Hacker News Morning Brief: 2026-05-25
George Hotz declares AI coding agents a costly mistake, Mozilla works around a silent Intel Raptor Lake CPU bug, and research overturns the aerodynamic dogma that smoother always means faster. Meanwhile, DeepSeek slashes already-low prices by 75%, Firefox finally ships Web Serial after five years of resistance, and a Spanish court backs NordVPN over LaLiga’s blocking demands. Here are 30 stories from the morning front page.
AI & Tech Policy
The Eternal Sloptember
Summary: George Hotz argues that AI coding agents are among the most costly mistakes in software history. After six months of using agents to write parts of tinygrad and reverse-engineer a USB-PCIe chip, he consistently found he could have done the work faster and better manually. The problem isn’t that agents produce obvious garbage — it’s that their increasing statistical accuracy makes bugs subtler and harder to catch, creating a front-loaded illusion of progress followed by an endless “slot machine lever” of polish attempts.
HN Discussion: Several commenters reframe AI as an evolution of search — a step up from Stack Overflow and GitHub rather than a replacement for programming skill. tptacek pushes back on Hotz’s AFL comparison, noting that AFL never found vulnerabilities alone and that modern targets are harder than the pre-AFL corpus. Others report a noticeable capability jump in agentic coding earlier this year, with peers now relying on it full-time.
Building Pi with Pi
Summary: Armin Ronacher (Flask creator) reflects on dogfooding Pi — Sentient’s coding agent — to develop Pi itself. The experience reveals how agent-driven development reshapes issue tracker dynamics: issue descriptions now serve double duty as both maintainer communications and agent prompts. A growing class of issues are “5% human and 95% clanker-generated” — vaguely plausible-sounding but fundamentally wrong reports that waste both agent and human time. Ronacher introduces “clanker” as his preferred term for AI agents, arguing that agency should be reserved for humans.
HN Discussion: The “clanker” coinage sparks semantic debate, with others pointing out that “agency” in standard English absolutely applies to machines acting autonomously. One commenter highlights the irony of instructing agents to independently verify issue analysis while humans themselves skip that step. The post earns a pithy summary: “Tool that hastens production of slop experiences downside of hastily-produced slop.”
Green card seekers must leave U.S. to apply, Trump administration says
Summary: The Trump administration issued guidance requiring green card applicants already in the US to leave the country and apply through consular processing abroad, effectively ending Adjustment of Status for many categories. A USCIS internal memo reinterprets existing law rather than passing new regulations, arguing the “ordinary consular process” was always the intended path. Combined with a simultaneous State Department pause on immigrant visa issuance for 75 countries, applicants from those nations face a de facto green card ban.
HN Discussion: Commenters link the USCIS memo and DOS visa pause, noting the combination blocks citizens of Afghanistan, Albania, Algeria, and 72 other countries entirely. A 2023 green card holder describes navigating citizenship timing amid constant policy shifts. One commenter reframes the restriction as a potential long-term benefit to Europe and Asia, repatriating talent that previously fueled American tech innovation.
Security & Privacy
Noroboto: Lying Fonts and Mitigation in Rust
Summary: Tritium’s “Noroboto” is a proof-of-concept attack font that maps Unicode code points to different glyphs than expected — rendering “Maryland” as “Delaware,” for instance — targeting legal-tech AI pipelines that process documents. The exploit leverages the complexity gap between font specifications, imperfect open-source implementations (Tesseract, PDFium, python-docx), and AI document-processing systems that trust rendered text at face value. A Rust-based mitigation tool inspects font files for glyph-to-codepoint mismatches, though ligatures and other substitution mechanisms may bypass the check.
HN Discussion: Multiple commenters argue the attack constitutes fraudulent misrepresentation in legal contexts, potentially nullifying any contract where such a font was used. Others suggest ligatures are a simpler and more effective attack vector, since they natively render character sequences as different glyphs. One commenter points out that LLMs can decode substitution ciphers trivially, and a judge would quickly notice documents where Ctrl+F doesn’t work.
