
The FIPS 140-3 Go Cryptographic Module

https://go.dev/blog/fips140
108•FiloSottile•7h ago

Comments

aranw•5h ago
I’m curious to understand what implications this will have on Go and where it is used. How does this differ from other languages as well? I don’t fully understand what it will mean for Go and its community.
tptacek•5h ago
None; it's an optional package you use when your users require FIPS 140.
haiku2077•3h ago
It means companies with US government contracts writing Go code can use the standard library crypto package in native Go instead of having to enable CGO and use a crypto library written in C. CGO is kind of a pain in the ass to develop with compared to fully native Go code, especially when cross-compiling (and cross-compilation is very common now that ARM is common on both laptops and servers).

This also now makes Go a very convenient language to write US Gov software in.

If you have never heard of FIPS before ignore this entirely and continue to live in happiness.

tptacek•5h ago
It's interesting and kind of neat in an inside-baseball way that the standard Go cryptographic library (already unusual in the major languages for being a soup-to-nuts implementation rather than wrappers around an OpenSSL) is almost fully NIST-validated; in particular, it means vendors who want to sell into FedGov can confidently build with the Go standard library.

Having said all this: nobody should be using crypto/fips140 unless they know specifically why they're doing that. Even in its 140-3 incarnation, FIPS 140 is mostly a genuflection to FedGov idiosyncrasies.

twoodfin•5h ago
Would you say there’s a brown M&M’s aspect (intentional or otherwise) to FIPS-140, or is it all just bowing to the sovereign for his indulgences?
YawningAngel•4h ago
Not really. It isn't hard to use FIPS validated software, it's just annoying to do because most libraries you would want to use aren't FIPS compliant by default for good reasons. If you can get a government contract in the first place you are already administratively competent enough to use FIPS.
tptacek•4h ago
Yeah, I don't think there's any malice to any of this; FIPS is just the product of a particularly conservative (backwards-looking, path-dependent) and market-unaccountable standards process. It's like what would happen if JPMC had so much market power that they could make their own cryptographic standard; it would, I am saying, suck ass, without anyone meaning for it to.
EvanAnderson•3h ago
> If you can get a government contract in the first place you are already administratively competent enough to use FIPS.

Speaking as a sysadmin for a local government roped into FIPS requirements by way of FBI CJIS compliance I can safely say your assumption of competence is incorrect.

FiloSottile•4h ago
> Applications that have no need for FIPS 140-3 compliance can safely ignore [this page], and should not enable FIPS 140-3 mode.

https://go.dev/doc/security/fips140

Yup.

chrisabrams•4h ago
> Having said all this: nobody should be using crypto/fips140 unless they know specifically why they're doing that. Even in its 140-3 incarnation, FIPS 140 is mostly a genuflection to FedGov idiosyncrasies.

What should folks use then?

tptacek•4h ago
crypto/, not crypto/fips140.
FiloSottile•4h ago
To nitpick, there is no special crypto/fips140 package. (Ok, there is, but it just has an Enabled() bool function.)

FIPS 140-3 mode is enabled by building with GOFIPS140=v1.0.0 (or similar, see https://go.dev/doc/security/fips140), but it shares 99% of the code with non-FIPS mode.

Still, your message is right, just GOFIPS140=off (the default!), not GOFIPS140=v1.0.0.

tptacek•2h ago
Not a nitpick! I was just wrong!
3eb7988a1663•13m ago
Does that mean it might be easier, regardless of language, to shell out to your cryptographic Go binary rather than deal with OpenSSL? I dislike a lot of Go, but they have been pretty good about backwards compatibility.
hamburglar•5h ago
This is huge. I’ve spent years jumping through hoops to get Go projects signed off for FIPS-140 and I always worried that something was going to go wrong and we’d have a compliance nightmare on our hands. They just made it super easy.
dangoodmanUT•4h ago
I think this was in MS Go before, right?
FiloSottile•4h ago
No, the Go 1.24 native module effort that they talk about in https://devblogs.microsoft.com/go/go-1-24-fips-update/ is this effort, which Microsoft was not involved in. We simply decided to delay the official announcement until the module reached the In Process list.

