frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

fp.

France's homegrown open source online office suite

https://github.com/suitenumerique
1•nar001•20s ago•0 comments

SpaceX Delays Mars Plans to Focus on Moon

https://www.wsj.com/science/space-astronomy/spacex-delays-mars-plans-to-focus-on-moon-66d5c542
1•BostonFern•39s ago•0 comments

Jeremy Wade's Mighty Rivers

https://www.youtube.com/playlist?list=PLyOro6vMGsP_xkW6FXxsaeHUkD5e-9AUa
1•saikatsg•1m ago•0 comments

Show HN: MCP App to play backgammon with your LLM

https://github.com/sam-mfb/backgammon-mcp
1•sam256•3m ago•0 comments

AI Command and Staff–Operational Evidence and Insights from Wargaming

https://www.militarystrategymagazine.com/article/ai-command-and-staff-operational-evidence-and-in...
1•tomwphillips•3m ago•0 comments

Show HN: CCBot – Control Claude Code from Telegram via tmux

https://github.com/six-ddc/ccbot
1•sixddc•4m ago•1 comments

Ask HN: Is the CoCo 3 the best 8 bit computer ever made?

1•amichail•6m ago•0 comments

Show HN: Convert your articles into videos in one click

https://vidinie.com/
1•kositheastro•9m ago•0 comments

Red Queen's Race

https://en.wikipedia.org/wiki/Red_Queen%27s_race
2•rzk•9m ago•0 comments

The Anthropic Hive Mind

https://steve-yegge.medium.com/the-anthropic-hive-mind-d01f768f3d7b
2•gozzoo•12m ago•0 comments

A Horrible Conclusion

https://addisoncrump.info/research/a-horrible-conclusion/
1•todsacerdoti•12m ago•0 comments

I spent $10k to automate my research at OpenAI with Codex

https://twitter.com/KarelDoostrlnck/status/2019477361557926281
2•tosh•13m ago•0 comments

From Zero to Hero: A Spring Boot Deep Dive

https://jcob-sikorski.github.io/me/
1•jjcob_sikorski•13m ago•0 comments

Show HN: Solving NP-Complete Structures via Information Noise Subtraction (P=NP)

https://zenodo.org/records/18395618
1•alemonti06•18m ago•1 comments

Cook New Emojis

https://emoji.supply/kitchen/
1•vasanthv•21m ago•0 comments

Show HN: LoKey Typer – A calm typing practice app with ambient soundscapes

https://mcp-tool-shop-org.github.io/LoKey-Typer/
1•mikeyfrilot•24m ago•0 comments

Long-Sought Proof Tames Some of Math's Unruliest Equations

https://www.quantamagazine.org/long-sought-proof-tames-some-of-maths-unruliest-equations-20260206/
1•asplake•25m ago•0 comments

Hacking the last Z80 computer – FOSDEM 2026 [video]

https://fosdem.org/2026/schedule/event/FEHLHY-hacking_the_last_z80_computer_ever_made/
2•michalpleban•25m ago•0 comments

Browser-use for Node.js v0.2.0: TS AI browser automation parity with PY v0.5.11

https://github.com/webllm/browser-use
1•unadlib•26m ago•0 comments

Michael Pollan Says Humanity Is About to Undergo a Revolutionary Change

https://www.nytimes.com/2026/02/07/magazine/michael-pollan-interview.html
2•mitchbob•26m ago•1 comments

Software Engineering Is Back

https://blog.alaindichiappari.dev/p/software-engineering-is-back
2•alainrk•27m ago•1 comments

Storyship: Turn Screen Recordings into Professional Demos

https://storyship.app/
1•JohnsonZou6523•28m ago•0 comments

Reputation Scores for GitHub Accounts

https://shkspr.mobi/blog/2026/02/reputation-scores-for-github-accounts/
2•edent•31m ago•0 comments

A BSOD for All Seasons – Send Bad News via a Kernel Panic

https://bsod-fas.pages.dev/
1•keepamovin•34m ago•0 comments

Show HN: I got tired of copy-pasting between Claude windows, so I built Orcha

https://orcha.nl
1•buildingwdavid•35m ago•0 comments

Omarchy First Impressions

https://brianlovin.com/writing/omarchy-first-impressions-CEEstJk
2•tosh•40m ago•1 comments

Reinforcement Learning from Human Feedback

https://arxiv.org/abs/2504.12501
7•onurkanbkrc•41m ago•0 comments

Show HN: Versor – The "Unbending" Paradigm for Geometric Deep Learning

https://github.com/Concode0/Versor
1•concode0•41m ago•1 comments

Show HN: HypothesisHub – An open API where AI agents collaborate on medical res

https://medresearch-ai.org/hypotheses-hub/
1•panossk•44m ago•0 comments

Big Tech vs. OpenClaw

https://www.jakequist.com/thoughts/big-tech-vs-openclaw/
1•headalgorithm•47m ago•0 comments
Open in hackernews

