frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

"Ripples They Cause in the World"

https://www.shadowcat.co.uk/2025/07/09/ripples-they-cause-in-the-world/
38•todsacerdoti•1h ago•8 comments

MCP-B: A Protocol for AI Browser Automation

https://mcp-b.ai/
223•bustodisgusto•10h ago•107 comments

Tree Borrows

https://plf.inf.ethz.ch/research/pldi25-tree-borrows.html
490•zdw•18h ago•118 comments

Generic interfaces

https://go.dev/blog/generic-interfaces
40•Merovius•2d ago•26 comments

A Typology of Canadianisms

https://dchp.arts.ubc.ca/how-to-use
145•gnabgib•10h ago•148 comments

Biomni: A General-Purpose Biomedical AI Agent

https://github.com/snap-stanford/Biomni
181•GavCo•13h ago•29 comments

Show HN: FlopperZiro – A DIY open-source Flipper Zero clone

https://github.com/lraton/FlopperZiro
265•iraton•15h ago•59 comments

Show HN: MCP server for searching and downloading documents from Anna's Archive

https://github.com/iosifache/annas-mcp
142•iosifache•11h ago•40 comments

The Origin of the Research University

https://asteriskmag.com/issues/10/the-origin-of-the-research-university
66•Petiver•3d ago•1 comments

The jank programming language

https://jank-lang.org/
294•akkad33•3d ago•79 comments

Code and Trust: Vibrators to Pacemakers

https://punkx.org/jackdoe/code-and-trust.html
39•jackdoe•3d ago•25 comments

Thunderbird 140 "Eclipse"

https://blog.thunderbird.net/2025/07/welcome-to-thunderbird-140-eclipse/
11•TangerineDream•2d ago•2 comments

A fast 3D collision detection algorithm

https://cairno.substack.com/p/improvements-to-the-separating-axis
223•OlympicMarmoto•18h ago•27 comments

Show HN: BreakerMachines – Modern Circuit Breaker for Rails with Async Support

https://github.com/seuros/breaker_machines
22•seuros•3d ago•6 comments

Cmdk – CD anywhere and open anything in your terminal

https://github.com/mieubrisse/cmdk
9•mieubrisse•2d ago•4 comments

I used to prefer permissive licenses and now favor copyleft

https://vitalik.eth.limo/general/2025/07/07/copyleft.html
84•bpierre•10h ago•40 comments

Evaluating the Effectiveness of Memory Safety Sanitizers

https://www.computer.org/csdl/proceedings-article/sp/2025/223600a088/21TfesaEHTy
23•signa11•2d ago•5 comments

Show HN: Petrichor – a free, open-source, offline music player for macOS

https://github.com/kushalpandya/Petrichor
103•kushalpandya•10h ago•46 comments

Solar power has begun to transform the world’s energy system

https://www.newyorker.com/news/annals-of-a-warming-planet/46-billion-years-on-the-sun-is-having-a-moment
128•dmazin•20h ago•170 comments

I made a parody of enterprise AI chatbots

https://github.com/muratcanozdemir/chatgpt-parody
3•moezd•2h ago•1 comments

German court rules Meta tracking technology violates European privacy laws

https://therecord.media/german-court-meta-tracking-tech
257•bundie•3h ago•101 comments

Configuring Split Horizon DNS with Pi-Hole and Tailscale

https://www.bentasker.co.uk/posts/blog/general/configuring-pihole-to-serve-different-records-to-different-clients.html
97•gm678•15h ago•27 comments

Bootstrapping a side project into a profitable seven-figure business

https://projectionlab.com/blog/we-reached-1m-arr-with-zero-funding
840•jonkuipers•2d ago•227 comments

Archaeologists unveil 3,500-year-old city in Peru

https://www.bbc.co.uk/news/articles/c07dmx38kyeo
149•neversaydie•3d ago•53 comments

Linda Yaccarino is leaving X

https://www.nytimes.com/2025/07/09/technology/linda-yaccarino-x-steps-down.html
445•donohoe•18h ago•728 comments

Ruby 3.4 frozen string literals: What Rails developers need to know

https://www.prateekcodes.dev/ruby-34-frozen-string-literals-rails-upgrade-guide/
224•thomas_witt•3d ago•112 comments