Scammers are abusing an internal Microsoft account to send spam links
Summary: Scammers exploited a loophole allowing them to create new Microsoft accounts and send emails from an internal Microsoft address normally reserved for legitimate account alerts. The abuse persisted for months, with spam appearing to originate directly from Microsoft’s own infrastructure, making it extremely difficult for recipients to distinguish from genuine notifications. Microsoft acknowledged the issue but the exact mechanism remains unclear.
HN Discussion: Commenters criticize Microsoft’s chaotic domain portfolio — microsoftonline.com and dozens of others — making it impossible for users to know which domains are legitimate. A domain owner reports routinely receiving Microsoft and Google account notifications for addresses they never created. Microsoft Authenticator’s security is also questioned: one commenter receives push notifications for logins from random locations, yet the login history page shows nothing.
CBP Directive 3340-049B: Border Search of Electronic Devices
Summary: CBP Directive 3340-049B, issued January 2026, updates the agency’s policy on searching electronic devices at US borders. The directive states officers may not use passcodes to access remotely stored information, but includes broad national-security exceptions that effectively override most privacy protections. Basic searches can be conducted without suspicion; advanced searches (connecting to external equipment) require reasonable suspicion but are still administratively approved internally.
HN Discussion: International travelers report that the US now feels equivalent to China for device security — burner devices and full nuke-on-return are becoming standard practice. Commenters note the policy dates back to 2009 in earlier forms, but the 2026 update preserves broad national-security carve-outs. A key provision — passcodes cannot access only-remote information — is questioned as nearly meaningless when modern devices blur the line between local and remote data.
Spanish court declines to fine NordVPN over LaLiga piracy blocking order
Summary: A Spanish court refused to impose coercive fines on NordVPN for non-compliance with a February order requiring it to block pirate LaLiga football streams via IP address filtering. The court accepted that a genuine technical dispute exists over feasibility, and NordVPN argued the dynamic injunction would cause massive overblocking of legitimate services. Both NordVPN and ProtonVPN questioned the Córdoba court’s jurisdiction over companies incorporated outside the EU; the original order was granted without hearing from the defendants.
HN Discussion: A developer in Spain reports that indiscriminate IP blocking from LaLiga injunctions has made GitHub intermittently inaccessible without a VPN. Commenters note that blocking unrelated IPs violates EU common market regulations. Privacy advocates frame this as an early-stage battle for digital rights, warning that complacency will lead to broader VPN regulation.
Tech Tools & Projects
Show HN: Audiomass – a free, open-source multitrack audio editor for the web
Summary: Audiomass is a browser-based multitrack audio editor that runs entirely client-side with no installation or account required. It supports multiple audio formats including FLAC import, provides a waveform-based editing interface with effects processing, and is built with vanilla JavaScript using old-school patterns (closures, sequential var declarations). The tool is fully open-source.
HN Discussion: Commenters compare the UX favorably to Cool Edit Pro 2 before Adobe’s acquisition, praising its intuitive design. Multiple users request collaborative cloud features — track checkout, branching, and merging — for remote jamming sessions. The codebase’s old-school JavaScript style triggers nostalgia among experienced developers.
Migrating from Go to Rust
Summary: Matthias Endler’s migration guide focuses on backend services, where Go’s strengths (small static binaries, networking-focused standard library) overlap most with Rust’s target domain. The core tradeoff is correctness guarantees and runtime behavior versus developer ergonomics — not raw speed or type systems, which both languages already provide. The guide covers how Go patterns map to Rust idioms, including error handling and concurrency models.
HN Discussion: tptacek argues the real decision is simply managed runtime versus no runtime, criticizing a generation of Rust programmers for treating “managed runtime” as inherently bad. Several commenters flag dependency management as Rust’s biggest practical weakness compared to Go’s deliberately minimal dependency trees. One commenter identifies AI-writing tells in the article, citing repeated use of “genuine” as a qualifier.
C constructs that still don’t work in C++
Summary: Josh Lospinoso’s 2026 sequel to his 2019 survey catalogues C constructs that remain invalid or behave differently in C++, updated for C23 and C++20/23 changes. C++20 added designated initializers and repaired malloc/object-lifetime edge cases; C23 changed the empty-parameter-list rule where void f() meant different things in each language. The article emphasizes that “valid C” and “valid C++” are no longer precise enough — you must specify the language mode when discussing compatibility.
