📰 Hacker News Top 10 - 2026-02-25

Below are the 10 most popular stories on Hacker News over the past 24 hours.
1. IDF killed Gaza aid workers at point blank range in 2025 massacre: Report
Link: Read the original
Score: 1514 points
Comments: 572
Notable comments:
@Qem: Full report: https://content.forensic-architecture.org/wp-content/uploads…
@culi: Forensic Architecture is a truly remarkable work. If anybody is unfamiliar with Eyal Weizman, I would highly recommend checking out more of his work, including the 2014 series Rebel Architecture and some of his talks. He recently did a presentation called "Conditions of Life Calculated" at the David Graeber Memorial Lecture at CIIS that I think gives a lot of insight into why the work being done at Forensic Architecture is so remarkable. He also talks about his work with David Wengrow and the Nebelivka Hypothesis based on novel archeology of ancient Ukrainian cities: https://www.youtube.com/watch?v=bfD1y7WZLpM (alternative FE: https://yewtu.be/watch?v=bfD1y7WZLpM)
@apexalpha: This is very thorough. Thanks for the direct link. The case seems pretty clear, especially since the soldiers tried to hide all evidence.
2. I’m helping my dog vibe code games
Link: Read the original
Score: 749 points
Comments: 214
Notable comments:
@cs702: Even a dog can vibe-code! And the apps kinda, sorta work most of the time, like most apps vibe-coded by people! I'm reminded of the old cartoon: "On the Internet, nobody knows you're a dog." [a] Maybe the updated version should be: "AI doesn't know or care if you're a dog, as long as you can bang the keys on a computer keyboard, even if you only do it to get some delicious treats." This is brilliant as social commentary. Thank you for sharing it on HN.
[a] https://en.wikipedia.org/wiki/On_the_Internet%2C_nobody_know…
@cleak: Thanks for the kind words. I'm blown away by the response and positivity here. There's definitely some social commentary to be had in the whole project. I decided it's best left to the reader to find their own rather than assigning mine to it.
@jwrallie: That makes you think. It’s surely harder to hide your dog identity nowadays than when this was drawn.
3. OpenAI, the US government and Persona built an identity surveillance machine
Link: Read the original
Score: 514 points
Comments: 161
Notable comments:
@cloverich: Going to copy paste my comment from today's other thread [3] that linked to this: Note also there's a direct response from Persona's security team here [1], and a lot of back and forth from Rick on Twitter [2].
[1]: https://withpersona.com/blog/post-incident-review-source-map…
[2]: https://x.com/Persona_IDV/status/2025048195773198385?s=20
[3]: https://news.ycombinator.com/item?id=47136036
@cloverich: The author has published part 2 of the series… def worth the read: https://vmfunc.re/blog/persona-2
@kelvinjps10: They did good damage control with that post
4. Firefox 148 Launches with AI Kill Switch Feature and More Enhancements
Link: Read the original
Score: 450 points
Comments: 378
Notable comments:
@carschno: The page seems to be a copy of the original Mozilla press release from February 2nd: https://blog.mozilla.org/en/firefox/ai-controls/ It was discussed here: https://news.ycombinator.com/item?id=46858492
@stevekemp: Yeah flagged as a spammy source.
@mfru: Please let whoever steers Thunderbird development and road map also steer Firefox. Thunderbird is at the moment the pinnacle of user-centered, focused and down-to-earth development of open-source software.
5. Mac mini will be made at a new facility in Houston
Link: Read the original
Score: 430 points
Comments: 424
Notable comments:
@adamgordonbell: Apple is very tied to Chinese manufacturing in a way that is hard to replicate in the US. They will agree to make some high margin, simple to assemble thing in the US to appease the government, but if it goes as well as last time, they will stop as soon as they can. In China they were often able to iterate on designs and have custom screws and other parts made and ramped up in very short times. Something about having the whole supply chain in one place and very motivated, and it all fell apart when they tried to move to the US. So things that took weeks became hard on anytime line.. per the Apple in China book.
@ryandrake:
> Something about having the whole supply chain in one place
I can't find the source but I thought I read somewhere that the major manufacturing cities in China are all geographically laid out like giant assembly lines. The companies that process the raw materials are located mostly inland, then the companies that form those raw materials into metal and plastic stock are next door, and then the companies that take that stock and make components are next door to them, and the companies that input those components and output subassemblies are next door to them, and so on all the way down to the harbor where the companies that produce finished products output directly onto the loading docks where the ships await. The US can't even zone a residential neighborhood without lawyers and special interests jamming things up for decades through endless impact studies and litigation. How is it going to compete with a country that can lay out entire cities, organizing the value chain geographically towards the ocean?
