Hacker News Morning Brief: 2026-05-26
A curated sweep of Monday’s Hacker News front page: AI coding workflows that prioritise quality over speed, a kernel vulnerability found by Claude, California backing away from OS-level age verification, and Mullvad patching VPN exit fingerprinting. Plus Ferrari’s divisive first EV, sovereign Norwegian LLMs, smart home disillusionment, and the enduring power of taking a walk.
AI & Tech Policy
Using AI to write better code more slowly
Summary: Nolan Lawson pushes back on the assumption that LLM coding tools are only good for spraying out low-quality code at high speed. He describes a workflow where multiple models—Claude for implementation, Codex for independent review—systematically scan pull requests for bugs before a developer validates, documents, and refines. Lawson argues that agents like Mythos are particularly effective at finding bugs in unscrutinised codebases, and that slowing down to use AI as a deliberate thinking partner produces better outcomes than treating it as a slop cannon.
HN Discussion: Several commenters describe their own lengthy back-and-forth review loops, sometimes spending more time than hand-writing code. Others share multi-agent pipelines where different models play distinct roles—implementation, review, and critique. Some push back on Lawson’s strawman, noting most developers don’t intentionally produce bad code with AI; the low quality emerges anyway. Cloudflare’s code review stack is cited as evidence that AI review can augment thinking rather than deskill workers.
Norway’s 2 petabytes of Huawei flash storage and LLM training
Summary: Norway’s National Library is building a sovereign Norwegian-language LLM using 2 PB of Huawei OceanStor Dorado flash storage in its training pipeline. The library argues that no commercial LLM provider is developing models with sufficient Norwegian cultural, historical, and news context from local-language sources. Norway’s Ministry of Culture tasked the library with this sovereign AI initiative to preserve national digital autonomy in an English-dominated LLM landscape.
HN Discussion: Commenters debate whether major LLM providers already train on all available languages, questioning whether the linguistic disadvantage premise holds. Others clarify the real motivation is sovereign AI—the ability to build and serve models independently—rather than competing with OpenAI or Anthropic. A Norwegian user praises the National Library’s existing text search interface as genuinely excellent for historical research.
California moves to exempt Linux from its age-verification law after backlash
Summary: California is amending its age-verification law to exempt Linux and most open-source operating systems after significant backlash over the original bill’s requirement that operating systems collect users’ ages. The amendment, proposed by the same lawmaker who wrote the original legislation, reflects the broad unintended scope of the first draft, which would have forced OS-level age verification and raised serious concerns about privacy and open-source viability.
HN Discussion: Commenters argue the legislation shifts regulatory burden onto consumers because institutions have lost the capacity to hold platforms directly accountable. Questions are raised about who actually drafts California Internet legislation and whether tech companies were consulted. Some suggest the solution should be a simple browser-level parental control check rather than OS-level mandates.
Security & Privacy
How Shamir’s Secret Sharing Works
Summary: Ente publishes an accessible explainer on Shamir’s Secret Sharing, a cryptographic scheme that splits a secret into shares distributed among participants, where a threshold number can reconstruct it using polynomial interpolation over finite fields. Any k points uniquely determine a degree k−1 polynomial, making the scheme information-theoretically secure. Ente provides a live implementation at 2of3.ente.com for hands-on experimentation.
HN Discussion: Commenters note the technique is teachable at secondary-school level as a compelling application of polynomials. Discussion covers practical variants: encrypting the payload and distributing only key shares versus using Reed-Solomon encoding with an all-or-nothing transform. A question is raised about whether DNS root key holders use Shamir’s scheme or rely on physical safe-based backups.
Exit IP VPN servers mitigation rollout
Summary: Mullvad VPN is rolling out a mitigation across 13 exit servers in Australia, Canada, Germany, Finland, France, Ireland, Norway, Sweden, and the US to address a recently discovered exit IP fingerprinting technique that can de-anonymise traffic despite VPN use. The mitigation follows a prior blog post detailing the vulnerability. The affected servers span Mullvad’s major geographic coverage areas.
HN Discussion: Commenters praise Mullvad’s rapid response, contrasting it with larger tech companies that move slowly on privacy issues. Using Mullvad Browser with built-in proxies is suggested as an alternative, since it avoids WireGuard and offers per-site IP rotation. One commenter advocates standardising browser fingerprinting profiles across all users rather than spoofing random data.
CVE-2026-28952: Apple macOS 26.5 Kernel Vuln found by Claude
Summary: Apple patched CVE-2026-28952 in macOS Tahoe 26.5, a kernel vulnerability discovered by Anthropic’s Claude AI model. The vulnerability affects multiple Apple OS releases including iOS 18.7.9, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, and macOS Tahoe 26.5. This marks one of the first publicly credited cases of an LLM finding a real-world kernel vulnerability in a major commercial operating system.
