Hacker News Morning Brief: 2026-05-23


A Saturday morning mix of logistics perseverance, AI cost reckonings, spacecraft milestones, and a surprising amount of pasta physics. Here are 30 stories that caught HN’s attention overnight.


Other

Shipping a Laptop to a Refugee Camp in Uganda

Summary: A University of London distance-learning student chronicles the multi-week ordeal of mailing a laptop to a refugee named Django in Uganda’s Kyangwali camp. Ugandan customs imposed steep import duties and demanded physical inspection; intermediaries extracted bribes at several handoff points. The laptop ultimately arrived through coordination between DHL, a Kampala fixer, and UNHCR field staff — costing roughly as much in logistics as the hardware itself. Django is now using it to finish his BSc in Computer Science remotely.

HN Discussion: Commenters with Africa logistics experience confirmed that hand-carrying goods on flights remains far cheaper and more reliable than any courier. Several questioned why a local used-laptop purchase wasn’t simpler; others noted scarcity and markups in refugee-camp economies. The thread also catalogued the graft layers: government import tax plus corrupt officials demanding extra payments on top.


Business & Industry

Microsoft reports AI is more expensive than paying human employees

Summary: A Fortune piece examines Microsoft internal reports showing that aggressive AI-tool adoption — driven by OKRs rewarding high token consumption (“tokenmaxxing”) — is costing more than equivalent human labor for many tasks. Microsoft reportedly began restricting Claude Code usage internally, though commenters argue this is competitive positioning for GitHub Copilot rather than pure cost discipline. The article highlights a broader disconnect: enterprises mandate AI use metrics while per-task inference costs for SOTA proprietary models remain high.

HN Discussion: Multiple commenters called the headline misleading — the cost problem stems from manufactured incentives to burn tokens, not from baseline inference pricing. Others pointed out that smaller open models handle most tasks cheaply, and that “tokenmaxxing” OKRs are a management failure, not a technology failure.


Waymo expands pause to four cities as robotaxis keep driving into floods

Summary: Waymo has paused robotaxi service in four cities — Atlanta, San Antonio, and two others — after vehicles repeatedly drove into flooded roads during heavy rain. One vehicle was spotted driving through an Atlanta flood before getting stuck for roughly an hour; the incident follows a recall issued the prior week for the same flooding-behaviour issue. The expansion of the pause signals that the perception system still lacks reliable water-depth estimation.

HN Discussion: Very thin comment thread; one commenter linked a related earlier HN submission about the initial Atlanta flooding incident.


I’m writing again

Summary: Veteran tech journalist Robert X. Cringely announces his return to blogging after a three-year hiatus, during which he co-founded an AI company called 2Brains. He promises an upcoming piece arguing the trillion-dollar bet the AI industry is making may be wrong, touting a patented architectural alternative his team has built. Cringely’s past includes the InfoWorld “Notes From the Field” column, the PBS “Triumph of the Nerds” series, and the book “Accidental Empires.”

HN Discussion: Long-time readers expressed nostalgia for his 1980s–90s InfoWorld columns. Skeptics noted he similarly “returned” in 2023 and wrote only two posts before vanishing again. One commenter sarcastically referenced his past promotion of the OrangeDAO/Web3 fellowship programme.


Why We’ve Filed a Referendum

Summary: StopStratos.org is a community group in Utah that has filed a ballot referendum to halt or reverse the “Stratos Project” — a large data-centre development planned for their area. The group cites concerns about water usage, energy consumption, noise, and environmental impact as reasons to put the development to a public vote.

HN Discussion: Commenters debated the rationality of data-centre opposition; one noted a poll showing people would rather live near a nuclear plant than a data centre. Others pointed out the apparent hypocrisy in the NIMBY pivot from opposing housing to opposing data centres. A pragmatic suggestion was simply to buy the land if you don’t want it developed.


Security & Privacy

Project Glasswing: An Initial Update

Summary: Anthropic reports that Project Glasswing — its collaborative effort with approximately 50 partners to secure critical open-source software — has used Claude Mythos Preview to surface over 10,000 high- or critical-severity vulnerabilities. Of 1,752 findings independently assessed by security firms, 90.6% were true positives and 62.4% were confirmed critical or high. The bottleneck has shifted from finding vulnerabilities to verifying, disclosing, and patching them at scale.