Break Me If You Can: Exploiting PKO and Relay Attacks in 3DES/AES NFC

https://www.breakmeifyoucan.com/
52•noproto•1w ago

Comments

1970-01-01•1w ago
3DES has been broken for a decade. Nice job putting it all together though.
tptacek•1w ago
It has? What exactly do you mean by that?
zxcvasd•1w ago
if i were to guess, they are referring to CVE-2016-2183, which lead to deprecation of 3DES by NIST in 2019 (announced in 2017) and disallowing all uses in 2023. openssl also stopped including it in default builds starting in 2016 because it is considered weak.
tptacek•1w ago
This is Sweet32, an attack on any block cipher with an 8-byte block size. We don't consider those ciphers "broken"; they just can't be used safely in some common modes. You shouldn't use 3DES or IDEA or Blowfish, of course, but I don't think they're considered "broken", not in the same sense that, say, RC4 is.
zxcvasd•1w ago
to any non-cryptographer, i think that's a distinction without a difference. it's disallowed from use by the major standards institute due to a vulnerability where people can recover the plain text.

that sounds "broken" to me, but i'm not a cryptographer. so, i'll defer to you when you say it's not broken. (i dont know what the cryptographer-specific definition of broken is -- it'd be great if you would shed some light on that)

tptacek•1w ago
Again: not a vulnerability in the cipher.
tialaramex•1w ago
It's true that 64 bits was known not to be enough when DES shipped decades ago, but there is some difference between "We know that's a bad idea" and a demo showing why, and so I think I'm OK with the word "broken" in that context.

There's a reason POCs matter right? Why you feel comfortable (even though I don't agree) saying multi-threaded Go doesn't have a memory safety problem and yet you wouldn't feel comfortable making the same claim for C++.

fc417fc802•1w ago
I'm not a cryptographer but to me "broken" seems to imply that the core algorithm itself can be attacked. If merely applying it in certain ways as part of some larger system can fail then aren't most (possibly all) ciphers broken? It's entirely possible to do all sorts of stupid things.

Granted, a 2^32 block limit is pretty severe by modern standards.

upofadown•1w ago
Si (2^32)*8 works out to 34GB for TDES. How many applications involve encrypting that much data in one go?
fc417fc802•1w ago
Sorry, calling that a block limit was an error by omission on my part. 2^32 yields a 50% chance of reuse. If we pick a sane security margin it's a lot smaller. Assuming I did the math correctly just now, 2^-32 only gives you ~2^17 blocks; dropping that to 2^-24 yields ~2^21 blocks.
upofadown•1w ago
Off the top of my head, NIST was suggesting something like 8GB as the working limit. It would depend on your risk tolerance and the application in practice I guess. For something like video you might not really care about exposing a few 8 byte blocks here and there where the exposure is one block XORed with the other.
fc417fc802•1w ago
An aside, personally I quite like TDES for the purpose of generating secure handles and the like. The larger block sizes of pretty much every other common algorithm yield URLs and integers that are more difficult to work with. 64 bits is a manageable enough length and you don't have to implement the algorithm yourself (at which point you'd have rolled your own crypto).
tptacek•6d ago
Further aside, note that there are constructions designed specifically for that problem and its relatives:

https://www.cs.ucdavis.edu/~rogaway/papers/subset.pdf

tptacek•1w ago
This semantic argument was more plausible before the original commenter claimed 3DES can be "broken with little effort".
tialaramex•1w ago
That's fair, I won't defend "broken with little effort".
_tk_•1w ago
Not to be rude, but it seems to me that you are engaging in some hairsplitting. In general, security people do not recommend to use 3DES or RC4 - even if RC4 is broken in other ways than 3DES.
tptacek•1w ago
RC4 is actually broken. It's fundamentally broken. As you run it, it's face melts off like the guy at the end of Raiders. It's genuinely weird nobody noticed how bad it was, in a practical sense, until the late aughts.

The 64 bit block size in 3DES (and Blowfish and IDEA) limits how much data you can encrypt under a single key. I think the real "tell" that this isn't hair-splitting is that people don't ever generally talk about Blowfish being "broken", just obsoleted.

_tk_•1w ago
People just don’t talk about Blowfish.
somat•1w ago
They do, but indirectly, the b in bcrypt stands for blowfish.
1970-01-01•1w ago
It means you should not use it for anything important, because it can be decrypted by the public with little effort. If you look back, it has been this way for quite awhile. My gripe is with the clickbait title 'Break Me If You Can'

https://nvd.nist.gov/vuln/detail/cve-2016-2183

tptacek•1w ago
How exactly would you decrypt a 3DES ciphertext "with little effort"?
1970-01-01•1w ago
It's supported in hashcat
some_furry•1w ago
Is this a bit?
1970-01-01•1w ago
Have you tried it?
some_furry•1w ago
We're talking about symmetric ciphers and you're talking about password cracking software.