Xenharmlib: A music theory library that supports non-western harmonic systems

https://xenharmlib.readthedocs.io/en/latest/
175•retooth•1d ago•17 comments

The most otherworldly, mysterious forms of lightning on Earth

https://www.nationalgeographic.com/science/article/lightning-sprites-transient-luminous-events-thunderstorms
97•Anon84•3d ago•30 comments

Grok 4 Launch [video]

https://twitter.com/xai/status/1943158495588815072
141•meetpateltech•4h ago•87 comments

Show HN: I built a playground to showcase what Flux Kontext is good at

https://fluxkontextlab.com
30•Zephyrion•7h ago•5 comments
Open in hackernews

Would You Like an IDOR With That? Leaking 64m McDonald's Job Applications

https://ian.sh/mcdonalds
94•samwcurry•13h ago

Comments

bravesoul2•11h ago
It involves AI but AI wasn't the cause. It was an enumeration on object id, discovered because the author could access a test site with password 123456 and try things out.
oc1•10h ago
I have so many questions to the developers but i believe the answers will just crush my poor worker soul so let it be.
ryandrake•9h ago
I've been so lucky throughout my career to have almost entirely worked with competent and smart developers. I've always wondered what a conversation with one of these other ones is like, after a production site is found to use 123456/123456 as credentials. "Hey, Mike, we just had someone in the public notice that our admin interface could be accessed by anyone with default credentials. You're the manager on this project. How did this happen?" I would love to be a fly on the wall for that conversation, or read the postmortem. How does this kind of configuration even make it past code review, let alone staging and production?
lmz•9h ago
It's config not code - and a demo interface is a nice thing to have. The cross account read, however...
Marsymars•7h ago
”Well you see, that work was outsourced to a team where none of the implementing developers are still present, our auditors and pen testers both signed off on it, and anyway we’ve got cyber insurance to cover the fallout.”
NooneAtAll3•7h ago
> How does this kind of configuration even make it past code review

that's the secret - there is none

viraptor•7h ago
It's rarely as simple as actually exposing something as a decision. Scope changes, access rules change, multiple systems interact in interesting ways, access configuration lives in a different place than the app, etc. You're implying that it wouldn't happen with competent developers, but I guarantee it does - just wait a bit longer and let the systems grow. The Swiss cheese will get everyone given enough time.
joules77•6h ago
"We outsourced it to the 3rd world cuz it costs 20 bucks a week to hire a "certified" sysadmin there"

You want data of any Large corp in the US - fly to well known outsourcing destinations. Stand outside the gate of their "global delivery centers". Hand out cash. Get access to whatever you want.

But the main thing to understand here in 2025 is that getting access to/monetizing user data has become so normalized, that you could legally just go to McD Biz Dev (or which ever other large corp) and say - hey guys I have this algo that can add 2 bucks of revenue per user per quarter (throw in a - just look at Meta they extract 70 bucks out of their American users and atleast 12 bucks out of everyone else per quarter just using the personal data). To test my algo, I need access to your DB. Your competitor has already given me access to theirs for testing.

What is corporate robot going to do?

They will hand you the data.

TZubiri•10h ago
It certainly doesn't reflect well on AI as a BuzzWord.

Execs vetted this provider and approved it, which isn't irrelevant to the disregard for safety occuring with AI in general right now.

Additionally, are we certain the vendor didn't use AI to vibecode stuff?

Proofread0592•10h ago
I cannot believe the 123456 worked, it's literally a joke from SpaceBalls.
shrubble•10h ago
Reminds me that I need to change the combination on my luggage…
jeffbee•8h ago
In a past life, I had an investment stake in Krispy Kreme donuts. We were poking around to see if we could learn anything about the company. We watched a training video for new store managers. It told the viewer to go to some URL and enter their credentials. In the video, the example credentials were "admin" and "admin" as the password. So we tried that, and of course it worked on their live system. We immediately had access to global, live, online revenue data for every real Krispy Kreme outlet, not some training simulation.

Most people are not qualified to handle computer security, is what I learned from that.

chasil•6h ago
When I started my job in 2000, I introduced my fellow (emeretus) DBA to "ps -ef | grep sqlplus" and sprayed a pile of user accounts and passwords. I fixed the problem and learned about Oracle databases.