HN Discussion: A security researcher clarifies this bug is unrelated to their separate MIE kernel memory corruption attack, which remains unpatched. Google’s Chrome security effort is compared favourably—225 of 302 recent vulnerabilities found internally—while Apple’s internal research transparency is questioned. Frustration surfaces over Apple’s update process: a 64GB iPhone needs 13.2 GB free to install iOS 26.5, tying critical security patches to massive storage requirements.
Microsoft Copilot Cowork Exfiltrates Files
Summary: PromptArmor reports that Microsoft Copilot’s Cowork feature can be exploited via prompt injection to exfiltrate files from a user’s environment. The attack uses a minimal malicious Copilot skill—just five lines—that instructs the agent to read and send files to an external endpoint. The vulnerability stems from Copilot’s agent architecture executing skills with broad file access privileges without sufficient sandboxing.
HN Discussion: Some argue this is “works as expected”—giving an LLM agent arbitrary skill execution is inherently equivalent to piping untrusted input to a shell. Critics target enterprises that rushed Copilot integrations to appear “AI native” without evaluating security implications. Discussion references OpenAI’s Atlas browser-hardening approach as a potentially better security model for agent architectures.
Motorola phones have started hijacking the Amazon app to insert affiliate codes
Summary: Motorola phones are intercepting the Amazon Shopping app at the OS level to inject affiliate codes into purchases, even on the $1,900 Razr Fold. The behaviour parallels the Honey browser extension scandal, where PayPal-owned Honey replaced creators’ affiliate links with its own. 9to5Google reports this happens through system-level software rather than a separate app, making it difficult for users to detect or disable.
HN Discussion: Commenters immediately link the behaviour to Motorola’s Chinese ownership under Lenovo, saying such tactics are common from Chinese brands. At least one user abandons plans to buy a Motorola device for GrapheneOS because of the practice. A contrarian suggests that if Amazon—a company critics view as anti-worker—is being fleeced, it is hard to feel sympathetic.
Yoti age checks share facial photos and device fingerprints with third parties
Summary: Georgia Tech cybersecurity research reveals that Yoti, one of the world’s leading age verification providers, collects and shares facial photos and device fingerprints with third parties through its real-time API architecture. The study also finds that most websites requiring age verification don’t consistently enforce the policy. Zero-knowledge proof alternatives exist that can verify age without exposing personal data, but adoption is lagging.
HN Discussion: The study’s third-party data broker list is extensive, with the real-time API creating per-query links between user events and every broker in the chain. Commenters draw parallels to government accountability: politicians who mandate age verification but tolerate corrupt enforcement become part of the problem. Frustration is expressed that most people have adopted a fatalistic “they already have my data” attitude.
Business & Industry
Ferrari Luce
Summary: Ferrari has unveiled the Luce, its first fully electric four-door, five-seat grand tourer, designed in collaboration with Sir Jony Ive and Marc Newson at LoveFrom. The car features all-wheel drive, Ferrari-engineered electric motors, and a Torque Shift Engagement system offering five power levels and five regenerative braking levels via steering wheel paddles. Ferrari claims it is the most spacious and versatile car they have ever produced without compromising performance.
HN Discussion: The exterior design receives overwhelmingly negative feedback, called an “amorphous blob” indistinguishable from other EVs—critics expected far more from Ive. Disappointment centres on Ferrari’s own Chief Design Officer Flavio Manzoni being passed over for someone who has never designed a car. The interior and paddle-based Torque Shift system receive some praise, but the consensus is the exterior fails to evoke Ferrari’s heritage.
Toshifumi Suzuki, founder of Seven-Eleven Japan, has died
Summary: Toshifumi Suzuki, who transformed Japanese retail by building Seven-Eleven Japan into a world-class convenience store operation, has died. Suzuki revolutionised Japan’s previously inefficient retail sector through data-driven inventory management and franchise logistics. Under his leadership, Ito-Yokado eventually acquired the American 7-Eleven parent company—a remarkable reversal of the original licensing direction that brought the concept to Japan.
HN Discussion: Commenters share personal experiences of Japanese 7-Eleven as a genuinely pleasant daily routine—good coffee, egg sandwiches, and Muji co-branded items. Observation that Japanese and Taiwanese convenience stores serve as safe community spaces where even schoolchildren gather is contrasted with US locations. The corporate history reversal—7-Eleven originated in Dallas, Texas, before Japan acquired the parent company—is noted as remarkable.
