frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

fp.

Queueing Theory v2: DORA metrics, queue-of-queues, chi-alpha-beta-sigma notation

https://github.com/joelparkerhenderson/queueing-theory
1•jph•10m ago•0 comments

Show HN: Hibana – choreography-first protocol safety for Rust

https://hibanaworks.dev/
3•o8vm•12m ago•0 comments

Haniri: A live autonomous world where AI agents survive or collapse

https://www.haniri.com
1•donangrey•13m ago•1 comments

GPT-5.3-Codex System Card [pdf]

https://cdn.openai.com/pdf/23eca107-a9b1-4d2c-b156-7deb4fbc697c/GPT-5-3-Codex-System-Card-02.pdf
1•tosh•26m ago•0 comments

Atlas: Manage your database schema as code

https://github.com/ariga/atlas
1•quectophoton•28m ago•0 comments

Geist Pixel

https://vercel.com/blog/introducing-geist-pixel
1•helloplanets•31m ago•0 comments

Show HN: MCP to get latest dependency package and tool versions

https://github.com/MShekow/package-version-check-mcp
1•mshekow•39m ago•0 comments

The better you get at something, the harder it becomes to do

https://seekingtrust.substack.com/p/improving-at-writing-made-me-almost
2•FinnLobsien•40m ago•0 comments

Show HN: WP Float – Archive WordPress blogs to free static hosting

https://wpfloat.netlify.app/
1•zizoulegrande•42m ago•0 comments

Show HN: I Hacked My Family's Meal Planning with an App

https://mealjar.app
1•melvinzammit•42m ago•0 comments

Sony BMG copy protection rootkit scandal

https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal
1•basilikum•45m ago•0 comments

The Future of Systems

https://novlabs.ai/mission/
2•tekbog•45m ago•1 comments

NASA now allowing astronauts to bring their smartphones on space missions

https://twitter.com/NASAAdmin/status/2019259382962307393
2•gbugniot•50m ago•0 comments

Claude Code Is the Inflection Point

https://newsletter.semianalysis.com/p/claude-code-is-the-inflection-point
3•throwaw12•52m ago•1 comments

Show HN: MicroClaw – Agentic AI Assistant for Telegram, Built in Rust

https://github.com/microclaw/microclaw
1•everettjf•52m ago•2 comments

Show HN: Omni-BLAS – 4x faster matrix multiplication via Monte Carlo sampling

https://github.com/AleatorAI/OMNI-BLAS
1•LowSpecEng•52m ago•1 comments

The AI-Ready Software Developer: Conclusion – Same Game, Different Dice

https://codemanship.wordpress.com/2026/01/05/the-ai-ready-software-developer-conclusion-same-game...
1•lifeisstillgood•55m ago•0 comments

AI Agent Automates Google Stock Analysis from Financial Reports

https://pardusai.org/view/54c6646b9e273bbe103b76256a91a7f30da624062a8a6eeb16febfe403efd078
1•JasonHEIN•58m ago•0 comments

Voxtral Realtime 4B Pure C Implementation

https://github.com/antirez/voxtral.c
2•andreabat•1h ago•1 comments

I Was Trapped in Chinese Mafia Crypto Slavery [video]

https://www.youtube.com/watch?v=zOcNaWmmn0A
2•mgh2•1h ago•0 comments

U.S. CBP Reported Employee Arrests (FY2020 – FYTD)

https://www.cbp.gov/newsroom/stats/reported-employee-arrests
1•ludicrousdispla•1h ago•0 comments

Show HN: I built a free UCP checker – see if AI agents can find your store

https://ucphub.ai/ucp-store-check/
2•vladeta•1h ago•1 comments

Show HN: SVGV – A Real-Time Vector Video Format for Budget Hardware

https://github.com/thealidev/VectorVision-SVGV
1•thealidev•1h ago•0 comments

Study of 150 developers shows AI generated code no harder to maintain long term

https://www.youtube.com/watch?v=b9EbCb5A408
2•lifeisstillgood•1h ago•0 comments

Spotify now requires premium accounts for developer mode API access

https://www.neowin.net/news/spotify-now-requires-premium-accounts-for-developer-mode-api-access/
1•bundie•1h ago•0 comments

When Albert Einstein Moved to Princeton

https://twitter.com/Math_files/status/2020017485815456224
1•keepamovin•1h ago•0 comments

Agents.md as a Dark Signal

https://joshmock.com/post/2026-agents-md-as-a-dark-signal/
2•birdculture•1h ago•1 comments

System time, clocks, and their syncing in macOS

https://eclecticlight.co/2025/05/21/system-time-clocks-and-their-syncing-in-macos/
1•fanf2•1h ago•0 comments

McCLIM and 7GUIs – Part 1: The Counter

https://turtleware.eu/posts/McCLIM-and-7GUIs---Part-1-The-Counter.html
2•ramenbytes•1h ago•0 comments

