HackerTrans
TopNewTrendsCommentsPastAskShowJobs

strenholme

1,433 karmajoined 7 yıl önce
Single parent. Electronic musician. Lua and open source developer. https://samboy.github.io/ — https://github.com/samboy — https://x.com/caulixtla He/Him

  #include<stdio.h>//RadioGatun
  #include<stdint.h>/*32-bit\*/
  #define b(z) for(c=0;c<z;c++)
  uint32_t c,e[42],f[42],g=19,h
  =13,n[45],i,j,k;void m(){j=0;
  b(12)f[c+c%3*h]^=e[c+1];b(g){
  i=c*7%g;k=e[i++];k^=e[i%g]|~e
  [(i+1)%g];j=j+c;n[c]=n[c+g]=k
  >>j%32|k<<-j%32;}for(i=39;i--
  ;f[i+1]=f[i])e[i]=n[i]^n[i+1]
  ^n[i+4];b(3)e[c+h]^=f[c*h]=f[
  c*h+h];*e^=1;}int main(int c,
  char**v){char*q=v[--c];for(;;
  m()){b(3){for(j=0;j<4;){f[c*h
  ]^=k=(*q?255&*q:1)<<8*j++;e[c
  +16]^=k;if(!*q++){b(18)m();b(
  8){j=c;b(4)printf("%02x",(e[1
  +j%2]>>8*c)&255);c=j;if(c%2)m
  ();}return 0&puts("");}}}}}//

comments

strenholme
·3 gün önce·discuss
Exactly! As an open source developer who has a notable-enough-for-Wikipedia 25-year-old project out there (MaraDNS), let me tell you, a lot of “security bugs” found by AI-assisted researchers are anything but security bugs. Just some examples of stuff which ended up in my inbox recently:

- A security “bug” where someone who sends hundreds of millions of spoofed DNS queries could possibly have one come through. This is a problem with the DNS protocol, and it’s a problem with broken servers which drop DNS packets under some circumstances. It’s a long known issue where, in reality, the exploit isn’t incredibly practical (to say the least).

- A security “bug” where someone saw `strcat` in my code and assumed it was automatically a big huge buffer overflow exploit. No, it wasn’t: I did bounds checking in all cases, except one case where the program in question hasn’t been able to even compile since 2022 (and is a side utility which isn’t needed in any way, shape, or form to run MaraDNS).

- A bunch of security “bugs” which were cases where my recursive resolver took a few seconds to fully drop resources used to solve a DNS query if it got various kinds of weird packets. This researcher claimed one bug was a remote packet of death, so I spent an entire afternoon writing a test case creating the packet in question. Nope, no packet of death.

- Finally, one researcher did find a security bug in the TCP code for the recurisve resolver, where an authorized client could disable the TCP server (without affecting the UDP server). Keep in mind that the code doesn’t enable TCP by default, a user would have to go out of their way to enable DNS-over-TCP, and it’s not a “packet of death” because the IP sending the bad TCP packets has to be one already authorized to perform recursive queries.

With the DNS-over-TCP bug, I patched the code and made a new MaraDNS release. With the overflow in the code which hasn’t compiled since 2022, I fixed the bug, patched the code to compile again, then next removed the code completely from MaraDNS (putting it in “MaraDNS-attic”).

As an aside, djbdns users may have observed that, because of the C23 changes, djbdns doesn’t even compile anymore, and I am not aware of anyone besides myself caring enough to post patches. In my own distribution of djbdns, I have instructed people to set CC to "c99 -D_DEFAULT_SOURCE" so that the code can compile again.
strenholme
·7 gün önce·discuss
>Apparently [Brainfuck] is "notable" but Odin is not

Brainfuck has been extensively discussed in the following journal papers:

https://doi.org/10.1080%2F07350198.2020.1727096

https://doi.org/10.7559%2Fcitarj.v9i3.432

If you can find two journal papers which extensively discuss the Odin programming language, I assure you that it will survive any Wikipedia deletion discussion.

I’m saying this as someone who, 13 years ago, had a very stressful week when my tiny little open source project (MaraDNS) was on the Wikipedia deletion block.[1] I added references to the deletion discussion, and as a result, it survived the discussion without a single vote to delete it.