HN Discussion: Commenters debated Mythos’s real added value over existing fuzzers and static analysis; curl maintainer Daniel Stenberg noted it didn’t outperform prior tools on his project. Several developers shared positive hands-on experience with Codex Security integration, calling it roughly 90% accurate. The thread highlighted the irony that many codebases haven’t even adopted basic linters yet, let alone AI-powered audit tools.


CISA tries to contain data leak

Summary: A CISA contractor published AWS GovCloud keys and other agency secrets on a public GitHub account (“Private-CISA”), reportedly disabling GitHub’s built-in secret-scanning protections. KrebsOnSecurity reports the repo was active from November 2025 and contained plaintext credentials to dozens of internal systems. Congressional lawmakers in both chambers are demanding explanations; CISA is still working to invalidate the leaked credentials.

HN Discussion: Commenters mocked CISA’s claim that “no sensitive data was compromised” despite the exposed secrets. Thread drew parallels to earlier government breaches like the OPM SF-86 leak. Some speculated on political timing, noting the leak coincided with personnel changes at the agency.


FBI director’s Based Apparel site has been spotted hosting a ‘ClickFix’ attack

Summary: FBI Director Kash Patel’s personal merchandise site (BasedApparel.com) was compromised with a “ClickFix” social-engineering attack — a fake CAPTCHA prompt tricking macOS visitors into pasting a Terminal command. The malicious payload targeted Chromium-based browser credential stores and cryptocurrency wallet data, archiving and exfiltrating them to an attacker-controlled domain.

HN Discussion: Commenters explained that the site predated Patel’s FBI appointment; the compromise underscores that no personal web property is too small to attract attackers. Thread discussed why Chromium browsers are particularly vulnerable to credential-theft payloads — stored cookies in SQLite databases with predictable paths.


A blueprint for formal verification of Apple corecrypto

Summary: Apple published formally verified implementations of the post-quantum ML-KEM and ML-DSA algorithms in corecrypto, along with mathematical proofs of correctness against the FIPS 203 and FIPS 204 specifications. The verification uses the SAW toolchain and Cryptol specification language; Apple is releasing both the implementations and the verification libraries/tools for independent audit. A notable early bug — a missing step in ML-DSA that only manifested on rare inputs — exemplifies why formal methods catch what testing and code review cannot.

HN Discussion: Commenters praised SAW/Cryptol as unusually approachable formal-methods tools, lamenting that C++ still dominates high-assurance code despite worse safety tooling. Some argued Apple should apply similar rigour to parser security rather than relying on Lockdown Mode as a mitigation.


GitHub introduces staged publishing and new install-time controls for NPM

Summary: GitHub has made staged publishing generally available for npm: package tarballs are uploaded to a stage queue and a maintainer must explicitly approve before the version becomes installable, enforcing proof-of-presence on every publish. New CLI flags (--allow-file, --allow-remote, --allow-directory) join the existing --allow-git, giving teams fine-grained control over which install sources are permitted. Both features require npm CLI 11.15.0 or newer.

HN Discussion: Sparse comments; one commenter hoped the staged publishing workflow would mitigate recent npm supply-chain attacks.


Tech Tools & Projects

Sp.h is the standard library that C deserves

Summary: sp.h is a 15,000-line single-header C99 library that bypasses libc entirely, calling syscalls directly on Linux, Windows, and macOS. It eliminates null-terminated strings in favour of length-prefixed slices, removes malloc/free with a custom allocation interface, and compiles under MSVC, TCC, MinGW, Cosmopolitan, and WASM. The author argues libc is “actively harmful” and that C’s value lies in simplicity, which a lean standard library should preserve.

HN Discussion: Commenters debated whether bypassing libc is sound on non-Linux platforms where syscall interfaces aren’t officially stable. The “no heap” claim drew confusion since sp.h defines its own allocation interface anyway. Several praised the hyper-opinionated design, while others found the sample programs visually noisy and better suited as a compiler target than for direct human use.


Open source Kanban desktop app that runs parallel agents on every card

Summary: KanBots is an MIT-licensed desktop Kanban app that dispatches Claude Code or Codex coding agents on separate git worktrees for each card, enabling parallel autonomous work. An autopilot mode assigns persona-based agents to split tasks, execute them, and self-review output overnight. The tool is local-first: all state lives in a .kanbots/ directory with SQLite, no cloud account or telemetry required.

