Tell HN: X is opening any tweet link in a webview whether you press it or not
Just saw the CEO of Substack celebrating traffic from X/Twitter shooting up thinking they stopped suppressing tweets with links[0]. Actually, this traffic is because now any time you open a tweet with a link, the in-app webview loads in the background, and displays when you press the link.
I run an ecom store that gets a lot of its customers from Twitter. I was also shocked to see my traffic double or triple overnight and thought the algorith … ⌘ Read more
**The Great Tenant Mix-Up: How I Accidentally Became Every Company’s Employee**
Free Link 🎈
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/the-great-tenant-mix-up-how-i-accidentally … ⌘ Read more
Four Bulgarians jailed for Paris Holocaust Memorial vandalism linked to Russia ⌘ Read more
**How I Made ChatGPT My Personal Hacking Assistant (And Broke Their “AI-Powered” Security)**
Free Link 🎈
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/how-i-m … ⌘ Read more
**How I Became the Unofficial Company Archivist (And Saw Things I Can’t Unsee)**
Free Link🎈
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/how-i-became-the-unofficial-company-archiv … ⌘ Read more
Introducing fnox: A secret manager that pairs well with mise
The official announcement is at https://github.com/jdx/mise/discussions/6779 but by default, Lobsters policy prevents submitting direct links to Github discussions.
Unlocking cell identity: RNA sequestration in P-bodies directs cell fate transitions
A new study published in Nature Biotechnology shows that stem cell differentiation is linked to cellular structures called P-bodies, providing a potential means of controlling cell identity. Researchers at Baylor College of Medicine, the University of Colorado Boulder and collaborating institutions studied P-bodies in various developmental stages across multiple vertebrate species and found that selective RNA seques … ⌘ Read more
Africa’s air links are poor: Can the G20 push for more direct flights to improve tourism and trade?
In Africa, less than one in five continental airline routes are direct. Air connections are decided by factors like trade levels, diplomatic relations, and whether there’s enough demand to make a route financially worthwhile. Because there are so few direct connections in Africa, getting from one country to another often requires travelers to fly to Europe or the Middle East and transit there. This increases … ⌘ Read more
Key Russian Military Rail Link to St. Petersburg Disrupted by Explosion Near NATO Border ⌘ Read more
Streaming live video as a macOS screensaver using AVFoundation and yt-dlp
I built this to play live HLS streams as a screensaver on macOS. It supports both direct .m3u8 URLs and YouTube
links (via yt-dlp extraction with caching).
The interesting bits:
- Cross-screen synchronization: All displays show the same frame of the video by syncing to a shared timestamp,
making it feel like one continuous stream across monitors
- Handles the unreliable macOS screensaver lifecycle (stopAnimation doesn’t always get called when … ⌘ Read more
**How I Became an Accidental Admin and Almost Got Fired (From Someone Else’s Company)**
Free Link 🎈
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/how-i-became-an-acci … ⌘ Read more
Surprising bacteria discovery links Hawaiʻi’s groundwater to the ocean
A new species of bacteria has been discovered off the coast of Oʻahu, shedding light on how unseen microbial life connects Hawaiʻi’s land and sea ecosystems. ⌘ Read more
Erlang Solutions: Immersive Esports: The Technology Behind Competitive Gaming
Esports has outgrown local tournaments and now runs on global platforms linking millions of players and fans, powered by immersive esports technology. Communities form around games, teams, and streamers, blending competition, entertainment, and social connection. At this scale, reliability and low latency are non-negotiable to keep matches fair and audiences engaged during spikes.