[1] https://en.wikipedia.org/wiki/Wikipedia:Articles_for_deletio...
strenholme
·7 gün önce·discuss
>Odin is a proprietary language

What do you mean by “proprietary language”? To me “proprietary” means closed source, where one can only download binaries, not source code. “proprietary” can also have source code available, but with a license which is not open-source.

Odin, however, is an open-source language with an open-source license:

https://github.com/odin-lang/Odin/blob/master/LICENSE
strenholme
·9 gün önce·discuss
I’ve seen a lot of blog entries using typography so horrible, I had to use reader view to read the page—there was a trend in the mid-2010s to use pencil-thin fonts and there is now and then still a blog out there using one of those unreadable pencil-thin fonts.

However, this blog uses a very readable font called “Atkinson Hyperlegible” and I had no problem reading it. If the color scheme bothers you, click on “eInk” in the theme switcher on the top.

Disclaimers: No relationship to the owner of this blog. No AI used in this posting; I have the em-dash (—) in my custom keyboard layout.
strenholme
·24 gün önce·discuss
AI is a huge bubble, just as dot-com was a huge bubble (I remember when people spent huge amounts of money to have key .com domains; as much as people paid for linux.com back then, the domain essentially went nowhere), and just as buying houses for too much money with loaned money was a huge bubble.

Just as with the two previous bubble, we’re seeing companies hemorrhaging huge amounts of money, and when the dust settles the market is going to crash big time like it did with the two previous bubbles.

Unlike previous bubbles, this bubble isn’t giving people high paying jobs until everything crashes (programmers with the dot-com bubble; construction people during the real estate bubble), but it very annoyingly is making memory and SSD storage cost far too much causing computers to cost about 150% as the cost two years ago before the AI bubble was in full force, forcing Apple to make a “MacBook Neo” model with the absolute minimum of ram and SSD storage space.

Like the dot-com bubble, we will have very few winners left (with dot-com, the big winners were Amazon and Google) but unlike the previous bubble, it’s incredible how political this particular bubble is (i.e. the controversy around Grok).
strenholme
·29 gün önce·discuss
The solution is simple: If using an AI-assisted scanner and a guardrail gets hit, then the code is obviously malicious and needs to be automatically flagged (and refuse to run the code!).

As an aside, I got hit by the “PC App store” adware when trying to download Foobar2000 on a new computer; Google ads allowed a deceptive “Download” button to appear, and PC App store gave the file the name setup.exe. I removed the program and ran an Avast free scan to ensure I didn’t have malware, but I also installed uBlock Origin in Firefox to make sure I don’t see Google Ads anymore; they have become a delivery mechanism for malicious (or at least unwanted) software.
strenholme
·geçen ay·discuss
The Southwest thing is confirmed: https://archive.ph/20250311162848/https://www.cnbc.com/2025/...

“Southwest has been under increasing pressure to raise revenue and improve returns after activist hedge fund Elliott Investment Management took a stake in the airline last year and pushed for changes to the carrier’s business model.”
strenholme
·geçen ay·discuss
This looks interesting, and it’s good to have alternatives to Lua in the embedded space, although MiniScript is an awful lot like Lua on first glance (e.g. using keywords instead of brackets to end loops and conditionals).

The things which slightly rub me the wrong way:

• C++ instead of C. There’s still places where one has a pure C language project.

• cmake instead of Posix-compatible make. This makes the project depend on a non-standardized tool with only one implementation.

I’m curious what advantages MiniScript has over Lua, though—when I had the problem of “let’s use a tiny embedded language” [1], Lua5.1 made the most sense to me:

• No need to worry about a Javascript, Moonscript, Kotlin, or Go language port—people have already made all of those. [2]

• People already made libraries I needed (e.g. a “spawner” library so I could run Stockfish from my Lua script)

• It’s a standard embedded scripting language which people are more likely to already know (e.g. people making Roblox games already know Lua)

• It compiles in a pure C environment.

[1] https://samboy.github.io/MaraDNS/coLunacyDNS/

[2] It would be nice to have a Rust port of Lua
strenholme
·2 ay önce·discuss
xz is pretty universal across POSIX and clones though. It comes with any modern Linux distro, Busybox even has an .xz decompressor, so `tar xvJF file.tar.xz` does the right thing in *NIX land, which I presume includes MacOS with Brew.

For Windows systems, 7-zip (.7z, similar compression to .xz) is a free download for Windows 10, and Windows 11 can open up a .7z file with a simple double click.

