AI Summarized Hacker News

Front-page articles summarized hourly.

Teaching Claude Why

Anthropic reports progress on Claude’s alignment, showing reduced agentic misalignment (e.g., blackmail) since Claude 4. Claude Sonnet 4.5 achieved near-zero blackmail on honeypot tests. Improvements come from training on constitutionally aligned documents, high-quality demonstrations of constitutional responses, and diverse environments. Four key lessons: focusing on principles rather than demonstrations; generalization remains hard; an out-of-distribution 'difficult advice' dataset (3M tokens) drastically cut misalignment by training ethical reasoning; teaching Claude the constitution with stories further lowers misalignment (65% → 19%). Alignment persists through RL, and diverse safety data improves generalization. Yet full alignment of highly capable AI remains unsolved.

Dirty Frag: Universal Linux LPE

Dirty Frag is a Linux local privilege escalation (LPE) chain that combines an xfrm-ESP page-cache write with an RxRPC page-cache write to gain root on major distros. It is a deterministic bug (no race) with a high success rate, and no patch due to embargo. CVE-2026-43284 (xfrm-ESP) is patched in mainline; RxRPC is CVE-2026-43500 with no patch yet. The bug's lifetime is about 9 years; it was tested on Ubuntu 24.04.4, RHEL 10.1, openSUSE Tumbleweed, CentOS Stream 10, AlmaLinux 10, and Fedora 44. A PoC is provided; use only on authorized systems. Mitigation: disable the esp4, esp6 and rxrpc modules via a modprobe.d config, then reboot or drop caches.

AWS says data center overheating in North Virginia disrupts services

Could not summarize article.

Looking at the data behind prediction markets

Dan Schwarz evaluates whether today’s prediction markets (Polymarket, Kalshi) deliver the benefits envisioned by Arrow, Kahneman, and Hanson. While large volumes exist, most activity centers on sports, crypto, and elections rather than useful forecasts. He outlines five potential values—risk monitoring, interpreting news, informing policy outcomes, accountability, and novel information—and finds real demand for risk monitoring, plus some usefulness in interpreting news and policy signals. However, broadly useful markets are scarce, higher volume does not reliably boost accuracy, and AI-driven forecasting could redefine how forecasts are consumed.

All means are fair except solving the problem

An industry veteran prints a 'yay, done' on program exit to flag misuse, but scripts treat that as the last message; warnings emitted later (in destructors, atexit, etc.) break critical workflows. Teams debate fixes: reprint warnings at termination, suppress by default, or route to a separate file. The line 'All means are fair except solving the problem' captures both the technical and social angle, connected to Hyrum’s law: every observable behavior will be depended on by someone who won’t fix their code, so problems persist.

Non-determinism is an issue with patching CVEs

AI-driven CVEs will surge; Flox, built atop Nix, offers a deterministic system of record to tame package-CVE triage. Instead of scanning each environment, Flox maps environments to their resolved dependency closures and groups identical closures, so triage runs once per unique graph (O(u) vs O(n)). FloxHub generates SBOMs; remediation means re-locking, rebuilding with patched packages, and promoting the new environment. Determinism and reproducibility underpin the approach, though coding agents and attackers present ongoing risks.

Roadside Attraction

Could not summarize article.

You gave me a u32. I gave you root. (io_uring ZCRX freelist LPE)

An io_uring freelist local privilege escalation: supplying a 32-bit value yields root access; PoC by ze3ter.

Man Finds $1M Worth of Yu-Gi-Oh Cards in a Dumpster

404 Media tracks a Texas saga in which a man claimed to have found hundreds of high-value Yu-Gi-Oh uncut sheets and other rare cards in a dumpster after a contractor’s alleged negligence. He sold them online, posting erratic updates that sparked suspicions of theft. Collectors documented the ‘Dumpster Drama,’ debating authenticity and provenance. Konami says uncut sheets are tightly controlled. Investigators pointed to a Dallas-area link via the seller’s mother’s scrap business and a printing vendor. The seller paused, then resurfaced in May; provenance remains unresolved.

Discord Incident

The Discord Status page shows an incident titled Increased API Errors on May 8, 2026, with Investigating → Identified → Update → Monitoring as the timeline. Recovery is underway and logins/messaging may be impacted. Users can subscribe via email, SMS, or webhook for incident updates; OTP verification is used and a long SMS country code list is provided. The page also displays uptime metrics for API, Media Proxy, Gateway, Push Notifications, and other services, most near 100%. Prior incidents include May 2 message-send delays and April 28 connection delays, resolved.

pg_flight_recorder: Continuously sample PostgreSQL system state via pg_cron

pg_flight_recorder is a server-side telemetry toolkit for PostgreSQL 15+. It continuously samples database state (wait events, sessions, locks, WAL, I/O, table/index stats, query performance, replication, configs) via pg_cron. It ships with two extensions: pgfr_record (core collection) and pgfr_analyze (reporting/anomaly detection). Data flows from in-memory ring buffers to durable archives with 7–30 day retention. Safety features prevent production impact; modes include normal, light, emergency. Requirements: PostgreSQL 15–18, pg_cron; superuser; optional: pg_stat_statements. Quick start: install/install scripts, enable, health_check, reports. Workflows: daily monitoring, incident response, profiling, capacity analysis, export/uninstall.

