Ask stories

I’ve been a part of this community for fifteen years. Despite the yearly bemoaning of HN’s quality compared to its mythical past, I’ve found that it’s the one community that has remained steadfast as a source of knowledge, cattiness, and good discussion.

Thank you @dang and @tomhow.

Here's to another year.

This thanksgiving let's give thanks to those that give back. Yall rock!

Your executive team gets it. They've approved the budget, they mention security in board meetings, they understand the stakes. You're not fighting for recognition at the top anymore.

But then you look at what's actually happening three levels down. The marketing team is sharing credentials to social media accounts. Sales is pushing back on MFA because it adds seconds to their login process. Developers are storing API keys in public repositories because it's faster than the approved method. Remote employees are working from unsecured networks and don't think twice about it.

The executive commitment is there. The company-wide behavior isn't. And that gap is where breaches happen.

This is the challenge that keeps security leaders up at night. You have the mandate from above, but translating that into thousands of daily decisions made by people who have completely different priorities is a different game entirely.

Figured this could kick off some thoughtful discussion and connection.

Happy turkey day everyone

I wanted to take a moment to express my appreciation for Hacker News. I've been a lurker/member for many years, and this community has been an invaluable resource, both professionally and personally.

While many parts of the internet have become noisy or performative, HN remains a unique corner of the web. The discussions consistently offer depth, intellectual curiosity, and a refreshing level of civility that is hard to find elsewhere.

Thank you to everyone who contributes thoughtfully, shares their knowledge, and makes this one of the best communities on the internet.

Happy hacking!

Maybe those replies are cheaper to generate at least for some models like those used by ChatGPT?

One of my Phonak Audeo 90’s (RIC) died the other day after 5 years and I’m shopping for new. What’s your go to hearing aid currently if you’ve upgraded recently or have been thinking of doing so?

Moderate loss, have worn them for many years, enjoy listening to music and nature, but also need help in meetings and noisy environments.

Not worried about cost and wanting to get one more good deal out of work insurance before I retire.

We’re exploring a tech-focused IP platform that helps startups publish fast, affordable “prior art” disclosures. The goal is to protect inventions without the cost or delay of patents, especially in this AI age where things move quickly.

The core proposition is: for a few hundred dollars, you get a timestamped, public disclosure that blocks others from patenting your idea.

We're trying to validate if this is truly valuable for early-stage founders.

Would you consider this a valid alternative to a low-value patent?

What would make you trust a platform offering this?

Is the $250-$500 price point compelling?

We also have a completely anonymous 60-second survey if you prefer that format: https://forms.gle/KSSWGc68RkNT9G8n6

We'll share a summary of the results here afterward. All perspectives are appreciated.

We’re investigating a controversial hypothesis. We’ve seen almost every major function move outside the building: Marketing → Agencies Sales → SDR firms Legal → External counsel Product → Dev shops.

The pattern is clear. But does it stop at Management?

We honestly don’t know.

Is the "execution" side of management something that must stay in-house forever? Or is it the next function to be decoupled?

We’re running a survey to gather the data: “Can Management Be Outsourced?”

We want to hear from everyone—skeptics, believers, and the undecided. Help us build the dataset. We’ll share the raw findings with everyone who participates.

Link: https://forms.office.com/r/7LxYpzHqKd

Time: 2 minutes.

I'm not sure this is the right place to raise this but over the past few months ChatGPT has been lying to me and gaslighting me about the data it's collecting about me.

I'm very sensitive about my privacy and I have disabled all personalisation and memory on ChatGPT.

However, I've noticed multiple times now where it would say things that imply it knows things about me. When it does this I ask how it would know that and it always says it just guessed and it doesn't actually know anything about me. I assumed it must be telling the truth because it seemed very unlikely a company like OpenAI would be lying about the data they're collecting on users and training their chat agent to gaslighting users when asked about it, but now after running some tests I think this is what's happening...

Here's some examples of the gaslighting:

- https://ibb.co/m5PWfchn

- https://ibb.co/VsL9BpF

- https://ibb.co/8nYdf1xx

These are all new chats.