High-spe … ⌘ Read more
How I Found a $250 XSS Bug After Losing Hope in Bug Bounty
📌 Free Link
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/how-i-found-a-250-xss-bug-after-losing-hope-in-bug-bounty-8ab557df4d1d?source=rss—-7b722bf … ⌘ Read more
Poorer health linked to more votes for Reform UK, 2024 voting patterns suggest
Poorer health is linked to a higher proportion of votes for the populist right wing political party, Reform UK, indicates an analysis of the 2024 general election voting patterns in England, published online in the open access journal BMJ Open Respiratory Research. ⌘ Read more
Don’t Look Up: Sensitive internal links in the clear on GEO satellites [pdf]
Article URL: https://satcom.sysnet.ucsd.edu/docs/dontlookup_ccs25_fullpaper.pdf
Comments URL: https://news.ycombinator.com/item?id=45575391
Points: 501
# Comments: 120 ⌘ Read more
Chemists reveal new insights into protein linked to amyotrophic lateral sclerosis
Using advanced techniques in biophysical chemistry, a team led by Meredith Jackrel, an associate professor of chemistry, has achieved unprecedented views of a protein that may play a pivotal role in some cases of amyotrophic lateral sclerosis (ALS) and the related disorder frontotemporal dementia (FTD). Their work could open doors to new approaches for treatment and prevention. ⌘ Read more
Report shows action to improve gender equity linked to career gains and better business performance
A new report out today shows that companies taking action for gender equality see lower staff turnover, more women in leadership and better shareholder value. ⌘ Read more
There are five types of sleep – here’s what that means for your health
Scientists have identified five sleep profiles, each of which is linked to distinct mental health symptoms and brain activity patterns ⌘ Read more
Kremlin-linked media mogul dies in mysterious 21-meter fall ⌘ Read more
Trauma in a puppy’s first six months linked to adult aggression, says new study
As many dog owners can attest, their four-legged companions are delightful and loving. But for others, their animals have an aggressive side, such as biting and attacking strangers, which may ultimately lead to them having to be euthanized. But why do some dogs turn out this way? ⌘ Read more
(#abcdefghijkl https://example.com/tw.txt#:~:text=2025-10-01T10:28:00Z), because it can be simply hacked in to clients currently on hashv1 and provides an off-ramp to location-based addressing
I like that property (an off-ramp to location-based addressing), so I think I could live with that approach. ✅
(I’m not sure why we’re using text fragments, though. Wouldn’t that link to the first occurrence of 2025-10-01T10:28:00Z? That’s not necessarily correct. And, to be proper URLs that Firefox and Chromium understand, it would also need to be written as 2025%2D10%2D01T10:28:00Z. The dash carries meaning, sadly. I think all this just creates needless complication. How about we just go with https://example.com/tw.txt#2025-10-01T10:28:00Z?)
@movq@www.uninformativ.de I got an empty line through the table, similarly to one of the linked bug reports, just at a different location:
https://lyse.isobeef.org/tmp/screenshot-2025-09-27-13-56-13.png
I would personally rather see something like this:
2025-09-25T22:41:19+10:00 Hello World
2025-09-25T22:41:19+10:00 (#kexv5vq https://example.com/twtxt.html#:~:text=2025-09-25T22:41:19%2B10:00) Hey!
Preserving both content-based addressing as well as location-based addressing and text fragment linking.
@prologic@twtxt.net I know we won’t ever convince each other of the other’s favorite addressing scheme. :-D But I wanna address (haha) your concerns:
I don’t see any difference between the two schemes regarding link rot and migration. If the URL changes, both approaches are equally terrible as the feed URL is part of the hashed value and reference of some sort in the location-based scheme. It doesn’t matter.
The same is true for duplication and forks. Even today, the “canonical URL” has to be chosen to build the hash. That’s exactly the same with location-based addressing. Why would a mirror only duplicate stuff with location- but not content-based addressing? I really fail to see that. Also, who is using mirrors or relays anyway? I don’t know of any such software to be honest.
If there is a spam feed, I just unfollow it. Done. Not a concern for me at all. Not the slightest bit. And the byte verification is THE source of all broken threads when the conversation start is edited. Yes, this can be viewed as a feature, but how many times was it actually a feature and not more behaving as an anti-feature in terms of user experience?
I don’t get your argument. If the feed in question is offline, one can simply look in local caches and see if there is a message at that particular time, just like looking up a hash. Where’s the difference? Except that the lookup key is longer or compound or whatever depending on the cache format.
Even a new hashing algorithm requires work on clients etc. It’s not that you get some backwards-compatibility for free. It just cannot be backwards-compatible in my opinion, no matter which approach we take. That’s why I believe some magic time for the switch causes the least amount of trouble. You leave the old world untouched and working.