HN Discussion: Commenters add unmentioned incompatibilities: _Atomic(T) versus std::atomic<T>, _Noreturn versus [[noreturn]], and persistent differences in inline semantics. The restrict keyword is called out as the sharpest edge — a performance-critical C promise that C++ deliberately refuses to adopt. The author clarifies the focus is on philosophical divergence, not declaring one language superior.
Build Adafruit projects right from Firefox
Summary: Firefox 151 introduced Web Serial API support, enabling direct browser-to-hardware communication for Adafruit boards and other serial devices without desktop software. Chromium-based browsers have had Web Serial for five years; Firefox was the last holdout among major browsers, previously citing security concerns about raw device access. The Adafruit partnership page positions Firefox as a one-step path from idea to connected hardware project.
HN Discussion: Commenters dig up Mozilla’s 2020 position statement opposing Web USB, Web Bluetooth, and Web Serial as presenting “intractable” security risks — a stance they’ve now reversed. Educational robotics programs (FIRST, VEX) rely heavily on Web Serial for Chromebook-based coding, making Firefox support meaningful for mixed device fleets. The five-year implementation gap is noted as unusually long for a widely-adopted web API.
Getting an old Computer online with Android Ethernet tethering
Summary: A practical guide to connecting Windows 9x/XP-era computers to the internet using a USB-C Ethernet adapter plugged into an Android phone with Ethernet tethering enabled. Old machines typically have no WiFi or only WEP-capable adapters that can’t connect to modern WPA networks. The setup requires only a cheap USB-C Ethernet adapter and an Android phone — no downgrading WiFi security or setting up dedicated legacy networks.
HN Discussion: Commenters point out that plain USB tethering (no Ethernet adapter needed) also works, with the phone appearing as a network device and keeping itself charged. Old-timers recall the era of Ethernet crossover cables, noting that modern Auto MDI-X has eliminated that hassle. Alternative approaches include WiFi bridges using Raspberry Pis and running modern Linux on 2010-era hardware.
Defeating Git Rigour Fatigue with Jujutsu
Summary: The article addresses “Git rigour fatigue” — the exhaustion of maintaining clean, well-scoped commit histories when real development produces messy, overlapping changesets. Jujutsu’s jj absorb and jj squash -i help assign changes to the right commits, but absorb can misattribute based on file-touch recency rather than logical ownership. The author proposes a workflow using Jujutsu’s native change-creation model to iteratively build the idealized commit series.
HN Discussion: A Jujutsu contributor corrects the article: jj absorb matches based on actual diffs, not just which commit last touched the file. Skeptics argue Jujutsu’s branch management is still cumbersome for multi-developer repos. One commenter cuts through the debate: “I have finally embraced squashing PRs and realized I wasted my youth trying to write Good Commits.”
Time to talk about my writerdeck
Summary: Veronica converted a six-year-old System76 Galago Pro into a “writerdeck” — a dedicated writing device running console-only Debian with no desktop environment. The setup includes kmscon for TTY font rendering, tmux for status bar and tiling, neovim with vimwiki for a personal wiki, and syncthing for backup and sync. The goal is eliminating modern internet distractions to focus on writing.
HN Discussion: Commenters note the irony of “solving your attention problem” by spending a day customizing an OS from scratch — the setup itself becomes the distraction. Someone with ADHD recognizes the pattern of hyperfocusing on building the perfect system rather than actually writing. A simpler alternative: Ctrl+Alt+F3 drops into a TTY console on any Linux system, no custom setup required.
Sales and Dungeons: Thermal printer TTRPG utility
Summary: Sales & Dungeons turns thermal receipt printers into TTRPG companion devices, printing handouts, magic item cards, spells, and quick-reference sheets during tabletop sessions. The app supports random generators (names, items, encounters, dungeons), session grids for organizing prints, and LLM integration for auto-generating or translating content. It runs on all major OS including Raspberry Pi, with network-share features letting players trigger prints from their phones.
HN Discussion: The thermal paper health debate dominates: BPA-free paper typically substitutes BPS, which studies show is equally harmful to the endocrine system. One commenter pushes back, noting cashiers handle thermal paper eight hours daily without the same concern. The project creator shows up in the thread, pleased by the influx of GitHub stars.