Color.io will continue running until December 31, 2025. After that date, the web application and all online services will go offline permanently.

https://iceberg.mit.edu has got me spooked. If AI is going to be so disruptive to our way of life in such a short span of time causing immense economic pains to almost entire humanity, then every country's Government should take over and artificially control its progress. Civilian population should not be allowed to profit from it or spread it around even for free in the society. AI should be treated like a nuclear or a biological weapon. Countries should have non-proliferation treaties among themselves with perhaps mutually assured destruction.

Humanity's survival through a forced slow progress in automation is more important than being forced to "enjoy" the magic of automation. This isn't like replacing horses with cars.

We’re hitting a classic distributed systems wall and I’m looking for war stories or "least worst" practices.

The Context: We maintain a distributed stateful engine (think search/analytics). The architecture is standard: a Control Plane (Coordinator) assigns data segments to Worker Nodes. The workload involves heavy use of mmap and lazy loading for large datasets.

The Incident: We had a cascading failure where the Coordinator got stuck in a loop, DDOS-ing a specific node.

The Signal: Coordinator sees Node A has significantly fewer rows (logical count) than the cluster average. It flags Node A as "underutilized."

The Action: Coordinator attempts to rebalance/load new segments onto Node A.

The Reality: Node A is actually sitting at 197GB RAM usage (near OOM). The data on it happens to be extremely wide (fat rows, huge blobs), so its logical row count is low, but physical footprint is massive.

The Loop: Node A rejects the load (or times out). The Coordinator ignores the backpressure, sees the low row count again, and retries immediately.

The Core Problem: We are trying to write a "God Equation" for our load balancer. We started with row_count, which failed. We looked at disk usage, but that doesn't correlate with RAM because of lazy loading.

Now we are staring at mmap. Because the OS manages the page cache, the application-level RSS is noisy and doesn't strictly reflect "required" memory vs "reclaimable" cache.

The Question: Attempting to enumerate every resource variable (CPU, IOPS, RSS, Disk, logical count) into a single scoring function feels like an NP-hard trap.

How do you handle placement in systems where memory usage is opaque/dynamic?

Dumb Coordinator, Smart Nodes: Should we just let the Coordinator blind-fire based on disk space, and rely 100% on the Node to return hard 429 Too Many Requests based on local pressure?

Cost Estimation: Do we try to build a synthetic "cost model" per segment (e.g., predicted memory footprint) and schedule based on credits, ignoring actual OS metrics?

Control Plane Decoupling: Separate storage balancing (disk) from query balancing (mem)?

Feels like we are reinventing the wheel. References to papers or similar architecture post-mortems appreciated.

Would it be beneficial for a platform to display the country of account origin on each user’s profile? I’m curious how the HN community thinks about this from angles like privacy, moderation, transparency, anti-abuse, and whether it meaningfully improves discussion quality. Are there strong reasons for or against showing this kind of metadata publicly?

I work mainly in energy market communications and systems that facilitate energy trading, balancing and such. Currently most parties there take minutes to process messages and I think there could be a lot to learn from financial systems engineering. Any good resources you can recommend?

I noticed a second edition of volume 1 of TCP/IP Illustrated (released in 2011).

Anyone knows if the second edition of volume 2 be produced any time soon?

What was the revolutionary thing Stripe enabled that changed payments & commerce ? From what I understand - people could do payments via credit-cards & paypal.

What was the value added from stripe that made it differentiated from the solutions / providers before ?

I’m researching ideas for a new B2B product and want to understand real bottlenecks teams face.

What problems, inefficiencies, or recurring frustrations do you or your team deal with at work—where, if a solid solution existed, your company would actually pay for it?

Examples could include:

manual workflows

data or reporting pain points

communication gaps

compliance or documentation hassles

tools your team keeps hacking together internally

anything expensive, slow, or annoying

Would love to hear your role/industry (optional) and the specific problem you face.