HN Discussion: Commenters questioned how parallel worktrees handle infrastructure spin-up — each branch ideally needs its own local dev server and URL. Several expressed discomfort with reviewing large batches of autonomous overnight changes, preferring tight human-in-the-loop intervals. Comparisons were made to Vibe Kanban, a similar tool whose developers stopped investing in it.


A Wayland Compositor in Minecraft

Summary: WaylandCraft is a Minecraft mod (and Rust companion) that implements a working Wayland compositor inside the game, letting real Linux GUI applications render as in-game surfaces. The project totals roughly 8,000 lines of code — half Java (Minecraft mod side), half Rust (Wayland protocol handling). Source is available on GitHub under the EVV1E/waylandcraft repository.

HN Discussion: Commenters compared the feat to the “Doom on everything” tradition, calling Minecraft the new playground for absurd technical stunts. One quipped about finally being able to “escape to paradise and work remote” — running real desktop apps inside Minecraft.


Bun support is now limited and deprecated

Summary: yt-dlp has deprecated and limited its Bun runtime support, citing “foreseeable compatibility and security issues” with Bun’s ongoing Zig-to-Rust rewrite. The maintainers argue that a roughly 1 million line codebase rewritten largely via AI assistance is impossible to meaningfully review, making it an unreliable runtime dependency. The deprecation notice is on GitHub issue #16766.

HN Discussion: Commenters debated whether rejecting AI-heavy rewrites is reasonable quality control or unfair discrimination against a runtime. Bun users expressed disappointment about the project’s direction after the Anthropic acquisition and the scale of the automated rewrite. Some wished yt-dlp had cited specific compatibility bugs rather than a general concern.


Thinking in an array language (2022)

Summary: A chapter from an ngn-k tutorial walks through the mental model of array-oriented programming in K — thinking in whole-array operations rather than element-wise loops. Covers idioms like tacit composition, rank-polymorphic verbs, and the use of adverbs to modify verb behaviour, with examples comparing K one-liners to multi-line equivalents in imperative languages.

HN Discussion: Commenters compared K/APL to regexes: extremely terse and powerful for interactive use but potentially write-only in saved code. Discussion of which open-source APL derivatives (BQN, J, ngn/k) have healthy communities and are worth learning.


TorQ: Kdb+ Production Framework

Summary: TorQ (formerly AquaQ, now Data Intellect) is an open-source production framework for kdb+, providing startup/shutdown orchestration, process management, logging, alerting, and configuration layers on top of the raw q language. It targets financial-data and time-series workloads where kdb+ is still common, offering a batteries-included alternative to rolling your own operational infrastructure.

HN Discussion: One former user noted they’ve moved away from kdb+ entirely, using Claude to generate Rust-based tick-processing tools instead — eroding kdb’s traditional use case. Another mentioned kdb’s community-edition licensing flip-flops damaged confidence, and recommended checking compatibility notes before pairing TorQ with the free tier.


Academic & Research

Neutron scattering explains why gluten-free pasta falls apart (2025)

Summary: Researchers at the European Spallation Source and RWTH Aachen used small-angle neutron and X-ray scattering to compare the nanostructure of gluten-free and conventional spaghetti. Gluten forms a resilient protein network that tolerates varied cooking times and temperatures; gluten-free substitutes lack this cross-linked matrix, leading to structural collapse during cooking. The findings, published in Food Hydrocolloids (2025), point toward better hydrocolloid formulations for gluten-free products.

HN Discussion: Thread was mostly light-hearted, with commenters amused by the juxtaposition of neutron-scattering facilities and pasta. One commenter noted the use of D₂O (heavy water) in the scattering experiments and expressed irritation at the D₂O notation obscuring the deuterium chemistry.


Sleep research led to a new sleep apnea drug

Summary: University of Toronto researchers have developed a pharmacological treatment for obstructive sleep apnea, the result of decades of basic neuroscience on respiratory control circuits. The drug targets the hypoglossal motor neurons that keep upper-airway muscles toned during sleep, offering an alternative to CPAP machines that many patients abandon.

HN Discussion: Commenters shared extensive personal experience with CPAP — tips included heated humidifiers, saline sprays, and mask-fitting persistence. Several mentioned fixing posture and nasal breathing as non-device interventions that resolved their apnea. The thread underscored how widespread sleep apnea is and how many sufferers go undiagnosed.


