blur artifacts. Skeptics suggest the release timing serves as a distraction tactic following an unsatisfactory war conclusion, speculating about how many such releases might occur before November. One reader recommends Mick West’s YouTube channel for evidence-based UFO analysis as a counterpoint to uncritical consumption of official footage.


Tech Tools & Projects

Building the TD4 4-Bit CPU

Summary: An engineer documents building the TD4, a famous 4-bit CPU from Kaoru Tonami’s Japanese book How to Build a CPU, using only 74-series TTL logic ICs. The design features 12 instructions and a 16-byte ROM implemented via DIP switches, operating on 5V powered via USB. The author translated the book themselves, sourced most components locally, and successfully tested swapping 74HC chips for 74LS series.

HN Discussion: Commenters praise the project as an excellent concrete way to illustrate CPU principles, with one recalling a BASIC “PicoProcessor” emulator from 1983 that taught similar concepts. Others mention Ben Eater’s 8-bit computer and the Nand2Tetris course as related learning resources worth exploring. A reader notes Firefox Reader mode is essential for mobile reading due to intrusive popups on the blog.

I Will Not Add Query Strings to Your URLs

Summary: Systems programmer Susam Pal writes a manifesto-like post rejecting query strings in URLs, inspired by Chris Morgan’s earlier article “I’ve banned query strings.” Pal reflects on learning web development as a hobbyist and how studying others’ code led him to adopt practices that were fashionable but not necessarily optimal. He argues that query strings encourage URL pollution and advocates for cleaner, more semantic URL design.

HN Discussion: The absence of comments on this post is notable—readers either agree silently or find the topic too narrow for extended discussion. Some HN users with strong opinions on URL design debate whether banning query strings entirely goes too far, particularly for search parameters and API endpoints.

Show HN: I Wrote a Flight Simulator in My Own Programming Language

Summary: A developer shares a self-contained flight simulator built entirely in a custom programming language of their own design. The project demonstrates practical application of the language’s features—combining concepts from Zig and Rust—in a complete interactive application. It is available as an open-source GitHub repository for others to try and extend.

HN Discussion: Commenters note the clever combination of Zig and Rust-inspired syntax, with one specifically asking about performance characteristics compared to traditional game engines. The project generates genuine interest in the custom language itself—readers want to understand what design problems it was meant to solve and whether it has practical applications beyond toy projects.

Show HN: Mochi.js — Bun-Native High-Fidelity Browser Automation Library

Summary: Mochi.js is a Bun-native browser automation framework built on raw CDP, positioning itself against Playwright and Puppeteer. It generates relationally-coherent browser fingerprints from a seed and profile using a 48-rule dependency graph, claiming to avoid the detection signatures left by conventional automation tools. Features include Chromium-native fetch with real JA4/JA3, behavioral synthesis mimicking human biomechanics via Bezier paths, and configurable bot-detection evasion.

HN Discussion: Critics point out that the homepage and docs are nearly unreadable on mobile despite cheeky marketing language about leaving “no crumbs.” One reader questions whether publishing fingerprint evasion mechanisms publicly defeats their purpose—essentially giving fingerprinting services data to improve detection. The project uses BDD-style English assertions for test readability, which draws mixed reactions from automation developers.

Show HN: Free Tool to Mark Points and Polygon Regions

Summary: Tack is a free, offline-capable web application for marking precise pixel coordinates and drawing polygon regions on images. It supports point placement, polygons, rectangles, ellipses, and bezier-curve shapes with keyboard shortcuts and export to JSON, YAML, or HTML. The tool operates entirely client-side with no server dependency after installation as a PWA.

HN Discussion: A reader points out the irony of “Tack works best on a bigger screen” messaging when the app doesn’t support mobile users—the developer instead shows desktop-only functionality videos. Another user shares using similar image annotation for visualizing light string layouts with AI, finding value in the coordinate-extraction capability. The open-source and offline PWA approach earns positive comments from privacy-conscious users.

Read Programming as Theory Building

Summary: A reflection on Peter Naur’s classic paper “Programming as Theory Building,” arguing that code and documentation are secondary to the mental model of the system being built. Naur’s central thesis: programming is fundamentally about constructing an understanding of requirements, design, and how they relate—the program itself is just a representation of that theory. The author discovered the paper late but considers it the missing conceptual link explaining why writing good software is so difficult.