@827a: And, to be clear about one thing (which I believe is also raised in the book): Much of this is the direct result of Apple investing literally a quarter trillion dollars and exporting critical western IP toward developing Chinese advanced manufacturing capability (among other American technology companies). The story of startups only being able to manufacture in China is a cute tale that is true for startups. For Apple, investing in the strategic capabilities of America's geopolitical rivals was an active decision Tim Cook and other Apple leaders made.
6. Discord cuts ties with identity verification software, Persona
Link: Read the original
Score: 423 points
Comments: 304
Notable comments:
@bri3d: The referenced write-up based on the Persona front end code is here: https://vmfunc.re/blog/persona I definitely recommend reading this primary source before drawing conclusions about the code, as most of the secondary reporting is quite low quality.
@cloverich: Note also there's a direct response from Persona's security team here [1], and a lot of back and forth from Rick on Twitter [2].
[1]: https://withpersona.com/blog/post-incident-review-source-map…
[2]: https://x.com/Persona_IDV/status/2025048195773198385?s=20
@cloverich: And his follow up here: https://vmfunc.re/blog/persona-2
7. I pitched a roller coaster to Disneyland at age 10 in 1978
Link: Read the original
Score: 417 points
Comments: 157
Notable comments:
@nogridbag: These letters matter a lot to kids. I sent my video game idea to Nintendo as a little kid and I had the same reaction seeing that envelope from Nintendo in the mailbox addressed to me. I think it was also a bit more special pre-internet, as these companies felt a bit more magical and mysterious. You could only read about them through video game magazines and see their names in the credit scenes at the end of the games. Unless you were one of those weird kids that called the Nintendo Power helpline, of course! I remember also receiving that weird VHS tape from Nintendo in the mail: https://www.youtube.com/watch?v=rJzIc_c1PvE I have no idea how I received that, but it was so cool!
@tombert: When I was thirteen I sent an email to Tom Fulp (creator of Newgrounds.com) telling him I wanted to make my own website with ColdFusion (which I had learned about through a pirated copy of Dreamweaver) and MySQL, and asked if he would help me make it. [1] He responded back extremely politely and said that my idea seemed like a great idea, but he was far too busy running Newgrounds to build any other websites right now, but once I built it he would love to see it. I never ended up building the website, but I look back and think it was cool how encouraging he was to some random kid who emailed him. Kids will pick the weirdest people as "heroes" sometimes, and it's cool when your heroes turn out to be decent humans. Sometimes just responding to an email is all it takes.
[1] I honestly do not remember at all what the website was supposed to be and I don't have the email anymore. Knowing thirteen year old me, it was probably a forum about Donkey Kong Country or something.
@projektfu: Six year old me sent an idea to McDonnell Douglas for an airplane with turboprops to back up the jets in case of engine fire. There was also a fire suppression system. They sent me some nice brochures about the DC-8, -9, and -10, but looking back on it they could have mentioned that the jets are already redundant and will usually stop burning when the fuel is cut.
8. How we rebuilt Next.js with AI in one week
Link: Read the original
Score: 412 points
Comments: 157
Notable comments:
@hungryhobbit: Man, I love Next … but I also love Vite … and I hate the Next team, because they focus on fancy new features for 0.1% of their users, at the complete expense of the other 99.9% of the Next community (who they basically ignore). This gives someone like me everything we want. Better performance is something the Next community has been begging for for years: the Next team ignored them, but not the Cloudflare team. Meanwhile Vite is a better core layer than the garbage the Next people use, but you still get the full Next functionality. I wish Cloudflare the best of luck with this fork: I hope it succeeds and gets proven so I can use it at my company!
@qudat: Next is the worst framework I’ve ever used next to rails. It’s pure overhead for most apps.
@3rodents: What is it you love about Next that isn’t tied to Vercel and isn’t available elsewhere? I love Next too but I find the value is inextricably linked to Vercel. I can’t imagine choosing to use Next if I’m not choosing it for Vercel’s fancy stuff.
9. Open Letter to Google on Mandatory Developer Registration for App Distribution
Link: Read the original
Score: 385 points
Comments: 318
Notable comments:
@dfabulich: The most controversial claim in this letter is in the section that says "Existing Measures Are Sufficient." In Google's announcement in Nov 2025, they articulated a pretty clear attack vector. https://android-developers.googleblog.com/2025/11/android-de…
> For example, a common attack we track in Southeast Asia illustrates this threat clearly. A scammer calls a victim claiming their bank account is compromised and uses fear and urgency to direct them to sideload a "verification app" to secure their funds, often coaching them to ignore standard security warnings. Once installed, this app — actually malware — intercepts the victim's notifications. When the user logs into their real banking app, the malware captures their two-factor authentication codes, giving the scammer everything they need to drain the account.
