Show HN: Nix – open-source, zero-knowledge secret sharing

https://nix.jaid.dev
1•ntempus•3w ago
Hello HN,

I built Nix because I needed a fast, secure way to share environment variables and API keys with my team without creating accounts or worrying about server logs.

The Problem: Most "pastebin" tools are either not encrypted, require a login, or are closed source (so you have to trust them blindly). I wanted something that did one thing well: encrypt data in the browser so the server never sees the key.

How it works:

Client Side Encryption: Nix uses the Web Crypto API (window.crypto) to encrypt your text or files with AES-256-GCM.

The URL Hash: The decryption key is part of the URL fragment (#key). Since fragments are never sent to the server, I literally cannot see your data even if I wanted to.

Ephemeral: You can set expiration times (5m, 1h, 24h) or "Burn on Read."

The Stack:

Next.js / React

Tailwind CSS

Web Crypto API (No external crypto libraries)

Repo: https://github.com/ntempus/nix

It’s free, no ads, and no tracking. I’d love to hear your feedback on the security implementation or the UX.

Comments

Privavault•3w ago
Nice work on the zero-knowledge implementation. A few questions from someone working on encrypted document storage:

1. How are you handling key derivation? I see Argon2 mentioned - curious about your iteration counts and memory parameters for the tradeoff between security and UX.

2. For the encrypted link approach, are you storing any metadata server-side (file sizes, timestamps, IP addresses)? Even seemingly innocuous metadata can be surprisingly revealing.

3. What's your threat model around browser-based crypto? We've been wrestling with questions like service worker persistence, CSP headers, and whether users should trust browser storage for keys at all.

The time-limited secret sharing is a great feature. I've found that immigration lawyers and journalists are particularly interested in this kind of temporary, verifiable sharing - curious if you've had similar feedback.

ntempus•3w ago
TL;DR: PBKDF2 (100k iters), Keys never hit server logs (URL fragments), Zero 3rd party scripts, Public repo for verification.

Thanks! I really appreciate the deep dive, always great to hear from someone else in the encrypted storage space.

To answer your points:

1. Key Derivation: I am currently using PBKDF2 (SHA-256 with 100,000 iterations) for the passphrase protection. I aimed for a balance that keeps decryption instant on mobile devices while remaining expensive for brute force. (I am looking at bumping the parameters in the next release to lean harder into security.)

2. Metadata & Logs: You're right, metadata is the silent killer. I strictly store:

Timestamps: Required for the auto-expiration (TTL).

Encrypted Blob: To allow retrieval.

Logs: I host on Vercel/Supabase, so standard access logs (IP/User-Agent) exist for abuse prevention. Crucially, while the random Secret IDs appear in URL paths in our logs, the decryption keys never do (they live strictly in the URL hash fragment or are derived locally). The database itself wipes the row completely upon expiration or "burn", leaving no trace of the relationship between the creator and the content.

3. Browser Threat Model: This is the elephant in the room for all web based apps. Our threat model assumes the user trusts the delivery mechanism (TLS + our server) to send uncompromised JavaScript. We mitigate XSS risks by having zero third party analytics/tracking scripts. However, for users who can't trust the "host", we made the repo public (including the SQL schema). I believe the only true solution for high threat models is "verify and self-host" so we made that as easy as possible.

Re: Lawyers/Journalists: That’s a great insight. I hadn't specifically targeted the legal/press crowd yet, but the "verifiable ephemeral" nature of the link seems to fit their workflow perfectly. I’ll definitely explore that angle further. Thanks for the tip!

burnbox•3w ago
We built Burnbox (burnbox.au) with similar goals. To answer your questions for comparison:

1. Argon2id, 64MB memory, 3 iterations. Memory-hard beats iteration count.

2. Encrypted blob + padded filename (256 bytes fixed) + expiry timestamp. No IP logging—downloads proxy through Netlify so Supabase never sees user IPs.

3. Threat model documented at /security. Trust assumption is TLS + uncompromised JS delivery. Source hashes published for verification without self-hosting.

We've had interest from lawyers and incident response teams. Use cases at /use-cases.

mehackernewsacc•3w ago
First-glance feedback is that Nix (https://nixos.org/) is _way_ too established a technology to use its name in another software project, if only for SEO reasons, and I'd recommend coming up with a new moniker.