HN Discussion: Readers emphasize its relevance today as LLM-generated code accumulates—without a mental model of the system, developers are “accumulating more and more code that we don’t understand.” Some critique “theory building” as a name for what they consider effective design decomposition, factoring, and representation work. The Curry-Howard correspondence is cited as making this literally true: programming constructs are proofs about program behavior.

Making Julia as Fast as C++ (2019)

Summary: An article from a university aerodynamics lab walks through optimizing Julia code to match C++ performance in vortex particle method simulations. The author details techniques including explicit type declarations, @fastmath flags, SIMD enforcement, and hand-holding the JIT compiler via annotations. Despite achieving near-C++ speed, the resulting code sacrifices readability compared to idiomatic Julia.

HN Discussion: Readers warn that any experience reports using Julia versions prior to 1.10 (current LTS) are obsolete given significant maturity improvements over the years. One commenter notes the irony of rewriting Julia to look “almost identical to C++” with disabled safety checks just to get competitive performance, suggesting a fundamental tension in the language’s design goals. Another observes that Python+NumPy syntax is more cumbersome than Julia or MATLAB, challenging the common characterization of Julia as “Pythonic.”

An Introduction to Meshtastic

Summary: Meshtastic is a community-driven, open-source project that uses inexpensive LoRa radios to create long-range off-grid mesh communication networks. It requires no phone or existing communications infrastructure, operates on unlicensed frequencies, and supports encrypted messaging with optional GPS location sharing. Messages rebroadcast through the mesh network automatically, enabling decentralized peer-to-peer communication.

HN Discussion: A sailor in the South Pacific shares using Meshtastic daily between boats with solar-powered repeaters on masts, requiring no SIM cards or subscriptions. One user describes being surprised by how little mature technology existed for truly public, decentralized off-internet communication compared to their expectations. Longtime users compare the early Meshtastic community experience to the early internet of the 1990s—small, exploratory, and full of potential.

Serving a Website on a Raspberry Pi Zero Running in RAM

Summary: A developer serves a public website from a Raspberry Pi Zero v1.3 running Alpine Linux entirely from RAM, using only 512MB of memory with roughly 40MB consumed by the OS. The setup uses darkhttpd for HTTP serving and offloads TLS termination to a cloud VPS, balancing CPU constraints on the Pi Zero with internet-facing security requirements. The entire filesystem is diskless after boot, loaded from microSD via rsync and Alpine’s lbu tool.

HN Discussion: Some readers question why this generates excitement, viewing it as a trivial sysadmin exercise that any competent engineer could replicate. Counterpoints note the elegance of running entirely from memory on such constrained hardware, with one commenter sharing experience of booting Pi Zeros into RAM and surviving unplugged card removal mid-operation without filesystem corruption.


System Administration

Killswitch: Per-Function Short-Circuit Mitigation Primitive

Summary: Sasha Levin proposes a “killswitch” kernel patch that adds a per-function short-circuit mechanism to mitigate security vulnerabilities immediately. Instead of waiting for patched kernels to be built and deployed, admins can disable specific buggy functions at boot time with a simple configuration line. The primitive allows fleets to remain protected against known-vulnerability exploits during the window between disclosure and full patch deployment.

HN Discussion: Readers praise both the elegance of the approach and the high code quality of Linux kernel patches, dispelling fears that kernel source is too complex for regular developers to read. A commenter asks whether BPF could achieve similar functionality more flexibly. Some note this closes the barn door after the horse has left, but counter that having it built into the kernel for future vulnerabilities is genuinely valuable.

Removing fsync from Our Local Storage Engine

Summary: FractalBits describes building a single-node key-value storage engine that eliminates fsync from its durable write path for PUT and DELETE operations. The approach uses fixed-size preallocated files, pre-zeroed extents, O_DIRECT writes, and an SSD-aligned journal whose commits match the device’s atomic-write unit. In benchmarks on AWS NVMe, the fsync-free engine achieved roughly 65% higher throughput than ext4 with O_DIRECT and fsync.

