HackerNews Digest

In September 1979, two East German families escaped to West Germany in a homemade hot‑air balloon after 18 months of design, testing, and fabrication. Electrician Peter Strelzyk and bricklayer Günter Wetzel calculated a payload of ~750 kg and required a 2 000 m³ envelope heated to 100 °C. After initial failures with porous cotton, they sourced taffeta fabric, sewed three envelopes, and built a gondola with an iron frame, cloth sides, and a propane burner powered by inverted tanks for increased pressure. The first July 1979 launch reached 2 000 m but landed 180 m short of the border, prompting a Stasi investigation. They enlarged the balloon to 4 000 m³, repaired the burner, and launched on 15 September 1979. Despite a torn envelope and intermittent burner relighting, the balloon crossed the inner German border, descending near Naila, Bavaria, after 28 minutes; only Wetzel broke his leg. The escape led to tightened East German border controls, arrests of relatives, and later media adaptations (films Night Crossing 1982, Balloon 2018). The balloon is displayed in Regensburg.

Astro Technology Company, creator of the Astro web framework, has become part of Cloudflare. All full‑time Astro employees are now Cloudflare staff, but Astro will stay open‑source under the MIT license, retain its open governance, and continue supporting multiple deployment targets beyond Cloudflare. The partnership provides additional resources so the team can focus exclusively on framework development, especially the upcoming Astro 6 release and the 2026 roadmap. Astro originated in 2021 to address performance issues of JavaScript‑heavy sites, emphasizing “content‑driven” websites rather than data‑driven applications. It quickly gained adoption, with ~1 million weekly downloads and usage by large platforms such as Webflow, Wix, Microsoft, and Google. Prior attempts to launch paid hosted services (e.g., Astro DB, e‑commerce layer) were discontinued to avoid distraction from core framework work. Cloudflare’s long‑standing support aligns with Astro’s goals: delivering fast, secure, globally distributed web experiences while preserving the project’s openness and community‑driven development.

Mandiant is publishing a full set of Net‑NTLMv1 rainbow tables to demonstrate the protocol’s continued insecurity and to accelerate its deprecation. Net‑NTLMv1, known to be vulnerable since at least 1999 and publicly deprecated, still appears in active environments, allowing trivial credential theft and privilege escalation via authentication‑coercion attacks (e.g., recovering a domain‑controller machine‑account hash to obtain DCSync rights). The tables are stored in Google Cloud Storage (gs://net‑ntlmv1‑tables/tables) and can be downloaded with gsutil; SHA‑512 checksums are provided for verification. They are usable with traditional rainbow‑table tools such as rainbowcrack, RainbowCrack‑NG, or GPU‑accelerated forks after preprocessing Net‑NTLMv1 hashes to DES components via ntlmv1‑multi. Attackers typically capture Net‑NTLMv1 hashes using tools like Responder (‑‑lm ‑‑disable‑ess) with a static challenge (1122334455667788) and then coerce authentication from privileged hosts. The released dataset enables key recovery in under 12 hours on consumer hardware (~$600). The post emphasizes disabling Net‑NTLMv1 and Extended Session Security to prevent these attacks.

The handbook addresses the challenge that large language models (LLMs) sometimes produce malformed structured data (e.g., JSON, XML, code) due to their probabilistic generation, which hampers programmatic uses such as data extraction, code generation, and tool calling. It provides developers with a comprehensive guide covering: the internal mechanisms of LLM output generation; the most effective tools and techniques for enforcing deterministic, well‑formed outputs; criteria for selecting appropriate methods; strategies for building, deploying, and scaling such systems; and approaches to minimize latency and cost while improving output quality. The document is intended as a regularly updated reference, usable either as a full read‑through or as a lookup resource. It is authored by the maintainers of Nanonets‑OCR models (vision‑language models for converting documents to structured Markdown) and the docstrange open‑source document‑processing library. A newsletter offers bi‑monthly updates on developer insights, breakthroughs, and tools.

Let’s Encrypt now offers two new certificate types that are generally available: - **Short‑lived certificates**: valid for 160 hours (≈6 days). They are obtained by selecting the “shortlived” profile in an ACME client. The reduced lifespan forces more frequent domain validation, limiting the impact of compromised private keys and mitigating the unreliability of revocation, which previously left certificates vulnerable for up to 90 days. These certificates are optional; they are not the default, and adoption depends on fully automated renewal processes. - **IP‑address certificates**: enable TLS authentication for servers accessed via IPv4 or IPv6 addresses rather than hostnames. They are required to be short‑lived because IP addresses tend to be more transient, necessitating more frequent validation. The default certificate lifetime will be lowered from 90 days to 45 days over the coming years. Development was supported by the Open Technology Fund, Sovereign Tech Agency, and other sponsors.

