[loves_mangoes]

That checks out. Years ago I noticed a vulnerability through the photography board. You'd upload your pictures, and 4chan would display all the EXIF info next to the post.

4chan's PHP code would offload that task to a well-know, but old and not very actively maintained EXIF library. Of course the thing with EXIF is that each camera vendor has their own proprietary extensions that need to be supported to make users happy. And as you'd expect from a library that parses a bunch of horrible undocumented formats in C, it's a huge insecure mess.

Several heap overflows and arbitrary writes all over the place. Heap spray primitives. Lots of user controlled input since you provide your own JPEG. Everything you could want.

So I wrote a little PoC out of curiosity. Crafted a little 20kB JPG that would try to allocate several GBs worth of heap spray. I submit my post, and the server dutifully times out.

And that's where I'd like to say I finished my PoC and reported the vulnerability, but in fact I got stuck on a reliable ASLR bypass and lost interest (I did send an email about the library, but I don't think it was actively maintained and there was no followup)

My impression from this little adventure is that 4chan never really had the maintenance and code quality it needed. Everything still seemed to be the same very old PHP code that leaked years ago (which included this same call to the vulnerable EXIF library). Just with a bunch of extra features hastily grafted and grown organically, but never dealing with the insane amount of technical debt.

[ryandrake]

> Just with a bunch of extra features hastily grafted and grown organically, but never dealing with the insane amount of technical debt.

This describes probably 95%+ of the entire software world, from enterprise, to SaaS to IoT to mobile to desktop to embedded... Everything seems to be hastily thrown together features that barely work and piles of debt that will never get fixed. It's a wonder anything actually even works. If cars (the non-software parts) were made like this, there would be millions of them breaking down by the side of the road daily.

[SV_BubbleTime]

>If cars (the non-software parts) were made like this, there would be millions of them breaking down by the side of the road daily.

I’m an automotive CE… we’re getting there.

Cars used to be DONE at lots… now, there are weeks to finish code before the customer lays hands on, and that time is factored in now.

Worse with OTA updates. Now, so long as it’s fixed if enough customers complain that’s good enough.

Cars used to be great. Then some morons connected them to the internet for no good reasons.

[whstl]

This reminds me of the (possibly apocryphal) story where traffic engineers design pedestrian-heavy intersections without traffic lights because it makes drivers more careful.

We now have sloppy software simply because we can update bugs later.

This is a purely social problem that won't get solved with technology.

[raxxorraxor]

> Then some morons connected them to the internet for no good reasons.

Bad engineering at this point. To be fair, we could have had good car OS, good smartphone OS. But we didn't because everyone wanted to have their own pie castle.

Imagine a smartphone that was actually useful. Or a car OS that supports you with repairs. Possible, but not wanted by manufacturers.

[bayindirh]

Use a proper RTOS kernel with a good UI layer, and see all the developers complain loudly because they can't use the latest mobile phone stacks on that robust platform.

Sony boots a RTOS Linux system on their cameras in 3 seconds flat, and the firmware is arguably mission critical for that camera. It can be done for an infotainment system.

[throwanem]

Three seconds is a long time. What's it doing to justify that lag? Or is there some kind of cold/warm boot distinction?

[bayindirh]

The booting process is dominated by checking SteadyShot's state (move sensor a bit, center and lock).

However, you don't notice that three seconds. Because when you flick the switch and raise the camera, and it's already ready to shoot.

There's powersave after a minute (configurable), which can be considered as S3 sleep, and returning from that is faster.

[nyarlathotep_]

> Sony boots a RTOS Linux system on their cameras in 3 seconds flat, and the firmware is arguably mission critical for that camera. It can be done for an infotainment system.

Is stuff like this documented anywhere? This is one software topic I find endlessly fascinating but can't find any resources on.

[gopher_space]

OTA firmware updates are so insane. Does your insurance company understand what’s going on?

[SV_BubbleTime]

There was a hack to a Cherokee featured in Wire years and years back. It was attributed to “two hackers”… yea my ass, I met both guys they knew surface level at best, these guys didn’t discover a flaw in Sprint’s network on their own.

It was three letter agencies embarrassing the mfgs into “taking security more seriously” but conveniently also giving gov access, backdoors, and data on vehicles.

Play the game or they’ll make sure the next article is about you.

People would look at the vehicle industry a lot differently if they knew what was going on behind the scenes.

[zikduruqe]

> There was a hack to a Cherokee featured in Wire years and years back

I discovered the vulnerability that lead to all that. I wish I could say more, but no one took it seriously.

[InDubioProRubio]

So, i guess thanks to whoever in the NSA does the final quality control preventing mass incidents.

[Shekelphile]

> Then some morons connected them to the internet for no good reasons.

Elon Musk and Franz von Holzhausen, to be precise.

[fwungy]

New cars have 3G cellular transmitters constantly sending telemetry data. This started becoming common in 2012.

[tmerc]

https://news.ycombinator.com/item?id=37971038

4g now. 3g was turned off causing these cars to drain the battery searching for signal.