If these are general concerns, I’m completely with you. But I don’t think that they only apply to location-based addressing. That’s how I interpreted your message. I could be wrong. Happy to read your explanations. :-)
Here is just a small list of things™ that I’m aware will break, some quite badly, others in minor ways:
- Link rot & migrations: domain changes, path reshuffles, CDN/mirror use, or moving from txt → jsonfeed will orphan replies unless every reader implements perfect 301/410 history, which they won’t.
- Duplication & forks: mirrors/relays produce multiple valid locations for the same post; readers see several “parents” and split the thread.
- Verification & spam-resistance: content addressing lets you dedupe and verify you’re pointing at exactly the post you meant (hash matches bytes). Location anchors can be replayed or spoofed more easily unless you add signing and canonicalization.
- Offline/cached reading: without the original URL being reachable, readers can’t resolve anchors; with hashes they can match against local caches/archives.
- Ecosystem churn: all existing clients, archives, and tools that assume content-derived IDs need migrations, mapping layers, and fallback logic. Expect long-lived threads to fracture across implementations.
@alexonit@twtxt.alessandrocutolo.it Personally, I find the reversed order of URL first and then timestamp more natural to reference something. Granted, URL last would be kinda consistent with the mention format. However, the timestamp doesn’t act as a link text or display text like in a mention, so, it’s somewhat different in my opinion. But yeah.
Great. Yet another messed up plain text e-mail part. The URL was actually HTML-escaped. Took me five attempts to figure this out, because of course it had to be several kilometers long. In fact, the e-mail stated: “Please do not be surprised that the link is particularly long. It contains your personal configuration.”
A normal person is completely lost (that’s why I got involved). Visiting the broken URL opens a popup dialog suggesting to deactivate script blockers. Which I had already done upfront as a matter of prudence.
Fun bonus on top: The JWT in the link has identical iat (issued at) and exp (expiry) claims. The expiry is definitely not checked, it’s well in the past.
Medical software just has to be horrible. It’s a law.
@zvava@twtxt.net I never used any of the social media platforms, that’s why I’m probably ignorant.
I don’t understand the concept of a retwt. Just quote the (relevant) parts from wherever and comment on that. Or post a link instead of a quote. Sounds simple enough. :-) That also has the benefit that it works with every source, no matter what. Since it’s called retwt, I’d imagine this to only work (well) with whatever messages the system itself offers. But I could be wrong. What would be the benefit of having a dedicated message type or structure for “hey, look at that” messages in your opinion?
Hmm, what’s a content warning?
@bender@twtxt.net Cool, the PDF doesn’t have the navigation links between each section, that’s indeed a tad nicer. Thanks!
@kat@yarn.girlonthemoon.xyz Oh dear, nobody needs bot attacks. :-( Luckily, the web server is responding a hell of a lot quicker today than the last two days.
Now that’s interesting. Some of these bots start crawling at URLs like this:
That is obviously completely wrong. But I can explain it. Some years ago, I screwed up my nginx rewrite rules, and that’s how these broken URLs came to be.
It all redirects to /git now, which is why that endpoint sees so much traffic lately.
But what does that mean? Why do they start there? I can only speculate that this company bought an old database of web links and they use that to start crawling. And it was probably a cheap one, because these redirects have been fixed for quite a long time now.
@movq@www.uninformativ.de Got a link to this
ESC/P standard.
There is a missing feature I’ve been intending to add to though, which is that any link that looks like a URL that might be an image, for example, ends with .png or .jpg or whatever, we should just render that as an image and not expect users to wrap it in Markdown image links 
@movq@www.uninformativ.de @kat@yarn.girlonthemoon.xyz I also wondered for a very long time why nobody improved the man experience in the terminal. I’d love to see links and more colors.
37C3 and New Year’s Eve 2023
Another one from the vaults. The 37C3 conference took place in
December, 2023. This report was mostly written in January, 2024.
Mostly finished it at night in my cottage between 28 and 29th
December, then edited and added some stuff in July, 2025. So… Only
1.5 years late?
It was a little ironic, and a little sad, that I was finishing the
37C3 report during 38C3. I didn’t manage to get any tickets for me and
#3 for 38C3 and had to make do with watching the stream.
