Xiaomi MiMo Reasoning Model (github.com)

151 points by thm 4h ago 46 comments

U.S. Economy Contracts at 0.3% Rate in First Quarter (wsj.com)

37 points by bko 13m ago 3 comments

Finland Bans Smartphones in Schools (yle.fi)

340 points by freetonik 3h ago 230 comments

The Leaderboard Illusion (arxiv.org)

57 points by pongogogo 4h ago 13 comments

Jepsen: Amazon RDS for PostgreSQL 17.4 (jepsen.io)

472 points by aphyr 22h ago 112 comments

Chain of Recursive Thoughts: Make AI think harder by making it argue with itself (github.com)

487 points by miles 19h ago 218 comments

I created Perfect Wiki and reached $250k in annual revenue without investors (habr.com)

199 points by sochix 5h ago 120 comments

You Wouldn't Download a Hacker News (jasonthorsness.com)

208 points by jasonthorsness 11h ago 95 comments

Secret Deals, Foreign Investments: The Rise of Trump’s Crypto Firm (nytimes.com)

50 points by watchdogtimer 1h ago 19 comments

I use zip bombs to protect my server (idiallo.com)

772 points by foxfired 1d ago 354 comments

What It Takes to Defend a Cybersecurity Company from Today's Adversaries (sentinelone.com)

117 points by gnabgib 9h ago 51 comments

Retailers will soon have only about 7 weeks of full inventories left (fortune.com)

32 points by andrewfromx 1h ago 5 comments

New atomic fountain clock joins group that keeps the world on time (nist.gov)

13 points by austinallegro 1d ago 2 comments

The True Size Of (thetruesize.com)

81 points by thunderbong 3d ago 35 comments

Linux in Excel (github.com)

106 points by radeeyate 9h ago 38 comments

My sourdough starter has twins (brainbaking.com)

127 points by Tomte 1d ago 43 comments

Researchers are studying how to minimize human impact on public lands (undark.org)

20 points by droptext 17h ago 1 comments

Sycophancy in GPT-4o (openai.com)

337 points by dsr12 9h ago 260 comments

An illustrated guide to automatic sparse differentiation (iclr-blogposts.github.io)

101 points by mariuz 1d ago 17 comments

Bamba: An open-source LLM that crosses a transformer with an SSM (research.ibm.com)

179 points by shallow-mind 19h ago 61 comments

Show HN: Beatsync – perfect audio sync across multiple devices (github.com)

341 points by freemanjiang 19h ago 91 comments

Everything we announced at our first LlamaCon (ai.meta.com)

192 points by meetpateltech 19h ago 99 comments

WorldGen: Open-source 3D scene generator for Game/VR/XR (worldgen.github.io)

96 points by ziyangxie 1d ago 16 comments

It's School time: Adventures in hacking an old Kindle (samkhawase.com)

139 points by FlyingSnake 1d ago 38 comments

Performance optimization is hard because it's fundamentally a brute-force task (purplesyringa.moe)

272 points by todsacerdoti 1d ago 123 comments

Statewide fluoride ban for tap water passes in Florida (miamiherald.com)

19 points by geox 1h ago 39 comments

Mission Impossible: Managing AI Agents in the Real World (medium.com)

29 points by dtagames 22h ago 2 comments

Show HN: A Chrome extension that will auto-reject non-essential cookies (blog.bymitch.com)

261 points by mitch292 1d ago 158 comments

Programming languages should have a tree traversal primitive (blog.tylerglaiel.com)

258 points by azhenley 1d ago 174 comments

Modern Realty (YC S24) Is Hiring (workatastartup.com)

1 points by greenfish6 15h ago 0 comments

Show HN: An MCP server for understanding AWS costs

88 points by StratusBen 4d ago 16 comments

Only Teslas exempt from new auto tariffs thanks to 85% domestic content rule (fuelarc.com)

558 points by abduhl 15h ago 561 comments

Dataframely: A polars-native data frame validation library (tech.quantco.com)

26 points by sito42 9h ago 7 comments

We need more optimistic science fiction (craig-russell.co.uk)

94 points by craig552uk 2d ago 149 comments

ArkFlow: High-performance Rust stream processing engine (github.com)

158 points by klaussilveira 22h ago 33 comments

Firefox tab groups are here (blog.mozilla.org)