Hengefinder: Finding when the sun aligns with your street
Summary: Hengefinder generalizes Manhattanhenge to any location: it computes when the sunset aligns with a given street’s bearing by matching solar azimuth to road angle. Built at the Recurse Center, the tool uses Python’s Astral library (based on Jean Meeus’s astronomical algorithms) with 0.01 arc degree accuracy. The web app lets users enter any street and find the exact dates of solar alignment, with a companion mobile app built by a fellow Recurser.
HN Discussion: Commenters recommend The Photographer’s Ephemeris and NASA’s Horizons ephemeris as alternative tools for planning solar-alignment photography. One user wants the inverse problem solved: an app predicting sun exposure and building shadows for routing walks through shade. The Astral library’s use of Meeus’s equations is praised, with the caveat that they ignore gravitational perturbations from other planets.
My I3-Emacs Integration
Summary: The author unifies keybindings between i3 (tiling window manager) and Emacs, solving the conflict where both systems claim the same navigation shortcuts for different purposes. An initial approach using xdotool and emacsclient proved too slow — 30-100ms script latency plus unexplained additional lag. The final solution uses a shared keybinding layer that routes commands to the right system based on context, avoiding EXWM’s limitations with graphical applications like Steam.
HN Discussion: Commenters note this is a classic tension: Emacs introduced many users to tiling-window-manager concepts before they ever used one, creating inevitable binding collisions. An alternative project, ewm (Emacs Window Manager), is recommended for unified window management. One commenter dreams of building a Guile-based Emacs successor with modern bindings, built-in concurrency, and graphics from the ground up.
History & Science
A fundamental principle of aeronautical engineering has been overturned
Summary: Research overturns the long-held assumption that smoother surfaces always produce less aerodynamic drag on airfoils. Micro-roughness on wing surfaces — similar to golf ball dimples — can actually reduce drag in the laminar-to-turbulent transition zone by altering boundary layer behavior. The application method is reportedly as simple as sandblasting, suggesting a potentially cheap retrofit for existing aircraft to improve fuel efficiency.
HN Discussion: Competitive sailors note that underwater surfaces have long benefited from fine-grit sanding for laminar flow, making it surprising that aerospace took this long to apply the same principle. Commenters question the net improvement figures, noting claimed percentages may only apply in the narrow transition zone. Multiple people express frustration that the Wired paywall obscures the actual quantitative results.
Microsoft open-sources “the earliest DOS source code discovered to date”
Summary: Microsoft released the earliest known DOS source code — pre-acquisition 86-DOS — originally written by Tim Paterson at Seattle Computer Products before Microsoft purchased it for the IBM PC deal. The code was so old it only existed on paper printouts; a “DOS Disassembly Group” led by historians transcribed it using OCR, struggling with modern OCR’s poor handling of dot-matrix printouts. The release includes the assembly source, documentation, and development notes.
HN Discussion: Commenters express nostalgia for an era when a few thousand lines of assembly was enough to launch a dominant software company. Microsoft’s contemporaneous BASIC code — which is what Gates and Allen actually cared about — is also noted as open-sourced. The OCR transcription effort from physical printouts draws admiration, with details about the dot-matrix formatting challenges.
LAN-LOK: The Antarctic DOS Sabotage Game Lost for 34 Years
Summary: AlphaPixel documents the recovery and reconstruction of LAN-LOK, a DOS-era sabotage game set in an Antarctic research station that was lost for 34 years. The game featured a nemesis called “Evil Al” (not AI — the font makes it ambiguous) and was developed for local networks at Antarctic research stations in the early 1990s. The reconstruction involved digging through legacy code and storage media, using the same processes AlphaPixel applies to commercial recovery projects.
HN Discussion: Commenters call out the article as AI-generated slop — repetitive and padded — while still finding the underlying subject matter genuinely interesting. The “Evil Al” versus “Evil AI” ambiguity in the game’s font is flagged by multiple readers. A playable browser version is available on the Internet Archive for those who want to skip directly to the game.
