SuperTechFans

2026-05-09 Hacker News Top Stories

TL;DR · AI Summary

Cloudflare announced a 20% global workforce reduction (over 1,100 jobs) amid AI-driven transformation; Canvas platform faced data breach threat from ShinyHunters, exposing 275 million education records.

Key Takeaways

  • Cloudflare cut over 1,100 jobs—about 20% of staff—to adapt to the intelligent agent AI era.
  • ShinyHunters exploited Canvas’s free teacher account flaw, threatening to leak 275 million education records.
  • Goldman Sachs predicts AI will cause 5,000–10,000 net job losses per month in the most vulnerable U.S. industries by 2025.

Outline

  1. Cloudflare Layoffs & AI Transition

    Cloudflare announced a 20% global workforce reduction (over 1,100 jobs) to restructure for the intelligent agent AI era, despite Q1 earnings beating expectations, leading to a 19% post-market stock drop.

  2. The 'hire-first, fire-later' model sparked ethical debates; companies like Amazon have been criticized for such practices, raising concerns about employee economic security.

  3. Canvas Data Breach Incident

    Learning platform Canvas was attacked by hacker group ShinyHunters, exploiting a vulnerability in free teacher accounts, threatening to release 275 million education records.

  4. The breach disrupted exams and grade submissions; schools resorted to email-based work collection, with some teachers relying on local backups to avoid data loss.

  5. Schools avoid sending grades via email due to FERPA compliance risks, not malice—this is a legal risk mitigation strategy despite user inconvenience.

Mindmap

  • 2026-05-09 Hacker News Top Stories
    • Corporate change and the impact of AI
      • Cloudflare lays off 20% of staff (over 1,100 people)
      • Internal AI usage up sixfold in three months
      • Goldman Sachs: 5,000–10,000 net jobs lost per month in 2025
    • Cybersecurity incidents
      • Canvas data breach (275 million records)
      • ShinyHunters exploited a free teacher account vulnerability
      • Some systems still not restored
    • Technology governance and ethical challenges
      • “Hire first, fire later” sparks ethical controversy
      • FERPA rules restrict sending grades by email
      • AI content dilutes community value; human moderation needed

Highlights

  • Cloudflare's internal AI usage has grown over sixfold in the past three months, prompting major changes in team operations.

  • ShinyHunters claims to have breached 9,000 schools, involving 275 million students and staff records, threatening public disclosure before May 12.

  • Goldman Sachs economists predict AI will cause 5,000 to 10,000 net job losses per month in the most vulnerable U.S. industries by 2025.

Tags: Cloudflare, Cybersecurity, AI Impact, Data Breach, EdTech

2026-05-09 Hacker News Top Stories [#](https://supertechfans.com/cn/post/2026-05-09-HackerNews/#2026-05-09-hacker-news-top-stories)

1. Cloudflare announced a restructuring for the "AI-powered intelligent agent era," resulting in global layoffs of approximately 20% (over 1,100 employees), despite Q1 results exceeding expectations; weak Q2 guidance led to a sharp stock drop and sparked debate over the ethics of "hire-first, fire-later" practices and AI-driven job displacement.

2. Learning platform Canvas was breached by hacker group ShinyHunters, who abused "free teacher accounts" to gain access and threatened to leak 275 million records (affecting 9,000 schools). The company has blocked the exploit and applied patches, restoring most services, but some systems remain affected with no clear timeline for full recovery.

3. Poland’s economy has surpassed $1 trillion, overtaking Switzerland to enter the world’s top 20 largest economies, driven by market reforms, EU integration, and emerging industries—though challenges persist, including an aging population, low birth rates, and intergenerational and urban-rural income disparities.

4. Given recent high-severity Linux kernel vulnerabilities and rising NPM supply chain attacks, the author recommends pausing new software and dependency installations for about a week, using lock files for reproducible builds, and applying security patches only when necessary to reduce risk.

5. To counteract AI-generated low-quality content diluting community value, the author advocates raising posting barriers, strengthening human moderation, and requiring AI outputs to have clear audiences and polished quality—despite high costs for detection and enforcement.

6. A report reveals “Dirtyfrag” as a universal local privilege escalation vulnerability capable of gaining root access on mainstream Linux systems; currently no patch or CVE exists, and temporary mitigations include disabling esp4/esp6 and rxrpc modules, along with reviewing namespace and kernel configuration to reduce exposure.

7. The article claims Google Cloud Fraud Defense is merely a rebranded version of device remote attestation: it uses QR code scanning to invoke Google/Apple authentication to “prove humanity,” but risks exclusion, abuse, and introduces persistent fingerprinting and cross-site tracking privacy concerns.

8. Project sinceyouarrived.world/taken demonstrates how browsers leak extensive fingerprint data (IP, timezone, Canvas/WebGL, etc.) without user consent and warns of cross-site tracking risks—even though some detection methods aren’t always accurate and can be mitigated via VPNs.

9. Brazil’s central bank-led instant payment system Pix is rapidly eroding card network shares due to low fees and widespread adoption, while expanding new features—drawing pressure from Visa, Mastercard, and U.S. regulators because of its demonstration effect for other markets.

10. In celebration of David Attenborough’s 100th birthday, the UK royal family and public figures paid tribute through events and programming, sparking renewed public discussion on conservation and media communication amid debates over AI voice cloning of his legacy.

1. Cloudflare to Cut About 20% of Its Workforce [#](https://supertechfans.com/cn/post/2026-05-09-HackerNews/#1-cloudflare-%e5%b0%86%e8%a3%81%e5%91%98%e7%ba%a6-20-cloudflare-to-cut-about-20-of-its-workforce)

https://www.reuters.com/business/world-at-work/cloudflare-cut-over-1100-jobs-2026-05-07/

Cloudflare announced plans to cut approximately 20% of its workforce, eliminating over 1,100 positions globally, as part of an operational restructuring driven by the rapid adoption of AI tools. The company expects second-quarter revenue between $664 million and $665 million—slightly below Wall Street’s consensus estimate of $665.3 million—and adjusted EPS of 27 cents, in line with expectations. Despite strong Q1 performance exceeding forecasts, shares dropped nearly 19% in after-hours trading.

In a letter to employees, CEO Matthew Prince and co-founder Michelle Zatlyn stated that teams and functions are being redesigned to adapt to the "intelligent agent AI era." This restructuring reflects internal process and role redesign rather than employee performance or short-term cost pressures. Over the past three months, Cloudflare’s internal AI usage has increased by more than sixfold, prompting significant shifts in team operations.

Q1 revenue reached $639.8 million, surpassing analysts’ forecast of $621.9 million, with adjusted EPS at 25 cents—above the expected 23 cents. The stock has risen 30.3% year-to-date.

The layoffs have reignited concerns about AI-driven automation accelerating industry transformation and job losses. Similarly, payment company Block announced in February layoffs exceeding 4,000 employees—about half its workforce—to accelerate AI integration. Goldman Sachs economists predict AI will cause a net loss of 5,000 to 10,000 jobs per month in the most vulnerable U.S. sectors by 2025.

* * *

https://news.ycombinator.com/item?id=48054423

  • Cloudflare’s pattern of hiring large numbers of interns quickly followed by mass layoffs highlights contradictions in corporate behavior under the slogan of “building for the future.”
  • Some managers engage in large-scale hiring to demonstrate performance, then lay off staff when conditions shift—protecting themselves and their inner circles.
  • Amazon has a reputation for “hire-first, fire-later,” which discourages top talent from joining.
  • Amazon’s Performance Improvement Plan (PIP) culture is seen by some as a mechanism created by management and HR to generate justifications for termination.
  • Employee experience within large companies largely depends on the direct manager’s leadership style.
  • Amazon’s leadership principles and “bar raiser” culture are criticized by some as having negative impacts.
  • Amazon is no longer widely viewed as a leading tech company but rather as a success story in logistics and infrastructure.
  • Firing employees shortly after hiring is considered ethically and morally unacceptable, especially unfair to those with families and financial responsibilities.
  • For marginal candidates, unemployed individuals may be easier to hire because the risk of failure affects them less.
  • Employees bear economic responsibility personally; employers have no obligation to guarantee economic security.
  • Being honest about contract terms and potential for termination is a recruiter’s duty; concealing intent to fire is unethical.
  • Some have experienced Amazon’s “seasonal hiring” roles and felt corruption and unreasonable work environments.
  • Family ties and favoritism are human tendencies, and cultural attitudes toward them vary significantly.

* * *

2. Canvas Back Online as ShinyHunters Threatens to Leak School Data [#](https://supertechfans.com/cn/post/2026-05-09-HackerNews/#2-canvas-%e5%86%8d%e6%ac%a1%e4%b8%8a%e7%ba%bf%e9%bb%91%e5%ae%a2%e7%bb%84%e7%bb%87-shinyhunters-%e5%a8%81%e8%83%81%e6%b3%84%e9%9c%b2%e5%ad%a6%e6%a0%a1%e6%95%b0%e6%8d%ae-canvas-online-again-as-shinyhunters-threatens-to-leak-schools-data)

https://www.theverge.com/tech/926458/canvas-shinyhunters-breach

The learning management platform Canvas, owned by Instructure, has resumed operations following a major data breach. The incident exposed student names, email addresses, ID numbers, and messages. The breach originated from a cyberattack by the hacker group ShinyHunters, who left ransom notes in the Canvas system, threatening to publicly release data unless schools negotiated privately with them before May 12. ShinyHunters claimed to have compromised 9,000 schools, affecting 275 million students, teachers, and staff.

Instructure discovered that attackers exploited a vulnerability in its “free teacher accounts.” Out of security concerns, the company temporarily disabled these accounts. It has since applied security patches and taken Canvas offline for investigation. While most users have regained access, Canvas Beta and testing systems remain under maintenance, and some users still face issues logging into student records. Instructure has not yet announced when free teacher accounts will be restored.

ShinyHunters previously targeted companies including Ticketmaster, AT&T, and Rockstar Games. The incident has drawn widespread attention, and Instructure expressed regret, emphasizing its active response efforts.

* * *

https://news.ycombinator.com/item?id=48055913

  • Canvas system unavailability disrupted exams and grade submissions, putting some teachers at risk of losing data due to heavy reliance on Canvas gradebooks.
  • School communications were limited, with teachers instructed to ask students to submit assignments directly via email—indicating low confidence in system recovery timelines.
  • Some teachers prefer using local gradebooks to avoid full dependence on Canvas, but many educators and institutions now rely entirely on Canvas for assessment and grading management.
  • If the system remains down long-term, institutions may need to revert to pass/fail grading, similar to pandemic-era approaches.
  • Students typically cannot resubmit assignments via email because coursework is completed within Canvas and no local copies exist.
  • Canvas allows students to enable email notifications for grade updates, but emails only indicate new grades are available—not the actual scores.
  • Schools do not send grades directly via email primarily due to legal privacy risks under FERPA regulations, avoiding violations.
  • Some argue schools use various regulations as excuses to deny certain features, but the real reasons are risk aversion and cost considerations.
  • School lawyers advise against including grade details in emails to minimize litigation risk—even if this causes inconvenience, it's not malicious or otherwise motivated.

* * *

3. Poland Now Among the 20 Largest Economies [#](https://supertechfans.com/cn/post/2026-05-09-HackerNews/#3-%e6%b3%a2%e5%85%b0%e7%8e%b0%e5%b7%b2%e8%b7%bb%e8%ba%ab%e5%85%a8%e7%90%83%e4%ba%8c%e5%8d%81%e5%a4%a7%e7%bb%8f%e6%b5%8e%e4%bd%93%e4%b9%8b%e5%88%97-poland-is-now-among-the-20-largest-economies)

https://apnews.com/article/poland-economy-growth-g20-gdp-26fe06e120398410f8d773ba5661e7aa

Poland’s economy has surpassed Switzerland, with annual output exceeding $1 trillion, making it the 20th largest economy in the world.

Poland’s success stems from multiple factors, not just one. Economists point out that Poland established early institutional frameworks conducive to business development—including relatively independent courts, antitrust mechanisms, and banking regulation—that helped prevent economic capture by corruption and oligarchs. EU membership proved decisive: Poland received substantial EU funding and gained access to the European single market.

Data shows Poland’s per capita GDP rose from $6,730 in 1990 to $55,340 in 2025—reaching 85% of the EU average. Since joining the EU in 2004, Poland’s economy has grown at an average rate of 3.8% annually, far outpacing Europe’s 1.8%.

The article uses Joanna Kowalska, a Poznań-based engineer, as an example. She worked at Microsoft in the U.S. before returning to Poland, citing rapid progress in AI and a stronger sense of purpose. Her organization, the Poznań Supercomputing and Networking Center, is building Poland’s first AI factory, integrating quantum computing.

Another example is Solaris, an electric bus manufacturer founded in 1996. Today, it is one of Europe’s leading producers, holding around 15% market share. The case illustrates another Polish economic trait: entrepreneurial spirit, willingness to take risks, and leveraging the EU market for expansion.

However, the article also notes ongoing challenges: aging population, low birth rates, wages still below EU averages, numerous small and medium enterprises but few global brands. Additionally, urban-rural disparities, housing affordability, young people’s costs of starting families, and how best to integrate Ukrainian and other migrant labor forces remain key issues for the future.

* * *

https://news.ycombinator.com/item?id=48062117

  • Poland was the first country to transition peacefully from a bankrupt Soviet satellite state, with economic transformation and integration into NATO and the EU driving sustained high growth.
  • Poland's reform started earlier than in Czechoslovakia and endured a more severe economic crisis, after which it achieved the fastest growth rate among Central and Eastern European countries.
  • Although GDP per capita has limitations, in a diversified industrial economy like Poland’s, GDP growth reflects improvements in the living standards of ordinary citizens.
  • Economic conditions vary significantly across age groups in Poland: the elderly are relatively poorer, while younger people face considerable financial pressure, indicating clear intergenerational disparities.
  • Living costs in Poland remain relatively high compared to Western Europe, placing economic strain and intense competition on younger generations.
  • Poland’s economic growth has led to significant improvements in quality of life, safety, and healthcare security, with the Gini coefficient remaining stable—social inequality has not drastically increased.
  • While there is a gap between average and median economic data, overall trends show steady improvement in Poland’s economic strength and living standards.
  • Poland’s transition model provides a valuable example for other Central and Eastern European countries, with peaceful negotiation and political dialogue laying the foundation for change.
  • Most former Soviet satellite states in Eastern Europe have achieved peaceful and sustained economic growth since 1991, except those occupied by Russian forces.

* * *

4. Maybe you shouldn’t install new software for a bit [#](https://supertechfans.com/en/post/2026-05-09-HackerNews/#4-maybe-you-shouldnt-install-new-software-for-a-bit)

https://xeiaso.net/blog/2026/abstain-from-install/

The article primarily warns users that multiple Linux kernel vulnerabilities have recently emerged, including “Copy Fail 2: Electric Boogaloo” and “Dirty Frag.” The author notes that we are currently in a high-risk period for supply chain attacks via NPM, and recommends pausing the installation of new software for about a week unless it comes from official Linux kernel patches provided by distributions.

* * *

https://news.ycombinator.com/item?id=48056227

  • Supply chain attack risks due to heavy reliance on third-party packages have long existed but were overlooked due to convenience—now these issues are becoming apparent.
  • Different companies vary widely in their approach to dependency management and security: some enforce strict version control and review processes, while others frequently update dependencies, leading to security risks and technical debt.
  • Some teams use lock files during development but reinstall dependencies during deployment, causing version mismatches and potential vulnerabilities.
  • Early versions of npm made using lock files inconvenient, so many developers failed to use or commit them properly; modern npm now defaults to generating package-lock.json, which has improved this issue.
  • Retagging packages causes checksum failures and does not silently update—problems stem more from build tools defaulting to npm install instead of npm ci.
  • npm ci ensures installation matches the lock file exactly, preventing version drift, but it is not widely adopted or well-documented in some automated environments.
  • Building production code without lock files is considered highly unprofessional; the correct practice is to use npm ci or pnpm install --frozen-lockfile.
  • Lock files were introduced to prevent unintended dependency updates and ensure deterministic versions—similar to fixing dependency versions rather than using floating version numbers.
  • Vendorizing dependencies (bundling them directly into the source repository) may cause issues with build scripts or local binary modules; Yarn Plug and Play offers an alternative solution.
  • Introducing dependency management tools should come with clear justifications and trade-off explanations—not blind adoption—and must be able to articulate the problem solved and associated costs.
  • AI might perform better at standardizing project dependencies and CI configurations, avoiding odd human errors.

* * *

5. AI slop is killing online communities [#](https://supertechfans.com/en/post/2026-05-09-HackerNews/#5-ai-slop-is-killing-online-communities)

https://rmoff.net/2026/05/06/ai-slop-is-killing-online-communities/

Written by rmoff, this article titled *“AI Slop Is Killing Online Communities”* explores the negative impact of AI-generated content on online communities. The author is not opposed to AI technology—it’s seen as an inevitable part of historical progress—but expresses disappointment and concern over the rampant spread of low-quality, meaningless AI-generated content.

The article points out that many people, upon discovering AI tools, rush to publish AI-generated projects, blogs, videos, and other content across various platforms without thoughtful consideration or real value. These outputs often lack originality or practical utility, resembling “garbage written by AI,” contributing no knowledge while increasing noise and degrading information quality within communities.

The author emphasizes that sharing content should serve a clear purpose and provide value—not merely because something is “cool” or “new.” Truly valuable work requires repeated refinement, thorough documentation, and resilience against community scrutiny and feedback. Otherwise, such AI-generated “slop” spreads like weeds, eroding community vitality, driving away users, and potentially leading to dead, inactive forums.

The article also distinguishes between “good” and “bad” AI content: good AI-assisted content results from humans using AI tools to achieve contributions previously impossible, marked by care and responsibility; bad AI content consists of meaningless spam, attention-seeking noise, or pointless posts.

The author calls for basic aesthetic and ethical standards when sharing—understanding the audience and intent behind each post—and urges against blindly spreading low-quality AI output. In closing, the author quotes friend Gunnar Morling, emphasizing that AI is a tool—the key lies in human thought, guidance, and oversight. Only projects that are carefully designed and long-term invested in can truly add value to communities, avoiding becoming part of the “AI slop” problem.

* * *

https://news.ycombinator.com/item?id=48053203

  • Banning AI-generated content aims to protect community quality, but identifying and banning AI accounts is labor-intensive and costly.
  • Methods to detect fake AI accounts include complex registration processes and administrator monitoring, along with user reporting mechanisms.
  • Complex registration processes can block bots but may also deter genuine users.
  • For users who violate no rules but exhibit toxic behavior, warnings followed by temporary bans are appropriate; repeat or severe offenders should face permanent bans.
  • Administrators should retain final discretion but use it cautiously to avoid turning the community into an echo chamber.
  • Determining malicious intent requires administrators’ intuition and experience—borderline behaviors should be punished incrementally.
  • If most community members agree a user is toxic and managing them is costly, consider removing them.
  • Address toxic users promptly and remain open to misjudgments, willing to apologize and correct course.
  • Allow users to report toxic behavior, use reported incidents to generate toxicity scores, and let scores decay over time to reflect behavioral improvement.
  • Clearly define community rules and specify which behaviors are harmful—this aids in managing and guiding user conduct.
  • Combining invisible bans (hellbans) with gradual permission restoration mechanisms effectively maintains community order.
  • User-driven reporting systems have flaws and can be abused, leading to false flagging of high-quality content; introducing limited moderator permissions is recommended.
  • Allow some degree of eccentric or provocative behavior, but treat malicious attacks targeting individuals or small groups seriously.

* * *

6. Dirtyfrag: Universal Linux LPE [#](https://supertechfans.com/en/post/2026-05-09-HackerNews/#6-dirtyfrag-universal-linux-lpe)

https://www.openwall.com/lists/oss-security/2026/05/07/8

This page contains a technical report on the “Dirty Frag” vulnerability—a universal Linux local privilege escalation (LPE) flaw capable of granting root access on all major Linux distributions. Similar in impact to the previous “Copy Fail” vulnerability, this exploit chains two kernel-level bugs.

The report notes that due to broken disclosure timelines and confidentiality agreements, no distribution has yet released patches or assigned CVE identifiers. To prevent exploitation, users are advised to disable specific kernel modules (esp4, esp6, rxrpc) via targeted commands.

The page also includes complete exploit code: a 192-byte x86_64 ELF-format root shell that leverages the vulnerability to overwrite target files (e.g., /usr/bin/su) and escalate privileges. The code details the shellcode’s functionality—including setting group ID and user ID to 0, executing /bin/sh, and configuring environment variables to avoid terminal-related errors.

Additionally, the code implements creation and configuration of user namespaces and network namespaces to ensure proper environmental setup during exploitation. The report provides links to related kernel patches and technical details for reference by security researchers and system administrators.

Overall, this page offers a detailed technical disclosure of a Linux kernel security vulnerability, covering background, scope, mitigation advice, and full exploit code—ideal for security professionals and system operators seeking deep understanding and response strategies.
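A defender-side audit for the temporary mitigations the report describes, added here as an example and not taken from the oss-security post or the report's own tooling: it reports which of the named modules (esp4, esp6, rxrpc) are loaded or compiled into the kernel, classifies the unprivileged user-namespace sysctls, and emits a modprobe.d blocklist fragment. The module list is the one in the summary above; the `install <module> /bin/false` mechanism and the two sysctl names are standard Linux facilities (which namespace sysctl exists depends on the distribution), and the fragment file name is an assumed one.

```shell
#!/bin/sh
# Audit helper for the Dirty Frag temporary mitigations (constructed example,
# not the report's own tooling). Pure POSIX sh; the check functions read
# their input from stdin so they can be exercised on captured data.

# Modules the report names for the temporary mitigation.
RISKY_MODULES="esp4 esp6 rxrpc"

# Print the risky modules present in lsmod output read from stdin,
# space-separated on one line (an empty line if none are loaded).
loaded_risky_modules() {
    found=""
    while read -r name _size _rest; do
        for m in $RISKY_MODULES; do
            if [ "$name" = "$m" ]; then
                found="${found:+$found }$m"
            fi
        done
    done
    printf '%s\n' "$found"
}

# Print the risky modules compiled into the kernel, from a modules.builtin
# listing read from stdin. A modprobe blocklist cannot stop a built-in
# module, so these need a kernel rebuild or an upstream patch instead.
builtin_risky_modules() {
    found=""
    while read -r path; do
        base=${path##*/}   # kernel/net/ipv4/esp4.ko -> esp4.ko
        base=${base%.ko}   # esp4.ko -> esp4
        for m in $RISKY_MODULES; do
            if [ "$base" = "$m" ]; then
                found="${found:+$found }$m"
            fi
        done
    done
    printf '%s\n' "$found"
}

# Emit a modprobe.d fragment that refuses to load the risky modules.
# "install <mod> /bin/false" makes modprobe run /bin/false instead of
# loading the module, which also blocks on-demand autoload requests,
# unlike a plain "blacklist" line that only stops boot-time aliases.
modprobe_block_config() {
    for m in $RISKY_MODULES; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# Classify a sysctl value for unprivileged user namespaces.
# kernel.unprivileged_userns_clone (Debian/Ubuntu kernels): 0 = disabled.
# user.max_user_namespaces (mainline): 0 = no new user namespaces.
# Prints "restricted" when the value is 0, otherwise "open".
userns_state() {
    if [ "${1:-}" = "0" ]; then
        printf 'restricted\n'
    else
        printf 'open\n'
    fi
}

# Read-only audit of this host. Usage: sh dirtyfrag_audit.sh audit
audit() {
    echo "Loaded risky modules   : $(lsmod 2>/dev/null | loaded_risky_modules)"
    builtin_list="/lib/modules/$(uname -r)/modules.builtin"
    if [ -r "$builtin_list" ]; then
        echo "Built-in risky modules : $(builtin_risky_modules < "$builtin_list")"
    fi
    for key in kernel.unprivileged_userns_clone user.max_user_namespaces; do
        val=$(sysctl -n "$key" 2>/dev/null) && \
            echo "$key = $val ($(userns_state "$val"))"
    done
    # Assumed file name; install as root under /etc/modprobe.d/.
    echo "Suggested /etc/modprobe.d/dirtyfrag-mitigation.conf:"
    modprobe_block_config
}

case "${1:-}" in
    audit) audit ;;
esac
```

Applying the fragment only prevents future loads; a module that is already loaded has to be unloaded separately (`modprobe -r`), and a built-in module is unaffected by either step.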

* * *

https://news.ycombinator.com/item?id=48053623

  • Relying on LLMs for vulnerability research may limit exploratory thinking and creativity, making it easy to miss nearby potential issues in code.
  • Researchers who discovered the “Copy Fail” vulnerability did so by noticing anomalies and combining AI scanning with manual code review—manual inspection alone could have found similar flaws.
  • Both vulnerabilities involve the same root cause: ESP-related issues in the authencesn module; the RxRPC vulnerability stems from a different underlying problem.
  • AI models typically focus narrowly on direct targets and struggle to naturally explore context or think broadly like humans.
  • Adjusting prompts to encourage “curiosity” can enhance AI’s exploration ability, but gains are limited and hard to scale significantly.
  • Widespread use of LLMs may lead to homogenized development styles, reducing diversity and innovation.
  • AI-generated code often favors Python or Java patterns—explicit instructions are needed to align with specific language or project conventions.
  • Occasionally, AI identifies overlooked correlated changes that help prevent introducing new problems, especially prominent in complex legacy codebases.
  • Using high-reasoning-capacity models with all relevant files fed in one prompt enables broader resolution of complex design challenges, whereas tool-based, exploratory approaches suit targeted implementation tasks.
  • Including “follow coding standards of the current edited file” in prompts helps AI pay attention to surrounding code and offer more reasonable suggestions.

* * *

7. Google Cloud Fraud Defence is just WEI repackaged [#](https://supertechfans.com/en/post/2026-05-09-HackerNews/#7-google-cloud-fraud-defence-is-just-wei-repackaged)

https://privatecaptcha.com/blog/google-cloud-fraud-defence-wei/

This page introduces Google’s 2026 launch of “Google Cloud Fraud Defense,” a device-authentication-based anti-fraud mechanism described as the next evolution of reCAPTCHA. Users must scan a QR code via their phone to prove they are human. This system relies on Google Play Services’ device authentication API, meaning only modern Android devices or Apple devices with Google Play Services installed can pass verification.

The article reviews Google’s 2023 proposal for “Web Environment Integrity” (WEI), which required browsers to use hardware signatures to verify devices weren’t tampered with—this sparked controversy over privacy and centralized control of the open web, leading Google to withdraw it. The 2026 Fraud Defense service directly commercializes a similar device authentication mechanism, bypassing public discussion and review.

The mechanism has clear flaws: attackers can use cameras to capture screen displays and automate bypassing QR code verification. Moreover, regular users struggle to distinguish authentic Google verification QR codes from phishing ones, posing serious security risks.

The article notes that Apple’s App Authentication operates differently—it functions within a closed ecosystem, whereas Google’s approach imposes hardware authentication on open internet access without explicit user consent or clear usage boundaries.

This authentication mechanism excludes many privacy-conscious users, such as those using Android custom ROMs like GrapheneOS or LineageOS that lack Google Play Services, as well as users of the Firefox browser, who cannot pass verification due to lack of support for Google’s authentication architecture.

Finally, the article emphasizes that this mechanism not only restricts access but also sends device access signals to Google, creating persistent device identity markers and raising serious privacy and tracking concerns, questioning its legality and impact on user rights.

* * *

https://news.ycombinator.com/item?id=48063199

  • Computers are better than humans at cracking CAPTCHAs, and humans can be bribed or recruited into botnets, rendering IP whitelists ineffective. Existing fingerprinting and behavioral analysis methods also face government-imposed restrictions.
  • Methods for verifying human identity are limited, and most involve privacy-sensitive authentication processes. In the long term, the open internet may become locked behind mechanisms requiring identity proof.
  • Apple and Google have introduced remote attestation technologies in browsers to combat automation tools, but these are currently focused on specific scenarios and can still be bypassed via click farms and similar tactics.
  • CAPTCHAs were originally a variation of the Turing test, but with advances in AI, their effectiveness has declined significantly; they are now mostly used as "proof-of-work" mechanisms.
  • Large language models (LLMs) can only pass limited Turing tests and perform poorly over extended interactions. Due to low labor costs, CAPTCHAs remain difficult to fully replace.
  • Current CAPTCHA providers largely rely on non-privacy-preserving auxiliary verification methods—such as Google’s voice CAPTCHAs and hCaptcha’s accessibility cookies—some of which limit user experience.
  • Some CAPTCHA designs use dynamic animations that make recognition easy for humans, but are unfriendly to visually impaired users.
  • Low-cost human-powered CAPTCHA cracking services exist in the market, proving that AI is not the only method of circumvention.
  • QR code-based authentication can bind device IMEI, but is vulnerable to spoofing; fraudsters may trick users into scanning codes to bypass verification.
  • Remote attestation on non-rooted devices is hard to forge, increasing security.
  • Botnets obtain residential IPs through various means, including SDK partnerships, hidden clauses in VPNs, malware, and bandwidth sharing. Passive income schemes yield relatively low monthly returns.
  • Existing technology enables mobile farming: using low-cost devices and control software to manage large numbers of Google accounts, significantly scaling up attack efficiency and volume.

* * *

8. A Web Page That Shows You Everything the Browser Told It Without Asking [#](https://supertechfans.com/cn/post/2026-05-09-HackerNews/#8-%e4%b8%80%e4%b8%aa%e6%97%a0%e9%9c%80%e8%af%a2%e9%97%ae%e5%8d%b3%e5%8f%af%e5%b1%95%e7%a4%ba%e6%b5%8f%e8%a7%88%e5%99%a8%e5%91%8a%e7%9f%a5%e4%bd%a0%e7%9a%84%e4%b8%80%e5%88%87%e4%bf%a1%e6%81%af%e7%9a%84%e7%bd%91%e9%a1%b5-a-web-page-that-shows-you-everything-the-browser-told-it-without-asking)

https://sinceyouarrived.world/taken

This webpage showcases content from a project titled “Since You Arrived · Vol. IV,” highlighting the personal device and environmental information automatically leaked by the browser when a visitor opens the page.

The page emphasizes that this information is disclosed automatically without user consent, and can be uniquely identified across websites using multiple technical methods—including WebGL fingerprinting, font fingerprinting, and browser fingerprinting—enabling cross-site tracking. It also notes the legality and prevalence of these techniques, pointing out that most websites use similar methods to collect user data, though few openly disclose them.

Additionally, the page details the sources and technical background, including IP geolocation services, standard browser APIs, font detection techniques, Canvas fingerprinting, and battery status tracking research. It clarifies that these are all publicly available and widely adopted standard practices. While more invasive techniques—such as detecting login status via favicon loading—are not used here, the page acknowledges their existence and legal status.

Overall, this is a deep exploration of online privacy and browser fingerprinting technology, aiming to help users understand the personal information automatically leaked by browsers during everyday web usage and the associated privacy risks. Through concrete examples and technical explanations, the article urges users to pay attention to how browsers and websites collect information and calls for greater awareness around privacy protection.

* * *

https://news.ycombinator.com/item?id=48062178

  • Browser fingerprinting exists, but real-world application is not as simple or comprehensive as demonstrated on showcase websites.
  • The information displayed on this site is sometimes inaccurate—for example, location and screen resolution—which may give users a false sense of security.
  • Disabling JavaScript prevents the page from showing leaked browser information, but data leakage still occurs.
  • The site detects users’ dark mode preferences but does not actually respect or apply the setting, resulting in poor reading experience.
  • Using a VPN (such as Apple’s Private Relay) can effectively hide true geographic location, reducing the risk of precise tracking.
  • Information like time zone provided by browsers is not a privacy threat but rather intended to enhance user experience.
  • Some users have irregular sleep schedules, making it difficult for browser fingerprinting to accurately infer work and sleep times.
  • Developers of fingerprinting technologies have released open-source libraries, indicating that the technology itself is not complex—its power lies in application and data integration.
  • Internet connectivity is fundamentally client-server interaction; information exchange is normal and unavoidable.
  • Concerns about browser fingerprinting and privacy leaks should be grounded in reality, avoiding exaggeration that could mislead users.
* * *

9. Brazil’s Pix payment system faces pressure from Visa and Mastercard [#](https://supertechfans.com/cn/post/2026-05-09-HackerNews/#9-%e5%b7%b4%e8%a5%bf%e7%9a%84-pix-%e6%94%af%e4%bb%98%e7%b3%bb%e7%bb%9f%e9%9d%a2%e4%b8%b4-visa-%e5%92%8c-mastercard-%e7%9a%84%e5%8e%8b%e5%8a%9b-brazils-pix-payment-system-faces-pressure-from-visa-and-mastercard)

https://www.elciudadano.com/en/brazils-pix-payment-system-faces-pressure-from-visa-and-mastercard/04/04/

This article describes how Brazil’s instant payment system, Pix, rapidly rose to become one of the world’s leading digital payment platforms within just five years, surpassing Visa and Mastercard in transaction volume in the U.S. Pix was developed and managed by Brazil’s Central Bank and launched in 2020, enabling real-time transfers 24/7. Users can pay via phone number, email, ID number, or randomly generated codes issued by the system—simple, fast, free for individuals, and with fees for businesses far lower than credit cards.

In 2025, Pix processed approximately 3.53 trillion reais (around $6.7 trillion), a 33.7% year-on-year increase, with cumulative transaction value reaching $16 trillion—more than seven times Brazil’s GDP that year. Over 180 million users are registered, covering 93% of Brazil’s adult population, with participation from 930 financial institutions. Pix holds a 49% share of Brazil’s payment market, far exceeding debit and credit cards at 14%, while cash usage has dropped sharply to just 6%.

Pix’s success has triggered strong pushback from Visa and Mastercard, which suffered significant losses as their market share eroded. In 2025, the U.S. government launched a commercial investigation into Pix, accusing it of unfair competition and attempting to restrict its growth. In response, Brazilian President Lula publicly supported Pix, launching a nationwide campaign called “Pix Is Ours,” emphasizing its openness and role in promoting competition.

The Brazilian Central Bank continues to drive innovation in Pix, introducing features like automatic billing, offline contactless payments, international transactions, and installment plans, while strengthening security measures—such as a special refund mechanism implemented in 2026 to prevent fraud. Pix has not only transformed Brazil’s payment ecosystem but also sparked intense competition and geopolitical tensions in the global payments market.

* * *

https://news.ycombinator.com/item?id=48052371

  • Visa and Mastercard fear Pix might inspire other countries to follow suit, despite current high barriers to entry, mainly limiting Pix to local Brazilian users.
  • Pix is highly user-friendly for locals—free and fast—with support from most banks—but inconvenient for foreigners.
  • Supporting national payment systems reduces dependence on foreign firms, lowers costs, and strengthens domestic economies.
  • Europe already has several alternative card systems, but banks resist giving up control over existing infrastructure, preventing unified standards.
  • Projects like Digital Euro are progressing, but Europe faces fragmentation across multiple fintech initiatives, making widespread adoption difficult.
  • Visa and Mastercard benefit from market dominance and stringent security and compliance requirements, making them hard to displace by new competitors.
  • Small businesses generally dislike credit card fees and are eager for lower-cost payment solutions.
  • Platforms like Wise enable cross-border Pix payments, but face account limitations and usability issues.
  • Pix is gradually supporting contactless payments, though adoption rates and anti-fraud mechanisms still need improvement.
  • Canada’s Interac system is similar to Pix and suitable for small transactions, but less practical for large or unfamiliar merchants.
  • Apple refuses to support Pix in Apple Pay, reflecting major tech companies’ commitment to traditional payment ecosystems.
* * *

10. David Attenborough’s 100th Birthday [#](https://supertechfans.com/cn/post/2026-05-09-HackerNews/#10-%e5%a4%a7%e5%8d%ab%e9%98%bf%e6%bb%95%e4%bc%af%e5%8b%92%e7%99%be%e5%b2%81%e7%94%9f%e6%97%a5%e5%ba%86%e5%85%b8-david-attenboroughs-100th-birthday)

https://www.bbc.com/news/articles/cp3pww9g0p5o

King Charles III and Queen Camilla celebrated Sir David Attenborough’s 100th birthday, sharing a photo of him with Prince Charles and Princess Anne from their younger days. As a renowned broadcaster and environmentalist, Attenborough expressed deep emotion upon receiving birthday messages and thanked everyone for their support.

Prince Charles paid tribute to Attenborough in a video message for the Earth Award, calling him someone who continuously inspires him. The Duke of Sussex, Prince William’s brother, described Attenborough as a “secular saint,” highlighting his contributions to climate change awareness. Former England football captain Beckham called him a “national treasure,” while actress Joanna Lumley sent birthday wishes via video.

Natural history presenter Chris Packham praised Attenborough’s immense contribution to human history in an article for *The Big Issue*. WWF released a birthday tribute video featuring voices from multiple well-known actors, paired with Louis Armstrong’s classic song “What a Wonderful World.” Renowned composer Hans Zimmer and actor Ian McKellen also expressed their admiration.

The celebration culminated in a 90-minute special concert at London’s Royal Albert Hall, broadcast on BBC One and iPlayer. Hosted by Kirsty Young, guests included Michael Palin and Steve Backshall, who reflected on Attenborough’s life and legacy. Live music was performed by the BBC Concert Orchestra, featuring iconic excerpts from *Planet Earth II* and *Frozen Planet II*, alongside performances by Bastille and Sigur Rós.

BBC dedicated the entire week to celebrating Attenborough’s centenary, including retrospectives of the documentary *Life on Earth* and the premiere of a new series, *Secret Gardens*. BBC Content Director Kate Phillips hailed Attenborough as an “extraordinary individual.” Additionally, the Natural History Museum in London named a parasitic wasp species after him in honor of his legacy.

  • David Attenborough lives in Richmond Hill, London, a beloved local figure whose signed books are available at local bookstores.
  • Richmond Hill is a wealthy area of London with notable geographical and cultural recognition.
  • Attenborough’s documentaries have inspired countless people to take an interest in natural sciences, especially biology, with multiple species named after him.
  • His passion for nature and his efforts to spread awareness have fostered reverence and appreciation for the natural world.
  • Attenborough once worked at the BBC and suggested changing tennis balls to yellow for better visibility on television broadcasts—a change that remains in use today.
  • His work has had a profound impact on science and engineering, nurturing many professionals in these fields.
  • His documentaries are rich in content, ranging from European birds to remote islands, showcasing a vast natural world.
  • Google created a special tribute page for him, reflecting public respect and admiration.
  • His voice is highly iconic and a defining symbol of natural history documentaries.
  • Online users reminisce about his early documentaries, such as *Blue Planet*, which have had lasting influence.
  • Attenborough’s influence extends beyond science communication—it also includes cultural education and raising awareness about environmental conservation.
  • His siblings also lived long lives; family genetics and lifestyle may be contributing factors to longevity.
  • AI technology is beginning to imitate his voice, opening new avenues for dissemination but also sparking debate.
  • Some argue that his documentaries sometimes give the impression that natural environments remain abundant, while reality shows ecosystems facing severe threats.
  • Others point out that natural wilderness areas in developed countries are increasing, but this does not necessarily indicate ecosystem health—many areas are secondary forests or regions lacking ecological function.
  • Ecological health cannot be measured solely by wilderness area size or emission trends; attention must be paid to ecosystem integrity and functional recovery.
* * *

Hacker News Highlights and Translations [#](https://supertechfans.com/en/post/2026-05-09-HackerNews/#hacker-news-highlights-and-translations)

Cloudflare to cut about 20% of its workforce [#](https://supertechfans.com/en/post/2026-05-09-HackerNews/#cloudflare-to-cut-about-20-of-its-workforce)

https://news.ycombinator.com/item?id=48056536

This is awkward.

Exhibit A - September 2025 - “Help build the future” - Cloudflare hires 1111 interns to “help build the future” [ https://blog.cloudflare.com/cloudflare-1111-intern-program/ ]

Exhibit B - May 2026 - “Building for the future” - Cloudflare lays off 1100 people, about 20% of their workforce to “continue building the future” [ https://blog.cloudflare.com/building-for-the-future/ ]

I’ll finish on this quote: “The future ain’t what it used to be.” — Yogi Berra

AloysB

This is awkward.

Evidence A – September 2025 – “Help build the future” – Cloudflare hired 1,111 interns to “help build the future” [https://blog.cloudflare.com/cloudflare-1111-intern-program/]

Evidence B – May 2026 – “Building for the future” – Cloudflare lays off 1,100 people, about 20% of its workforce, to “continue building the future” [https://blog.cloudflare.com/building-for-the-future/]

I’ll end with this quote: “The future ain’t what it used to be.” — Yogi Berra

* * *

Rumors of my death are slightly exaggerated [#](https://supertechfans.com/en/post/2026-05-09-HackerNews/#rumors-of-my-death-are-slightly-exaggerated)

https://news.ycombinator.com/item?id=48063509

Thank you for the update, Cliff. I will update your Wikipedia page to show that your death is currently under dispute.

hoppyhoppy2

Thank you for the update, Cliff. I’ll update your Wikipedia page to reflect that your death is currently disputed.

* * *

Cloudflare to cut about 20% of its workforce [#](https://supertechfans.com/en/post/2026-05-09-HackerNews/#cloudflare-to-cut-about-20-of-its-workforce-1)

https://news.ycombinator.com/item?id=48054924

The packages for departing employees will include the equivalent of their full base pay through the end of 2026. Healthcare coverage is different across the globe, and if you’re in the United States, we’ll continue to provide support through the end of the year. We are also vesting equity for departing team members through August 15th, so they receive stock beyond their departure date. And, if departing team members haven’t hit their one-year cliffs, we are going to waive those and vest their pro-rated equity through August as well.

The announcement reads as pretty heartless to me, but this is a very, very nice departure package

ggoo

The severance packages for departing employees will include full base salary equivalent through the end of 2026. Healthcare coverage varies globally, and if you're in the U.S., we'll continue providing support through the year's end. We're also accelerating equity vesting for departing team members through August 15th, meaning they'll retain stock beyond their departure date. Additionally, if departing employees haven't yet met their one-year vesting cliff, we'll waive that requirement and vest their prorated equity through August as well.

The announcement sounds quite cold, but this is actually an exceptionally generous severance package.

* * *

Cloudflare to cut about 20% of its workforce [#](https://supertechfans.com/en/post/2026-05-09-HackerNews/#cloudflare-to-cut-about-20-of-its-workforce-2)

https://news.ycombinator.com/item?id=48054727

Welp, looks like I’m affected. If anyone is looking to hire a systems engineer with distributed systems and load balancing experience, shoot me an email at <anything>@piperswe.me :/

I’ll update this with a resume link tonight…

piperswe

Well, looks like I’m affected too. If anyone’s hiring a systems engineer with experience in distributed systems and load balancing, feel free to email me at <anything>@piperswe.me :)

I’ll update this with a resume link later tonight…

* * *

Rumors of my death are slightly exaggerated [#](https://supertechfans.com/en/post/2026-05-09-HackerNews/#rumors-of-my-death-are-slightly-exaggerated-1)

https://news.ycombinator.com/item?id=48064055

Dear Cliff,

I’m terribly sorry to hear of your passing, but am pleased that you have since gotten better.

Cheers!

SneakyMission

Dear Cliff,

I’m truly sorry to hear about your passing, but I’m glad to know you’ve recovered since then.

Cheers!

* * *

Canvas online again as ShinyHunters threatens to l… [#](https://supertechfans.com/en/post/2026-05-09-HackerNews/#canvas-online-again-as-shinyhunters-threatens-to-l)

https://news.ycombinator.com/item?id=48057659

Perspective from the trenches: I teach at a university that uses Canvas. We are in our final exams period right now.

We got our first email (from Academic Affairs) notifying us that it was down at 5:17pm EDT this afternoon, with little info; follow-up emails were sent at 6:24 and 6:57 with more info, but mostly about how we would be compensating for it and not about what actually was going on (other than, “nationwide shutdown” and “cybersecurity attacks”, no further detail). I don’t get a sense that they know much more than that, not that I would expect them to.

A perhaps telling detail: they’re instructing us to have students email us directly with any work that had been submitted via Canvas. That suggests they have no particular confidence that it will come back up soon.

I personally am only slightly affected; as a CS professor, a lot of my students’ work is done on department machines, and submitted that way, and I do the actual exams on paper. More importantly, I’ve never liked or trusted Canvas’s gradebook, and so although I do upload grades to Canvas so students can see them, my primary gradebook is always a spreadsheet I maintain locally.

But I have a lot of colleagues for whom this is catastrophic at the level of “the whole building burnt down with all my exams and gradebooks in it”—even many who teach 100% in person have shifted much or all of their assessment into Canvas (using the Canvas “quiz” feature for everything up to and including final exams), and use the Canvas gradebook as their source-of-truth record. We’ve been encouraged to do so by our administration (“it makes submitting grades easier”). For faculty in that situation, they have few or zero artifacts that students have produced; students themselves don’t have the artifacts to resubmit via email because they were created within Canvas from the start, and they have no record of student grades or even attendance (because they managed all of that inside Canvas). I suppose they might still have access to the advisory midterm grades from March, if they submitted them (most do, some don’t), but that might be it.

My gut feeling is that this will either be resolved in hours (they have air-gapped backups and can resume work as soon as new servers are spun up), or take weeks (if not). Very little in between. And if that’s true and we wake up tomorrow to find this unresolved, I genuinely have no idea what a large number of professors at my university—and across the country—will do to submit fair and reasonable grades. In the extreme case, they may have to revert to something we did during the pandemic semester (and before that, at my school, during the semester when two major academic buildings actually burned down a week before finals): allow courses that normally count toward a grade to simply submit pass/fail grades instead. Because what else can you do?

(Well, one thing you *could* do is avoid putting all your eggs in one basket and stop trusting “the cloud” quite so much—but that ship has already sailed. I do wonder whether anyone will learn any lessons from this in the long run…)

UPDATE: As of 11:45pm EDT, my university’s Canvas instance is back online! Here’s hoping it stays stable (but I’ll be downloading some data just in case…).

blahedo

Firsthand perspective: I’m a professor at a university that uses Canvas. We’re currently in finals week.

At 5:17pm EDT today, we received our first email from Academic Affairs informing us that Canvas was down—very little information provided. Then two more follow-up emails at 6:24pm and 6:57pm offered additional details, but mostly focused on how we should respond rather than what actually happened (beyond mentioning “nationwide outage” and “cybersecurity incident,” there was little else). I suspect they didn’t know much more than we did, and I certainly don’t expect them to.

One telling detail: they instructed us to have students submit assignments directly via email—even though those assignments were originally created and submitted through Canvas. That suggests they don’t believe the system will come back quickly.

Personally, I’m affected very little. As a computer science professor, most of my students’ assignments are completed and submitted on departmental machines, and exams are paper-based. More importantly, I’ve never trusted Canvas’s gradebook—I upload grades to Canvas for student access, but my primary record remains a locally maintained spreadsheet.

But many of my colleagues are facing disaster—like “the entire building burned down with all my exams and gradebooks inside.” Even many instructors teaching 100% in person have moved most or all of their assessments into Canvas (using the Canvas “quiz” feature for everything up to and including final exams), and rely on Canvas’s gradebook as their single source of truth. Our administration has actively encouraged this (“it makes submitting grades easier”). These faculty members now have little or no physical artifacts produced by students, students can’t resubmit anything via email because the work was done entirely within Canvas, and they have no records of student grades—or even attendance (since all of that was managed inside Canvas). They might still have access to the advisory midterm grades from March, if they submitted them (most did, some didn’t), but that’s likely all.

My instinct is that this will either be fixed in hours (they have air-gapped backups and can resume operations as soon as new servers are up), or take weeks (if not). There’s almost no middle ground. And if that’s true and we wake up tomorrow to find this still unresolved, I truly have no idea how many professors at my university—and across the country—will manage to submit fair and reasonable grades. In the worst-case scenario, they may have to go back to what we did during the pandemic semester (and even earlier, at my school, during the semester when two major academic buildings actually burned down a week before finals): let courses that normally carry credit just issue pass/fail grades. Because what else can you do?

(Well, one thing you *could* do is avoid putting all your eggs in one basket and stop relying so heavily on “the cloud”—but that path is already behind us. I do wonder whether anyone will learn anything from this in the long term…)

UPDATE: As of 11:45pm EDT, my university’s Canvas instance is back online! Hoping it stays up (but I’ll still download some data just in case…).


Cloudflare to cut about 20% of its workforce [#](https://supertechfans.com/cn/post/2026-05-09-HackerNews/#cloudflare-to-cut-about-20-of-its-workforce-3)

https://news.ycombinator.com/item?id=48055375

This really sucks. I loved this job. I’m an EM and I was trying to hire more people because we’re so busy with everything we needed to do. My team’s products are something like 95% profit.

Really going to miss my team—they were wonderful to work with. Secretly hoping they’ll have to rehire.

I refuse to believe it was about AI. Coming from the inside, the bottleneck was never code. Looking at who’s being laid off, especially on my team, it’s the people who make things run.

headinthesky


Cloudflare to cut about 20% of its workforce [#](https://supertechfans.com/cn/post/2026-05-09-HackerNews/#cloudflare-to-cut-about-20-of-its-workforce-4)

https://news.ycombinator.com/item?id=48060361

I’ve seen managers hiring people with the intent to lay them off when winds change, to protect themselves and their inner circle. I can only imagine they’ve had great KPIs in both cases: first for scaling the team, then for cutting costs.

scott01


Agents need control flow, not more prompts [#](https://supertechfans.com/cn/post/2026-05-09-HackerNews/#agents-need-control-flow-not-more-prompts)

https://news.ycombinator.com/item?id=48054606

1000% agree. I’m increasingly hesitant to believe Anthropic’s constant drumbeat about “building for the capabilities of future models—they’ll get better.”

We have a QA agent that needs to process, say, 200 Markdown files of requirements in a browser session. It’s a cool system that’s significantly improved our team’s efficiency. For a long time, we tried every trick to get a prompt like this to work: “Look in this directory at the requirements files. For each requirement file, create a todo list item to determine whether the application meets the requirements outlined in that file.” In other words: letting the model manage high-level control flow.

This started breaking down after ~30 files. Sometimes it would miss a file. Sometimes it would triple-test a bundle of files and take 10 minutes instead of 3. An error in one file would convince it it needs to re-test four previous files, for no reason. It was very frustrating. We quickly discovered during testing that there was no consistency to its (Opus 4.6 and GPT 5.4 IIRC) ability to actually orchestrate the workflow. Sometimes it would work, sometimes it wouldn’t. I’ve also tested it once or twice against Opus 4.7 and GPT 5.5; not as extensively; but seems to have the same problems.

We ended up creating a super basic deterministic harness around the model. For each test case, trigger the model to test that test case, store results in an array, write results to file. This has made the system a billion times more reliable. But, it’s also made the agent impossible to run on any managed agent platform (Cursor Cloud Agents, Anthropic, etc.) because they’re all so gigapilled on “the agent has to run everything” that they can’t see how valuable these systems can be if you just add a wee bit of determinism to them at the right place.

827a

Totally agree, 100%. I’m increasingly unwilling to believe Anthropic’s repeated claim that “building for future stronger models will make them better.”

We have a Q&A agent that needs to process about 200 Markdown-formatted requirement files within a browser session. The system is genuinely cool and has massively boosted our team’s efficiency. We’ve long experimented with various approaches to get this prompt to work properly: “Review the requirement files in this directory. For each file, create a to-do item and determine whether the application meets the requirements listed in that file.” In other words, let the model manage high-level control flow.

But after processing around 30 files, this approach began to fail. The model would sometimes skip files, sometimes repeatedly test a group of files, taking 10 minutes instead of 3. One file error would cause it to inexplicably re-test four prior files. It was extremely frustrating. During testing, we quickly realized that neither Opus 4.6 nor GPT 5.4 (if I recall correctly) had consistent ability to actually orchestrate the workflow—sometimes it worked, sometimes it didn’t. I’ve tested it once or twice against Opus 4.7 and GPT 5.5; not as thoroughly; but the issues appear to persist.

Eventually, we built a very simple, deterministic wrapper around the model. For each test case, we trigger the model to test that specific case, store results in an array, then write them to a file. This has made the system billions of times more reliable. But it also renders the agent unusable on any managed agent platform (e.g., Cursor Cloud Agents, Anthropic, etc.), because those platforms are so obsessed with “the agent must do everything” that they can’t see how valuable these systems can be when you simply add a little determinism in the right place.

* * *

AI slop is killing online communities [#](https://supertechfans.com/en/post/2026-05-09-HackerNews/#ai-slop-is-killing-online-communities)

https://news.ycombinator.com/item?id=48053908

I run a niche creative community, and we outlawed AI-generated content in 2022 as it was easy to see how corrosive it would be to the community.

It hasn’t been easy. We ban fake AI accounts daily and shrug off around 600 AI content creator accounts monthly.

It’s a lot of work, extra work that wasn’t needed before AI content came around, and of course, that is an extra cost.

I fear losing the battle.

CrzyLngPwd

I run a niche creative community, and we banned AI-generated content in 2022 because it was clear how damaging it would be to the community.

It hasn’t been easy. We ban fake AI accounts daily and dismiss around 600 AI content creator accounts monthly.

It’s a lot of extra work—work that didn’t exist before AI content arrived—and of course, it comes with added cost.

I fear we may lose this fight.

* * *

Maybe you shouldn’t install new software for a bit [#](https://supertechfans.com/en/post/2026-05-09-HackerNews/#maybe-you-shouldnt-install-new-software-for-a-bit)

https://news.ycombinator.com/item?id=48057488

This was always a nightmare waiting to happen. The sheer volume of packages and the resulting vast attack surface for supply chain attacks was always going to blow up in everyone’s face eventually.

But it was too convenient. Anyone warning about it or trying to limit the damage was shouted down by people who had no experience doing things any other way. “import antigravity” is just too easy to do without.

Well, now we’re reaching the “find out” part of the process, I guess.

marcus_holmes

This was always a ticking time bomb. The massive number of packages and the resulting enormous attack surface for supply chain compromises were bound to backfire eventually.

But it was too convenient. Anyone raising concerns or trying to limit the fallout was drowned out by people who’d never done things differently. “import antigravity” is just too easy to use to resist.

Well, I guess we’re now entering the “find out” phase.

* * *

Hardening Firefox with Claude Mythos Preview [#](https://supertechfans.com/en/post/2026-05-09-HackerNews/#hardening-firefox-with-claude-mythos-preview)

https://news.ycombinator.com/item?id=48056110

I work at Mozilla; I fixed a bunch of these bugs.

In general, I’d say our use of “vulnerability” aligns with what jerrythegerbil calls “potential vulnerability.” (In cases with a POC, we’d likely use the word “exploit.”) Our goal is to keep Firefox secure. Once it’s clear a particular bug might be exploitable, it’s usually not worth significant engineering effort to investigate further—we just fix it. We spend a little time eyeballing things to sort them into sec-high, sec-moderate, etc., and help triage incoming bugs, but if there’s any doubt, we assume the worst and move on.

So were all 271 bugs exploitable? Absolutely not. But they were all security bugs according to the normal standards we’ve applied for years.

(Partial exception: some bugs might normally have been disclosed, but were kept hidden because Mythos wasn’t public information yet. But those would have been marked sec-other and excluded from the count.)

So if you think we’re inflating the number of “real” vulnerabilities found by Mythos, remember we’ve also been consistently inflating the baseline. The spike in Firefox Security Fixes by Month is very, very real: https://hacks.mozilla.org/2026/05/behind-the-scenes-hardening-firefox/

IainIreland

I work at Mozilla; I fixed many of these bugs.

Generally speaking, our use of “vulnerability” matches what jerrythegerbil refers to as “potential vulnerability.” (If there’s a proof-of-concept, we’d typically use “exploit.”) Our goal is to keep Firefox secure. Once it’s clear a bug could be exploited, it’s rarely worth investing major engineering effort to investigate further—we just patch it. We spend a brief moment reviewing them to categorize as sec-high, sec-moderate, etc., and help prioritize incoming bugs, but if there’s any uncertainty, we assume the worst and proceed.

Were all 271 bugs exploitable? Definitely not. But they were all security bugs under the standard criteria we’ve used for years.

(One partial exception: some bugs that would normally have been published were withheld because Mythos wasn’t public yet. But those would have been labeled sec-other and excluded from the count.)

So if you think we’re exaggerating the number of “real” vulnerabilities uncovered by Mythos, keep in mind we’ve also consistently raised the baseline. The surge in Firefox Security Fixes per month is extremely real: https://hacks.mozilla.org/2026/05/behind-the-scenes-hardening-firefox/

* * *

Ask HN: We just had an actual UUID v4 collision… [#](https://supertechfans.com/en/post/2026-05-09-HackerNews/#ask-hn-we-just-had-an-actual-uuid-v4-collision)

This is surprisingly common.

The security of UUIDv4 is based on the assumption of a high-quality entropy source. This assumption is invalidated by hardware defects, normal software bugs, and developers not understanding what “high-quality entropy” actually means and that it is required for UUIDv4 to work as advertised.

It is relatively expensive to detect when an entropy source is broken, so almost no one ever does. They find out when a collision happens, like you just did.

UUIDv4 is explicitly forbidden for a lot of high-assurance and high-reliability software systems for this reason.

jandrewrogers
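As an added example (not code from the thread or its commenters), one cheap defensive check a service can run over the UUIDs it mints: validate the version and variant bits, detect exact repeats, and flag a grossly biased 1-bit ratio of the kind a stuck or counter-driven entropy source produces. Function names and both sample streams are constructed for this example; the bias tolerance of 0.02 assumes a batch of at least a few hundred values.

```python
import uuid
from collections import Counter

RANDOM_BITS = 122  # 128 bits minus 4 version bits and 2 variant bits


def random_payload(u: uuid.UUID) -> int:
    """Extract the 122 bits of a UUIDv4 that RFC 4122 says must be random."""
    high, low = u.int >> 64, u.int & ((1 << 64) - 1)
    top48 = high >> 16              # time_low + time_mid
    mid12 = high & 0x0FFF           # time_hi without the version nibble
    tail62 = low & ((1 << 62) - 1)  # clock_seq + node without the variant bits
    return (top48 << 74) | (mid12 << 62) | tail62


def check_uuids(values):
    """Validate UUID strings; report malformed/non-v4 values, repeats and bit bias."""
    findings = {"malformed": [], "not_v4": [], "collisions": [], "ones_ratio": None}
    seen, ones, parsed = Counter(), 0, 0
    for s in values:
        try:
            u = uuid.UUID(s)
        except ValueError:
            findings["malformed"].append(s)
            continue
        if u.version != 4 or u.variant != uuid.RFC_4122:
            findings["not_v4"].append(s)
            continue
        seen[u] += 1
        parsed += 1
        ones += bin(random_payload(u)).count("1")
    findings["collisions"] = [str(u) for u, n in seen.items() if n > 1]
    if parsed:
        # share of 1-bits over all random payloads: ~0.5 from a healthy source,
        # far from it when the source is stuck or counter-driven
        findings["ones_ratio"] = ones / (RANDOM_BITS * parsed)
    return findings


def entropy_looks_broken(findings, tolerance=0.02):
    """True on any collision, or when the 1-bit ratio is implausibly biased."""
    ratio = findings["ones_ratio"]
    return bool(findings["collisions"]) or (ratio is not None and abs(ratio - 0.5) > tolerance)


def constructed_samples():
    """Constructed inputs: a healthy stream and a 'stuck counter' stream with one repeat."""
    healthy = [str(uuid.uuid4()) for _ in range(1000)]
    stuck = [str(uuid.UUID(int=i, version=4)) for i in range(50)]
    stuck.append(stuck[7])  # one exact repeat, like the collision in the thread
    return healthy, stuck
```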


Cloudflare to cut about 20% of its workforce [#](https://supertechfans.com/cn/post/2026-05-09-HackerNews/#cloudflare-to-cut-about-20-of-its-workforce-5)

https://news.ycombinator.com/item?id=48054879

I dislike the title because it doesn’t clearly state it’s a layoff. “Building for the future” gave me the impression that it’s about some major new initiative with a roadmap outlining plans.

alyxya


I want to live like Costco people [#](https://supertechfans.com/cn/post/2026-05-09-HackerNews/#i-want-to-live-like-costco-people)

https://news.ycombinator.com/item?id=48050727

Something about the whole thing always registered to me as, like, lame—too normcore, too boring, perhaps even too cheugy to an informed and taste-driven millennial ur-consumer like me. The kinds of brands I like to buy aren’t what they sell at Costco.

Good example of how people can build identities through their brand choices and purchasing habits.

It’s a foreign concept for many of us who seek out the best product or deals for each purchase and will change brands in an instant if another company releases a better product. Yet the crossover between brands, identities, and lifestyles is deeply held by many people.

I know some will try to turn this into a criticism of Americans, but in my travels and international business experience I wouldn’t even rank Americans in the top 10 for integrating brands and identity. In some countries I had to make a conscious effort to try to wear clothes from acceptable brands and swap my functional laptop bag for something more stylish to avoid letting my purchasing habits become a point of judgment from others. It’s actually refreshing to come back to America where as long as you’ve made some effort to look more or less appropriate for the occasion few people care about the brand of your clothes, laptop bag, or car. Some people are proud of their Audi or designer bag, but I rarely run into situations where I’d be judged for arriving in a sensible Subaru instead of a Mercedes.

Aurornis


I want to live like Costco people [#](https://supertechfans.com/cn/post/2026-05-09-HackerNews/#i-want-to-live-like-costco-people-1)

https://news.ycombinator.com/item?id=48055261

Feudal Japan had a measurement called the “koku”, which is roughly the amount of rice needed to feed a person for a year: about 330 lb. You can now buy 50 lb. of rice at Costco for $30, which is a few hours of work at minimum wage.

To me, that is a modern marvel. I don’t want people to buy things that they don’t need, and I also don’t like the crowds, but I can’t help but feel grateful for a stocked grocery store that is accessible to basically everyone—isn’t that the dream?

https://en.wikipedia.org/wiki/Koku

austinl


Cloudflare to cut about 20% of its workforce [#](https://supertechfans.com/cn/post/2026-05-09-HackerNews/#cloudflare-to-cut-about-20-of-its-workforce-6)

https://news.ycombinator.com/item?id=48055394

“We are our own most demanding customer. Cloudflare’s usage of AI has increased by more than 600% in the last three months alone. Employees across the company from engineering to HR to finance to marketing run thousands of AI agent sessions each day to get their work done. That means we have to be intentional in how we architect our company for the agentic AI era in order to supercharge the value we deliver to our customers and to honor our mission to help build a better Internet for everyone, everywhere.”

As an English enthusiast, I’m getting very frustrated at how the language is consistently abused in executive communications to write words without saying anything.

The implication that is NOT said is that suddenly 20% of people were sitting around without any work to do because AI was making everyone so efficient and productive. This does not, however, seem to be the reality, based on conversations within the company. It appears we have yet another case of economic downturn disguised as increasing velocity.

Snoozle

* * *

Singapore introduces caning for boys who bully others [#](https://supertechfans.com/cn/post/2026-05-09-HackerNews/#singapore-introduces-caning-for-boys-who-bully-oth)

https://news.ycombinator.com/item?id=48058687

The only effective punishment/threat I saw work on my bullies at school was the threat to remove one of them from the football team and prevent him from playing for the school. He turned around and became okay after that.

It was highly effective because it was a heavier penalty than those for not doing homework, and because it was highly relevant to him personally. It worked because we had only 16 students per class (I was very privileged to be there), and teachers who genuinely cared and took time to understand the problem and think through potential solutions, rather than just applying generic policies.

The problem is most schools don’t do this, would likely argue they don’t have time, and probably also spend a significant amount of resources and time on relatively ineffective anti-bullying measures.

danpalmer

* * *

Inkscape 1.4.4 [#](https://supertechfans.com/cn/post/2026-05-09-HackerNews/#inkscape-144)

https://news.ycombinator.com/item?id=48043188

I think this is my first contribution to Inkscape in this release. It’s quite a minor feature though, so I don’t see it in the changelog. It allows users to set their default saved file name. I’m tired of drawing.svg :)

darknavi

* * *

A web page that shows you everything the browser tells about you [#](https://supertechfans.com/cn/post/2026-05-09-HackerNews/#a-web-page-that-shows-you-everything-the-browser-t)

https://news.ycombinator.com/item?id=48064428

  • I’m not in that city.
  • It’s running a kind of Chrome on a kind of Linux, at a stretch.
  • Nobody can infer when I work and when I sleep. That includes me.
  • The recent high-end display is actually the screen of a low-end tablet I bought at a supermarket five years ago.
  • But yes, browser fingerprinting is annoying.
  • Since you can detect light mode, would it kill you to honor it?

card_zero


* * *

Poland is now among the 20 largest economies [#](https://supertechfans.com/cn/post/2026-05-09-HackerNews/#poland-is-now-among-the-20-largest-economies)

https://news.ycombinator.com/item?id=48062558

I love the Poles, but credit where credit is due:

„Poland is the largest beneficiary of EU funds 2014–2020, with one in four euros going to Poland“

https://www.gov.pl/web/funds-regional-policy/poland-at-the-forefront-of-eu-countries-in-terms-of-investing-european-funds2

Update: The comments below this are strange.

What I meant was: „Poland gets money, Poland turns it into more money.“

Is Poland more efficient at this than other countries? I don’t know. Would Poland have generated less without it? Probably. Is an annual investment of 2–3% of GDP into a country a lot? I think so.

niemandhier

* * *

Google Cloud Fraud Defence is just WEI repackaged [#](https://supertechfans.com/cn/post/2026-05-09-HackerNews/#google-cloud-fraud-defence-is-just-wei-repackaged)

https://news.ycombinator.com/item?id=48065196

Whether it’s AMP or Manifest 3 or Android source shenanigans or attempts to replace cookies with their FLOC nonsense or this… Google is rapidly turning into a malicious force when it comes to the open internet.

Havoc

* * *

Chrome removes claim of On-device AI not sending data [#](https://supertechfans.com/cn/post/2026-05-09-HackerNews/#chrome-removes-claim-of-on-device-al-not-sending-d)

https://news.ycombinator.com/item?id=48052493

Brave started off incredibly sketchy and with terrible reputation, for example https://news.ycombinator.com/item?id=18734999

I haven’t considered it since, and I assume many others are in the same boat.

plopz

* * *

Grand Theft Oil Futures: Insider traders keep making big profits [#](https://supertechfans.com/cn/post/2026-05-09-HackerNews/#grand-theft-oil-futures-insider-traders-keep-maki)

https://news.ycombinator.com/item?id=48048891

The worst part is the sharp changes in the price being traded aren’t achieved by magic but rather with guns & actual human suffering.

Havoc

* * *

Canvas back online as ShinyHunters threatens to l… [#](https://supertechfans.com/cn/post/2026-05-09-HackerNews/#canvas-online-again-as-shinyhunters-threatens-to-l-1)

https://news.ycombinator.com/item?id=48057818

I'm surprised there are so few comments on this thread. This outage is likely affecting millions of students during one of the most stressful times of the year.

Incidentally, I've always disliked Canvas and probably every other LMS provider, but what's particularly amusing about this current outage is that it's happening precisely when universities are demanding that all professors upload all their materials to Canvas without exception—due to ADA compliance requirements. It's explicitly forbidden for professors to, for example, link to PDFs hosted on personal websites.

Other commenters here seem not to realize that many faculty members also resent being forced to use Canvas.

Gabriel54
