frontpage.
newsnewestaskshowjobs

Open Source @Github

fp.

Open in hackernews

TS-2026-009: Insecure argument handling in Tailscale SSH permitted root access

https://tailscale.com/security-bulletins
42•jervant•1h ago

Comments

tptacek•1h ago
This is such a venerable and ancient class of bugs, going at least as far back as AIX 3. Glad to see they're still makin' 'em like they used to.

(If you had SSH access to a host in your Tailscale ACL, you could log in as `-i` and get a root login.)

e40•1h ago
So, giving access via tailscale but using OpenSSH is safe, right?
lugoues•1h ago
Yes, this only involves their wrapper that is managed by ACL rules.
kbumsik•58m ago
Why own numbering instead of CVE?
vngzs•52m ago
It lets organizations (Tailscale) control the timing and narrative around the disclosure more directly. Organizations sometimes avoid the bureaucracy of going through CVE Numbering Authorities by self-publishing. Often a CVE assignment follows self-disclosure, especially when there's pressure to interoperate with vuln-scanning/compliance tooling
cyberax•50m ago
> "Tailscale SSH now rejects usernames with leading dashes."

Really? That's the fix?

A proper fix is to use "--" to separate arguments.

sedatk•48m ago
Their fix just future-proofs it in case the same bug gets reintroduced.
cyberax•20m ago
This is just a dirty fix. It adds weird restrictions and masks issues.

Refactoring external invocations to use safe argument handling is a better way to fix it. Along with tests that exercise weird names.

valleyer•23m ago
A proper fix is not to shell out to a command at all; use getpwnam(3) or similar.
doublepg23•43m ago
I’m a heavy Tailscale user, so I do trust them quite a bit, but I never used the Tailscale SSH feature. I feel like OpenSSH’s security record is pretty unbeatable, not sure why I’d swap over for such a security-sensitive tool.
jdiff•32m ago
I've used it before to access my tailnet machines through a browser on a machine I can't download software on.
isatty•32m ago
Convenience for the most part but in general, I agree. I like having it as an option.
bakies•19m ago
Yeah pretty much just use tailscale as a vpn.. do one thing as they say.
dgacmu•7m ago
I used it for a bunch of remote monitor boxes to have a way of centrally managing ssh access to things that were often on- and off-line. It was simple and convenient and access was easily revocable.
modeless•34m ago
Tailscale SSH has caused me other problems in the past because it takes over port 22. I'm not a fan.

Samosa Chat: Run Qwen3.6-35B-A3B Locally on a 16 GB Apple Silicon Mac

https://github.com/deepanwadhwa/samosa-chat
2•dwa3592•11m ago•0 comments

Ptolemaic and LLM Architecture Compared (In 3D)

https://celestial-llm-mirror.vercel.app/
1•mikemangialardi•13m ago•0 comments

Dell Is on a Roll with the XPS

https://world.hey.com/dhh/dell-is-on-a-roll-with-the-xps-5a09a84e
2•dotcoma•14m ago•0 comments

GPT 5.6 Sol Pro disproves long-standing hypothesis in statistics

https://twitter.com/i/status/2077082912021786660
1•qsi•14m ago•1 comments

John Archibald Wheeler: It from Bit

https://en.wikipedia.org/wiki/John_Archibald_Wheeler
1•lioeters•19m ago•1 comments

Fix CSS Problems

https://www.fix-css.com/
1•ilreb•21m ago•0 comments

vLLM prefill paired with TileRT decode

https://vllm.ai/blog/2026-07-14-vllm-tilert-pd
2•ilreb•23m ago•0 comments

3k-year-old Egyptian tomb with vivid afterlife paintings uncovered near Luxor

https://www.euronews.com/culture/2026/07/14/3000-year-old-egyptian-tomb-with-vivid-afterlife-pain...
3•devonnull•24m ago•0 comments

White House launches AI cybersecurity clearinghouse

https://www.cnn.com/2026/07/14/tech/ai-cybersecurity-clearing-house-white-house
1•1659447091•25m ago•0 comments

Cicada- an agentic Python IDE Free to use ( comes with built in small model)

https://github.com/godsonj64/Cicada/releases/tag/v0.4.0
1•godsonj64•25m ago•1 comments

Show HN: PullCard – Pull your AI coding style as a holographic trading card

https://pullcard.sakimyto.com
1•sakimyto•27m ago•0 comments

Show HN: I built an AI agent memory engine because Obsidian wasn't cutting it

https://perseus.observer/blog/built-perseus-vault-obsidian-wasnt-cutting-it/
1•perseusai•32m ago•0 comments

TPU and GPU Clusters: The Anatomy of Collective Communication

https://www.aleksagordic.com/blog/collective-operations
1•npalli•34m ago•0 comments

When China's open-source AI is a trap

https://www.economist.com/international/2026/07/14/when-chinas-open-source-ai-is-a-trap
2•andsoitis•35m ago•1 comments

Data for Agents

https://huggingface.co/blog/nvidia/open-data-for-agents
1•gmays•36m ago•0 comments

Midnight social media curfew proposed for older UK teens

https://www.bbc.com/news/articles/c982857nlrlo
2•dabinat•38m ago•0 comments

High-Bandwidth Flash offers efficient storage for model weights

https://spectrum.ieee.org/high-bandwidth-flash
1•Gaishan•38m ago•0 comments

Cisco licenses iOS name to Apple, screenshot shows iWork on iPhone (2010)

https://appleinsider.com/articles/10/06/08/cisco_licenses_ios_name_to_apple_screenshot_shows_iwor...
1•thunderbong•39m ago•0 comments

A Magazine with One Subscriber

https://matthodges.com/posts/2026-07-12-personal-magazine-claude-codex/
1•jv22222•41m ago•1 comments

When AI gets a pass: the rise of 'AI Exceptionalism'

https://www.magiclasso.co/insights/ai-exceptionalism/
2•bentocorp•41m ago•0 comments

Show HN: Gomoku AI Edu – A Native macOS Gomoku Game with AI Opponent

https://gomoku.w3cub.com/
1•terryXyz•43m ago•0 comments

UEFI shims undermining Secure Boot

https://www.welivesecurity.com/en/eset-research/forgotten-uefi-shims-undermining-secure-boot/
3•gnabgib•50m ago•0 comments

6 months of OpenClaw

https://notesbylex.com/6-months-of-openclaw
1•lexandstuff•52m ago•0 comments

Show HN: A web based VistaPro clone

https://toby.github.io/vista/
1•tobypadilla•53m ago•0 comments

Microsoft's Secure Boot has been broken for a decade and no one noticed

https://arstechnica.com/security/2026/07/microsoft-secure-boot-has-been-broken-for-most-of-its-ex...
3•Gaishan•56m ago•1 comments

Global Warming at 3 °C by 2050? What's Behind the New German Climate Warning

https://worldcrunch.com/focus/green-or-gone/global-warming-at-3c-by-2050-what-s-behind-the-new-ge...
9•tejohnso•59m ago•1 comments

Making it easier to party is becoming serious public policy

https://www.economist.com/united-states/2026/07/14/cities-are-rethinking-what-happens-after-dark
1•petethomas•59m ago•0 comments

The Web Won Because It Got Easier

https://www.gordonmclean.co.uk/2026/06/18/on-the-indiefediactivitymastoweb/
1•zetamax•1h ago•0 comments

Teleparallel Gravity: From Theory to Cosmology(2021)

https://arxiv.org/abs/2106.13793
2•rolph•1h ago•0 comments

Piuma – A minimal, feather-weight, site builder in Go

https://github.com/sprawz/piuma
1•H501•1h ago•0 comments