Waymo suspends all freeway rides over safety issues
Summary: Waymo has paused all freeway service across the US while it updates software to better navigate construction zones at highway speeds. The suspension follows a separate recall of thousands of vehicles that drove into flooded roadways they couldn’t traverse. Before the pause, freeway rides were available in San Francisco, Los Angeles, Phoenix, and Austin.
HN Discussion: A rider recounts a Waymo jumping across solid white lines during a lane closure near a highway merge because it was programmed to always seek the right lane. Others report erratic driving and being dropped blocks away from their destination. Recent incidents involving flooded roads further undermine trust in the service at high speeds.
Tech Tools & Projects
Earthion: A New Mega Drive-Style Shoot-Em-Up
Summary: Earthion is a newly released shoot-em-up game styled after Sega Mega Drive and Genesis aesthetics and gameplay. The project targets retro gaming enthusiasts with authentic 16-bit-era visual design and side-scrolling shooter mechanics.
HN Discussion: Discussion had not yet developed at the time of collection.
Show HN: Write your BPF programs in Go, not C
Summary: gobee transpiles a subset of Go to BPF C and generates typed cilium/ebpf Go bindings, enabling developers to write eBPF programs in Go rather than C. Since the Go compiler lacks an LLVM-based BPF backend, gobee emits C and reuses clang’s BPF backend for mature codegen, BTF, and CO-RE relocations. The tool targets Go developers already working with cilium/ebpf user-space code who want a single-language workflow.
HN Discussion: Skeptics argue that eBPF inherently involves C kernel interfaces, restricted control flow, and no goroutines—Go’s core advantages don’t transfer to the BPF context. TinyGo is suggested as an alternative path since it uses LLVM and could theoretically target BPF directly. Several commenters argue Rust via Aya is a more natural fit for eBPF than Go, given Rust’s LLVM foundation.
Performance of Rust Language [pdf]
Summary: A slide deck analysing Rust’s runtime performance compared to C and C++, covering bounds checking, memory model constraints, and compiler optimisation gaps. The key finding is that Rust is roughly as performant as C, but modern C++ can be notably faster due to superior compile-time expressiveness and template metaprogramming. Specific optimisation losses from Rust’s bounds checking are identified, with discussion of whether hoisted or delayed checks could recover performance.
HN Discussion: The consensus estimate is that Rust sacrifices roughly 3% average performance versus C++ for memory safety, with worst-case paths around 15%. Rust’s lack of stable internal IR contracts makes it difficult to preserve high-level semantics through optimisation passes. The prospect of proof-based bounds-check elimination is discussed but deemed unlikely in the near term given the language’s existing complexity.
Show HN: OpenBrief – Local-first video downloader/summarizer
Summary: OpenBrief is an open-source, local-first tool that downloads videos and generates AI-powered summaries without sending data to cloud services. It combines yt-dlp for video extraction with local transcription and summarisation, keeping everything on the user’s machine. The project is designed for researchers and learners who want to extract key information from video content without watching it in full.
HN Discussion: A commenter shares their own similar project (tldw_server) that has grown beyond its original purpose of summarising conference talks. Concerns are raised about yt-dlp’s declining reliability as Google appears to be cracking down on video extraction. The question of whether YouTube’s built-in transcripts make local transcription redundant is debated, though auto-generated transcripts vary significantly in quality.
A Comma and a Question Mark
Summary: The author built a roughly 100-line zsh integration that uses a locally running Qwen3.6 27B model via llama.cpp as a terminal assistant. Typing a comma followed by plain English returns a list of suggested commands with one-line explanations; a question mark triggers a conversational answer. The setup uses JSON Schema for structured outputs and grammar tricks to constrain model responses to valid command prefixes. The author notes the total hardware cost was $7,000 for an M5 Max MacBook Pro with 128GB unified memory.
HN Discussion: Confusion over whether the $7k refers to hardware or token costs—it means the MacBook, prompting debate on whether “local-first” is undermined by expensive hardware requirements. Requests to share the script publicly, with suggestions to use the Pi /share command. A commenter argues the tool should teach users commands rather than just suggesting them, to build lasting terminal knowledge.
Web & Infrastructure
Hacker News front page as a site
Summary: The Front Page presents the Hacker News front page as a newspaper-style editorial site with AI-generated story summaries. Each story receives a multi-paragraph summary capturing key arguments with attribution to original sources, compiled into a daily volume with visual hierarchy. The site launched as a more readable alternative to the traditional HN list view.