The system libraries approach used by Microsoft Go is cgo based IIUC, and I think derived from Go+BoringCrypto. I understand they are working on migrating their bindings to fit better downstream of the new native mode.

dadrian•4h ago
If DOGE had done nothing other than get rid of FIPS validation, the GDP unlock alone would have solved the debt problem.
dlock17•4h ago
Companies don't need any additional reasons to skimp out on security.

The money could probably be more wisely spent if not following FIPS but without FIPS the average company wouldn't direct that money towards security at all.

tptacek•4h ago
No. FIPS has literally nothing to do with security.
dlock17•3h ago
I may be thinking more about FedRAMP in general rather than just FIPS140-3, but mandating things like keeping user passwords out of logs is a security improvement.

And the average company needs to be dragged kicking and screaming to care about security at all.

tptacek•3h ago
This is about exclusively using "validated" implementations of specific cryptographic constructions. You can avoid it simply by not encrypting stuff at all, which is an indication of how little it has to do with security.
hamandcheese•2h ago
> You can avoid it simply by not encrypting stuff at all, which is an indication of how little it has to do with security.

The consequences of encrypting wrongly quite possibly are worse than if you never encrypted at all.

tptacek•2h ago
Good thing FIPS 140 does virtually nothing to prevent cryptographic vulnerabilities, then.
Spooky23•40m ago
Remember when HN was losing its collective mind over Dual_EC_DRBG? That was delivered to customers with a FIPS validated software stack.
tguvot•10m ago
FedRAMP requires encrypting a bunch of stuff.
Spooky23•44m ago
FedRAMP is more a cheatsheet for compliance people. Someone in a federal agency had an auditor validate that the required NIST controls were done.

The most useful thing about FIPS 140 is that it’s a great way of quickly identifying clueless security people.

api•2h ago
Doesn’t it at least keep snake oil crypto out of government? If it were removed it should be replaced by something. No standard would lead to a lot of crap being deployed.
akerl_•2h ago
It’s way better at preventing usage of modern crypto than it is at blocking snake oil.
tptacek•2h ago
A lot of FIPS-compatible crap is already deployed, and our most secure and trusted cryptography generally wasn't created under any standards regime.
thayne•1h ago
I wouldn't say nothing. It is intended to ensure some level of security. And in some ways it can lead to decreased security if you comply with it (for example, if a vulnerability is found in your crypto library, you have to wait for the fix to be "validated" before you can patch it).

But yeah, complying with FIPS doesn't necessarily mean you are secure, and it is definitely possible to be secure without being FIPS compliant.

tptacek•1h ago
FIPS-140 doesn't even speak to most cryptographic vulnerabilities; it could prevent you from using, like, the PKZip cipher rather than AES, but not (really) from having code that could be induced into reusing a GCM nonce.

It is of no security value.

tguvot•6m ago
FedRAMP, as of last year, allows using a non-FIPS-validated version in order to patch security vulnerabilities.
firesteelrain•4h ago
Does the use of the library in your application still require the application itself to be FIPS validated? This just makes it a little easier to go through full, validated NIST compliance, right?
FiloSottile•4h ago
[ Big I am a cryptographer, not your cryptographer disclaimer ]

It depends, but if you are targeting Security Level 1 (which is what most folks think about when they think about FIPS 140) you generally don't need your entire application to be validated, only the cryptographic module.

So (again, depending on your requirements and on the Operating Environment you deploy to and on what algorithms you use and how) setting GOFIPS140 might actually be all you need to do.

firesteelrain•4h ago
Thank you. I will remember this the next time this comes up at work.
bradfitz•3h ago
Congrats, Filippo!
midocon•3h ago
This is a test!
midocon•3h ago
This is a test
SAI_Peregrinus•3h ago
The "Uncompromising Security" section[1] is particularly interesting to me. FIPS-140 compliance usually leads to reduced security, but it looks like the Go team found ways around the main janky bits. It's nice that there's now a FIPS-140 module for FedRAMP that doesn't require avoiding VMs to stay secure, for example.

[1] https://go.dev/blog/fips140#uncompromising-security