History & Science

Blood Pumping Mechanism of the Hoof

Summary: Horse hooves contain a venous plexus that acts as a hydraulic pump: when weight compresses the plantar cushion against lateral cartilages, venous blood is forced up the leg toward the heart. Since the lower leg and hoof have no muscles to assist venous return, this mechanism is essential for circulation during standing and locomotion. One-way valves in the veins prevent backflow, making each step a discrete pumping cycle.

HN Discussion: Commenters drew parallels to the human calf-muscle venous pump that serves the same return function. One asked what happens when the horse is sleeping and not loading the hoof — the thread didn’t fully resolve this.


Comparing an LZ4 Decompressor on Four Legacy CPUs

Summary: Author benchmarks hand-written LZ4 decompression routines on four vintage CPUs — Z80, Intel 8080/8086, and 6502 — exploring how each architecture’s register set and memory model shapes the optimal decompression strategy. The Z80 implementation was most straightforward; the 6502’s limited registers required creative page-boundary tricks; the 8086 benefited from string instructions. Three LZ4 constraints (max 64KB history, no overlapping copy, full-block overshoot) let all implementations avoid expensive branch checks and run at full throughput.

HN Discussion: Sparse comments; one reader noted the key insight that the three LZ4 restrictions eliminate conditional branches via controlled overshooting.


1940 Air Terminal Museum Begins Liquidation

Summary: Houston’s 1940 Air Terminal Museum — housed in a landmark Art Deco municipal airport building — is liquidating its flight-simulator collection and other exhibits as it winds down operations. Items on offer include vintage simulators with TI minicomputer racks, 8-inch floppy drives, and manuals that require applying DeMorgan’s Theorem as part of test procedures.

HN Discussion: Local Houston residents expressed regret at never having visited; commenters questioned why the city’s deep-pocketed aviation and energy sectors couldn’t fund the museum. Hardware enthusiasts spotted a Texas Instruments 980-series minicomputer in one rack and debated its collectible value at the listed $20K price.


SpaceX launches Starship v3 rocket

Summary: SpaceX launched the Starship V3 prototype after a one-day scrub caused by ground water-system issues. The booster lost one engine during ascent and failed its boostback-burn relight, hitting the water harder than intended; the ship itself survived reentry with no visible heat-shield burn-through — a first — and landed on target despite a glowing engine bay. The flight demonstrated improvements in thermal protection and a near-final Starlink deployment mechanism.

HN Discussion: Commenters highlighted the clean reentry footage as a major milestone — previous flights always showed hot spots. Debate on whether the pace of progress supports a 2028 crewed lunar landing, with in-space refuelling and booster recovery still unproven. Praise for the guidance software that achieved an on-target landing despite engine anomalies.


What is the history of the ERROR_ARENA_TRASHED error code?

Summary: Raymond Chen traces Windows error code 7 (ERROR_ARENA_TRASHED) back to DOS’s memory-allocation arena — the linked list of memory blocks that DOS maintained in conventional memory. If a buggy program corrupted the arena’s linked-list pointers, DOS would return error 7 to signal that the heap metadata was destroyed and no further allocations were safe. The error survived into 16-bit Windows and eventually into the Win32 error table, long after the original DOS arena mechanism disappeared.

HN Discussion: No comments on this story; the article is a straightforward historical explainer from the Old New Thing blog.


AI & Tech Policy

New rule requires most green-card applicants to apply from outside U.S.

Summary: A new USCIS policy directive requires most green-card applicants to depart the U.S. and apply through consular processing abroad, ending the long-standing adjustment-of-status pathway for those already in the country on non-immigrant visas. The rule creates a practical dilemma: employment-based applicants must maintain U.S. jobs and valid visa status while living abroad during processing that can exceed a year.

HN Discussion: Commenters on H-1B and F-1 visas described the rule as unworkable — leaving the U.S. voids work authorization, yet the green-card process requires extended overseas stays. Several argued the added friction will drive skilled workers to other countries, weakening U.S. tech talent pipelines. The policy’s interaction with dual-intent visa categories like H-1B remains unclear.


