HackerNews Digest

The author attempted to send a working MacBook to Django, a Congolese refugee in western Uganda, to replace his damaged laptop. Initial shipment via Australia Post was rejected because international air transport of devices with installed lithium batteries is prohibited; the package was returned. A freight service (Pack & Send) provided a $213 AUD quote, repackaged the laptop, and dispatched it despite global freight disruptions. The parcel traversed nine countries, reaching the Netherlands, then faced Ugandan customs: a UGX 95 000 agency fee, tax assessment, and a requirement for an original purchase receipt, which led to temporary seizure. Django, lacking a Tax Identification Number (TIN), undertook a multi‑hour journey to a URA office, secured a TIN after extensive waiting, and paid UGX 127 658 (~$47 AUD) in taxes. Additional customs amendment required UGX 50 000 (~$18.5 AUD). After further rerouting (UK → UAE → Kenya → Uganda) and a failed delivery attempt, the laptop was held in a hardware shop and retrieved by Django on May 13, completing a 42‑day, 36 000 km shipment that cost roughly $407 AUD, comparable to the laptop’s value.

Japanese firms are unusually diversified because their corporate structure—called the “J‑firm” bundle—integrates lifetime employment, seniority‑based promotion, horizontal coordination (e.g., the Toyota andon cord), broad employee training, and insulated financing through main banks and cross‑shareholdings. These interlocking practices reinforce one another, making it efficient for firms to redeploy a stable, generalist workforce into unrelated product lines while retaining expertise (e.g., Toto’s toilets, bathroom tiles, and high‑precision electrostatic chucks for memory‑chip manufacturing). Economists Milgrom & Roberts showed that such complementary practices form a cohesive bundle, and Aoki identified the J‑firm’s horizontal, employee‑centric orientation versus the shareholder‑driven “H‑firm” of the West. Historically, wartime mobilization created a “national defense state” that persisted post‑war, giving Japanese firms patient capital and a focus on incremental refinement rather than rapid disruption. This model enabled rapid catch‑up growth and dominance in precision manufacturing, though it hampers bold innovation in sectors like software or electric vehicles.

Project Glasswing, Anthropic’s collaborative effort to protect critical software from advanced AI‑enabled attacks, has used the Claude Mythos Preview model with ~50 partners to uncover >10 000 high‑ or critical‑severity vulnerabilities in essential systems. Partners report a ten‑fold increase in bug‑finding speed; examples include Cloudflare’s 2 000 bugs (400 critical) and Mozilla’s 271 fixes in Firefox 150 versus prior models. Independent evaluations (UK AI Security Institute, XBOW, ExploitBench/ExploitGym) rank Mythos Preview as the strongest current cyber‑model. Scanning >1 000 open‑source projects yielded 6 202 high/critical findings; 1 752 were triaged, with a 90.6 % true‑positive rate and 62.4 % confirmed as high/critical, projecting ~3 900 such bugs overall. Patch deployment remains the bottleneck: average two‑week fix time, 75 of 530 disclosed high/critical bugs patched so far. Anthropic released Claude Security (beta) for enterprise code scanning, enabling >2 100 patches in three weeks, and launched a Cyber Verification Program and tooling (skills, harness, threat‑model builder). Future plans include expanding partner networks, supporting open‑source maintainers, and eventually releasing Mythos‑class models once robust safeguards are in place.

None

Microsoft has begun scaling back internal AI use after cost overruns. It is canceling most Claude Code licenses for engineers, directing them to GitHub Copilot CLI, while maintaining its larger Anthropic “Foundry” partnership and Azure compute commitments. Uber’s CTO reported that its 2026 AI‑coding‑tools budget was exhausted in four months, despite internal leaderboards incentivizing heavy tool usage. Similar pressures exist at Meta and Amazon, where employees are urged to maximize token consumption. Analyst forecasts predict a 24‑fold rise in token usage by 2030, reaching ~120 quadrillion tokens per month; although token prices are expected to drop 90 % by that time, overall enterprise AI costs may rise because agentic models consume many more tokens per task and savings are not fully passed on. Executives such as Nvidia’s Jensen Huang envision dozens of AI agents per employee, but the disparity between falling unit costs and accelerating consumption could make the AI “agentic” future substantially more expensive than anticipated.