I checked my apps into RCS archives later that decade with passwords. Expecting to move these archives into CVS, I changed them.

Now, any code repository that I touch, I will run "git grep password" (or the [TFS] equivalent) and once again hit pay dirt.

It seems to take a certain exposure, growth, and wisdom to be mindful of these things, and many are far behind.

david2ndaccount•9h ago
> We immediately began disclosure of this issue once we realized the potential impact. Unfortunately, no disclosure contacts were publicly available and we had to resort to emailing random people. The Paradox.ai security page just says that we do not have to worry about security!

Amazing.

eth0ws•7h ago
Having a security.txt would be best, but they've updated the page to include a security email address which is a start.
jonas21•5h ago
One might even say paradoxical.
snypher•9h ago
>Without much thought, we entered “123456” as the username and “123456” as the password

I feel like there's more to this that I'd love to know the story behind...

gruez•8h ago
Maybe they ran a simple wordlist attack and wanted to launder the methods they used?
ryandrake•9h ago
> The personality test was a disturbing experience powered by Traitify.com where we were asked if phrases like “enjoys overtime” are either Me or Not Me. It was simple to guess that we should probably select Me for the pro-employer questions and Not Me for questions referencing being argumentative or aggressive, but it was still quite strange.

Offtopic from the security issue, but I wonder if they really get any value out of this "Personality test." It seems like it's just a CAPTCHA that makes sure the applicant knows when to lie correctly.

veggieroll•9h ago
For the employer, the question is self fulfilling. Either way they get what they want. Even if someone knows enough to lie, the lie betrays that they’re desperate enough to be unable to resist anything management demands.
reactordev•9h ago
While also providing evidence that you do indeed love overtime based on your answer. Ugh… the only way to win is not to play.
bee_rider•9h ago
Working in retail is 99% lying that you care about your job, so might as well start it out on the right footing.
sgerenser•7h ago
What about working as a SWE at Google? Apparently they recently implemented a personality test as an initial screener (they call it a Googleyness test).
Retric•6h ago
It doesn’t necessarily need to be beneficial for the company.

Game theoretically there’s an advantage as an employee of a successful company to artificially reduce the number of people who can be employed to raise your own relative value to the company. If Google can only select from left handed employees suddenly they need to pay higher wages and existing employees are facing less competition as new employees are selected from a smaller applicant pool and thus worse.

Probably not the actual answer, but it’s worth considering such indirect motivations.

Waterluvian•5h ago
Google is screening for compliant, fungible engineers. Especially those swayed by the need to be told they’re the best of the best. Tests like that make sense in an ugly sort of way.
misnome•1h ago
I had a manager at a part time job at _Blockbuster_ say surprised in review “You make it sound like you are only working here for the money”.

I mean, lol, yes?

msgodel•8h ago
Is it simple to guess? I always assumed if you went too hard with those answers they'd assume you were lying and reject you.

Maybe this is why I never got the mcdonalds call back last time I was layed off.

latentsea•6h ago
I too was rejected from McDonald's.
cebert•6h ago
My wife is incredibly intelligent. She has a master’s degree and is working on her doctorate (definitely smarter than me). I still laugh about how, 12 years ago, she got rejected from a summer clerk job at a grocery store because she failed the online personality test. If anything, she was wildly overqualified. That store definitely missed out.
Incipient•5h ago
Apologies for the nitpick, but being rejected for personality is (essentially) mutually exclusive from (over)qualification.
seemaze•5h ago
Pedants unite!
giingyui•59m ago
I’m surprised at your comment. I really doubt a person with a high level of intelligence is a good match for a grocery clerk job. That is one of the reasons the personality tests exist.
_moof•4h ago
Best Buy for me.
Telemakhos•5h ago
Where's the line between "lying to pass a test" and "fitting in to a community?" Is there not some element of functioning well with other people as a group that requires us to repress certain individual desires and traits for the good of achieving a common goal? Nobody actually likes working fast food, but customers feel better when employees act less surly and more complacent.
HPsquared•7h ago
Overtime can be enjoyable if you get paid overtime rates.
kevin_thibedeau•6h ago
It works as a reading comprehension test. Semi-literates giving random responses will stand out from the compliant ones who know how to play the game.
cebert•6h ago
This Traitify the product makes me immediately suspicious. It asks candidates a few brief questions with images and assigns them personality and trait scores. Surely employers can’t think tools like this are good or accurate signals, right?