[delfinom]

Depends on the brand still. Honda for example only does that to the top tier touring trims because it's part of their remote-remote start offering for that trim (that you have to subscribe to)

[barbazoo]

That was way before the musk rat.

[SV_BubbleTime]

No. Not even close.

Far closer to Obama and his circle. Around Carpocalypse 2008, a bunch of three letter agencies started pushes for internet connected vehicles knowing the tech wasn’t there; but would be.

I watched it happen. There was some shady shit, and the reality was 2008 wasn’t just about GM and Chrysler but and entire JustInTime mistake that could have stopped almost all car production around the world. Different topic, but the effect was government would be involved in cars a lot more than previously.

Fast forward, and here we are. Your car ABSOLUTELY is spying on you, and the upside is you also get shipped unfinished vehicles.

Be a culture war sally about Musk all you like, I know, the bad men say the mean things. But this isn’t on him. Tesla had to and in some ways is still learning that cars aren’t computers on wheels, but this specific “feature” came from Big Government first.

[tapoxi]

Obama wasn't president until January 2009.

[SV_BubbleTime]

The fallout was after 2009, thank you though maybe I was remembering it wrong. I wasn’t, and you were making assumptions, but good to check anyhow.

[SV_BubbleTime]

Also, you can remind me who bailed out GM and Chrysler (which again, debatable move).

[balamatom]

In fact, I'd go so far as to say that he did not exist before January 2009 /s

[KPGv2]

> the bad men say the mean things

You really lose all credibility when you downplay the richest man on earth openly bribing voters and the President claiming the man helped rig voting machines, and that same man makes Nazi salutes and goes to Europe and supports the Nazi party in the place where they invented Nazi parties. And then he basically moves into the White House and magically his companies start getting government contracts, while saying empathy is a bad thing and begins eviscerating the government with no oversight.

That isn't "bad men saying bad things." But, of course, this very bad man did say some very bad things, too.

[none4methx]

There’s no reason it should cost credibility to say that these people are motivated by an enjoyment of the spectacle of their cruelty and do it on purpose. Bad man has a moral connotation as well as a tradecraft connotation. Neither one of you is wrong to use the Bad Man monicker here.

[plagiarist]

I recognize their username. I would say it is deliberate that they overlook seriously concerning events in a manner that is patronizing and disrespectful to the people they disagree with.

[vanschelven]

Reminds me of Bill Gates & GM (apparently discredited though)

https://www.snopes.com/fact-check/car-balk/

[axus]

7. Oil, water temperature and alternator warning lights would be replaced by a single 'general car default' warning light. ...

10. Occasionally, for no reason, your car would lock you out and refuse to let you in until you simultaneously lifted the door handle, turned the key, and grabbed the radio antenna.

11. GM would require all car buyers to also purchase a deluxe set of road maps from Rand-McNally (a subsidiary of GM), even though they neither need them nor want them. Trying to delete this option would immediately cause the car's performance to diminish by 50 per cent or more. Moreover, GM would become a target for investigation by the Justice Department. ...

13. You would press the 'start' button to shut off the engine.

[atq2119]

Ironically, that last point has come true!

(Though to be fair, the button tends to be labeled both start and stop)

[lubujackson]

I have a Mercedes that has an OFF button for the A/C. Took me way too long to realize it is just a badly named Power button.

[celeryd]

Prophetic

[fransje26]

Old, but gold!

[toofy]

> Everything seems to be hastily thrown together features that barely work and piles of debt that will never get fixed.

move fast and break things is going to be studied in the future as a hilariously clusterfuk misuse of an idea.

[infintropy]

It's hard to appreciate that there is a vast difference between hitting walls in a tank and not caring about the exterior, and slamming into a wall on a bicycle.

[fransje26]

> It's a wonder anything actually even works.

> If cars were made like this, there would be millions of them breaking down by the side of the road daily.

Next to the software side of things, I also often wonder about planes. But, until now, they have proved fairly resilient to falling out of the sky, except for the well known "recent" events. Which is fairly surprising, knowing the levels of mismanagement at play. We've been lucky..

[bibabaloo]

Planes have just as much spaghetti code as anything else, the only difference is that it's extremely well tested (functionally) and verified spaghetti code.

[cudder]

It's not hard to imagine there would be even more than in less verified fields, since if you try to clean it up you need to verify it again too.

[mr_toad]

From talking to someone in the industry TDD seems to be a popular methodology.

[DougN7]

Funny anecdote - I was flying through Minneapolis and the passengers on a plane about to depart had to get back off the plane so it could be rebooted. It takes 20 minutes to power down to zero and 20 minutes to boot back up. The gate agent said it was a known touchy computer on that plane - I was wondering if that was true.

[mschuster91]

> If cars (the non-software parts) were made like this, there would be millions of them breaking down by the side of the road daily.

Well, cars did break down by the side of the road daily! That's why it used to be good advice even in the 90s to always have a basic set of tools in your trunk, why AAA offered roadside assistance already in 1915, and why part of the European CDL is enough basic mechanic knowledge to self-help when the truck breaks down.

