
Lovense: The Company That Lies to Security Researchers

https://bobdahacker.com/blog/lovense-still-leaking-user-emails
60•campuscodi•6mo ago

Comments

ykonstant•6mo ago
That is beyond bad; some models using Lovense have high privacy needs and probably don't know their equipment is so insecure. Even leaving account takeover aside, it is hard enough to fend off stalkers without them having your email.
cwmoore•6mo ago
Gotta honor high-profile privacy needs.
breakingcups•6mo ago
This is crazy bad, malpractice-level bad if this were a regulated profession.
cwmoore•6mo ago
"State-licensed teledildonicist."
dannykwells•6mo ago
This is what I come here for.
dizhn•6mo ago
Like the author I would expect a lot more attention to privacy and security from a remote operated vibrating dong company.
graemep•6mo ago
I genuinely do not know whether you are being serious or sarcastic.
dizhn•6mo ago
Serious but tongue-in-cheek. Their product and service naturally requires a somewhat higher level of personal privacy, yet they seem to look at their own business as serving the horny freaks who don't deserve better.
graemep•6mo ago
They may be right in that their customers are probably not very privacy focused. The intersection between "people who connect sex toys to the internet" and "people who care a lot about privacy" is quite likely to be small.

I agree their attitude is pretty bad though. They should care about customers' privacy with something like this.

dizhn•6mo ago
> their customers are probably not very privacy focused.

Maybe. I think it's more like they are not tech literate (and also this Lovense thing is like google or microsoft for them. They can't not use it if they want to remain competitive.) If people go doxing a few high profile users, I am sure people will worry about their privacy a lot more.

graemep•6mo ago
Good point. I was thinking about normal users, which the site seems to be aimed at, but I can see it's much more of a risk for high-profile users.
RockRobotRock•6mo ago
They're just another cheap IoT consumer electronics company. It's not that deep.
JohnMakin•6mo ago
Why even have a bounty system in the first place if you're going to do this kind of thing?
water-data-dude•6mo ago
For the optics of "we have a bug bounty system".
noboostforyou•6mo ago
Assuming everything you reported is true (I'm not doubting you, I just don't have the time to test everything myself atm) this is actually insane behavior from the company.
tristor•6mo ago
This type of behavior should honestly get the leaders of the company criminally charged; this is willful negligence. Assuming this is true (and the blog post has enough receipts to assume that it is), this company should be forcibly dissolved by the government and the leadership criminally charged. This is absolutely ridiculous behavior in response to a security report.
dmitrygr•6mo ago

  What are you in for?

  Murder 1. You?

  Didn't secure someone's buttplug properly

  Duuuude... you're a monster
jterrys•6mo ago
https://web.archive.org/web/20250728145153/https://bobdahack... hugged to death
chmod775•6mo ago
Am I crazy or does all of that look ridiculously over-engineered for what they actually provide? It looks like the 4-5 devs wanted to build something fancy like the big boys would, without having the manpower to deal with the overhead.

These kinds of issues usually arise because complex technologies are introduced, mostly by following some basic tutorials and light googling, without anyone actually understanding what that random NPM package (speaking a protocol of which they have at best a rudimentary understanding) actually does to communicate with the rust crate the other guy pulled.

I don't doubt their entire service could be a monolithic, small, and easily comprehensible node app running on some consumer PC hardware at the company HQ. You're never going to outgrow that in their business. It'd likely run off a macbook with some engineering discipline.

Instead it's probably a confusing mess of microservices in a Kubernetes cluster, each running in its own Docker container for "isolation", glued together with some YAML magic and a few bash scripts, tunneling XMPP over gRPC "because it's faster", behind an Istio mesh someone half-configured, talking to a bunch of managed cloud services across AWS and GCP "for redundancy", with Redis caches scattered around "just in case", logs streaming into three different observability tools (none of them fully set up), CI/CD powered by GitHub Actions triggering Terraform deployments through a Slack bot, autoscaling turned on "with default settings", and of course there's a blockchain component for audit logs - though no one remembers why - and a colocated 96-core fifteen-thousand dollar server running a cron job that updates a config file in S3 every hour "to keep things in sync".

Too bad the entire thing relies on those JIDs containing PII now, which everyone is afraid of changing. The solution? Slap another micro-service in front that translates them to something else. Devs have been unsuccessfully trying to get exactly that deployed for weeks now. But cut them some slack: getting shit done is hard when you're overqualified for your job.

BobDaHacker•6mo ago
You absolutely nailed it. As the researcher who found these vulns, I can confirm the over-engineering is real.

They literally had internal user IDs (ofId) already implemented and working, but kept the email-based JIDs for "legacy support." The entire XMPP system could have used these internal IDs from day one.

The "14 months to fix" claim was even more ridiculous when you realize the fix was just... using the IDs they already had. No architectural changes needed. They even admitted they had a 1-month fix ready but chose not to deploy it.

Your microservice translation layer guess is scary accurate - that's essentially what their "v2" endpoints were trying to do. They created new HTTP endpoints that used internal JIDs instead of email-based ones, but the XMPP layer still exposed everything, making the whole effort pointless.

The best part? After going public, they implemented the "impossible" fix in 48 hours. Turns out you don't need 14 months when the Internet is watching.

BobDaHacker•6mo ago
Hi HN, I'm the researcher who found these vulnerabilities. Happy to answer questions.

A few clarifications on the technical side:

The XMPP issue wasn't just about JIDs containing emails - it was that their roster sync actively linked internal IDs to real email JIDs. Even their "v2" endpoints that tried to hide emails were useless because the XMPP layer still exposed everything.

Regarding the "14 months to fix" claim - they actually had the fix ready (they admitted they could do it in 1 month) but chose not to deploy it for "legacy support." The fix they implemented after public pressure was exactly what I suggested months ago: just use the internal IDs they already had.

The most frustrating part was discovering other researchers reported these exact bugs in 2022 and 2023. Lovense told them it was "fixed" while paying them peanuts ($350 vs the $3000 they paid me for the same bugs).

Also, to address the over-engineering comment by chmod775 - you're spot on. They had internal user IDs (ofId) the whole time but maintained this complex dual system. The "architectural complexity" was self-inflicted.