So whats the next word, then? Almost-no-math intro to transformer models

https://matthias-kainer.de/blog/posts/so-whats-the-next-word-then-/
1•oesimania•1h ago•0 comments
Open in hackernews

When root meets immutable: OpenBSD chflags vs. log tampering

https://rsadowski.de/posts/2025/openbsd-immutable-system-logs/
154•todsacerdoti•6mo ago

Comments

johnisgood•6mo ago
It is not the same, but I do use "chattr +i" on a file (which applies the immutable attribute) on Linux to a file that otherwise would have been overwritten by programs that do not give a damn whether I want it to or not, and in my case it was easier to just make that file immutable, mainly: /etc/resolv.conf.
mmsc•6mo ago
.bash_history
mzajc•6mo ago
Better yet, `shopt -s 'histappend'` in your .bashrc and `chattr +a .bash_history`. This will still allow bash to add to the history, but it won't be able to trim the file.
mmsc•6mo ago
Yes! And for macOS, `chflags uappnd .bash_history`
claviola•6mo ago
Are you using systemd-resolved? If so, it's actually a symlink to /run/systemd/resolve/stub-resolv.conf, and all you need to do to manage it yourself is to turn it into a regular file of your own. This is explained in the admittedly very long commented out text above the actual directives.
johnisgood•6mo ago
No, it is a runit-based system. I think the issue was related to resolvconf + package updates overwriting the file.

That said, I am sure your comment will be useful to some!

comex•6mo ago
> Once the system reaches normal security level, even root cannot tamper with these logs without rebooting into single-user mode

What stops the attacker from just editing /etc/rc.securelevel and then doing a normal reboot?

TacticalCoder•6mo ago
> What stops the attacker from just editing /etc/rc.securelevel and then doing a normal reboot?

Certainly a full reboot leaves more tracks than no full reboot? So it's harder to hide?

kstrauser•6mo ago
Make that file immutable so that you can only edit it in single-user mode.

This is definitely one of those “security vs convenience” situations where you can easily shoot yourself in the foot, but it’s great to have the option when you need it.

dgl•6mo ago
Except it is sourced from /etc/rc, and that’s a shell script which obviously depends on the shell and some other pieces. If you want an immutable base you kind of need to make the whole (base) system immutable (and that is possibly best designed as such to start with).

I don’t think this is “security vs convenience”, I’d more argue it’s possible to think you’ve made this secure but you’ve missed something and haven’t configured it to be as secure as you think. An approach like others have suggested with remote logging is at least easier to reason about.

h43z•6mo ago
Do I understand that correctly that in order for logs to rotate you have to reboot?
jelder•6mo ago
My thoughts exactly. And couldn’t an attacker just fill the logging volume with uninteresting events to prevent certain other events from being recorded?
jorvi•6mo ago
Log filtering via severity / keywords prevents this, assuming the logs are regularly and properly checked.
gertrunde•6mo ago
That would be where something like auditd would come in, configured so that if the audit logs location runs low on space (or out of space), it will halt the system.

(Yes, quite harsh, but for some use cases it may be the right thing to do, i.e. to fail closed).

louwrentius•6mo ago
If you want immutable logs, you log to an external log server. Anything else seems security theater to me.

That log server is properly firewalled/hardened so a hacked server can’t be used as a stepping stone to compromise the log server.

Maybe you even have access restrictions in place for the log server so people can’t wipe their own misdeeds (4-eyes principle).

This is how it’s been done for 35+ years, nothing special about this.

holowoodman•6mo ago
Yes, so much this. It used to be that important logs (filtered by severity and keywords) were even continuously live-printed by a line printer, so that there was always a current paper copy of the really important stuff for forensics.

See e.g. https://www.youtube.com/watch?v=FiEGoVzmyvs but dot-matrix was also used and at least a little less noisy.

accrual•6mo ago
tsch! tsch! tsch! tsch! "Ah, someone is trying to login as root again"
pjmlp•6mo ago
Exactly the right approach.
eternauta3k•6mo ago
Is root prevented from directly writing to the underlying block device?
kstrauser•6mo ago
Yes.
messe•6mo ago
Only if securelevel is 2. If securelevel = 1, then only mounted filesystems are RO. An attacker could conceivably forcibly unmount /var/log as root, and make the changes directly to the block device.
dspillett•6mo ago
I feel this is fixating on the wrong problem. Even with immutable flags there are various ways an attacker with root access could, after getting what they want from the system, cover their tracks by trashing the whole system⁰, and as usual if someone has physical access all bets are off. I see filesystem level flags like that to be more tools to stop you or a bug accidentally doing something stupid, than to get in the way of a malicious action by someone else.

While the standard might effectively call for immutable logs¹, he needs to read between the lines one step further: those logs do not need to be on the same machine. You could stream logs to another system that stores them immutably from the PoV of anyone except those with root or physical access to it. You still have a problem if an attacker gets access to both the source system(s) and the log sinks², there might be a latency issue meaning you could easily lose the last few log entries in the case of a complete disaster, and you have an extra moving part in your infrastructure to monitor, but it satisfies the requirement where immutable filesystem flags can not.