Cursor’s 2026‑01‑14 blog post “Scaling long‑running autonomous coding” describes experiments with autonomous coding agents running for weeks on large projects. The authors claim they resolved coordination issues, enabling hundreds of agents to work concurrently on a single codebase. To demonstrate, they directed the system at building a web browser from scratch, reporting that agents produced over 1 million lines of code across ~1 000 files in a week and linking to the GitHub repository . However, the post provides no evidence of a functional browser: the repository fails to compile (multiple CI runs report dozens of errors and warnings), no commit compiles cleanly, and an open issue notes the build problems. No reproducible demo, build instructions, or verified release tag is offered. The article concludes optimistically about scaling autonomous coding, but the only concrete outcome is a large, non‑compiling codebase, not a working browser capable of rendering even simple HTML.

FLUX.2 [klein] is a new family of compact diffusion models focused on real‑time visual generation and editing. Key attributes include: - **Sub‑second inference** (≤0.5 s) for text‑to‑image, single‑reference I2I, and multi‑reference generation on consumer GPUs (≈13 GB VRAM, e.g., RTX 3090/4070). - **Model sizes**: a 9 B flagship (distilled to 4 inference steps) and a fully open‑source 4 B variant (Apache 2.0). Both support unified generation/editing; base (undistilled) versions are provided for fine‑tuning and research. - **Performance**: matches or exceeds larger models (≈5× size) in quality while using far less latency and memory; outperforms comparable Qwen and Z‑Image systems. - **Quantization**: FP8 and NVFP4 variants deliver 1.6–2.7× speed gains and 40–55 % VRAM reduction, optimized with NVIDIA. - **Licensing**: 4 B models under Apache 2.0; 9 B models under the FLUX Non‑Commercial License. - **Applications**: intended for interactive design tools, agentic visual reasoning, and real‑time content creation. The release includes an API, open weights for local deployment, and documentation for development and fine‑tuning.

The article reports that “The Torment of Saint Anthony,” a small easel painting created when Michelangelo was about 12‑13, has been authenticated as his work. The piece, based on a known engraving, was sold at Sothe by’s in 2008 and examined by the Metropolitan Museum, where cleaning revealed a palette and brushwork resembling Michelangelo’s later Sistine‑Chapel style. Infrared reflectography showed correction marks, indicating an original composition rather than a copy. The Kimball Art Museum in Fort Worth acquired the painting, noting it as the only Michelangelo easel work in the Americas and one of only four such attributions in his career—an era when he largely rejected oil painting. Subsequent analysis led art historian Giorgio Bonsanti to endorse the attribution, though some scholars remain skeptical. The article includes brief biographical notes on the author, Colin Marshall, and links to related art‑history content.

Just the Browser is an open‑source project that applies hidden group‑policy settings to mainstream browsers (Google Chrome, Microsoft Edge, Mozilla Firefox) to disable AI features, telemetry, sponsored content, default‑browser prompts, first‑run experiences, and startup‑boost mechanisms while leaving crash‑reporting intact. Configuration files and installation scripts are provided for Windows, macOS, and Linux (Chrome/Edge on Linux unsupported). Installation is performed via a PowerShell command on Windows or a curl‑based bash command on macOS/Linux; manual guides are also available. The settings are applied through policies intended for enterprise environments, so browsers display “managed by your organization.” Users can view active policies at about:policies (Firefox) or chrome://policy (Chrome/Edge) and can remove or edit the configurations via the provided guides or the automated script. The project does not include ad‑blockers, nor does it support mobile devices; support for Android and iOS/iPadOS is pending. Compatibility depends on browsers maintaining the underlying policy options.

The article argues that the software industry’s slowdown stems from reliance on high‑level stacks that hide essential design choices. Using Reddit as a case study, it shows how a React + Redux frontend incurs 200 ms latency to collapse a comment versus 10 ms in the older DOM‑based version, because global state updates force unnecessary re‑renders. The author contends that low‑level programming is valuable not as an end but as a means to select appropriate tech stacks—whether alternative JavaScript frameworks, direct DOM manipulation, WebGL/Wasm, or native solutions like Qt or SDL. Low‑level expertise expands the pool of innovators who can build better foundations, yet current low‑level tools and documentation are fragmented and difficult, discouraging adoption. By improving low‑level tooling and creating new high‑level abstractions built on solid, efficient bases, the Handmade community can bridge the gap, enabling higher‑quality software without the performance penalties of today’s popular frameworks.