TikTok disproportionately served anti-Democratic videos during the 2024 election

Summary: An NYU Abu Dhabi study published in Nature found TikTok’s recommendation algorithm exposed users to more conservative and anti-Democrat content than liberal material during the 2024 U.S. election, regardless of users’ stated political preferences. Researchers used bot accounts with controlled viewing histories and measured the ideological tilt of subsequently recommended videos. The study suggests algorithmic amplification — not just user self-selection — drives political content asymmetry on the platform.

HN Discussion: Commenters debated whether the imbalance reflects deliberate editorial control by TikTok’s owners or simply the algorithm optimising for engagement — emotionally charged conservative content may score higher on watch-time metrics. Others noted TikTok’s ownership structure — now involving Larry Ellison and Saudi investors — as relevant context.


Models.dev: open-source database of AI model specs, pricing, and capabilities

Summary: Models.dev is an open-source, community-contributed database consolidating AI model specifications, context windows, pricing, and capability metadata in one queryable resource. The project aims to replace scattered provider-specific docs with a single structured dataset that tools and developers can consume programmatically.

HN Discussion: Commenters pointed out the XKCD-standards irony — there are already dozens of similar projects (Helicone, pricepertoken.com, LiteLLM’s registry, OpenRouter’s API). Suggestions included tracking pricing changes over time and adding harness/framework compatibility data alongside model specs.


Web & Infrastructure

Stick – A primitive/fun interactive demo of a tiny rig to animate layout

Summary: An interactive browser demo (“Stick”) shows a stick figure built from CSS exclusion primitives that reassemble on every frame, with surrounding text reflowing around the animated pose. The rig is programmatically controllable — users can trigger wave animations, toggle visual overlays, and reset the figure — all using Layoutmaster’s exclusion-assembly model.

HN Discussion: Very sparse discussion; one commenter noted the technique of using exclusion assemblies as a programmable rig for layout animation.


Wi-Wi is wireless time sync at 1 nanosecond

Summary: Wi-Wi STAMP, developed by Japan’s NICT, uses 900 MHz two-way wireless interferometry to achieve picosecond-level phase sync and millimetre-level distance accuracy in a smartphone-sized device. Current prototypes deliver 20 ps jitter and roughly 30 ns time sync; the next generation targets sub-5 ns in real-world use, with range between 0.2–5 km depending on RF power. Demonstrated at NAB for wireless black-burst camera sync and real-time 20 Hz position tracking via triangulation.

HN Discussion: Commenters noted the headline’s “1 ns” claim is aspirational; current hardware is 30 ns with a roadmap to 5 ns. Discussion of privacy trade-offs versus GNSS: unlike GPS, Wi-Wi’s two-way protocol reveals position to the base station. Home-lab users expressed hope that commercialisation would bring PTP-level accuracy to affordable price points.


System Administration

Blog ran on Ubuntu 16.04 for 10 years. I migrated it to FreeBSD

Summary: After running his blog on an unpatched Ubuntu 16.04 VPS for a decade, the author migrated to FreeBSD on a cheaper Hetzner VM, documenting the full process. The write-up covers FreeBSD Jails with Bastille for service isolation, Caddy for TLS, and load-testing benchmarks comparing old and new stacks. The old DigitalOcean droplet had no package-security updates available since LTS ended years ago, making the migration overdue.

HN Discussion: Commenters shared similar stories of decade-long server neglect; one admitted their teenage-self’s setup was irrecoverable by the time the host retired the VM. Others discussed FreeBSD pain points: PM2 instability, rc.d logging difficulty, and manual firewall configuration. One commenter let an AI agent loose on a similar legacy migration and reported success.


Uv is fantastic, but its package management UX is a mess

Summary: The article praises uv’s speed and Python-version handling but criticises its maintenance-phase UX: there is no uv outdated equivalent, upgrade commands require memorising verbose flags like uv tree --outdated, and uv add omits upper bounds by default. Author compares the experience unfavourably with pnpm and Poetry, noting that routine tasks like checking for outdated packages or upgrading dependencies feel clunky despite uv’s excellent initial-setup flow.

HN Discussion: A uv maintainer responded that default add-bounds can be set in persistent config and explained that omitting upper bounds prevents ecosystem-wide resolution conflicts. Teams with large dependency trees (250+) shared their biweekly uv lock --upgrade CI workflow with AI-assisted PR review as a practical workaround. Mitsuhiko (Rye creator) defended the no-upper-bounds decision, noting Python’s dependency model doesn’t allow diverging resolutions like npm does.