Alexander Grothendieck Revolutionized 20th-Century Mathematics
Summary: Quanta Magazine profiles Alexander Grothendieck, whose reconstruction of algebraic geometry in the 1950s-60s created the mathematical foundations still used today across number theory and geometry. The article focuses on his actual mathematical contributions — schemes, topoi, and motivic theory — rather than his later eccentric reclusive life. Grothendieck’s approach was famously abstract: he thought in terms of general structures rather than specific examples, embodied in the anecdote where he considered 57 a prime number.
HN Discussion: Commenters share the famous “Grothendieck prime” story from an AMS obituary. William Stein (SageMath creator) shares his archive of scanned Grothendieck manuscripts, and another commenter provides LLM-translated English versions of EGA and SGA from French. An unexpected link surfaces: Grothendieck’s opinions on kimchi, from his later writings while living in the French Pyrenees.
Academic & Research
Scientists solve 200-year-old puzzle of how tobacco plants make nicotine
Summary: University of York researchers identified the complete biosynthetic pathway for nicotine production in tobacco plants, solving a question that has stood for two centuries. The discovery of the missing enzyme and gene cluster opens the door to engineering nicotine production (or suppression) in other solanaceous plants like tomatoes. The original paper is published in Nature Communications with details on the specific enzyme reactions involved.
HN Discussion: Commenters immediately invoke The Simpsons’ “Tomacco” episode as a now-plausible scenario. One commenter notes nicotine’s potential medical applications, including its ability to displace viral debris from nicotinic acetylcholine receptors — relevant to long Covid treatment. The original Nature Communications paper is recommended over the university press release for readers wanting the actual biochemical mechanism.
Don’t know where your data is from? Bayesian modeling for unknown coordinates
Summary: Christopher Krapu demonstrates Bayesian spatial modeling using PyMC for cases where observation locations are uncertain — a common problem in mineral exploration and geostatistics. The tutorial uses uranium and vanadium concentration data from Walker Lake (Isaaks and Srivastava’s dataset) to show how Gaussian processes can predict values at unknown coordinates. The approach treats uncertain spatial coordinates as latent variables, allowing joint inference over both location and the variable of interest.
HN Discussion: A commenter links to Krapu’s earlier post on thermodynamic scaling and carbon sequestration, suggesting a through-line of applying Bayesian methods to physically-motivated problems. The technical density of the material limits broader discussion.
Web & Infrastructure
White Rabbit – sub-nanosecond synchronization for large distributed systems
Summary: White Rabbit is a CERN-developed protocol providing sub-nanosecond clock synchronization across distributed systems up to 10 km apart, built on gigabit Ethernet physical layer. Unlike standard Ethernet where each NIC runs its own clock, White Rabbit synchronizes all physical layers at Layer 1 so every link shares a common time reference. The technology is open hardware (hosted on OHWR) and was originally designed for CERN’s accelerator complex timing requirements.
HN Discussion: Commenters note that achieving sub-nanosecond sync over 10 km fiber (33 light-microseconds of propagation) requires sophisticated compensation for asymmetric link delays. The project’s hiring links are seen as subtly aspirational — CERN recruiting for deep timing and sync engineering. One commenter flags the absence from GitHub, noting the project lives on CERN’s own GitLab instance.
Using HTTP/2 Cleartext for a server in Go 1.24
Summary: Go 1.24 simplified HTTP/2 cleartext (h2c) configuration to stdlib-only, removing the previous dependency on golang.org/x/net/http2/h2c. The practical use case is Google Cloud Run, which terminates TLS at the frontend but cannot propagate client disconnects to backends over HTTP/1.1 — a problem for long-lived SSE streams with 15-minute lifetimes. HTTP/2 with Prior Knowledge allows Cloud Run to forward traffic as h2c, enabling proper disconnect detection.
HN Discussion: An rclone maintainer shares they migrated for the same reason: the old x/net h2c package was both deprecated and had a security vulnerability flagged by govulncheck. AWS ALB is noted as not supporting h2c — it blindly forwards the upgrade header and fails on the response, creating a trap for multi-cloud setups. Several commenters argue HTTP/1.1 still outperforms HTTP/2 in high-throughput distributed systems.