HN Discussion: Several commenters question whether SSDs truly guarantee atomic writes at the device level, given internal caching and write-reordering that OS-level semantics cannot observe. One raises the concern that without fsync, WAL blocks may not be persisted in order, potentially leaving holes during power loss that cause incorrect recovery. Another points out the POSIX requirement that parent-directory sync is needed for new file creation durability, questioning claims in the article about dirent behavior.

A New Hash Table for Lwan

Summary: L. Pereira describes replacing Lwan’s heavily modified kmod hash table with a new implementation inspired by Rust’s hashbrown and Google’s SwissTable. The design uses linear probing for portability across C environments without requiring SIMD instructions, making it suitable for a lightweight web server. Go adopted a variation of this approach as its default hash table starting in 2025, signaling broader industry adoption.

HN Discussion: Readers reflect on how hash tables represent a step-function insight in computer science understanding—once grokked, they illuminate algorithmic thinking broadly. The technical depth appeals to systems programmers who appreciate the trade-offs between cache locality, collision handling, and cross-platform compatibility.


Web & Infrastructure

Forking the Web

Summary: The Dillo browser project publishes informal notes on building an alternative HTML specification that prevents the Web’s accumulated drawbacks while preserving its strengths. Proposed goals include constraint-based specification length (1.44 MiB compressed), semantic versioning of the spec, and a non-ambiguous formal grammar for compliance testing. The author acknowledges XHTML’s enforcement model as a cautionary tale but argues that a streamlined, well-scoped alternative standard could serve security-focused use cases.

HN Discussion: Readers debate whether the Web’s bloat is a fundamental problem solvable through specification reform or an inevitable consequence of its role as an application platform. One commenter draws parallels to Gemini protocol design—document-only by nature, inherently more secure—as inspiration for what a stripped-down web standard might look like. HN’s commercial bias toward profitability and economic value is questioned, with some arguing the project’s value lies in creative exploration rather than business viability.


History & Science

PipeDream on the Acorn Archimedes

Summary: A detailed retrospective on running PipeDream—a radical productivity suite—on the Acorn Archimedes with RISC OS. The article explores how CPU, operating system, and application formed a “complete computing dead-end” while each separately achieved unexpected longevity. PipeDream’s design deliberately rejected conventional notions of what a productivity suite should be, combining word processing, spreadsheets, and database tools in an unconventional interface paradigm.

HN Discussion: Former PipeDream users from the Cambridge Z88 describe it as a moonshot ahead of its time, noting parallels to modern tools like the Affinity Suite. Nostalgic memories surface of playing Lemmings on school RISC OS machines, with the Icon Bar remaining a widely recognized RISC OS forum name decades later. A commenter flags uBlock telling them the Ghost-hosted site is on a badware list, raising questions about its legitimacy.

How LEDs are Made (2014)

Summary: A 2014 SparkFun tour of the YunSun LED factory in Shenzhen documents the step-by-step manufacturing process for light-emitting diodes. The article covers basic parts, die assembly, wire bonding, and packaging with photography captured during a closed Saturday at the factory. It serves as a detailed visual guide to semiconductor device fabrication from one angle.

HN Discussion: Readers praise the format—detailed photo articles that can be read at leisure without video commentary—as something increasingly rare online. One commenter notes the alarming worker metric of 80 LEDs aligned per minute and worries about physical toll on factory workers’ eyes, referencing concerns echoed from years earlier. Others wanted more coverage of the semiconductor wafer fabrication process itself.

David Attenborough’s 100th Birthday

Summary: Sir David Attenborough celebrates his 100th birthday with tributes from King Charles III and Queen Camilla, who shared archival photos of the broadcaster with young Prince Charles and Princess Anne. A special concert is scheduled at the Royal Albert Hall in London, and Attenborough has said he was “completely overwhelmed” by messages received ahead of the milestone. The royal tribute includes a 1958 photo from BBC Zoo Quest where Attenborough introduced Cocky the cockatoo to the royal siblings.

HN Discussion: Readers share powerful personal stories about how Attenborough’s early documentaries—Life on Earth, The Living Planet—shaped their worldview and career choices. One contributor describes wearing out VHS copies of Trials of Life as a child and building a hard drive collection spanning nearly his entire filmography since college. A fun fact shared: Attenborough at the BBC suggested switching tennis balls from white to yellow for better TV visibility, leading to the standard we see today.