.zip and .gz no longer need to be used here in 2026.
strenholme
·2 ay önce·discuss
For people who are interested, here is the solution. In standard PGN, the solution is:

1. e4 e5 2. Nf3 Nf6 3. Nxe5 Nxe4 4. Qe2 Nxd2 5. Nc6+ Ne4 6. Nxd8 Kxd8 7. Qxe4 a6 8. Bg5+ Be7 9. Qxe7#

In the Stockfish notation this engine uses, White’s moves are:

1. e2e4 2. g1f3 3. f3e5 4. d1e2 5. e5c6 6. c6d8 7. e2e4 8. c1g5 9. e4e7

Here is a Lichess analysis of this game:

https://lichess.org/WnMF3LpX

(In terms of Regexes, Javascript has a very rich Turing complete Regex library; it’s an open question whether Lua 5.1’s regexes are Turing complete, but they are good enough for the text processing I do)
strenholme
·2 ay önce·discuss
Very good question. I can tell you why I chose Lua 5.1 for MaraDNS:

• Lua 5.1 is smaller than Lua 5.4

• Lua 5.1 is LuaJIT compatible; Lua 5.4/5.5 isn’t as compatible

LuaJIT is a version of Lua 5.1 which is an incredibly fast scripting language because it, in real time, compiles Lua 5.1 code in to native instructions. The only wart LuaJIT has is that its RISC-V port is incomplete, but that will undoubtedly change as RISC-V slowly gets more popular.

The other reason to stick to Lua5.1 is because Lua changes its syntax between versions; e.g. bitwise operations in Lua 5.4 are very different than how they are done in Lua5.1, to the point it’s difficult to make a polyglot library which can do bitwise operations in both Lua 5.1 and Lua 5.4. I am of the opinion Lua 5.3 should had been named Lua 6.0 for the simple reason that having native integers in Lua is a pretty significant backwards compatibility breaking change.

Since Lua (well, Lunacy) is the only tool in MaraDNS which isn’t standardized (e.g. MaraDNS uses only POSIX-comatible shell scripts, it uses “make” because that’s a standardized tool with multiple implementations, C is also a standard with multiple implementations, etc.), sticking to Lua5.1 allows me to use a version of Lua with multiple implementations and, as such, is informally standardized.
strenholme
·2 ay önce·discuss
>>>uses dummy accounts to bend the voting and discussion<<<

This is a false accusation with no evidence to back it up. Let me state this clearly: I am not using sockpuppet accounts nor am I stacking the vote.

Ycombinator is a secure site and @dang does not allow sockpuppets nor stacked voting.

What you are seeing is the hacker spirit of the Ycombinator community: Hackers believe in software diversity, and strongly oppose monoculture, so welcome people who bring up and discuss alternative software.
strenholme
·2 ay önce·discuss
This list is very useful; Vile isn’t quite Vi, but it’s close enough, and it includes a Windows32 binary which works with CP-1252 [1] (albeit in a separate window), and fits in under 700k (7-zip compressed).

What I wish existed was a fork of Busybox Vi which fully supports UTF-8. I’ve looked at the code and it would require a considerable rewrite to make it UTF-8 compatible, so I can see why it hasn’t been done.

[1] https://en.wikipedia.org/wiki/Windows-1252
strenholme
·2 ay önce·discuss
“The software has to present a worthwhile target (ie have a substantial long term userbase) before anyone will bother to look for exploits”

MaraDNS is a worthwhile target; two people have been auditing it this year, in fact:

https://github.com/samboy/MaraDNS/pull/137

https://github.com/samboy/MaraDNS/security/advisories/GHSA-c...
strenholme
·2 ay önce·discuss
Apologies for being confrontational; accusations of there being security holes are serious accusations in my book, and need to be backed up with solid facts. Yes, that’s how seriously I take security with the software I make available on the Internet.

That number is a 32-bit number in the C code, but it’s converted in to a 16-bit number. I used “int” to have it interface with other Lua code, but safely assume “int” can fit 16 bits, and yes I do convert the number to a 16-bit one before passing it off to other Lua code:

https://github.com/samboy/LUAlibs/blob/master/rg32.c#L77

Here, I assume lua_number can pass 32 bits:

https://github.com/samboy/LUAlibs/blob/master/rg32.c#L45

https://github.com/samboy/MaraDNS/blob/master/coLunacyDNS/lu...

https://github.com/samboy/lunacy/blob/master/src/lmathlib.c#...