708 points by TangerineDream 21h ago 402 comments

Show HN: AgenticSeek – Self-hosted alternative to cloud-based AI tools (github.com)

104 points by Fosowl 3d ago 15 comments

LibreLingo – FOSS Alternative to Duolingo (librelingo.app)

747 points by hyperific 1d ago 337 comments

China's Clinical Trial Boom (asimov.press)

144 points by surprisetalk 1d ago 94 comments

Finding paths of least action with gradient descent (2023) (greydanus.github.io)

59 points by E-Reverance 4d ago 12 comments

Can LLMs do randomness? (rnikhil.com)

57 points by whoami_nr 1d ago 49 comments

Show HN: An interactive demo of QR codes' error correction (qris.cool)

98 points by Xiione 5d ago 8 comments

O3 beats a master-level GeoGuessr player, even with fake EXIF data (sampatt.com)

423 points by bko 20h ago 288 comments

Indian court orders blocking of Proton Mail (techcrunch.com)

372 points by impish9208 20h ago 186 comments

AirBorne: Wormable zero-click remote code execution (RCE) in AirPlay protocol (oligo.security)

89 points by throw0101a 23h ago 11 comments

Ask HN: What are you working on? (April 2025)

385 points by david927 2d ago 1144 comments

Duolingo will replace contract workers with AI (theverge.com)

138 points by donohoe 1d ago 95 comments

Try Switching to Kagi (daringfireball.net)

656 points by Ch00k 1d ago 442 comments

Qwen3: Think deeper, act faster (qwenlm.github.io)

832 points by synthwave 1d ago 382 comments

The last masters of Afro-Colombian machete fencing (globalvoices.org)

54 points by PaulHoule 21h ago 19 comments

AirBorne: Wormable zero-click remote code execution (RCE) in AirPlay protocol

89 throw0101a 11 4/29/2025, 1:09:04 PM oligo.security ↗

Comments (11)

Roguelazer · 12h ago

Running a parser for a network protocol as root seems like a pretty unnecessarily dumb thing to do. I can't really imagine why any part of airplay would need to run as root; maybe something to do with DRM? Although the DRM daemon `fairplayd` runs as a limited-privilege user `_fpsd`, so maybe not. So bizarre that Apple makes all these cool systems to sandbox code, and creates dozens of privilege-separated users on macOS, and then runs an HTTP server doing plists parsing as an unsandboxed root process.

Mindwipe · 6h ago

Apple have reworked Airplay so many times at this point the entire thing is just a massive pile of technical debt piled on another massive pile of technical debt, piled on a bunch of weird hacks to try and keep all the devices built for previous versions afloat.

throw0101a · 23h ago

CVE-2025-24252 and CVE-2025-24132 are two examples. Doing a search for "Oligo" in release notes gives various other results, e.g.,

* https://support.apple.com/en-ca/122374

Apple fixed their stuff, but third-parties who used their SDK will have to issue updates as well.

m463 · 13h ago

macos is pretty promiscuous, and I've noticed random airplay displays (like the neighbors) showing up in the mirroring dropdown in the dock.

wonder if this is a way to get into the stack.

greyadept · 8h ago

This behaviour always made me feel a bit suspicious about airplay but I reassured myself that Apple surely had it locked down. But these 17 CVEs show that my trust was misplaced.

abhisek · 20h ago

Very curious about the exploitation of CVE-2025-24252, a use-after-free (UAF) using which they achieved zero-click RCE on MacOS. This is inspite of ASLR and heap exploitation mitigations in place to mitigate such vulnerability classes

https://security.apple.com/blog/towards-the-next-generation-...

hammock · 16h ago

On ASLR: you might use the UAF to access memory regions you shouldn’t have access to. By reading the contents, they can potentially leak pointers to a critical library (e.g., libc), allowing them to calculate the offsets to bypass ASLR.

On heap protection: if you spray the heap with predictable data patterns you can improve your chance of landing a useful address, even with ASLR in place

RainyDayTmrw · 8h ago

I understand heap sprays in theory. In practice, how do they avoid clobbering something important and crashing the app? It seems like a typical app has a lot of state to clobber.

No comments yet

RainyDayTmrw · 9h ago

Oof. It's parsing and memory corruption again.

rubatuga · 16h ago

Good thing I'm still on macOS 12

slama · 15h ago

macOS 12 is EOL and is no longer receiving security updates.

There’s a strong chance it’s vulnerable, too