----

[0] Yes, you'll know something happened, and you might guess it was malicious and not random corruption, but enough tracks might be covered to stop you working out the initial who & how.

[1] and some standars explicitly call for them

[2] Careful granular access management should largely mitigate that risk. That could be a problem if you are a small organisation trying to protect against internal disgruntled admins³, but you could use a a 3rd party log-sink service in that case.

[3] This may seem overly paranoid, but if it is required for the standard your target audience wants you to have a certificate for…, and TBH it isn't that paranoid.

Rygian•6mo ago
That point should not require "reading between the lines" and that's why other standards (e.g. PCI) require explicitly that the logs are sent to a separate "central server" that provides guarantees of immutability.
dspillett•6mo ago
Standards like ISO27001 and such are deliberately not prescriptive in that way. You might argue that this makes them less useful, and I would agree…

The standard states that you should do something about X, and perhaps that your choice of how to do X should have property Y, but won't go into thither specifics. All the certificate you have, of you have one, really says is that you seem to have covered the relevant points in what you decided to do, and that you are actually implementing what you decided to do. This is one of the reasons why, despite companies having a pile of certificates like that, large prospective clients send a huge questionnaire to anyone wishing to tender for a job: the questionnaire on post fills in the gaps by requesting further detail on how you implemented the requirements of the standard (and in many cases makes it obvious that their are wrong answers that you could give).

JdeBP•6mo ago
Indeed. That was exactly what I was thinking when I read the article, from experience of PCI compliance as a matter of fact. And clearly from comments here a lot of people are thinking the same. It may be a fun "Look! OpenBSD can do something!" thing, but the reality is that defence against the dark arts goes a lot deeper, and (as ever) one often has to read more than one standard/specification. (-:
anthk•6mo ago
Linux has chattr, similar features.
tptacek•6mo ago
I came here to say the same thing; trying to make logs immutable on an attacker-controlled machine feels like a very 2000s-era OpenBSD thing to do.
accrual•6mo ago
I enjoyed reading the article, I didn't realize I could have this layer of immutability on my OpenBSD systems so easily. But after reading the comments here, indeed the real solution is to export the logs to a central server in another security domain à la PCI requirements.

On the other hand it's great to have documentation like this. I feel there's a gradient between convenience and security and immutable local logs could provide a layer of defense without requiring another server for logging. Maybe a "nice to have" for a small homelab, security practice, etc.

medguru•6mo ago
OpenBSD isn't trying anything along those lines. The author is. Your statement comes off as an odd and disingenuous conflation. They are just file system attributes shared alike with Linux and a few other operating systems.
i80and•6mo ago
Without defending this endeavor, is the immutable bit all that different from macOS's SIP?
khaki54•6mo ago
Yep use syslog server or similar in conjuction with this, which basically gives you something like immutability since the data is on a remote server with hopefully different security controls. You really don't want to be trying to sort an attack out after the fact on attacker-controlled machine. They could of course turn off network links or syslog eventually, but you'd at least have the early stages of the attack and or perhaps be able to detect it before they actually get full access.
stouset•6mo ago
You’re not wrong, but now you have all your logs on another machine. And that machine could make them immutable/append-only for defense-in-depth purposes :)
burnt-resistor•6mo ago
We need blockchain-esque, WORM-/log-structured filesystems for logs and formal validation of compilers, kernels, and critical bits of userspace. I think a case could be made for a proprietary Flash EEPROM log device "HSM"-like gizmo on a centralized "syslog" box/es that only does one-way writes and authenticated queries.
dspillett•6mo ago
Log structured data and/or hash based ledgers are already sometimes used¹, both locally and in off-server & off-site backups, to prove that data and logs have not been tempered with. If they have then it is much harder (though far from impossible if the ledger is local-only) to hoover the fact. Of course the ledger doesn't say how the data/logs where populated nor what with, it just indicates if tampering definitely hasn't taken place (they can't say that deliberate tampering definitely has taken place, just that it might be likely, as corruption from other sources (hardware failure, etc) could also break the chain).

--------

[1] such schemes existed much prior to bitcoin & friends, though they were not used a lot back than.

bananapub•6mo ago
immutable is a handy advisory feature, but the actual answer for log tampering is "get them off the box in to a different security domain", e.g. a log server this machine can't access and is securely backed up so logs that make it there can be fairly well trusted.
mrtesthah•6mo ago
macOS has always had these chflags attributes, by the way, long before System Integrity Protection existed. Changing or removing the system-immutable/append-only flags required booting into single user mode. Even the macOS installer application itself was unable to clear them otherwise.
spauldo•6mo ago
That's not surprising given MacOS' lineage.
naltun•6mo ago
Great article.