HN Discussion: Readers praise the summaries for surfacing stories they’d otherwise skip, but criticise the masonry-style layout as more artistic than practical—crucial information scattered chaotically. The AI-generated self-description failed to capture its own identity as an HN content aggregator. Suggestions include adding period-appropriate filler content like 19th-century quack medical advertisements for visual authenticity.
Why the Smart Home Bubble Popped
Summary: A Hackaday analysis traces the smart home’s collapse over the past decade: abandoned IoT devices, forced subscriptions, injected advertisements, privacy violations, and an increasingly congested 2.4 GHz spectrum shared by WiFi, Zigbee, and Bluetooth. The article contrasts the reliable 1975 X10 protocol era with the fragmented IoT explosion of the 2010s, where each manufacturer demanded its own app, cloud service, and ecosystem.
HN Discussion: Commenters blame manufacturer arrogance: 20 apps for 20 devices with no interoperability, driving consumers to opt out entirely. A Home Assistant user argues most home automation is unnecessary—only heating control and energy optimisation justify the complexity. The pragmatic view: the smart home is actually here, but as a thousand separate small solutions (cat feeder, Roomba, automated blinds), not a single unified platform.
Does Anybody Actually Like React?
Summary: jsx.lol curates a cherry-picked collection of React criticisms, including CVE-2025-55182 (a CVSS 10.0 remote code execution vulnerability in React Server Components), hydration overhead, and JS-heavy performance degradation over time. Specific technical complaints include SSR hydration costs, the React Compiler failing to address fundamental re-rendering issues, and the useMemo semantics controversy.
HN Discussion: A veteran JS developer offers the Churchill defence: “React is the worst framework except all the others we’ve tried”—preferring it over Angular 1, Backbone, and jQuery soup. HTMX/Hotwire advocates share frustration that even basic browser back-button logic required spreading code across HTML, controllers, and JavaScript. A hooks enthusiast misses Angular 1’s explicit watch expressions, arguing React makes performant code harder to write.
History & Science
Taking a walk may lead to more creativity than sitting, study finds (2014)
Summary: A 2014 APA study found that walking—whether indoors on a treadmill or outdoors—significantly increased creative output compared to sitting. Participants produced more novel and appropriate analogies during and shortly after walking. The effect persisted even when walking indoors, suggesting the act of walking itself rather than environmental stimulation drives the creative benefit.
HN Discussion: Commenters share personal routines of 30-60 minute daily walks during COVID that boosted problem-solving and well-being. Walking, showering, and sleeping are cited as effective “incubation” activities—provided no podcasts or distractions interfere with the brain’s background processing. Shigeru Miyamoto’s Star Fox inspiration from walking through shrine archways is referenced as a concrete example of environmental input sparking creative ideas.
Squares in Squares
Summary: David Ellsworth’s interactive resource compiles the best-known packings of n unit squares into the smallest possible enclosing square. The site features SVG visualisations with an edit mode allowing users to drag, rotate, and delete squares to explore packing arrangements. It covers n up to 324 with both tilted and trivial packings, including polynomial root forms for optimal side lengths where closed-form expressions don’t exist.
HN Discussion: The triangular table view draws comparisons to the periodic table, with speculation about number-theoretic families governing optimal packing strategies. The case n=11 is called out as the smallest where optimality remains unproven—offered as an open challenge. The packing for n=130 is singled out as surprising: it looks like a simple 2-wide strip but actually requires an 8th-degree polynomial solution.
A successful Japanese trial of a ramjet engine designed for Mach‑5 aircraft
Summary: JAXA, working with Waseda University, the University of Tokyo, and Keio University, has completed a successful ground combustion trial of a ramjet engine designed for Mach-5 hypersonic flight. The engine is intended for aircraft that could fly from Tokyo to Los Angeles in under two hours at roughly 6,000 km/h. This is a ground test milestone; ramjets require the aircraft to already be travelling at supersonic speeds before the engine can sustain combustion.
HN Discussion: A practical question is raised about how the aircraft reaches Mach 5 for the ramjet to engage—likely requiring a solid-fuel rocket booster that detaches after acceleration. Childhood nostalgia for ramjets surfaces through Knight Rider and SR-71 Blackbird references. A frequent transatlantic traveller expresses enthusiasm for the technology’s potential to cut long-haul flight times.
Designing for and against the manufactured normalcy field (2012)
Summary: Venkatesh Rao’s “Manufactured Normalcy Field” concept explains how people adopt new technology by forcing it into a familiar mental framework, changing behaviour the minimum amount necessary. Greg Borenstein’s 2012 post recounts a FOO Camp session with Matt Webb exploring how designers can work with or against this normalcy field. The Field operates through stories and metaphors that map strange experiences back to the known, and through incremental behavioural adjustments that absorb novelty.