Reviving the IBM Selectric Composer Fonts (2023)

Summary: Type designer Jens Kutílek documents his revival of the IBM Selectric Composer typefaces, which allowed proportionally spaced text on a mechanical typewriter system introduced in 1964. The Selectric Composer assigned letters to seven spacing groups (3–9 units per em), eliminating the need for artificial widening or compression of glyphs that monospaced systems required. The article covers the mathematical challenges, glyph digitization, and font scaling decisions made in creating modern digital interpretations.

HN Discussion: Readers marvel at the purely mechanical proportional spacing solution, noting that software solved this decades later but mechanical implementations remain endlessly fascinating. A former school newspaper editor recalls seeing a Selectric Composer at another high school in 1973, watching typed copy reappear as properly spaced and justified columns. Someone mentions the Selectric’s typing ball features were used in the Killian documents forgery defense—proportionally spaced output from an IBM Selectric couldn’t perfectly replicate certain artifacts that Microsoft Word produced by default.

What Causes Lightning? The Answer Keeps Getting More Interesting

Summary: Physicists armed with new instrumentation are closing in on one of nature’s oldest mysteries—what triggers lightning strikes inside storm clouds. The article describes how small rockets launched into thunderclouds can induce lightning strikes, revealing violent and unexpected phenomena within storms. New theories are emerging that may reframe our understanding of charge separation and discharge mechanisms in atmospheric electricity.

HN Discussion: Readers share a YouTube video of a rocket-induced lightning strike and speculate about the green (and momentarily purple and orange) colors observed in the footage. One commenter draws a philosophical parallel: if new theories hold up, ancient Greek stories of Zeus and Hephaestus striking with bolts may be closer to reality than modern explanations assumed. Some readers express fatigue with Quanta Magazine’s “the answer keeps getting more interesting” framing as a click-bait pattern without substantive new information.

Cartoon Network Flash Games

Summary: The Web Design Museum curates a collection of Cartoon Network Flash games from the golden era of browser gaming, including titles based on The Powerpuff Girls, Dexter’s Laboratory, and Samurai Jack. Games range from 2001 to mid-2000s, featuring interactive experiences like Scooby-Doo: Scooby Snapshot, Food Bash, and Codename: Kids Next Door: Operation S.T.A.R.T.U.P. The collection is playable through Ruffle emulation in modern browsers.

HN Discussion: Readers reflect nostalgically on games that contained nothing but pure content—no DLCs, no season passes, no monetization strategies beyond the experience itself. One commenter who worked on CN games in the era hopes more titles get added to the archive. Ruffle emulation failures and Cloudflare false positives are noted by some users trying to play.

CAD and CAM Applications on HP-UX Unix Workstations

Summary: A comprehensive historical catalog documents CAD and CAM software running on HP 9000 PA-RISC workstations with HP-UX from the 1980s through the 2000s. The table covers major products including I-DEAS, CATIA, Unigraphics NX, AutoCAD, Nastran/Patran, and Pro/ENGINEER—tracking their version histories across PA-RISC support. It captures a period when CAD moved from mainframes to Unix workstations dominated by RISC architectures throughout the 1990s.

HN Discussion: Nostalgic readers share memories of working with these systems in engineering environments, reflecting on how HP positioned itself as dominant in MCAD markets. The archival nature of the page draws appreciation from those interested in computing history, particularly the transition from minicomputers to RISC workstations for technical computing.


Other

Internet Archive Switzerland

Summary: The Internet Archive has launched a Swiss branch (InternetArchive.ch) as an independent but mission-aligned library. It joins the existing IA Canada and IA Europe as part of a distributed digital library network. The site’s design appears to use generic template text that raises questions about its actual operational depth.

HN Discussion: Commenters note IA Canada operated like a subsidiary despite technical independence—same Slack, same archive.org email domain. Some readers found the Swiss site’s About page using suspicious filler text copied across multiple pages. Discussion centers on whether this represents genuine decentralization or just branding similarity to the US Archive.