It's only in the last 20-ish years that "smarts" became cheap and ubiquitous enough in cars that the car can warn preemptively. And additionally, regulatory requirements on quality, parts availability and public expectations went up, exerting competitive pressure.

[nyarlathotep_]

> If cars (the non-software parts) were made like this

The critical software parts of cars (non user-facing entertainment systems gripes aside). Think engine control modules, ABS, etc.

This stuff is mission critical and almost always works. I think about that a lot.

[Imustaskforhelp]

Why do I feel so specifically targeted by this.

Though maybe I am of the philosophy of prototyping as I like to code for problems that I am facing right now in real life and wish like damn... wish someone could build something cool & though I use AI quite hard. Its actually because I am currently in school and I just don't have the time to code but I face some issues which I genuinely feel need to be solved right now. (Maybe even as just a proof of concept) so that I can later write good readable code later on when I go into university.

[_DeadFred_]

Forget cars, imagine if we treated government systems that millions of people's entire medical care/retirement/lives/national security/secrets/proof of existence depend upon this way? Luckily we treat those systems a little more seriously even though it costs us a little bit more/doesn't allow us to move fast and break things in that space.

[chasd00]

Government software of those types are some of the worst on the planet.

[_DeadFred_]

Other than, you mean, the next best option of break things and ruin peoples lives in the process because it fits the current software development paradigms? I'm old, I've seen 'the new right way' come then become 'the worst way of doing things on the planet' over at least 5 iterations now.

[robertlagrant]

> the next best option of break things and ruin peoples lives in the process

Lots of software works very well. Including Facebook's, where "move fast and break things" was coined, I believe, which is some of the most scalable and reliable on the planet.

[_DeadFred_]

Very well isn't good enough when peoples lives/the continuous functioning of society is at stake.

Facebook had a shit ton of teething problems. If social security/Medicaid has teething problems, people die. If Social Security has teething problems, people can't eat/pay rent/property tax, they get kicked out, their credit is ruined, and they can't qualify for new housing. Miss medication. Die. A little different than a blank page on Facebook. Facebook is also 'optional', and people can use other things to replace it. Society has committed to people over their entire lifetimes on Social Security/Medicaid. America should honor it's commitments, even when it's a little bit harder/inconvenient/more expensive. Especially when at the same time it's making 4 trillion dollar optional tax cuts instead of honoring it's promises to it's people.

Should blood bank typing software move fast and break things? Should your bank move fast and break things? Should your car's anti-lock braking system software move fast and break things? But the funds people depend on to live (Medicaid pays for the majority of nursing homes for the elderly, Social Security is many people's entire retirement income) should?

I disagree that that is how the United States should treat it's 'use cases' and 'constraints' in serving it's citizens/honoring it commitments.

And unlike Facebook, the current systems have actually worked for decades. How many times has Social Security needed a major uplift?

Now compare that to how often Facebook has had to overhaul its tech stack.

Lastly, for your comparison to work, you are claiming you are willing to fund government tech on the same level that Facebook funds their tech (otherwise the comparison makes no sense). Are you REALLY saying you are willing to fund government software development at the same expense level as Facebook? That's $60 billion and $65 billion in 2025 alone.

[fransje26]

You forgot the /s.

https://www.npr.org/2025/04/15/nx-s1-5355896/doge-nlrb-elon-...

[mattskr]

To be fair, a car isn't accessible to 8 billion+ people at any given second. That's the scary part about the internet now. You can't just have a fun little garden and only have to protect the veggies from rabbits. Them gnawing on your lettuce is your biggest issue. Now, you have to protect your veggies from essentially professional armed raiders who either burn your garden to the ground for lolz or a cryptocoin ransom.

In this day and age, like... is anything secure at this point? You say hastily... but even the biggest "walls" get breached, constantly. Just claiming hastily to feel better about your own glass walls is just as bad.

[pglevy]

I think about this daily.

[bigfatkitten]

As far as I can tell, no real maintenance has happened since Poole sold the site a decade ago. Hiroyuki paid for it and then mostly forgot about it.

[doublepg23]

The current FreeBSD version the hacker displayed was from around the time of the sale so that tracks.

[FMecha]

Nishimura for most part become a Japanese public personality - he has wrote for Japanese tabloids and has a YT channel.

[amadeuspagel]

This in general is the main factor of the decline of the "old web". Many of the people who drove it, who run these forums, are simply happier running a substack, a subreddit, a facebook group, without worrying about servers.

[bigfatkitten]

Certainly explains why 4chan fell way down his priority list.

[lazystar]

as someone who had to upgrade a stack from php 5.3 to 7.1 back in 2019... do you know what version of php they were running?

[s3krit]

Based on one of the comments in the leaked source, at least php 6, though no idea what specific version:

> // In PHP 6 this... doesn't seem to do anything? Let's try again in 7.

[lobsterthief]

PHP 6 was never released ;) Got stuck in development hell and they went straight to 7.

[s3krit]

Oh interesting, thanks! Which makes that comment in the code even more confusing