> While we have advanced safeguards and protections to detect and take down bad apps, without verification, bad actors can spin up new harmful apps instantly. It becomes an endless game of whack-a-mole. Verification changes the math by forcing them to use a real identity to distribute malware, making attacks significantly harder and more costly to scale.
I agree that mandatory developer registration feels too heavy handed, but I think the community needs a better response to this problem than "nuh uh, everything's fine as it is." A related approach might be mandatory developer registration for certain extremely sensitive permissions, like intercepting notifications/SMSes…? Or requiring an expensive "extended validation" certificate for developers who choose not to register…?
@bigstrat2003:
> I agree that mandatory developer registration feels too heavy handed, but I think the community needs a better response to this problem than "nuh uh, everything's fine as it is."
Why would the community give a different response? Everything is fine as it is. Life is not safe, nor can it be made safe without taking away freedom. That is a fundamental truth of the world. At some point you need to treat people as adults, which includes letting them make very bad decisions if they insist on doing so. Someone being gullible and willing to do things that a scammer tells them to do over the phone is not an "attack vector". It is people making a bad decision with their freedom. And that is not sufficient reason to disallow installing applications on the devices they own, any more than it would be acceptable for a bank to tell an alcoholic "we aren't going to let you withdraw your money because we know you're just spending it at the liquor store".
@marcprux: I am the author of the letter and the coordinator of the signatories. We aren't saying "nuh uh, everything's fine as it is." Rather, we are pointing out that Android has progressively been enhanced over the years to make it more secure and to address emerging new threat models. For example, the "Restricted Settings"¹ feature (introduced in Android 13 and expanded in Android 14) addresses the specific scam technique of coaching someone over the phone to allow the installation of a downloaded APK. "Enhanced Confirmation Mode"², introduced in Android 15, adds further protection against potentially malicious apps modifying system settings. These were all designed and rolled out with specified threat models in mind, and all evidence points to them working fairly well. For Google to suddenly abandon these iterative security improvements and unilaterally decide to lock down Android wholesale is a jarring disconnect from their work to date. Malware has always been with us, and always will be: both inside the Play Store and outside it. Google has presented no evidence to indicate that something has suddenly changed to justify this extreme measure. That's what we mean by "Existing Measures Are Sufficient".
10. Goodbye InnerHTML, Hello SetHTML: Stronger XSS Protection in Firefox 148
Link: Read the original
Score: 331 points
Comments: 153
Notable comments:
@entuno: This kind of thing always makes me nervous, because you end up with a mix of methods where you can (supposedly) pass arbitrary user input to them and they'll safely handle it, and methods where you can't do that without introducing vulnerabilities - but it's not at all clear which is which from the names. Ideally you design that in from the start, so any dangerous functions are very clearly dangerous from the name. But you can't easily do that down the line. I'm also rather sceptical of things that "sanitise" HTML, both because there's a long history of them having holes, and because it's not immediately clear what that means, and what exactly is considered "safe".
@jncraton: You are right that the concept of "safe" is nebulous, but the goal here is specifically to be XSS-safe [1]. Elements or properties that could allow scripts to execute are removed. This functionality lives in the user agent and prevents adding unsafe elements to the DOM itself, so it should be easier to get correct than a string-to-string sanitizer. The logic of "is the element currently being added to the DOM a <script>" is fundamentally easier to get right than "does this HTML string include a script tag".
[1] https://developer.mozilla.org/en-US/docs/Web/API/Element/set…
@cxr:
> it's not at all clear which is which from the names. Ideally you design that in from the [start]
It was, and there is: setting elementNode.textContent is safe for untrusted inputs, and setting elementNode.innerHTML is unsafe for untrusted inputs. The former will escape everything, and the latter won't escape anything. You are right that these "sanitizers" are fundamentally confused:
> "HTML sanitization" is never going to be solved because it's not solvable.¶ There's no getting around knowing whether or not any arbitrary string is legitimate markup from a trusted source or some untrusted input that needs to be treated like text. This is a hard requirement.
<https://news.ycombinator.com/item?id=46222923>
The Web platform folks who are responsible for getting fundamental APIs standardized and implemented natively are in a position to know better, and they should know better. This API should not have made it past proposal stage and should not have been added to browsers.