That checks out. Years ago I noticed a vulnerability through the photography board. You'd upload your pictures, and 4chan would display all the EXIF info next to the post.

4chan's PHP code would offload that task to a well-known, but old and not very actively maintained EXIF library. Of course the thing with EXIF is that each camera vendor has their own proprietary extensions that need to be supported to make users happy. And as you'd expect from a library that parses a bunch of horrible undocumented formats in C, it's a huge insecure mess.

Several heap overflows and arbitrary writes all over the place. Heap spray primitives. Lots of user controlled input since you provide your own JPEG. Everything you could want.

So I wrote a little PoC out of curiosity. Crafted a little 20kB JPG that would try to allocate several GBs worth of heap spray. I submit my post, and the server dutifully times out.

And that's where I'd like to say I finished my PoC and reported the vulnerability, but in fact I got stuck on a reliable ASLR bypass and lost interest (I did send an email about the library, but I don't think it was actively maintained and there was no followup)

My impression from this little adventure is that 4chan never really had the maintenance and code quality it needed. Everything still seemed to be the same very old PHP code that leaked years ago (which included this same call to the vulnerable EXIF library). Just with a bunch of extra features hastily grafted and grown organically, but never dealing with the insane amount of technical debt.
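An added example, not code from 4chan or from the EXIF library the comment describes (which it does not name): what a bounds-checked walk of a JPEG's APP1/Exif segment and its IFD0 entries looks like, next to the bug class the comment is pointing at. The pattern that produces heap overflows, arbitrary writes and gigabyte allocations in this kind of parser is trusting the segment length, entry count, element count and value offset read from the file, e.g. `malloc(count * elem_size)` followed by `memcpy(dst, tiff + offset, count * elem_size)` with no check that those bytes exist. Here each field is checked against the bytes actually present before it is used, and a per-tag cap is applied before the count is multiplied. The sample JPEG bytes, the 64 KiB cap and all function names are constructed for this example.

```c
/* Added example, not code from 4chan or any EXIF library: a bounds-checked walk of a
 * JPEG's APP1/Exif IFD0. The bug class it guards against trusts file-supplied lengths,
 * counts and offsets, e.g. malloc(count * elem_size) and memcpy(dst, tiff + offset,
 * count * elem_size) with no check that those bytes exist.
 * SAMPLE_JPEG, the 64 KiB per-tag cap and all names here are constructed for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { EXIF_OK = 0, EXIF_ERR_FORMAT = -1, EXIF_ERR_BOUNDS = -2, EXIF_ERR_TOOBIG = -3 };
#define EXIF_MAX_VALUE_BYTES (64u * 1024u)   /* assumed cap on a single tag value */
struct exif_summary { unsigned entries; char make[32]; uint16_t orientation; };

static uint16_t rd16(const uint8_t *p, int le) { return (uint16_t)(le ? p[0] | p[1] << 8 : p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p, int le) {
    return le ? (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24
              : (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3];
}
static uint32_t type_size(uint16_t t) {            /* bytes per element; 0 = unknown type */
    switch (t) { case 1: case 2: case 7: return 1; case 3: return 2;
                 case 4: case 9: return 4; case 5: case 10: return 8; default: return 0; }
}

/* Walk IFD0 of a TIFF blob of tlen bytes; every read is checked against tlen first. */
static int parse_ifd0(const uint8_t *tiff, size_t tlen, struct exif_summary *out) {
    int le;
    if (tlen < 8) return EXIF_ERR_FORMAT;
    if (tiff[0] == 'I' && tiff[1] == 'I') le = 1;
    else if (tiff[0] == 'M' && tiff[1] == 'M') le = 0;
    else return EXIF_ERR_FORMAT;
    if (rd16(tiff + 2, le) != 42) return EXIF_ERR_FORMAT;
    uint32_t ifd = rd32(tiff + 4, le);
    if (ifd > tlen - 2) return EXIF_ERR_BOUNDS;                 /* entry count must be inside */
    uint16_t n = rd16(tiff + ifd, le);
    if (n > (tlen - ifd - 2) / 12) return EXIF_ERR_BOUNDS;      /* whole entry table must fit */
    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *e = tiff + ifd + 2 + (size_t)i * 12, *data = e + 8;
        uint16_t tag = rd16(e, le), type = rd16(e + 2, le);
        uint32_t cnt = rd32(e + 4, le), esz = type_size(type), nbytes;
        if (esz == 0) return EXIF_ERR_FORMAT;
        if (cnt > EXIF_MAX_VALUE_BYTES / esz) return EXIF_ERR_TOOBIG; /* cap before multiplying */
        nbytes = cnt * esz;
        if (nbytes > 4) {                                        /* value stored out of line */
            uint32_t off = rd32(e + 8, le);
            if (off > tlen || nbytes > tlen - off) return EXIF_ERR_BOUNDS;
            data = tiff + off;
        }
        if (tag == 0x010F && type == 2) {                        /* Make, ASCII */
            size_t m = nbytes < sizeof out->make - 1 ? nbytes : sizeof out->make - 1;
            memcpy(out->make, data, m); out->make[m] = '\0';
        } else if (tag == 0x0112 && type == 3 && cnt == 1) {     /* Orientation, SHORT */
            out->orientation = rd16(data, le);
        }
        out->entries++;
    }
    return EXIF_OK;
}

/* Walk JPEG marker segments to APP1 and hand its Exif payload to parse_ifd0. */
int exif_parse(const uint8_t *jpeg, size_t len, struct exif_summary *out) {
    size_t pos = 2;
    memset(out, 0, sizeof *out);
    if (len < 2 || jpeg[0] != 0xFF || jpeg[1] != 0xD8) return EXIF_ERR_FORMAT;
    for (;;) {
        if (pos + 4 > len || jpeg[pos] != 0xFF) return EXIF_ERR_FORMAT;
        uint8_t marker = jpeg[pos + 1];
        if (marker == 0xD9 || marker == 0xDA) return EXIF_ERR_FORMAT;     /* EOI/SOS: no Exif */
        uint16_t seglen = rd16(jpeg + pos + 2, 0);                         /* includes itself */
        if (seglen < 2 || seglen > len - pos - 2) return EXIF_ERR_BOUNDS;  /* overruns the file */
        if (marker == 0xE1 && seglen >= 8 && memcmp(jpeg + pos + 4, "Exif\0\0", 6) == 0)
            return parse_ifd0(jpeg + pos + 10, (size_t)seglen - 8, out);
        pos += 2 + seglen;
    }
}

/* Constructed minimal JPEG: SOI, APP1 with a big-endian TIFF, IFD0 = {Make "Sony", Orientation 1}, EOI. */
static const uint8_t SAMPLE_JPEG[] = {
    0xFF, 0xD8, 0xFF, 0xE1, 0x00, 0x33, 'E', 'x', 'i', 'f', 0x00, 0x00,
    'M', 'M', 0x00, 0x2A, 0x00, 0x00, 0x00, 0x08, 0x00, 0x02,               /* TIFF header, 2 entries */
    0x01, 0x0F, 0x00, 0x02, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x26, /* Make: ASCII x5 at 38 */
    0x01, 0x12, 0x00, 0x03, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, /* Orientation: SHORT 1 */
    0x00, 0x00, 0x00, 0x00, 'S', 'o', 'n', 'y', 0x00, 0xFF, 0xD9 };        /* next IFD, value, EOI */

/* Parse a copy of SAMPLE_JPEG with byte idx overwritten (idx past the end = intact). */
int sample_status(size_t idx, uint8_t value) {
    uint8_t buf[sizeof SAMPLE_JPEG]; struct exif_summary s;
    memcpy(buf, SAMPLE_JPEG, sizeof buf);
    if (idx < sizeof buf) buf[idx] = value;
    return exif_parse(buf, sizeof buf, &s);
}
int sample_fields_ok(void) {                          /* 1 if the intact sample decodes as built */
    struct exif_summary s;
    return exif_parse(SAMPLE_JPEG, sizeof SAMPLE_JPEG, &s) == EXIF_OK && s.entries == 2
        && strcmp(s.make, "Sony") == 0 && s.orientation == 1;
}
int main(void) {
    printf("intact=%d fields=%d count=0x7F000005:%d offset=0xFF000026:%d seglen=0xFF:%d\n",
           sample_status(SIZE_MAX, 0), sample_fields_ok(), sample_status(26, 0x7F),
           sample_status(30, 0xFF), sample_status(5, 0xFF));
}
```

The three mutated copies in `main` are the shapes a crafted JPEG takes: an element count of 0x7F000005 on the Make tag (refused by the cap before any multiplication, so it never turns into a multi-gigabyte request), a value offset of 0xFF000026 pointing far outside the segment (refused before the read), and an APP1 length larger than the file (refused before the segment is touched). A parser that does the multiplication first and allocates or copies on the result is what turns a 20 kB upload into a server that times out or a heap that gets corrupted.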

> Just with a bunch of extra features hastily grafted and grown organically, but never dealing with the insane amount of technical debt.

This describes probably 95%+ of the entire software world, from enterprise, to SaaS to IoT to mobile to desktop to embedded... Everything seems to be hastily thrown together features that barely work and piles of debt that will never get fixed. It's a wonder anything actually even works. If cars (the non-software parts) were made like this, there would be millions of them breaking down by the side of the road daily.

>If cars (the non-software parts) were made like this, there would be millions of them breaking down by the side of the road daily.

I’m an automotive CE… we’re getting there.

Cars used to be DONE at lots… now, there are weeks to finish code before the customer lays hands on, and that time is factored in now.

Worse with OTA updates. Now, so long as it’s fixed if enough customers complain that’s good enough.

Cars used to be great. Then some morons connected them to the internet for no good reasons.

This reminds me of the (possibly apocryphal) story where traffic engineers design pedestrian-heavy intersections without traffic lights because it makes drivers more careful.

We now have sloppy software simply because we can update bugs later.

This is a purely social problem that won't get solved with technology.

> Then some morons connected them to the internet for no good reasons.

Bad engineering at this point. To be fair, we could have had good car OS, good smartphone OS. But we didn't because everyone wanted to have their own pie castle.

Imagine a smartphone that was actually useful. Or a car OS that supports you with repairs. Possible, but not wanted by manufacturers.

Use a proper RTOS kernel with a good UI layer, and see all the developers complain loudly because they can't use the latest mobile phone stacks on that robust platform.

Sony boots a RTOS Linux system on their cameras in 3 seconds flat, and the firmware is arguably mission critical for that camera. It can be done for an infotainment system.

> Sony boots a RTOS Linux system on their cameras in 3 seconds flat, and the firmware is arguably mission critical for that camera. It can be done for an infotainment system.

Is stuff like this documented anywhere? This is one software topic I find endlessly fascinating but can't find any resources on.

Three seconds is a long time. What's it doing to justify that lag? Or is there some kind of cold/warm boot distinction?

The booting process is dominated by checking SteadyShot's state (move sensor a bit, center and lock).

However, you don't notice that three seconds. Because when you flick the switch and raise the camera, and it's already ready to shoot.

There's powersave after a minute (configurable), which can be considered as S3 sleep, and returning from that is faster.

Seems complicated. IBIS would be nice to have, but the two stops or so I get from my lenses' stabilizers usually works out to be enough.

Actually, there's a distinct level up in camera sensors starting with Sony A7-III and onward (incl. Fuji, Canon, Nikon). Having IBIS with a standard lens (like 28/2) allows you to take unbelievable shots at dusk and night.

Moreover if you have a stabilized lens, they work in tandem to improve things even further.

Many shots you think would be blurry come out perfect. e.g.: https://www.flickr.com/photos/zerocoder/49047642802/in/photo...

Apparently the low light performance of the full-frame Sonys is a combination of IBIS (mechanical in-body image stabilization) and Back-Side Illuminated (BSI) sensors. The Sony A6600 (APS-C) has IBIS, the A6700 adds BSI. Other camera manufacturers also offer BSI sensors.

https://en.wikipedia.org/wiki/Back-illuminated_sensor

Oh, my D850 has one of those. It does perform very well in low light, but those extra stops of dynamic range in my view count most when they're yielding more contrast in an adequately lit scene - admittedly a privilege, and one I can more often afford myself with the kind of shots I like to take. I do print my work, though, and there's nothing else like that to show the limits of even a very good display.

That's quite good for handheld at 1/30. I could imagine you wouldn't need to hold your breath or consider your stance and motion at all.

I don't really use Flickr and a new personal website remains as yet on my list for this year, but here's something from back in 2020, one of the few really good shots I got that year: https://web.archive.org/web/20230513030226/https://aaron-m.c...

Not the soul of technical perfection, I freely grant, and I'm obviously adding a fair bit of light. But this was the second or third time I'd strayed even as far as my own backyard, after a covid dose earlier in the year had me knocked back for a few months. I suppose it could be sharper, but I had a hard time catching my breath that day, and I'm not actually sorry that a little human frailty should show through in a work where impending death and the onset of life are quite literally belly to belly.

In any case, it was really switch-to-shutter lag I was curious about. Three seconds there would be an eternity, so I appreciate knowing that's not the case.

OTA firmware updates are so insane. Does your insurance company understand what’s going on?

There was a hack to a Cherokee featured in Wire years and years back. It was attributed to “two hackers”… yea my ass, I met both guys they knew surface level at best, these guys didn’t discover a flaw in Sprint’s network on their own.

It was three letter agencies embarrassing the mfgs into “taking security more seriously” but conveniently also giving gov access, backdoors, and data on vehicles.

Play the game or they’ll make sure the next article is about you.

People would look at the vehicle industry a lot differently if they knew what was going on behind the scenes.

> There was a hack to a Cherokee featured in Wire years and years back

I discovered the vulnerability that led to all that. I wish I could say more, but no one took it seriously.

So, i guess thanks to whoever in the NSA does the final quality control preventing mass incidents.

> Then some morons connected them to the internet for no good reasons.

Elon Musk and Franz von Holzhausen, to be precise.

New cars have 3G cellular transmitters constantly sending telemetry data. This started becoming common in 2012.

https://news.ycombinator.com/item?id=37971038

4g now. 3g was turned off causing these cars to drain the battery searching for signal.

Depends on the brand still. Honda for example only does that to the top tier touring trims because it's part of their remote start offering for that trim (that you have to subscribe to).

That was way before the musk rat.

No. Not even close.

Far closer to Obama and his circle. Around Carpocalypse 2008, a bunch of three letter agencies started pushes for internet connected vehicles knowing the tech wasn’t there; but would be.

I watched it happen. There was some shady shit, and the reality was 2008 wasn’t just about GM and Chrysler but an entire JustInTime mistake that could have stopped almost all car production around the world. Different topic, but the effect was government would be involved in cars a lot more than previously.

Fast forward, and here we are. Your car ABSOLUTELY is spying on you, and the upside is you also get shipped unfinished vehicles.

Be a culture war sally about Musk all you like, I know, the bad men say the mean things. But this isn’t on him. Tesla had to and in some ways is still learning that cars aren’t computers on wheels, but this specific “feature” came from Big Government first.

Obama wasn't president until January 2009.

The fallout was after 2009, thank you though maybe I was remembering it wrong. I wasn’t, and you were making assumptions, but good to check anyhow.

Also, you can remind me who bailed out GM and Chrysler (which again, debatable move).

In fact, I'd go so far as to say that he did not exist before January 2009 /s

> the bad men say the mean things

You really lose all credibility when you downplay the richest man on earth openly bribing voters and the President claiming the man helped rig voting machines, and that same man makes Nazi salutes and goes to Europe and supports the Nazi party in the place where they invented Nazi parties. And then he basically moves into the White House and magically his companies start getting government contracts, while saying empathy is a bad thing and begins eviscerating the government with no oversight.

That isn't "bad men saying bad things." But, of course, this very bad man did say some very bad things, too.

There’s no reason it should cost credibility to say that these people are motivated by an enjoyment of the spectacle of their cruelty and do it on purpose. Bad man has a moral connotation as well as a tradecraft connotation. Neither one of you is wrong to use the Bad Man monicker here.

I recognize their username. I would say it is deliberate that they overlook seriously concerning events in a manner that is patronizing and disrespectful to the people they disagree with.

“bribing voters”. No, he hired them as spokesmen, perfectly legal. Personally I am happy for any positive motivation that gets people to the voting booth. “nazi salute”. That's willful disinformation and hyperbole. That wasn’t a “Nazi salute”; he even said verbally “I give you my heart”, not “heil Hitler”. Give me a break. “magically his companies get government contracts”. What contracts? Are you referring to rescuing the astronauts? The Biden administration already contracted Space X for that mission.

Imagine being triggered by a department of government finding fraud, waste, and misspending of YOUR and my tax dollars! If Bernie Sanders suggested it you’d be touting it as the best idea ever.

If it wasn't a nazi salute, why don't you go into work tomorrow and do it (exactly as Musk did it) in front of your manager, and then let us know what happens.

Funny, I have done a very similar hand gesture when giving a small speech at a going away party. Anecdotally, I don't have a manager any longer as I have retired from my career due to a chronic illness that has effectively left me disabled, BUT I do play a few songs every Friday night (tonight) and I will do the exact same gesture and say exactly what Elon said when I leave :-)

Saying “I give you my heart” and then making a gesture of giving the crowd your heart is not a “nazi salute”. If that is a nazi salute then Hillary Clinton and Alexandria Ocasio-Cortez have both given “nazi salutes”.

I’m no fan of Musk, but this is silly. If I thought Musk was being falsely painted as a Nazi due to a gesture made innocuously, doing it myself so other people could falsely call me a Nazi would hardly convince me that Elon was actually a Nazi.

Like, I know an erudite person (“Bill”) who uses the word “niggard” as defined (miser), without any ill intentions whatsoever. Maybe there are edgelords who intentionally use it because of its similarity to you-know-what, but not this guy. If someone did try to convince me that Bill says it to be an edgelord, and told me to try using it myself and see how people react, I would no doubt get falsely accused of using it in a bad way myself. That wouldn’t convince me that Bill has bad intentions, it would only reaffirm my existing belief that people can misinterpret innocuous things.

Just one little example:

https://arstechnica.com/tech-policy/2025/03/starlink-benefit...

And it 100% was a Nazi salute. Plain as day. Quit telling people to ignore what their own eyes can see. Him saying a little phrase after doing that gesture doesn't change the gesture.

https://en.wikipedia.org/wiki/Elon_Musk_salute_controversy#/...

> Imagine being triggered by a department of government finding fraud, waste

They're doing nothing of the sort. They'll probably only end up wasting more money than anything they're "saving", which is really "saving" in the same way as not paying your rent is "saving".

No, saying Elon gave a nazi salute is so silly. DOGE has already saved the taxpayer BILLIONS and that has been easily proved by DOGE’s X.com account where they detail all of the taxpayer money that they have saved. Now go set some more Teslas on fire, disregarding what doing that does to the environment.

There are ways to battle waste, fraud, and abuse that do not resort to 'parachute into the middle of an agency, fire most of the staff and then walk away congratulating yourself because you eliminated waste, fraud, and abuse.'

Sure you lowered the spend of the agency, but you probably, by removing all the people who actively investigate/police waste, fraud and abuse, promoted more people to defraud the agency and not get caught.

Congratulations, you played yourself.

Yet the government hasn’t fallen apart. I also don’t agree with your cartoonish assessment of how DOGE goes about eliminating waste and fraud; the blatant fraud in the Social Security Department is more than evidence of that. How many 140 year olds do you know?

there is no proven blatant fraud in the SSA, the SSA actually prevents a ton of fraud. You clearly see elon tweet some dumb shit that he DOES NOT understand, and ignore all the people that correct him.

jesus expand your fucking media diet you absolute loon: https://www.marketplace.org/story/2025/02/20/150-year-olds-a...

Reminds me of Bill Gates & GM (apparently discredited though)

https://www.snopes.com/fact-check/car-balk/

7. Oil, water temperature and alternator warning lights would be replaced by a single 'general car default' warning light. ...

10. Occasionally, for no reason, your car would lock you out and refuse to let you in until you simultaneously lifted the door handle, turned the key, and grabbed the radio antenna.

11. GM would require all car buyers to also purchase a deluxe set of road maps from Rand-McNally (a subsidiary of GM), even though they neither need them nor want them. Trying to delete this option would immediately cause the car's performance to diminish by 50 per cent or more. Moreover, GM would become a target for investigation by the Justice Department. ...

13. You would press the 'start' button to shut off the engine.

I have a Mercedes that has an OFF button for the A/C. Took me way too long to realize it is just a badly named Power button.

Ironically, that last point has come true!

(Though to be fair, the button tends to be labeled both start and stop)

Prophetic

Old, but gold!

> Everything seems to be hastily thrown together features that barely work and piles of debt that will never get fixed.

move fast and break things is going to be studied in the future as a hilariously clusterfuck misuse of an idea.

It's hard to appreciate that there is a vast difference between hitting walls in a tank and not caring about the exterior, and slamming into a wall on a bicycle.

> It's a wonder anything actually even works.

> If cars were made like this, there would be millions of them breaking down by the side of the road daily.

Next to the software side of things, I also often wonder about planes. But, until now, they have proved fairly resilient to falling out of the sky, except for the well known "recent" events. Which is fairly surprising, knowing the levels of mismanagement at play. We've been lucky..

Planes have just as much spaghetti code as anything else, the only difference is that it's extremely well tested (functionally) and verified spaghetti code.

It's not hard to imagine there would be even more than in less verified fields, since if you try to clean it up you need to verify it again too.

[deleted]

From talking to someone in the industry TDD seems to be a popular methodology.

Funny anecdote - I was flying through Minneapolis and the passengers on a plane about to depart had to get back off the plane so it could be rebooted. It takes 20 minutes to power down to zero and 20 minutes to boot back up. The gate agent said it was a known touchy computer on that plane - I was wondering if that was true.

> If cars (the non-software parts) were made like this, there would be millions of them breaking down by the side of the road daily.

Well, cars did break down by the side of the road daily! That's why it used to be good advice even in the 90s to always have a basic set of tools in your trunk, why AAA offered roadside assistance already in 1915, and why part of the European CDL is enough basic mechanic knowledge to self-help when the truck breaks down.

It's only in the last 20-ish years that "smarts" became cheap and ubiquitous enough in cars that the car can warn preemptively. And additionally, regulatory requirements on quality, parts availability and public expectations went up, exerting competitive pressure.

> If cars (the non-software parts) were made like this

The critical software parts of cars (non user-facing entertainment systems gripes aside). Think engine control modules, ABS, etc.

This stuff is mission critical and almost always works. I think about that a lot.

Why do I feel so specifically targeted by this.

Though maybe I am of the philosophy of prototyping, as I like to code for problems that I am facing right now in real life and wish, like, damn... wish someone could build something cool, & though I use AI quite hard, it's actually because I am currently in school and I just don't have the time to code, but I face some issues which I genuinely feel need to be solved right now (maybe even as just a proof of concept), so that I can later write good readable code when I go into university.

Forget cars, imagine if we treated government systems that millions of people's entire medical care/retirement/lives/national security/secrets/proof of existence depend upon this way? Luckily we treat those systems a little more seriously even though it costs us a little bit more/doesn't allow us to move fast and break things in that space.

Government software of those types are some of the worst on the planet.

Other than, you mean, the next best option of break things and ruin peoples lives in the process because it fits the current software development paradigms? I'm old, I've seen 'the new right way' come then become 'the worst way of doing things on the planet' over at least 5 iterations now.

> the next best option of break things and ruin peoples lives in the process

Lots of software works very well. Including Facebook's, where "move fast and break things" was coined, I believe, which is some of the most scalable and reliable on the planet.

Very well isn't good enough when peoples lives/the continuous functioning of society is at stake.

Facebook had a shit ton of teething problems. If social security/Medicaid has teething problems, people die. If Social Security has teething problems, people can't eat/pay rent/property tax, they get kicked out, their credit is ruined, and they can't qualify for new housing. Miss medication. Die. A little different than a blank page on Facebook. Facebook is also 'optional', and people can use other things to replace it. Society has committed to people over their entire lifetimes on Social Security/Medicaid. America should honor its commitments, even when it's a little bit harder/inconvenient/more expensive. Especially when at the same time it's making 4 trillion dollar optional tax cuts instead of honoring its promises to its people.

Should blood bank typing software move fast and break things? Should your bank move fast and break things? Should your car's anti-lock braking system software move fast and break things? But the funds people depend on to live (Medicaid pays for the majority of nursing homes for the elderly, Social Security is many people's entire retirement income) should?

I disagree that that is how the United States should treat its 'use cases' and 'constraints' in serving its citizens/honoring its commitments.

And unlike Facebook, the current systems have actually worked for decades. How many times has Social Security needed a major uplift?

Now compare that to how often Facebook has had to overhaul its tech stack.

Lastly, for your comparison to work, you are claiming you are willing to fund government tech on the same level that Facebook funds their tech (otherwise the comparison makes no sense). Are you REALLY saying you are willing to fund government software development at the same expense level as Facebook? That's $60 billion and $65 billion in 2025 alone.

To be fair, a car isn't accessible to 8 billion+ people at any given second. That's the scary part about the internet now. You can't just have a fun little garden and only have to protect the veggies from rabbits. Them gnawing on your lettuce is your biggest issue. Now, you have to protect your veggies from essentially professional armed raiders who either burn your garden to the ground for lolz or a cryptocoin ransom.

In this day and age, like... is anything secure at this point? You say hastily... but even the biggest "walls" get breached, constantly. Just claiming hastily to feel better about your own glass walls is just as bad.

I think about this daily.

As far as I can tell, no real maintenance has happened since Poole sold the site a decade ago. Hiroyuki paid for it and then mostly forgot about it.

The current FreeBSD version the hacker displayed was from around the time of the sale so that tracks.

Nishimura for the most part became a Japanese public personality: he has written for Japanese tabloids and has a YT channel.

This in general is the main factor in the decline of the "old web". Many of the people who drove it, who ran these forums, are simply happier running a substack, a subreddit, a facebook group, without worrying about servers.

Certainly explains why 4chan fell way down his priority list.

as someone who had to upgrade a stack from php 5.3 to 7.1 back in 2019... do you know what version of php they were running?

Based on one of the comments in the leaked source, at least php 6, though no idea what specific version:

> // In PHP 6 this... doesn't seem to do anything? Let's try again in 7.

PHP 6 was never released ;) Got stuck in development hell and they went straight to 7.

Oh interesting, thanks! Which makes that comment in the code even more confusing