Business & Industry
Memory has grown to nearly two-thirds of AI chip component costs
Summary: Epoch AI data shows memory (HBM and DRAM) now accounts for roughly 63% of AI chip component costs, a dramatic shift driven by massive demand for high-bandwidth memory in training and inference. The cost share has risen sharply as AI models require exponentially more memory bandwidth, making HBM the bottleneck commodity rather than compute silicon. The analysis suggests the AI hardware cost curve could see a roughly 3x reduction simply from DRAM supply catching up with demand, without any technical breakthrough.
HN Discussion: Commenters report real-world RAM price inflation — 96GB that cost $250 two years ago now costs $1,200, with consumers delaying upgrades entirely. RAM capacity grows at 20-25% per year, which multiple people argue is grossly insufficient given AI demand growth. Some users refuse to upgrade from DDR4 systems until prices normalize, creating a downstream drag on CPU and GPU sales.
Why is Vivado 2026.1 dropping Linux support for free tier?
Summary: AMD’s Vivado 2026.1 is removing Linux support from the free (Basic) tier of its FPGA development tools, while keeping Windows support — a move with no clear technical justification. The decision directly affects students, hobbyists, and open-source developers who rely on Linux for FPGA development and cannot justify paid license costs. AMD’s official responses in the support forum have been criticized for addressing tangential questions rather than explaining the reasoning.
HN Discussion: Long-time Xilinx customers report that the AMD acquisition has made licensing progressively worse — even large spenders face bureaucratic hurdles for CI machines and new team members. Lattice is recommended as the alternative: their tools are free for all basic chips, with paid licenses only for higher-end SerDes SKUs. Veteran FPGA engineers note that Xilinx’s strong hobbyist community was a key competitive advantage over Altera, and restricting the free tier risks eroding that ecosystem.
DeepSeek makes the V4 Pro price discount permanent
Summary: DeepSeek permanently cut V4 Pro pricing by 75%, bringing input tokens (cache hit) to $0.003625/M and cache-miss input to $0.435/M — a fraction of US competitor rates. V4 Flash remains even cheaper at $0.14/M input tokens (cache miss), and both models support 1M context length with up to 384K output tokens. The models are open-source and self-hostable, though even the Flash variant’s hardware requirements stretch the definition of “local” for individual users.
HN Discussion: Commenters frame this as a direct challenge: just as US providers raise prices on mini models, DeepSeek slashes already-low prices by 75%. China’s power infrastructure buildout is cited as the structural advantage — one commenter argues token serving will simply be absolutely cheaper in China regardless of subsidies. Users report high KV cache-hit ratios with V4 Pro on coding tasks, making the effective price even lower.
System Administration
Bug 1950764: Work Around Crash on Intel Raptor Lake CPU
Summary: Mozilla engineers discovered a CPU errata on Intel Raptor Lake processors where the movb %ch, [mem] instruction pattern (storing from a high-byte register alias) causes silent 2-byte stores that corrupt adjacent memory. The bug manifested in Firefox’s Huffman decoding code and was tracked to LLVM emitting the problematic instruction when a wide register value needs to store a single byte. Mozilla’s workaround consolidates two single-byte stores into one 2-byte store, but no official Intel errata or microcode fix has been published.
HN Discussion: The same instruction pattern was independently found causing corruption in Oodle 2.9.14’s Huffman coding, detailed in a Fabian Giesen blog post. Commenters express concern that Intel has not been responsive and no official errata exists, meaning the bug may silently affect other LLVM-compiled software. Multiple people call for a compiler-level fix rather than per-application workarounds.
Other
Book Review: On the Calculation of Volume
Summary: Stephen Diehl reviews Solvej Balle’s planned septology about a Danish antiquarian book dealer, Tara Selter, who wakes up to the same November 18th every day — a time-loop premise executed with literary depth across five published volumes. Diehl calls it one of the most original literary projects in years, distinguishing it from Groundhog Day-style treatments by its intimate, philosophical exploration of accumulated experience within repetition. The review covers all five volumes read over a week.
HN Discussion: Readers debate the mechanics of the time loop — specifically how the protagonist can relocate if the day resets, questioning hotel check-in logistics. One commenter notes that LLMs can now summarize books adequately, so they look to human reviewers for unique personal insights rather than plot recap. Recommendations flow for similar time-loop fiction, including the web novel “The Years of Apocalypse.”