But it works without issue:

  rg32.randomseed("shakna3")
  print(string.format("%x",rg32.rand32()))
One sees “b0e6725c”, i.e. a 32-bit unsigned number

Likewise:

  rg32.randomseed("shakna3")
  print(string.format("%x %x",rg32.rand16(),rg32.rand16()))
Gives us “b0e6 725c”.

Vendoring Lua 5.1 was forced; since I wanted to use Lua 5.1 (for reasons described above, e.g. LuaJIT compatibility), I had to use code which hasn’t been updated upstream since 2012.
strenholme
·2 ay önce·discuss
Agreed, it made a lot more sense to write MaraDNS in C in 2001 though.

The main advantage of writing in C over Rust here in 2026 is that C has two different Lua interpreters, and there isn’t a port of Lua to Rust yet; [1] yes, there are ways to use the C version of Lua in Rust, but that’s different.

If I were to write a new server today, I could very well write it in Go, then use GopherLua for the Lua engine:

https://github.com/yuin/gopher-lua

Although, even here, the advantage of C is that I could increase performance by using LuaJIT:

https://luajit.org/luajit.html

[1] If I were to use Rust, I would consider using Rune as an embedded language as per https://rune-rs.github.io/
strenholme
·2 ay önce·discuss
The point of djbdns and qmail was this: It allowed administrators to run a local DNS server securely without needing to constantly patch the code. They were limited in scope, but were perfect for admins who valued security over features.

In an era when DNS was otherwise a monoculture, djbdns was a welcome breath of fresh air.

https://lwn.net/2001/0208/
strenholme
·2 ay önce·discuss
>>>The patch landing in 2021, instead of 2014, being one of those concerns.<<<

What makes you think I was using Lua in 2014? Seriously, do you even know how to use “git log”?

I added Lua to MaraDNS in 2020:

https://github.com/samboy/MaraDNS/commit/2e154c163a465ee7ead...

I patched it on my own in 2021:

https://github.com/samboy/MaraDNS/commit/efddb3a92b9cee30f11...

>>>you might want to recheck your assumption of how big 'int' will be

uint32_t is always 32-bit:

https://en.cppreference.com/c/types/integer

And, yes, this can be easily checked with a tiny C program:

  #include <stdint.h>
  #include <stdio.h>

  int main() {
    uint32_t foo = 0xfffffffd;
    uint64_t bar = 0xfffffffd;
    uint32_t a = 0;
    for(a=0;a<20;a++) { printf("%16llx:%16llx\n",foo++,bar++); }
    return 0; 
  }
If there’s a system where uint32_t is 64 bits, that’s a bug with the compiler (which isn’t following the spec), not MaraDNS.

Are you going to make any other negative false implications about MaraDNS? Because you’re making a lot of very negative accusations without bothering to check first.

Edit: Here’s a version of the above C program which works in tcc 0.9.25:

  #include <stdint.h>
  #include <stdio.h>

  void shownum(uint64_t in) {
    int32_t a;
    for(a=60;a>=0;a-=4) {
      int n = (in >> a) & 0xf;
      if(n < 10) {printf("%c",'0'+n);}
            else {printf("%c",'a'+(n-10)); }
    }
    return;
  }

  int main() {
    uint32_t foo = 0xfffffffd;
    uint64_t bar = 0xfffffffd;
    uint32_t a = 0;
    for(a=0;a<20;a++) { 
      shownum(foo++); 
      printf(":"); 
      shownum(bar++); 
      puts(""); }
    return 0;
  }
strenholme
·2 ay önce·discuss
A lot of security and other audits have been performed against it though; MaraDNS, after all, is notable enough to have a Wikipedia page and hundreds of GitHUB stars.

For example, when the Ghost Domain Name DNS vulnerability was discussed, MaraDNS was audited and named (MaraDNS was immune to the security bug, for the record)

https://web.archive.org/web/20120304054959/https://www.isc.o...
strenholme
·2 ay önce·discuss
It’s useful for things like 10.1.2.3.ip4.internal style queries, or having a DNS server that always returns a given IP for any query given to it.

More discussion is on the coLunacyDNS overview page:

https://samboy.github.io/MaraDNS/coLunacyDNS/