The piece from the Temerty Faculty of Medicine reviews how extensive, multi‑decade research on sleep physiology and disorders culminated in the development of a newly approved medication for obstructive sleep apnea. It traces the evolution of foundational studies on respiratory control during sleep, the identification of therapeutic targets, and the progression from pre‑clinical findings to human clinical trials. The article highlights the drug’s mechanism of action, its regulatory approval process, and the anticipated impact on patient management, emphasizing how long‑term scientific inquiry translated into a novel treatment option for a prevalent sleep‑related breathing disorder.

Blood is pumped from the heart to the horse’s hoof via arteries, while venous return relies on a mechanical “pump” within the hoof because lower‑leg muscles are absent. A venous plexus surrounds each lateral cartilage and the sensitive structures of the hoof. During weight‑bearing, the plantar cushion and coffin bone compress these veins, forcing blood upward against one‑way venous valves and creating a hydraulic cushion that dissipates concussion. When the foot is lifted, the compressed veins reopen; arterial pulse and gravity fill the plexus, and the stored pressure pushes blood up the leg. This cyclical compression‑decompression acts as a “second heart,” maintaining circulation and protecting the coffin bone. The mechanism depends on vein valves, the coffin bone’s contact with the hoof wall, and the alternating phases of loading and unloading during gait.

The document outlines three candidate designs for a password‑reset mechanism: - **Single‑use JWT**: Uses an HS256‑signed JSON Web Token, valid for 15 minutes and intended for one‑time use. - **Database‑stored opaque token**: A random token persisted in a database, expires after 1 hour, and can be revoked manually. - **Magic‑link only**: No explicit token; the reset link itself is sent to the user’s verified email and serves as the authentication step. The author notes that trade‑offs among these options will be explained subsequently, and seeks clarification on which design aligns with the target security requirements.

Lawmakers have pressed the Cybersecurity and Infrastructure Security Agency (CISA) for details after a contractor with admin rights to CISA’s code platform posted a public GitHub repository (“Private‑CISA”) containing plaintext AWS GovCloud keys and other internal credentials. The repo, created in November 2025, was discovered by security firm GitGuardian and reported by Krebs on Security on May 18. Commit logs show the contractor disabled GitHub’s secret‑detection feature. CISA acknowledged the leak but has not disclosed its duration; it claims no sensitive data was compromised. Senators Maggie Hassan and Representative Bennie Thompson have demanded answers, citing CISA’s reduced workforce and leadership turnover. Truffle Security’s Dylan Ayrey noted an RSA private key granting full access to CISA’s GitHub organization remained active after initial notification, though it was later invalidated. Additional leaked credentials tied to critical agency technologies have yet to be rotated. CISA says it is coordinating with vendors to invalidate exposed secrets, while experts warn that both adversaries and cyber‑crime groups monitor such public disclosures.

The article documents four hand‑written LZ4 decompression implementations for legacy CPUs (Zilog Z80, Intel 8080/8086, and MOS 6502) and analyzes how each architecture’s features affect the algorithm. LZ4’s block format consists of sequences of literals followed by a back‑reference, encoded in a single length byte (high nibble = literal length, low nibble + 4 = back‑reference length) plus a two‑byte little‑endian offset; extended lengths use extra bytes of 0xFF. The author’s variation relies on two decoder constraints: the final sequence is literals only and offsets are never zero, allowing termination with a zero‑offset pair instead of full frame data. For the Z80, the LDIR instruction efficiently copies blocks, and only two long‑lived pointers (source, destination) are needed, with occasional stack swaps to handle extended back‑reference lengths. The 8080 mirrors the Z80 code but replaces LDIR with manual loops and substitutes SBC HL,BC with byte‑wise subtractions, increasing accumulator use and register saves. The 8086 exploits its richer register set and string instructions (LODSB, STOSB, MOVSB, REP) to avoid stack usage, handling far pointers and segment registers for 1 MiB address space. The 6502, lacking multi‑register pointers and block‑copy ops, uses zero‑page scratch space and a helper routine to emulate LDIR, incurring heavy accumulator traffic and RAM‑based temporary storage. The article also outlines each CPU’s API conventions (register or memory‑based pointers, calling‑convention preservation) and notes how historical decoder constraints simplify implementation.