Triple-DES has 168 bit keys. Even if you use a meet-in-the-middle attack, your attack cost has an exponent of 112 (with an associated memory cost with an exponent of 88).

That's not practically exploitable today.

If you think I'm wrong, here's a single block message encrypted with 3DES, then hex-encoded. Have fun:

  924db449f52ea976
But really, the bigger problem is Sweet32.
tostrstrudel•1w ago
BREAKMEIFYOUCAN! is the default factory key programmed into every MIFARE Ultralight C chip by NXP.
1970-01-01•1w ago
Ok that makes much more sense.
gjurhgd•1w ago
Surely someone who has been here as long as you have understands that this type of behavior is not compatible with the guidelines.

> Converse curiously; don't cross-examine.

You could have just corrected them and not goaded them into further revealing their ignorance. Yes, they underestimated how difficult it is to crack 3DES. You could have simply told them that.

tptacek•1w ago
I have no idea who they are or what they were talking about. I think they're thinking about 3DES used as a password hash. I never in 100 years would have guessed that's where they were coming from.

The thread that ensued, a discussion of what it means for a cipher to be obsoleted or unsafe versus "broken", is an actually-interesting question.

I feel pretty OK about how this went.

gjurhgd•1w ago
You could never, in a million years, have guessed by "broken" they meant "it can be decrypted by the public with little effort?" I doubt that. I see no evidence they are talking about a password hash. Here's what they actually cited:

> The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, ...

They're clearly talking about it's use as a cipher. Again, someone who has been here as long as you have should understand that you shouldn't put words in their mouth or be evasive in this way.

The conversation would still have touched on these interesting topics, and would likely have done so more immediately.

tptacek•1w ago
Do we have conflicting premises about what Hashcat is? I'm pretty sure you're just wrong here.
gjurhgd•1w ago
Do we have conflicting premises about what SSH is? I'm pretty sure you're dodging and deflecting from the actual issues here.

They were clearly suggesting that there exists a publicly available tool to attack this algorithm. They clearly didn't care one way or the other about whether it was used in passwords. What they actually cited was vulnerabilities in network services.

You are being disingenuous. Cut it out.

tptacek•1w ago
What are you talking about? No there isn't. There is no "publicly available tool to attack 3DES". Hashcat is a password cracker. You know what else it supports? AES. Is AES broken?
gjurhgd•1w ago
It's very difficult for me to imagine a way you could have read my remarks in good faith and come to that conclusion. I hope someday you figure this out, I guess I have no hope of explaining it.
tptacek•1w ago
Here's a simple question. When you said:

They were clearly suggesting that there exists a publicly available tool to attack this algorithm.

What were you referring to? If it was Hashcat, then I have just one more question:

Is Hashcat a publicly available tool that attacks AES?

gjurhgd•1w ago
I'm not going back and forth with you if you're not going to discuss the thrust of our disagreement. I am not wading into this minutia with you. I see the game you are playing to evade the subject I am trying to discuss; I'm not interested in playing.
tptacek•1w ago
Ok! Seems simple, though.
zxcvasd•1w ago
this is a very common pattern in tptacek's comments, but it's not worth calling out as he absolutely refuses to recognize it, always falling back to a similar response you see here.

with a quick google of "3des broken" and reading the first paragraph of wikipedia on 3des, i was able to guess (correctly!) what they original commenter was referring to.

tptacek•1w ago
It's pretty self-indulgent of me to respond to this comment, but just real quick: the pattern you're seeing is me in fact not being one of the top-tier experts in cryptography on Hacker News (just one of the loudest), and not knowing who this person is, and not having had a reason to think about 3DES in quite a long time. What you're reading as snark or lawyering is, rather, me meaning exactly what I said, and being uncertain about what that person was talking about.
rootlocus•2d ago
Sorry for being off-topic but I find it so refreshing that people can still engage in arguments in good faith, without resorting to personal attacks.

Thank you!

moribvndvs•1w ago
> Is this a flaw in the cryptography itself? No. The underlying cryptographic algorithms (3DES and AES-128) remain secure. The vulnerabilities arise from:

Protocol design choices that allow unauthenticated memory writes after initial authentication Lack of atomicity when writing cryptographic keys across multiple memory pages Widespread misconfiguration in real-world deployments (unlocked memory, static keys) Non-NXP compatible chips with severely flawed random number generators

arkwin•1w ago
Looks awesome! I see some Flipper Zero apps were already created. When will you be releasing this for the Chameleon? Also, any plans to port this over to the Proxmark?
noproto•1w ago
All of the attacks are released for the three platforms (Proxmark3, Flipper Zero, and Chameleon Ultra). Our goal was day 1 support for RFID testing devices.
redbell•1w ago
> Break Me If You Can

This, somehow, triggered my mind to recall LifeLock's CEO Todd Davis’s public marketing campaign where he displayed his Social Security number on the company website and advertisements to demonstrate the security of his platform, however, the challenge backfired dramatically and he becomes a victim of identity theft on at least 13 separate occasions.