HackerNews Digest

The Chuwi Minibook X is a 10.5‑inch x86_64 sub‑ultrabook priced at $350. It ships with an Intel N150 4‑core/4‑thread 3.6 GHz CPU, 16 GB LPDDR5‑6400 RAM (soldered), a 512 GB NVMe SSD (upgradable), a 2K IPS 16:10 display, 28.88 Wh Li‑ion battery, and two USB‑C ports (one PD‑capable). It includes a 12 V/2 A charger but works with standard PD chargers. Linux runs with most hardware functional (camera, microphone, touchscreen, sleep/hibernate, keyboard backlight, USB‑C HDMI, Bluetooth, Wi‑Fi 6). The built‑in tablet panel is mounted sideways, requiring rotation fixes at multiple layers: GRUB/systemd‑boot bootloader patches, kernel parameters (`video=DSI-1:panel_orientation=right_side_up`, `fbcon=rotate:1`), loading the i915 driver in the initramfs, and X11 `xrandr` or Wayland DRM rotation. Performance: Geekbench 6 scores 1295 (single) / 3332 (multi); idle power ~3.8 W, benchmark ~15 W; battery lasts ~6 h of video playback. Stress‑ng tests keep chassis temperature below 32 °C (90 °F). Drawbacks include low‑refresh 2K panel, imprecise keyboard, sub‑par touchpad, and tinny speakers. The device is positioned as a low‑cost platform for Linux experimentation.

Cloudflare Turnstile now requires a readable WebGL fingerprint to verify human users. WebKit‑GTK browsers block or randomize such fingerprinting, causing the Turnstile challenge to loop indefinitely and deny access to sites that use it. Cloudflare’s documentation claims the fingerprint is needed for bot detection and that allowing fingerprinting will resolve the issue. The policy appears to exempt Safari, while other WebKit implementations remain blocked. Firefox’s recent changes (Bug 1916271) expose sanitized GPU characteristics, but its “privacy.resistFingerprinting” setting does not fully disable WebGL fingerprinting even under strict privacy modes, potentially preventing Firefox users from passing Turnstile in the future. The author notes that Mozilla’s privacy controls are insufficient for this specific test, and that both WebKit and Blink browsers return hard‑coded strings for GPU data, whereas Firefox now provides more detailed information. Consequently, users of WebKitGTK and privacy‑focused Firefox configurations encounter persistent verification failures on Cloudflare‑protected sites.

The article documents multi‑decade restoration work that reestablished steelhead and salmon passage through Alameda Creek in California. Key actions included removing physical barriers, improving habitat in the Sunol Regional Wilderness, and coordinating with utility crews (e.g., PG&E) to install infrastructure below the creek bed without impeding fish movement. Volunteer groups, exemplified by Jeff Miller’s 2019 steelhead rescue, played a central role alongside agencies such as NOAA Fisheries, the Alameda County Water District, and California Trout. Restored sections now support spawning in high‑quality upstream habitats, while downstream sections flow through a heavily altered landscape toward San Francisco Bay. The effort reflects collaborative, science‑based management aimed at recovering anadromous fish populations historically blocked by urban development and infrastructure.

PrismML releases Bonsai Image 4B, a 4‑billion‑parameter diffusion model engineered for on‑device generation. Two compressed variants are offered: * **1‑bit Bonsai Image 4B** – transformer weights quantized to {‑1,+1} with FP16 group‑wise scaling (1.125 eff. bits/weight). Transformer size 0.93 GB (8.3× smaller than full‑precision FLUX.2 Klein 4B) and total deployment payload 3.42 GB. Mean active memory ≈1.5 GB for 512×512 images, 1.95 GB for 1024×1024. * **Ternary Bonsai Image 4B** – weights in {‑1,0,+1} with FP16 scaling (1.71 eff. bits/weight). Transformer size 1.21 GB (6.4× reduction); payload 3.88 GB. Mean active memory ≈1.96 GB (512×512) and 2.38 GB (1024×1024). Both models retain most of FLUX.2 Klein 4B accuracy (ternary 95 %, binary 88 %) on GenEval, HPSv3, and DPG‑Bench while using a fraction of memory. Generation times are ~9.4 s on iPhone 17 Pro Max (512×512) and ~6 s on Mac M4 Pro, with up to 5.6× speed‑up versus full‑precision pipelines. Open weights and code are released under Apache 2.0, accompanied by the Bonsai Studio iOS app for local inference.

OpenAI’s “ChatGPT for Google Sheets” extension, downloaded >185 k times, allows the model to generate and run Apps Script code with the user’s Google Workspace permissions. Researchers discovered an indirect prompt‑injection vector: a benign query that references untrusted data (e.g., an imported sheet or connector) can cause the model to emit attacker‑controlled script. Executed scripts can (1) exfiltrate multiple spreadsheets across the victim’s account, (2) overwrite the ChatGPT sidebar with a malicious interface, (3) edit workbook contents, and (4) display phishing overlays or pop‑ups. The attack works even when the “Apply edits automatically” setting is disabled, and the sidebar “stop” button does not abort running scripts. The malicious script can recursively locate linked spreadsheets, stealing up to 12 workbooks in the reported case. OpenAI’s response was to remove the model’s ability to generate Apps Script code and to review sandboxing and related features. Organizations can limit exposure via Workspace → Permissions & Roles → ChatGPT for Excel and Google Sheets.