HN Discussion: Commenters connect the concept to creative shorthand like film pitch formulas—“It’s Heat but set in high finance.” Comparison to the Overton Window is made as a parallel framework for shifting what is considered acceptable or normal. The Strange Planet webcomic is cited as an example of reversing the process—making mundane things feel strange and alien.
The Lottery – Shirley Jackson (1948)
Summary: Shirley Jackson’s 1948 New Yorker short story depicts a small-town ritual where a randomly selected resident is stoned to death by their neighbours. The story generated more mail to The New Yorker than any other piece of fiction at the time, with many readers cancelling subscriptions in outrage. Jackson’s spare, matter-of-fact prose deliberately mirrors the banality of the ritual, making the horror more unsettling.
HN Discussion: Readers recall being scarred by the story as teenagers, with one noting it no longer hits as hard but still raises unsettling questions. It is identified as the antecedent to The Running Man and The Hunger Games in the tradition of ritualised-violence fiction. The most praised aspect is how everyone acts completely normal—no villains or speeches, just people treating horror as routine.
Academic & Research
Dehydration’s role in learning and memory
Summary: Cold Spring Harbor Laboratory research explores how dehydration directly impairs learning and memory formation at the neurological level. The study examines the physiological mechanisms linking fluid balance to cognitive function and neural plasticity. Findings suggest even mild dehydration may have measurable effects on cognitive performance and memory consolidation.
HN Discussion: A commenter observes that modern children all carry water bottles constantly, contrasting with their own childhood when this was not the norm. Brief discussion follows on whether previous generations were chronically dehydrated without realising it.
Jensen–Shannon Divergence
Summary: The Jensen–Shannon Divergence measures similarity between two probability distributions, based on the Kullback–Leibler divergence but symmetric and always finite. JSD is the square of a metric, making it suitable for clustering and nearest-neighbour search in probability distribution space. Applications span machine learning, bioinformatics, and physics wherever distributional distance comparison is required.
HN Discussion: An ML researcher connects JSD to a fundamental generative modelling issue: standard pre-training uses forward KL divergence, causing mode-covering behaviour that produces lower-quality samples. A physicist describes using symmetric KL divergence with photon-number-resolving detectors and Gaussian mixture models for cluster analysis during their PhD. At least one commenter admits they clicked expecting news about Jensen Huang’s divorce.
Mathematical Patterns in African American HAIRSTYLEs
Summary: Gloria Gilmer’s ethnomathematics research examines geometric patterns embedded in African American hair braiding and weaving as mathematical structures. The work identifies tessellating hexagons, fractal patterns, and symmetry groups in scalp designs formed by parting and braiding techniques. Gilmer argues these cultural practices provide an accessible entry point for teaching mathematical concepts through familiar community knowledge.
HN Discussion: The thread had not yet developed discussion at the time of collection.
System Administration
Nobody cracks open a programming book anymore
Summary: Computer book sales fell 16.9% year-over-year through the first nine months of 2023, and bookstore programming sections have shrunk or vanished entirely. The essay laments the disappearance of the O’Reilly animal-cover era—thick $50 volumes that were once the primary way to learn a new technology. The author argues the shift to online resources has removed editorial gatekeeping that once ensured programming books were accurate and comprehensive.
HN Discussion: An O’Reilly “Learning Go” author shares concrete sales data: 124–484 paperback copies per month over 13 months, noting sales fluctuate but remain viable. One argument holds that the decline of books removed a constraint on language complexity—Java once needed six volumes, and C++ bloated beyond comprehension. Counter-examples from Rust learners show “The Rust Book” and “Rust for Rustaceans” are still essential for understanding idioms beyond what online tutorials provide.
Other
Everyone Against Us (2023)
Summary: Allen Goodman’s book adaptation in Chicago Magazine recounts his years as a Cook County public defender from 1996 to 2004, describing a system stacked against both the accused and their attorneys. Specific injustices include month-long waits before meeting clients, police fabricating “plain view” claims to bypass warrant requirements, and cash bail used as coercive leverage. Cook County Jail is cited as the largest single-site jail in the US, with some detainees spending over a decade in pretrial detention without conviction.
HN Discussion: A commenter highlights Augustin Toscano, who spent 14 years in Cook County pretrial detention without conviction—far from an isolated case. Police tactics like claiming “plain view” discoveries through conveniently open apartment doors are discussed as systemic patterns the client confirmed were fabricated. Brazilian proverbs about judicial corruption are shared as cross-cultural commentary on systemic bias against the poor.