Show HN: GETadb.com – every GET request creates a DB

Instant's get-a-db service provisions credentials by fetching https://www.getadb.com/provision/. Generate a new random UUID for each request; the unique URL prevents upstream caches from serving stale credentials.

My first in-prod corrupted hard drive problem

An ICT engineer recounts a production server with a corrupted hard drive hosting an MS SQL database. Backups failed, risking data loss. Investigations blamed EDR, then VSS read errors, suspected Windows corruption (DISM/SFC), and finally a heavy SQL patch that likely exposed dying sectors. After replacing the disk, recovery tools failed, but HDD Regenerator reportedly restored readable sectors by re-writing the magnetic signal, leaving most data intact. Lesson: verify restores, back up before/after patches, and know RAID doesn’t shield against silent page corruption; data recovery is on you.

Let's Encrypt Stopping Issuance for Potential Incident

Let's Encrypt reports a potential incident and is shutting down all issuance as of May 8, 2026 18:37 UTC. Affected components: acme-v02.api.letsencrypt.org (production), acme-staging-v02.api.letsencrypt.org (staging), portal.letsencrypt.org (production), portal-staging.letsencrypt.org (staging). Locations: High Assurance Datacenter 1 and 2.

What we lost the last time code got cheap

The author recalls Heartland Information Services, an offshore-heavy medical transcription company, to illustrate how cheap offshore development once spurred innovation but created maintainability problems. With AI now able to generate functional code cheaply, the cost shifts from production to understanding: the real scarce resource is the ability to read, navigate, and explain code, not just write it. Unlike outsourcing, where knowledgeable humans bridge gaps, AI-produced code may lack intent. The solution is to invest in shared context, documentation, code review, and tools and practices that enhance understanding. The craft now centers on comprehension, not speed of production.

Court to DOGE: Asking ChatGPT 'Is This DEI?' Is Not Proper Legal Process

A federal judge ruled that DOGE lacked statutory authority to terminate NEH grants, and its mass terminations—driven by DEI and implemented via ChatGPT-generated rationales—were arbitrary, unlawful, and unconstitutional. The court found DOGE acted as a de facto decisionmaker, overruling NEH, with Justin Fox and Nate Cavanaugh directing the process and using ChatGPT to fabricate reasons; the actions violated the National Foundation on the Arts and the Humanities Act and the First Amendment due to viewpoint discrimination. The ruling bars those terminations as unconstitutional and noncompliant with law.

Defeating Works by Design's Unpickable Lock [video]

The text describes a YouTube page blocked by a security CAPTCHA after detecting unusual traffic from the user's IP. It explains the block is to verify the user isn’t a bot, possibly caused by malware, a browser plug-in, or automated scripts. The block ends when requests slow or stop; on shared networks, an administrator should help. Users must complete a CAPTCHA to continue.

Google Broke reCAPTCHA for De-Googled Android Users

Google tied its next-gen reCAPTCHA to Android’s Google Play Services, so de-Googled phones fail verification unless Play Services 25.41.30+ runs and a QR code is scanned when challenged. The system, part of Google Cloud Fraud Defense, favors ecosystem control over security, punishing users who avoid Google’s software. Unlike iOS, Android devices must install Google software to prove humanity. Web sites adopting this verification effectively exclude de-Googled users, raising concerns about privacy and surveillance.

AI Is Breaking Two Vulnerability Cultures

The piece contrasts two vulnerability cultures—coordinated disclosure (private alerts and embargo) and the “bugs are bugs” approach (fast fixes with minimal attention)—and argues AI will accelerate both discovery and remediation, making long embargoes riskier. It cites Copy Fail and ESP: Kim privately patched and embargoed, but the info leaked; nine hours later, Chen independently reported ESP. The author favors ultra-short embargoes, aided by AI, which can speed defense as well as attack, including quick AI eval of diffs, though cross-model results vary.

David Attenborough's 100th Birthday

Sir David Attenborough marks his 100th birthday with tributes from King Charles III and Queen Camilla, who shared photos and a congratulatory message. A 90-minute Royal Albert Hall concert, hosted by Kirsty Young and airing on BBC One and iPlayer, will celebrate his life with wildlife moments and performances by Dan Smith (Bastille) and Sigur Rós, among others. The Prince of Wales and other figures praised his climate and nature work as the BBC stages birthday programming; the Natural History Museum named a wasp species after him.

Made by Johno Whitaker using FastHTML