Hacker News Evening Brief: 2026-05-15
Tonight’s Hacker News brief leans into the places where technical work meets incentives: public archives, zero-click exploits, AI adoption quotas, distributed code forges, and privacy fights over cars, banks, and legal workflows. The strongest discussions were practical rather than abstract, with readers testing demos, questioning deployment details, and asking who pays the verification cost when tools become easier to generate than to review.
AI & Tech Policy
Image-blaster: Creates 3D environments, SFX, and meshes from a single image
Summary: Image-blaster is a GitHub project that presents an image-to-world skillset for Claude, turning a single source image into 3D environments, effects, and meshes. The pack frames it as a developer tool rather than a polished hosted service, sitting inside a fast-moving pipeline where vision-language models interpret an image and pass structured prompts or assets to scene and mesh generators. Its appeal is strongest for games, visualization, and rapid prototyping, because it starts from one picture instead of a full photogrammetry set.
HN Discussion: Commenters compared the idea with Microsoft’s old PhotoSynth, but noted the larger jump from reconstructing a scene from many photos to inferring one from a single image. Technical replies pointed to World Labs as a likely key scene component, mentioned Meshy for mesh work, and discussed texturing, rigging, and pixel-grounded vision models as the pieces that make the pipeline plausible.
Show HN: Watch a neural net learn to play Snake
Summary: tinyppo-snake is an in-browser demonstration for training a neural network to play Snake with PPO. The interface exposes training and watch modes, live weights, grids of environments, run comparison, multi-seed presets, and learning-rate sweeps, so the demo is closer to a small lab bench than a static visualization. Users can watch rolling score averages, recent episode results, rollout speed, policy and value metrics, entropy, gradient norm, KL, and trained-policy playbacks without installing a separate machine-learning stack.
HN Discussion: Readers tested the trainer live and reported concrete failure modes, including score drops after switching between train and watch views. Several people saw averages plateau around the same range or collapse after strong runs, turning the thread into a useful discussion about implementation bugs, PPO instability, and randomness across seeds.
The sigmoids won’t save you
Summary: Scott Alexander critiques the AI-debate slogan that all exponentials eventually become sigmoids. He agrees that growth cannot continue forever and uses epidemics and airspeed records as examples of curves that eventually flatten, but argues that this observation alone does not answer the important questions. A useful forecast has to say when the curve bends, at what capability level, and because of which constraint; otherwise, invoking a future sigmoid can become a way to dismiss uncomfortable extrapolations without modeling the limit.
HN Discussion: Commenters debated Lindy’s Law as a heuristic for trends whose limits are not understood, and whether it gives any useful confidence interval for continuation. The AI-specific thread turned to Moore’s Law, hardware inefficiency, and skepticism about vague capability axes that make benchmark graphs look more precise than they are.
Claude for Legal
Summary: Claude for Legal is an Anthropic GitHub project described as a suite of plugins for legal workflows. The pack does not expose detailed plugin names or coverage, so the concrete artifact is the repository and its positioning around reusable assistant components for legal work. That framing alone places it in a high-risk domain: legal tasks involve privilege, confidentiality, professional responsibility, and adversarial consequences, so the boundaries around who uses the tool and what data enters it matter as much as the automation itself.
HN Discussion: Lawyers in the thread focused on attorney-client privilege, warning that non-lawyers using an AI system for legal advice may not get protected communications. Accountability was the other major theme, with readers asking who carries malpractice risk, whether errors-and-omissions insurance applies, and how courts will treat AI chat histories if they become evidence.
Aperio Lang
Summary: Aperio is introduced as a programming language designed for LLM-era software development rather than the traditional tradeoff between human cognitive effort and machine execution. Its introduction argues that older languages impose hidden costs on AI-assisted workflows through tokens, retries, latency, and repeated translation between a user’s system model and the language’s structural shape. Aperio proposes a recursive hypergraph of typed, lifecycled units called loci, claiming that code and mental model can share one substrate.
HN Discussion: Early commenters found the locus abstraction novel, but the reaction was not uniformly enthusiastic. One reader wished for languages that LLMs would avoid instead of languages optimized for them, turning the thread into a small debate over whether programming-language design should now center AI agents or resist that pressure.
Security & Privacy
A 0-click exploit chain for the Pixel 10
Summary: Google Project Zero describes adapting a previously published Pixel 9 zero-click-to-root exploit chain to the Pixel 10. The first stage still uses the Dolby parsing vulnerability CVE-2025-54957, and much of the port consisted of updating offsets for the Pixel 10’s build of the library. One mitigation change forced a more interesting pivot: the Pixel 10 build uses return-address pointer authentication (RET PAC), which broke the earlier route of overwriting __stack_chk_fail, so the researcher instead targeted overwritable initialization code in dap_cpdp_init.
HN Discussion: Readers focused on the larger attack surface created when phones pre-decode message media for search and AI features before a user opens anything. The patching discussion compared Google’s sub-90-day driver fix with broader Android vendor response, while another branch asked whether AI changes the economics for spyware vendors or simply makes their work more visible.
U.S. DOJ demands Apple and Google unmask over 100k users of car-tinkering app
Summary: The report says the U.S. Justice Department subpoenaed Apple, Google, Amazon, and Walmart for personal data tied to EZ Lynk’s Auto Agent app and related hardware. The requested information reportedly includes names, addresses, phone numbers, and purchase histories for a very large pool of drivers. The demand is part of a Clean Air Act case first brought in 2021, alleging that EZ Lynk sold defeat-device tools for bypassing diesel emissions controls through an app and OBD dongle, allegations the company denies.
HN Discussion: Privacy-focused commenters questioned why investigators should identify every user in order to find witnesses instead of pursuing narrower evidence. Others prioritized emissions enforcement and argued that disabled controls impose health costs on bystanders, creating a sharp tradeoff between bulk platform subpoenas and public-interest regulation.
Removing the modem and GPS from my 2024 RAV4 hybrid
Summary: Arkadiy Tetelman documents physically removing the modem and GPS from a 2024 Toyota RAV4 Hybrid to reduce vehicle telemetry and tracking. The post argues that modern cars collect default-on data including location, speed, fuel level, sudden acceleration or braking, camera footage, driver-attention signals, microphone input, and many other measurements. It cites risks from remote-car vulnerabilities and insurance data sharing to internal misuse of camera footage and broker monetization, then treats hardware disconnection as more trustworthy than app opt-outs.
HN Discussion: Commenters supplied their own evidence that car data can escape despite privacy settings, including a Volkswagen mileage anecdote involving Carfax validation. A technical branch asked whether Bluetooth pairing lets the car use the phone as an internet path while wired CarPlay behaves differently, and others weighed privacy against safety and insurance discounts tied to emergency-call systems.
OpenAI is connecting ChatGPT to bank accounts via Plaid
Summary: The article says OpenAI is allowing ChatGPT users to connect bank accounts through Plaid, the financial-data bridge used by many banks and brokerages. Once connected, the report claims ChatGPT can see balances, transaction histories, and spending patterns in order to power financial-assistant features. The mechanism matters: delegated account access through Plaid is more persistent and revealing than a user manually uploading a statement, because transactions can expose relationships, politics, habits, and counterparties.
HN Discussion: The thread was strongly privacy-negative, with several readers saying they refuse Plaid because it creates low-friction third-party access to bank data. Practical mitigation stories included using a throwaway account with a token balance when Plaid is unavoidable, while broader comments warned against connecting critical personal systems to AI agents by default.
We are retiring our bug bounty program
Summary: Turso is retiring a bug bounty that paid for any demonstrated bug leading to data corruption. The company says the program became a magnet for AI-generated low-quality reports and pull requests that claimed to find corruption bugs without supplying useful evidence. Maintainers were spending days closing slop instead of evaluating real reports or improving the database. Turso says open contribution remains part of its identity, but the cash reward distorted incentives enough to make this narrow bounty unsustainable.
HN Discussion: Commenters used the case to argue that generating code or reports is not the bottleneck; reading, understanding, and verifying them is. Suggested mitigations included refundable submission fees, proof-of-work through full simulator runs, and bot-honeypot repositories, all aimed at making the submitter bear some of the verification cost.
New Nginx Exploit
Summary: The linked repository publishes an exploit for CVE-2026-42945, referred to as Nginx-Rift. Discussion describes the issue as serious but dependent on configuration: an affected setup uses a rewrite directive with a question mark in the replacement string and then a later set directive referencing an unnamed regex capture such as $1. The public proof of concept reportedly assumes ASLR is disabled, while the writeup claims a reliable ASLR bypass path exists. F5’s quoted mitigation is to use named captures instead of unnamed captures until patched packages are available.
HN Discussion: Security practitioners pushed back on dismissing the bug merely because the published exploit does not bypass ASLR, treating ASLR as defense-in-depth rather than a fix. Operators traded concrete rewrite examples and worried about vulnerability scanners lagging behind, especially where container images and distro packages are involved.
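The thread’s worry about scanners lagging behind is easy to address locally, because the reported precondition is a textual pattern. The script below is an added example, not code from the Nginx-Rift repository, F5, or the HN thread: it tokenizes an nginx configuration, walks the blocks in order, and flags any `set` that references an unnamed capture such as `$1` after a `rewrite` whose replacement string contains a question mark. The two configuration fragments are constructed for the example (the `/old/` to `/new/` rewrite and the `$tail` variable are invented) and only illustrate the shape described in the summary; the mitigated fragment applies F5’s quoted workaround of named captures. The check deliberately over-flags (a rewrite in an enclosing `server` block arms every nested `location`), since for an audit a false positive costs a minute and a false negative costs much more.

```python
import re

# Constructed nginx fragments. They follow the pattern described in the discussion:
# a rewrite whose replacement contains '?', then a later set that references $1.
VULNERABLE_CONF = """
server {
    listen 80;
    location /old/ {
        rewrite ^/old/(.*)$ /new/$1?;    # '?' in the replacement string
        set $tail $1;                    # later set referencing an unnamed capture
        proxy_pass http://backend;
    }
}
"""

# Same behaviour with a named capture, the workaround quoted from F5.
MITIGATED_CONF = """
server {
    listen 80;
    location /old/ {
        rewrite ^/old/(?<tail>.*)$ /new/$tail?;
        set $tail_copy $tail;
        proxy_pass http://backend;
    }
}
"""

# Comments, braces, semicolons, quoted strings, bare words.
_TOKEN = re.compile(r'#[^\n]*|[{};]|"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'|[^\s{};"\']+')
_UNNAMED_CAPTURE = re.compile(r"\$\d+")


def parse(text):
    """Parse nginx config into a tree of (name, args, children) tuples.

    children is None for simple directives and a list for block directives.
    """
    root, stack, current = [], [], []
    stack.append(root)
    for tok in _TOKEN.findall(text):
        if tok.startswith("#"):
            continue
        if tok == ";":
            if current:
                stack[-1].append((current[0], current[1:], None))
                current = []
        elif tok == "{":
            block = []
            stack[-1].append((current[0], current[1:], block))
            stack.append(block)
            current = []
        elif tok == "}":
            stack.pop()
        else:
            current.append(tok)
    return root


def audit(tree, path=(), armed=None):
    """Return findings: a set using $N after a rewrite with '?' in its replacement.

    'armed' carries the arming rewrite into nested blocks, because a server-level
    rewrite runs before the matched location's own set directives.
    """
    findings = []
    for name, args, children in tree:
        if name == "rewrite" and len(args) >= 2 and "?" in args[1]:
            armed = args[1]
        elif name == "set" and armed and len(args) >= 2 and _UNNAMED_CAPTURE.search(args[1]):
            findings.append({
                "block": "/".join(path) or "main",
                "rewrite": armed,
                "set": " ".join(args),
            })
        if children is not None:
            label = (name + " " + " ".join(args)).strip()
            findings.extend(audit(children, path + (label,), armed))
    return findings


def audit_text(text):
    """Convenience wrapper: parse and audit a configuration string."""
    return audit(parse(text))


if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("mitigated", MITIGATED_CONF)):
        print(label, audit_text(conf))
```

Run it against `nginx -T` output (the fully resolved configuration, includes expanded) rather than individual files, otherwise a `rewrite` in an included snippet is missed. A hit means the pattern is present, not that the installed binary is exploitable; the fix is still the patched package, with named captures as the stopgap.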
Welcome to the Strip Mining Era of OSS Security
Summary: Metabase argues that open-source security is entering a strip-mining phase where attackers can systematically extract vulnerabilities at scale. The available excerpt is mostly site navigation, but the title and discussion make clear that the concern is AI-assisted discovery and exploitation of flaws in widely distributed software. The underlying claim is about attacker economics: readable, common code becomes easier to mine once automated analysis improves, forcing projects and commercial users to invest in security processes rather than hoping obscurity or informal review will hold.
HN Discussion: Commenters debated whether closed-source software may be just as exposed, because LLM-assisted reverse engineering can turn binaries and patches into readable clues. Others argued that openness about the problem is healthier than denial, while a distribution-focused thread noted that every popular package, integration, and deployment channel becomes another window for attackers.
Tech Tools & Projects
I designed a nibble-oriented CPU in Verilog to build a scientific calculator
Summary: This project builds a scientific calculator from FPGA gates upward instead of emulating a conventional general-purpose processor. Its central design decision is a 4-bit, nibble-oriented CPU, because decimal calculator arithmetic naturally stores BCD digits one per nibble. The author argues that byte-oriented chips such as the Z80 or 6502 constantly fight that layout, while a custom nibble machine lets the architecture match the data model. The repository is also an exploration of how classic HP-style calculators could work at the gate level.
HN Discussion: The visible discussion is mostly the author’s architectural explanation rather than a broad critique. The concrete theme is design fit: a CPU width can be chosen around the problem domain, and for decimal arithmetic that can be cleaner than forcing every operation through a byte-oriented machine.
O(x)Caml in Space
Summary: Thomas Gazagnaire reports that Borealis, a pure-OCaml CCSDS protocol stack, booted in low Earth orbit on April 23, 2026. It runs inside DPhi Space’s ClusterGate-2 payload module and provides encrypted command and control with post-quantum key rotation. The post argues that OCaml is attractive for satellite payloads because untrusted code in orbit is dangerous, and because OCaml 5 and OxCaml offer ways to combine memory safety with performance tuning. One highlighted packet-dispatch optimization reduces allocation pressure by moving hot-path data onto the stack.
HN Discussion: A commenter noted an earlier OCaml-in-space deployment on GHGSat-D in 2016, complicating any simple first-in-space framing. The technical thread dug into garbage-collector pressure, stack allocation, and whether safer languages can meet tight latency goals, while another branch questioned whether CCSDS encourages too much bespoke protocol work.
Explore Wikipedia Like a Windows XP Desktop
Summary: Wikipedia File Explorer turns Wikipedia and Wikimedia Commons into an XP-styled desktop with folders, document icons, media viewing, and a Notepad readme. Wikipedia categories become folders and articles become documents, aiming to make nearly every categorized page reachable through file-explorer navigation. The Commons side adds a media-category explorer, including a right-click option to set an image as the desktop background. The readme also previews a geofile explorer that would represent places on Earth as folders accepting images and notes.
HN Discussion: Commenters connected the interface to the early Microsoft Network idea of browsing online information like a local filesystem. Several readers liked the folder/container metaphor for knowledge organization and contrasted it with flatter web-app patterns, while product feedback centered on wanting Start-menu search and fine-tuning the XP-era visual style.
Radicle: Sovereign {code forge} built on Git
Summary: Radicle positions itself as an open-source, peer-to-peer code collaboration forge built on Git rather than a centralized hosting platform. Repositories are replicated among peers, while code and social artifacts use cryptographic identities and public-key signatures for authenticity. The site advertises Radicle 1.8.0, shell installation, source builds, a desktop client, and support for Linux, macOS, and BSD variants. Its protocol combines Git for data transfer with a custom gossip layer for repository metadata.
HN Discussion: Commenters compared Radicle with other distributed-forge efforts and praised its local-first approach and private-repository story. The most practical complaint was deployment: people want small local-only or on-prem-style networks that behave like decentralized GitLab without the scripting burden of joining or avoiding the broader Radicle network.
Show HN: Sx – an open-source package manager for AI skills, MCPs, and commands
Summary: sx is an open-source package manager aimed at AI coding assistants rather than traditional libraries. A maintainer explains that it packages skills, MCP server configs, slash commands, agents, hooks, and rule files as versioned artifacts. Packages can live in a local folder, Git repository, or hosted backend, then be installed into the correct assistant-specific locations. The design includes lockfiles for reproducibility and scope levels for organization, team, repository, or individual usage, with the CLI translating across assistant formats.
HN Discussion: The visible thread is mostly the maintainer’s launch explanation, but the concrete themes are useful: reproducibility, governance, and interoperability for AI-assistant configuration. Teams increasingly need to share prompts, tools, and server configs without turning each workstation into a hand-maintained snowflake.
RTX 5090 and M4 MacBook Air: Can It Game?
Summary: Scott’s post tests whether an NVIDIA RTX 5090 can be attached to an M4 MacBook Air through a Thunderbolt eGPU setup and used for gaming and AI inference. The writeup goes deep on Thunderbolt PCIe tunneling, Linux driver behavior, and the engineering needed for PCI passthrough on macOS. It covers PCI BAR mapping, DMA on Apple Silicon, an NVIDIA alignment quirk, mapping coalescing, scheduling, and memory-ordering issues before getting to game and inference benchmarks. The practical question is whether a small Mac can borrow a very large GPU.
HN Discussion: Commenters were excited that GPU passthrough worked at all, including one Apple Silicon Mac Pro veteran who had wanted official VM passthrough for years. Many found the local-LLM inference angle more important than gaming, especially because Macs have abundant unified memory but can struggle with prompt-prefill speed.
History & Science
Project Gutenberg – keeps getting better
Summary: Project Gutenberg presents itself as a free digital library of more than 75,000 ebooks, focused on older works whose U.S. copyright has expired. The homepage emphasizes multiple access paths: epub and Kindle downloads, online reading, Top 100 lists, main categories, volunteer reading lists, and search by author, title, or subject. Recent releases in the pack range from adventure fiction and pulp series to Nigerian fertility-cult studies and older medical writing, showing how broad the collection is. The project still foregrounds volunteer digitization and proofreading rather than a commercial catalog model.
HN Discussion: A Project Gutenberg programmer said the site has been improved substantially in recent months, with more changes planned. Readers reflected on the project’s longevity since 1971, thanked the volunteers, and wondered why ebook-reader vendors do not offer a frictionless Gutenberg storefront instead of pushing users through Kindle workarounds or Calibre.
ASCII by Jason Scott
Summary: The guard could not retrieve the article body because the TLS handshake timed out, so the available context is the linked ASCII/Textfiles site and the HN comments. The story points to Jason Scott’s long-running work around textfiles, manuals, and computer-culture preservation. Commenters quote a passage about 13,000 manuals living on the Internet Archive, implying that the linked post discusses a major public manual-preservation effort. One reader also supplied a newer archived snapshot for the May 10 post, suggesting the live or cached link had drifted.
HN Discussion: The thread was mostly appreciative, with readers praising Jason Scott, Archive Team, and the Internet Archive for keeping old technical information available. One commenter translated the manual collection into a decade-long pace of several manuals per day, emphasizing that archival work is slow, sustained labor rather than a one-off upload.
I built Zenith: a live local-first fixed viewport planetarium
Summary: Zenith is a real-time fixed-view planetarium that shows the stars currently overhead, using a highly zoomed-in field of view to make Earth’s rotation visible. The author sets the view to the amount of sky that rotates past in about 30 seconds, described as a patch roughly the size of a grain of rice held at arm’s length. The motion is not time lapse; it is the same real movement made obvious through magnification. The page uses that to explain why high-magnification telescopes need motorized tracking.
HN Discussion: Readers liked that the project makes Earth’s rotation feel immediate without requiring a telescope. Suggestions were concrete and product-shaped: add search for a star or coordinate, support manual location entry for people blocking geolocation, and consider ceiling projection as an ambient room display.
Academic & Research
High dimensional geometry is transforming the MRI industry (2017) [pdf]
Summary: The linked 2017 PDF presentation is about how high-dimensional geometry and related mathematics affected MRI practice, although the guard could not extract the PDF text. HN commenters characterize it as an example of compressed-sensing-style mathematics moving from abstract research into medical imaging. The important story is not only the math, but the cost-benefit case: relatively small federal spending on mathematical research can influence tens of millions of MRI scans and large healthcare costs. It connects sampling and reconstruction theory with faster or more informative scans.
HN Discussion: Readers focused on public-research funding, using MRI as a concrete example of long-tail returns from basic mathematics. Technical replies touched on high-dimensional neural signals, compressed sensing, and scan designs that maximize information gain rather than simply generating one fixed contrast image.
Building ML framework with Rust and Category Theory
Summary: “Category Theory for Tiny ML in Rust” is a working-draft book that builds a small machine-learning system through Rust types and category-theoretic structure. The authors describe domain objects as Rust types, morphisms as typed transformations, composition as executable program structure, and training as repeated transformation of model state. The goal is to make abstract compositional ideas concrete in tiny ML systems rather than treating category theory as decorative terminology. The draft is explicitly unfinished and invites public feedback on chapters, diagrams, examples, code, and references.
HN Discussion: Several commenters questioned whether category theory is doing real engineering work here, asking for clearer definitions of objects and morphisms or a denotational semantics. Even mathematically trained readers said they often see category theory invoked around ML without understanding the payoff, while others noted Rust’s lack of higher-kinded types as a constraint on categorical modeling.
Business & Industry
A new book on Steve Jobs at NeXT
Summary: IEEE Spectrum’s article, titled “Steve Jobs Next Computer: His Forgotten Exile Years,” points to a new book about Jobs’s NeXT period. The extract available to the guard is mostly page scaffolding, but comments quote the article discussing NeXT’s use of object-oriented libraries and an early app-store-like software distribution idea. The larger frame is that NeXT was not just a failed hardware detour; its software environment, people, and culture later fed directly into modern Apple. The book appears to revisit those years as a period of technical experimentation and management growth.
HN Discussion: Commenters challenged simplified claims about object-oriented programming and app stores, suggesting that the article may overstate Jobs’s novelty in 1988. Others emphasized that post-1997 Apple inherited much of NeXT, making Apple’s turnaround partly a NeXT acquisition story rather than a clean return to old Apple.
Amazon workers under pressure to up their AI usage are making up tasks
Summary: Fast Company reports that some Amazon workers feel pressured to increase AI-tool usage and are creating extra tasks to satisfy that pressure; the guard could not fetch the article body because of a 403. The core claim is about metric-driven adoption, where tool consumption becomes something employees must demonstrate rather than a choice guided by usefulness. Based on the title and discussion, the behavior includes burning tokens or inventing low-value work so dashboards show activity. It is a management failure mode: measuring usage can crowd out measuring productivity, quality, or customer outcomes.
HN Discussion: Commenters compared AI-token pressure to absurd travel-spend incentives: if leadership rewards consumption, employees will optimize for waste. Anecdotes ranged from large token-use numbers being treated as a flex to dashboards arising from rumor rather than official policy, while environmental and budget concerns made needless compute use feel especially perverse.
Trade Dollars with other startups. Book it as revenue
Summary: The guard could not fetch the live site because of a TLS handshake failure, but commenters identify RevSwap as satire. Its premise is that startups trade equivalent-dollar services with one another and book the swaps as revenue. A quoted FAQ joke says the platform takes 2% of every swap and then swaps its own revenue with another platform, making the circularity explicit. The satire works because services-in-kind can be legitimate, but reciprocal trades become misleading when they are used mainly to manufacture growth numbers.
HN Discussion: Commenters distinguished ordinary barter among cash-strapped small businesses from startup metric inflation. Several readers compared the idea with VAT carousel fraud, where circular invoices and refunds create legal exposure, while others treated the page as a pointed joke about platform fees and revenue games.
Ask HN: How to be SOC2 Type 2 compliant as a solo-entrepreneur?
Summary: The Ask HN poster is a solo entrepreneur behind Perfect Wiki whose customers are asking for certification and trust evidence. They ask whether SOC 2 Type 2 compliance is possible without spending more than $20,000 on auditors. The business problem is familiar for small vendors selling into larger organizations: procurement teams want a recognizable security assurance signal before adoption. Because this is an HN-native post, the source is the question itself rather than a separate article.
HN Discussion: The dominant advice was to avoid SOC 2 until the business is large enough for the enterprise security handshake to be worth the cost. Commenters noted structural mismatches for solo operators, such as needing separation between code author, reviewer, operator, and internal auditor, while risk-management veterans said customers can often work around formal certification when they truly want the product.
Geopolitics & War
We don’t know why Malawi is poor
Summary: Deena Mousa argues that Malawi’s persistent poverty is hard to explain cleanly, which makes growth forecasting more fragile than it appears. The piece contrasts Malawi with Rwanda: in 1994, Malawi was poor but functioning after a peaceful democratic transition, while Rwanda had just suffered genocide and state collapse. Thirty years later, Rwanda’s GDP per capita is roughly twice Malawi’s, and Kenya and the sub-Saharan African average have pulled far ahead as well. Malawi is presented as unusual even among poor countries, with recent per-capita decline and severe poverty despite no single obvious explanatory story.
HN Discussion: Commenters proposed corruption, export composition, and political organization as competing explanations. One thread contrasted Malawi’s tobacco, legumes, sugar, tea, and cotton exports with Rwanda’s minerals and other goods, while another credited Rwanda’s centralized developmentalist state and asked whether Malawi’s poverty numbers imply a sharp rural-urban or class divide.
Web & Infrastructure
NanoTDB – Golang Append-Only Time Series DB
Summary: NanoTDB is a small Go time-series database designed for long-running sensor data on modest hardware. Its append-only design fits timestamped measurements and can simplify writes, storage layout, and durability compared with mutable database models. The repository pitch suggests an embedded or lightweight infrastructure niche rather than a full analytics warehouse. It is aimed at situations where predictable ingestion and historical retention matter more than broad query surfaces or transactional features.
HN Discussion: Commenters immediately compared it with Home Assistant’s time-series storage needs and mentioned ClickHouse and DuckDB as alternatives with different read and ordering tradeoffs. The design challenge was phrased simply: what makes this more than a log file, and what happens when bad sensor data later needs deletion or correction?
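The thread’s question (what makes an append-only store more than a log file, and what happens when a bad reading must be corrected or deleted) has a standard answer in log-structured storage: never rewrite history, append a superseding record or a tombstone instead, and compact later. The example below is added here to make that concrete; it is not NanoTDB’s code and says nothing about how NanoTDB actually lays out its files. The tab-separated line format, the `seq` counter, and the sensor readings in `demo()` are all constructed for the example.

```python
import os
import tempfile

TOMBSTONE = "tombstone"


class AppendOnlyStore:
    """Append-only time series log. Corrections and deletions are new records.

    Each line is "timestamp<TAB>seq<TAB>value"; seq is a monotonic write counter,
    so replaying the file and keeping the highest seq per timestamp yields the
    current state without ever seeking or rewriting in place.
    """

    def __init__(self, path):
        self.path = path
        self.seq = 0
        # Recover the write counter from an existing log so new appends stay ordered.
        for _ts, seq, _value in self._records():
            self.seq = max(self.seq, seq)

    def _records(self):
        if not os.path.exists(self.path):
            return
        with open(self.path, "r", encoding="utf-8") as fh:
            for line in fh:
                line = line.rstrip("\n")
                if not line:
                    continue
                ts, seq, value = line.split("\t")
                yield int(ts), int(seq), value

    def _append(self, ts, value):
        self.seq += 1
        with open(self.path, "a", encoding="utf-8") as fh:
            fh.write(f"{ts}\t{self.seq}\t{value}\n")
            fh.flush()
            os.fsync(fh.fileno())  # the record is on disk before the call returns

    def write(self, ts, value):
        self._append(ts, repr(float(value)))

    def delete(self, ts):
        # A tombstone hides the timestamp on replay; the bad reading stays in the log.
        self._append(ts, TOMBSTONE)

    def snapshot(self):
        """Replay the log: the record with the highest seq wins for each timestamp."""
        latest = {}
        for ts, seq, value in self._records():
            latest[ts] = (seq, value)
        return {ts: float(v) for ts, (_s, v) in sorted(latest.items()) if v != TOMBSTONE}

    def compact(self):
        """Rewrite the log with only live records and swap it in atomically."""
        live = self.snapshot()
        tmp = self.path + ".tmp"
        with open(tmp, "w", encoding="utf-8") as fh:
            for ts, value in live.items():
                fh.write(f"{ts}\t{self.seq}\t{value!r}\n")
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, self.path)
        return len(live)


def demo():
    """Constructed run: one bad reading corrected, one reading deleted, then compacted."""
    with tempfile.TemporaryDirectory() as d:
        store = AppendOnlyStore(os.path.join(d, "temps.log"))
        store.write(1000, 21.4)
        store.write(1060, 21.5)
        store.write(1120, 999.0)   # constructed bad sensor reading
        store.write(1120, 21.6)    # correction: same timestamp, later seq
        store.write(1180, 21.7)
        store.delete(1180)         # tombstone
        before = store.snapshot()
        raw_lines = sum(1 for _ in store._records())
        kept = store.compact()
        after = AppendOnlyStore(store.path).snapshot()
        return before, raw_lines, kept, after


if __name__ == "__main__":
    print(demo())
```

The point for the thread is that the raw file keeps every record, including the 999.0 reading and the tombstone, so the audit trail survives, while readers see only the corrected state; compaction is the one step that discards history, and it does so by writing a fresh file and renaming it rather than editing the old one. A production store would also fsync the directory after the rename and checksum each record, which this example omits.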
Omnisearch – A lightweight metasearch engine written in C
Summary: OmniSearch is described as a modern lightweight metasearch engine with a clean design, written in C. Its documentation asks that the code not be hosted on GitHub, SourceForge, or other proprietary platforms, framing that as respect for both developer and user. Setup revolves around a config.ini file and dependencies including libxml2, libcurl, and beaker, with package-install notes for several Linux and BSD-adjacent environments plus NixOS. The project appears self-hostable and source-first, aimed at people comfortable configuring and building C services.
HN Discussion: A commenter found the README insufficient for understanding how the metasearch engine is meant to be used, asking whether code reading is required. The useful theme is documentation quality: even lightweight self-hosted tools need clear usage, configuration, and operational examples if they want adoption beyond people willing to infer behavior from source.