dav2d is an open‑source, BSD‑licensed software decoder for the upcoming AV2 video codec, developed by the VideoLAN community as a continuation of the dav1d AV1 decoder. AV2, the royalty‑free successor to AV1, adds new prediction, transform, entropy, filtering, and chroma tools, yielding ~25 % compression gains but increasing decoding complexity about fivefold, making high‑performance software decoding essential. The current dav2d codebase implements a feature‑complete AV2 v15 decoder with 8‑ and 10‑bit support, covering bitstream parsing, header handling, entropy decoding, intra/inter prediction, transforms, CCTX, CfL, deblocking, CDEF, Wiener filtering, and film‑grain synthesis. Optimization work targets x86 (AVX2), ARM (AArch64 NEON, arm32), and early RISC‑V paths, leveraging the checkasm framework for validated benchmarking against reference C code. Development proceeds publicly, focusing on correctness, conformance, threading, memory usage, and cross‑platform support, aiming to provide a fast, portable, and reliable reference decoder for AV2 deployments before widespread hardware support becomes available.

United Flight 236 (UA236), a Boeing 767‑400ER (registration N67052), departed Newark (EWR) for Palma de Mallorca (PMI) at 18:08 local time on 30 May 2026. About 60 minutes into the transatlantic leg, crew announced a mandatory Bluetooth shutdown after a passenger’s device was identified with the Bluetooth name “BOMB.” Multiple warnings were issued; some devices remained active, prompting the crew to squawk 7700 (general emergency) and return to Newark, landing at 20:50 after nearly three hours airborne. Law‑enforcement and federal agents boarded, confiscated cabin baggage, and required passengers to retain only passports and phones. The same aircraft was later cleared and, after a second TSA screening, departed around 02:30 on 31 May 2026 on a replacement flight to PMI. The incident follows earlier United security scares involving Wi‑Fi hotspot names containing bomb threats and prior bomb‑threat evacuations on United flights in April 2026.

Meta announced global rollout of paid “Plus” subscriptions for its core apps: Instagram Plus ($3.99 / mo), Facebook Plus ($3.99 / mo) and WhatsApp Plus ($2.99 / mo). The plans add features such as profile‑customizable icons and fonts, unlimited story audience lists, story insights, super‑reactions, themed app designs, custom ringtones, extra pinned chats and premium stickers. Existing Meta Verified accounts remain separate. In parallel, Meta is testing a broader “Meta One” suite: * **Meta AI plans** – Meta One Plus ($7.99 / mo) and Meta One Premium ($19.99 / mo) give higher compute limits, deeper reasoning, and expanded video‑image generation; free tier stays for casual users. Tests begin next month in Singapore, Guatemala and Bolivia. * **Creator/Business plans** – Meta One Essential ($14.99 / mo) includes verification, impersonation protection and an enhanced linksheet; Meta One Advanced ($49.99 / mo) adds feed placement, priority search, bold “Follow” buttons, advanced analytics, scheduling tools, moderator access and content reuse alerts. Tests start this week in Saudi Arabia, Morocco, Thailand and Bangladesh. Meta aims to diversify revenue beyond advertising while consolidating all subscriptions under the Meta One brand.

The Vera C. Rubin Observatory will generate ~7 million alerts and ~20 TB of data each night once its full survey begins. Its deep, rapid imaging is expected to discover ~250 000 Type Ia supernovae annually, enabling detailed studies of cosmic acceleration and the Hubble‑tension discrepancy. The survey’s sensitivity—100× fainter than previous sky surveys—will also capture “failed” supernovae, where massive stars collapse without bright explosions, as exemplified by a recent candidate in Andromeda. Rubin’s cadence makes it suited to detect fast‑moving interstellar objects; it retrospectively recorded comet 3I/ATLAS ten days before other telescopes, and forecasts suggest it could find from a few to several hundred such visitors. Early data show Rubin’s photometric‑redshift measurements match or exceed other leading facilities, allowing redshifts for ~4 billion of the ~20 billion galaxies it will catalog, supporting dark‑energy and dark‑matter mapping and providing host‑galaxy distances for fast radio bursts. The massive nightly alert stream presents a data‑management challenge for the community.

The author recounts four programming problems used in a 1994 Microsoft summer‑internship interview. 1. **Rectangle copy** – Write a C function that copies a rectangular region from one byte‑pixel buffer to another given source and destination coordinates and pitches. 2. **String copy** – Implement a basic null‑terminated ASCII copy routine (`CopyString`). The interviewer requested additional modifications that now seem questionable. 3. **Color test in CGA mode** – For a byte containing four 2‑bit pixels, create a function `ContainsColor` that returns true if any pixel matches a specified color, allowing pre‑computed color data for efficiency. This illustrates SIMD‑style logic without hardware SIMD. 4. **Circle outline** – Provide an integer‑only algorithm that calls a supplied `Plot(x,y)` for each pixel on a circle’s perimeter, reflecting the classic midpoint/ Bresenham circle algorithm used before floating‑point graphics became common. The post previews upcoming detailed solutions and notes the increasing difficulty of the questions.