Both the EU and the US have introduced face scanning at airports to "increase security". EU rules are currently stricter and US rules allow some opt-outs for people that are uncomfortable with it. But it's only a matter of time before it becomes de facto mandatory for everyone. They claim that data is not retained or shared with other parties. Yeah, right, I totally believe that... Can something be done about this? I'm convinced that very few customers think face scanning is an improvement.

There are R packages for scientific papers developed around 2014. These packages are still working with its base code with C in the newest current R version and on CRAN. So I wonder for much longer-term projects, R is a better choice than Python?

The blue box question that has been added to the blank slate note taking app is perhapse the most insidious short circuiting of the natural human thought process I've ever seen in a note taking app.

Why would I use an app that lets me track my thoughts when it actively tries to derail my thought process at the most critical moment (the blank slate moment.)

Reddit has drifted over time but HN has remained a source of high signal to noise.

Just wanted to thank dang and the moderation team for making this community what it is.

Last month, a single container in my GKE cluster (Sao Paulo region) entered an error loop, outputting to stdout at ~2k logs/second. I discovered the hard way that GKE's default behavior is to ingest 100% of this into Cloud Logging with no rate limiting. My bill jumped nearly 1000% before alerts caught it.

Infrastructure (Compute): ~$140 (R$821 BRL) Cloud Logging: ~$1,300 (R$7,554 BRL)

Ratio: Logging cost 9.2x the actual servers.

https://imgur.com/jGrxnkh

I fixed the loop and paused the `_Default` sink immediately.

I opened a billing ticket requesting a "one-time courtesy adjustment" for a runaway resource—standard practice for first-time anomalies on AWS/Azure.

I have been rejected twice.

The latest response: "The team has declined the adjustment request due to our internal policies."

If you run GKE, the `_Default` sink in Log Router captures all container stdout/stderr.

There is NO DEFAULT CAP on ingestion volume which is an absurd!

A simple while(true); do echo "error"; done can bankrupt a small project.

Go to Logging -> Log Router. Edit _Default sink.

Add an exclusion filter: resource.type="k8s_container" severity=INFO (or exclude specific namespaces).

Has anyone successfully escalated a billing dispute past Tier 1 support recently?

It seems their policy is now to enforce full payment even on obvious runaway/accidental usage which is absurd since its LOGS! TEXT!

I got a fraud warning from my bank a few days ago at 7:04 PM. When I logged into my bank I found 19 pending Cursor subscription charges.

I called the Cursor billing phone number I found on my real Cursor account. It was outside of working hours so got an automated message.

I promptly fired off an email at 7:16 PM making it clear I did not authorize these purchases.

After a few days of painfully slow email responses the conclusion I am getting from them is "the compute resources are fully consumed and cannot be returned or refunded".

Anyone have advice on how to proceed?

Edit: I plan to file a dispute with my bank.

Also curious if others have experienced something similar, because clearly this is a stock "we basically won't ever refund money" response.

A few years ago, it felt like we had another news story of a major security breech every other day or something. (I'm exaggerating of course but the stories were a regular occurrence.)

It occurred to me today that I couldn't remember the last time I'd seen a story like this.

Have news stories about major security breeches been less common during the (approximately) past two years compared to the two years before that?

I don't know how I would go about verifying this--I'd have to find a way to classify a "big news story" and "major security breech" and then go back through the news--but I'm wondering if others have noticed it.

If it's not just me, the next question would be why. Have actual security breeches gone down, or just reporting on it?

Just made a Hetzner account, activated 2FA, the usual.

Then go to buy a storage box, and I get this;

> Our automated system check indicates that your account information has an increased level of risk. Please choose one of the following verification methods:

And you can pay 20 EUR up front by PayPal, or hand over your passport (fat chance!)

Is this genuine, or does everyone get this and it's a fake reason?

(I've signed up to pay by bank transfer, so I'm also wondering why they don't ask me for pre-payment by bank transfer. As it is, no way on God's clean earth they get a passport, and I'm not on Paypal, so will try to use a friend's, but seems my second try to board Hetzner train has bounced - first time I left almost immediately, when I saw spaces not permitted in passwords.)