Crypto proof verifier flaw & Universal DO_NOT_TRACK telemetry opt-out - Hacker News (May 3, 2026)

First up, a serious security disclosure in the zero-knowledge world. Researchers say they found a soundness flaw in Dusk Network’s dusk-plonk verifier—the component that decides whether a cryptographic proof is valid. The issue wasn’t about a clever new attack technique so much as a missing check: some values the verifier relied on weren’t properly bound to the trusted commitments. In plain terms, that can turn “math-proof security” into “attacker gets to pick the answer.” Why it matters: the authors demonstrated a proof-of-concept where they created new coins from zero and sent funds to an honest wallet on a local testnet, with nodes accepting the transactions. Dusk has shipped a patch, but the bigger takeaway is ecosystem-wide: verifier implementations need more mechanical, standardized safeguards so “unbound evaluation” bugs don’t quietly slip into production code.

Staying on trust and control, there’s a new proposal aimed at cleaning up the mess of telemetry opt-outs in developer tools. The idea is a single environment variable—DO_NOT_TRACK=1—that would tell CLIs, SDKs, and frameworks to disable non-essential network calls like usage analytics, crash reporting, and similar reporting. Why it matters: today, every tool seems to invent its own switch, which means privacy becomes a scavenger hunt. A universal signal wouldn’t fix the broader debate about what software should collect—but it could make user intent unambiguous, and it nudges the industry toward opt-in instead of opt-out defaults.

On production engineering, Mercury published a detailed look at running a roughly two-million-line Haskell system while moving real money at high volume—much of it maintained by people who learned Haskell after joining. The core argument is refreshing: reliability isn’t the absence of failure; it’s “adaptive capacity”—systems that fail in predictable ways, are understandable under pressure, and make the safe path the easiest path. A key theme is using the type system as an operational tool, not an ideology. Mercury’s engineers encode institutional knowledge into APIs so that critical actions—like emitting the right transactional events—are hard to forget by accident. But they also warn against over-encoding invariants so tightly that teams can’t evolve. And one very practical reliability win: adopting Temporal for durable workflows, so retries, timeouts, and crash recovery are handled consistently in a way that fits nicely with Haskell’s “pure core, impure shell” mindset. The post also calls out a perennial Haskell pain point—observability—and recommends patterns like explicit instrumentation hooks and avoiding library-level logging so production teams can trace behavior when it counts.

Now to browsers—specifically, the Ladybird project’s April progress report. They merged hundreds of pull requests, brought in new contributors, and landed meaningful user-facing upgrades like an inline PDF viewer powered by Mozilla’s pdf.js. That’s paired with profiling-driven work to keep large PDFs from bogging down the experience. Under the hood, Ladybird is also pushing on the stuff that makes a browser feel “fast” in daily use: getting earlier starts on parsing, moving more work off the main thread, improving rendering responsiveness with more parallelism, and tightening up the JavaScript engine’s speed and memory use. Why it matters: independent browser engines are rare, and Ladybird’s steady climb in standards testing and performance work suggests it’s moving from “interesting experiment” toward “credible alternative,” which is healthy for the web ecosystem.

Microsoft also shared a progress update—this time on Windows 11 quality improvements and how it’s reworking the Windows Insider Program. The headline is simplification: two main channels, Experimental and Beta, with fewer confusing rollout mechanics. Beta is positioned to be more predictable, while Experimental becomes the place to try new features more explicitly—without trapping people in a maze of hidden switches. They’re also trying to make Windows Update less disruptive, including efforts to consolidate restarts and keep shutdown options visible even when updates are pending. And in a notable bit of restraint, Microsoft says it’s “right-sizing” AI integration—removing “Ask Copilot” from some app surfaces and making AI entry points feel more intentional. Why it matters: Windows reliability isn’t just about fewer crashes; it’s also about fewer surprises. Clearer channels, calmer defaults, and less forced AI could rebuild some trust with power users who’ve felt like involuntary beta testers.

On the AI-in-the-browser front, a new open-source project called ml-sharp-web shows a complete, browser-based playground for generating 3D “Gaussian splats” from a single image using Apple’s SHARP model. It runs end-to-end in the browser: inference happens with ONNX Runtime Web in a worker, then the result is previewed and exported as a downloadable file. Why it matters: this is a concrete demo of heavyweight AI workloads moving closer to the client side, which can improve privacy and reduce server costs. But it also documents the less glamorous reality: browser constraints like cross-origin isolation requirements for high-performance WebAssembly, real deployment friction around large model files, and licensing gotchas where model weights have very different terms than the surrounding code.

Switching to science, Stanford Medicine published results that challenge a common habit in brain imaging: averaging people together and assuming the result reflects individuals. Using fMRI data from thousands of children doing an inhibitory-control task, the researchers compared group-level results with within-person, trial-by-trial dynamics. In some cases, the relationship flipped—what looked true in the average wasn’t true inside an individual. Why it matters: it’s a reminder that “one chart for everyone” can be misleading in neuroscience, especially when the goal is understanding behavior and mental health. The work also suggests conditions linked to inhibitory control—like ADHD—may involve multiple underlying pathways, which argues for more tailored interventions rather than a single story built from averages.

And now for a deep history datapoint: a study reports that Neanderthals in central Germany were rendering bone grease at scale around 125,000 years ago. The evidence points to a deliberate, repeated processing operation—bones smashed into massive quantities of fragments and heated to extract fat—at what appears to be a centralized lakeside work site. Why it matters: this pushes sophisticated food processing and coordinated labor further back in time than many people assume. It also adds weight to the picture of Neanderthals as strategic planners who managed resources across landscapes, not just opportunistic hunters.

Finally, a developer story from the small-screen frontier: one engineer described a multi-year effort to build a genuinely usable map experience on Apple Watch. Early approaches leaned on server-generated images, which meant latency and no offline capability. Over time, the project shifted toward on-device rendering for speed and reliability, and a lot of the work was simply interface design—making panning, zooming, and metrics readable on a tiny, one-handed display. Why it matters: wearables keep getting marketed as “mini phones,” but they succeed or fail on interaction design. This story is a good reminder that performance, offline behavior, and UI constraints are inseparable—and sometimes the default platform tools aren’t flexible enough for demanding outdoor navigation use cases.