Most positions at McDonalds are entry-level and minimum wage. It’s not like they’re applying to NASA.

(https://www.traitify.com/)

yieldcrv•2h ago
A very large part of the population treats “minimum wage” as “maximum wage”.

Once you understand that, many behaviors make a lot of sense.

jofer•5h ago
Similar tests have been standard for over 20 years. When I worked at McDonald's (late 90's), they didn't do the personality test, but when I applied across the street at Arby's a few years later, they did.

The one that I just got annoyed with and decided it wasn't worth switching from McD's to Arby's was "would you rather read a book or talk to a person?". I mean, I get it, they want people-focused-people, but being introverted and/or just liking books doesn't mean you can't give excellent customer service.

Sure, it's easy to guess what want most of the time, but the fact that personality tests are as widespread as they are in employment is maddening.

Many years later I worked at Chevron (upstream as an exploration geologist -- not a gas station). While they didn't do it as part of the application process, you were required to take a personality/communication style test when you started (ecolors). That's all well and good (it _is_ very useful to understand personalities for communication styles), but in a lot of roles you literally had to wear the colors on your badge. If you wanted to go into management, you essentially had to score "red over yellow". "Greens" and "blues" were considered to be limited to technical roles and were explicitly not given opportunities to advance, though it took a long time to realize that. I started out thinking "hey, this is actually practical" and then over a few years went to "oh, they're using this to decide who moves up... That's a problem". I asked folks and was told by my manager's manager that ecolors were explicitly used in advancement criteria and who got opportunities to lead projects/etc. That's around the time I left. I hear they've dialed that particular bit back a lot, but it's still very weird to me that it's considered a normal and acceptable practice.

idiotsecant•5h ago
Wow, talk about unintended consequences. I guarantee that at some early stage some non-sociopath genuinely thought that program would help people communicate. They underestimated the degree to which humans are willing to let tribalism supplant empathy.
saghm•5h ago
Maybe the goal isn't knowing when the lie as much as being willing to tolerate the bullshit they'll want to throw your way away the job. Presumably anyone not willing to say they like overtime (or unable to determine that's what the employer wants them to say) would not be compliant to demands to actually work overtime. If you don't give the answers they expect you to know you're supposed to give, they can likely rule out you as as an employee who will keep your head down and not rock the boat.
idiotsecant•5h ago
It's a personality test, just not for what it says on the tin. It's a way of determining how beaten down by the system you are. Have you been taught yet that your corporate masters expect you to cheerily tell them how much you love being fry cook drone 732-b926? It's a measure of docility - they are seeing if you have been 'broken' yet. Everyone wants the workhorse, nobody wants to break him.
sandspar•3h ago
From talking to people who invigilate these tests, you'd be surprised by how people answer. For example, someone answers Yes to "It is ok to steal from my employer."

I think these tests optimize for multiple things. Part of the test is designed to weed out people who are hostile and violent. Plus it's an IQ test with a floor of around 80, which seems reasonable. And it judges how well you can follow orders and "play the game".

McDonald's has dealt with tens of millions of job applicants. Many of these people arrive with complex challenges. There's a reason why McDonald's uses tests like these.

It might make more sense if you take the perspective of a McDonald's worker. Imagine you're a typical McDonald's employee - maybe you're a mom with two kids. Let's say you get a new coworker. Wouldn't you feel a little safer to know that they passed this test?

Titan2189•9h ago
Hats off to Paradox for remediating this within 30 hours of reporting.
RandomBacon•5h ago
Hopefully it shouldn't take longer than 30 hours to change a password.
ge96•6h ago
Funny I remember trying to get a job at McD's before and had to answer those behavioral questions kill 1 or 5
bombcar•6h ago
It’s kind of sad and yet expected that McDonald’s responds. Wyeth to security vulnerabilities than many Internet companies do.
macqm•2h ago
Paradox.ai hasn't fixed their vulnerabilities for years.

You used to be able to find full conversations with candidates indexed by Google, with PII, resumes, lots of sensitive data.

Now they add a verification step (sometimes) that still leaks the full e-mail and phone number: "We sent you a verification code to your@email.xyz and SMS to 914-555-1212".