The links to the talks go to [C … ⌘ Read more
setpriv on Linux supports Landlock.
@prologic@twtxt.net Yeah, it’s not a strong sandbox in jenny’s case, it could still read my SSH private key (in case of an exploit of some sort). But I still like it.
I think my main takeaway is this: Knowing that technologies like Landlock/pledge/unveil exist and knowing that they are very easy to use, will probably nudge me into writing software differently in the future.
jenny was never meant to be sandboxed, so it can’t make great use of it. Future software might be different.
(And this is finally a strong argument for static linking.)
setpriv on Linux supports Landlock.
Another example:
$ setpriv \
--landlock-access fs \
--landlock-rule path-beneath:execute,read-file:/bin/ls-static \
--landlock-rule path-beneath:read-dir:/tmp \
/bin/ls-static /tmp/tmp/xorg.atom
The first argument --landlock-access fs says that nothing is allowed.
--landlock-rule path-beneath:execute,read-file:/bin/ls-static says that reading and executing that file is allowed. It’s a statically linked ls program (not GNU ls).
--landlock-rule path-beneath:read-dir:/tmp says that reading the /tmp directory and everything below it is allowed.
The output of the ls-static program is this line:
─rw─r──r────x 3000 200 07-12 09:19 22'491 │ /tmp/tmp/xorg.atom
It was able to read the directory, see the file, do stat() on it and everything, the little x indicates that getting xattrs also worked.
3000 and 200 are user name and group name – they are shown as numeric, because the program does not have access to /etc/passwd and /etc/group.
Adding --landlock-rule path-beneath:read-file:/etc/passwd, for example, allows resolving users and yields this:
─rw─r──r────x cathy 200 07-12 09:19 22'491 │ /tmp/tmp/xorg.atom
@movq@www.uninformativ.de Yeah, it’s a shitshow. MS overconfirms all my prejudices constantly.
Ignoring e-mail after lunch works great, though. :-)
Our timetracking has been offline for over a week because of reasons. The responsible bunglers are falling by the skin of their teeth: https://lyse.isobeef.org/tmp/timetracking.png
- The error message neither includes the timeframe nor a link to an announcement article.
- The HTML page needs to download JS in order to display the fucking error message.
- Proper HTTP status codes are clearly only for big losers.
- Despite being down, heaps of resources are still fetched.
I find it really fascinating how one can screw up on so many levels. This is developed inhouse, I’m just so glad that we’re not a software engineering company. Oh wait. How embarrassing.
we should bring back XFN that is the cutest shit in the world i want to link to my friends and have the internet know they are my friends through the markup!!!!!!!!!!!
@prologic@twtxt.net no, good man. Follow the link, follow eet! :-)
@kat@yarn.girlonthemoon.xyz i linked the normal length edit instead of the full 15 minute music video because i’m not gonna subject you all to that amount of my bullshit
(…15 minute version is a great watch though)
@bender@twtxt.net Yeah, well, it’s a bit like twtxt. There is a Gopher community, but it’s small. I actually don’t like that HTTP is so easily accessible. I don’t like it that much when people post links to my site on HackerNews or something like that. Too much exposure.
Gopher is a small world. It’s slow and cozy.
And much like twtxt, the protocol is simple(r), so it’s easier to tinker with it.
Passing of Jean-Raymond Abrial
Jean-Raymond Abrial, father (in particular!) of the Z notation, but also of the B method, and then Event-B, passed away on May 26. I was surprised to see that this piece of news, which may be of some interest to formal method folks, doesn’t seem to be very well known (there’s not much material on the web).
Here are some links (on LinkedIn, sorry):
[by Bertrand Meyer](https://www.linkedin.com/posts/bertrandmeyer_i-am-saddened-to-report-from-todays-print-activity-7335684948974034944-SJf1? … ⌘ Read more
GraphQL Gatecrash: When an Introspection Query Opened the Whole Backend
Free Link 🎈
[Continue reading on InfoSec Write-ups »](https://infosecwriteups.com/graphql-gatecrash-when-an-intro … ⌘ Read more
Radeon Software For Linux Dropping AMD’s Proprietary OpenGL/Vulkan Drivers
Direct link to upstream release notes.