frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

Computer Scientists Figure Out How to Prove Lies

https://www.quantamagazine.org/computer-scientists-figure-out-how-to-prove-lies-20250709/
84•nsoonhui•2h ago•39 comments

Magic .env files built for sharing: Human-first, AI-friendly

https://varlock.dev/
18•mooreds•1h ago•4 comments

Optimizing a Math Expression Parser in Rust

https://rpallas.xyz/math-parser/
55•serial_dev•3h ago•24 comments

Show HN: Typeform was too expensive so I built my own forms

https://www.ikiform.com/
46•preetsuthar17•3h ago•38 comments

Kite – News App by Kagi

https://kite.kagi.com/
82•tigroferoce•4h ago•35 comments

Thunderbird 140 “Eclipse”

https://blog.thunderbird.net/2025/07/welcome-to-thunderbird-140-eclipse/
130•TangerineDream•2d ago•71 comments

At last, a use case for AI agents with sky-high ROI: Stealing crypto

https://www.theregister.com/2025/07/10/ai_agents_automatically_steal_cryptocurrency/
34•rntn•1h ago•5 comments

MCP-B: A Protocol for AI Browser Automation

https://mcp-b.ai/
256•bustodisgusto•13h ago•128 comments

Tree Borrows

https://plf.inf.ethz.ch/research/pldi25-tree-borrows.html
516•zdw•21h ago•132 comments

Radiocarbon dating reveals Rapa Nui not as isolated as previously thought

https://phys.org/news/2025-06-radiocarbon-dating-reveals-rapa-nui.html
18•wglb•2d ago•0 comments

A Typology of Canadianisms

https://dchp.arts.ubc.ca/how-to-use
175•gnabgib•14h ago•179 comments

Show HN: MCP server for searching and downloading documents from Anna's Archive

https://github.com/iosifache/annas-mcp
175•iosifache•15h ago•54 comments

Show HN: FlopperZiro – A DIY open-source Flipper Zero clone

https://github.com/lraton/FlopperZiro
299•iraton•18h ago•61 comments

Biomni: A General-Purpose Biomedical AI Agent

https://github.com/snap-stanford/Biomni
195•GavCo•17h ago•29 comments

The Origin of the Research University

https://asteriskmag.com/issues/10/the-origin-of-the-research-university
91•Petiver•3d ago•5 comments

The jank programming language

https://jank-lang.org/
339•akkad33•3d ago•93 comments

Browser extensions turn nearly 1M browsers into website-scraping bots

https://arstechnica.com/security/2025/07/browser-extensions-turn-nearly-1-million-browsers-into-website-scraping-bots/
9•chha•1h ago•4 comments

Solar power has begun to transform the world’s energy system

https://www.newyorker.com/news/annals-of-a-warming-planet/46-billion-years-on-the-sun-is-having-a-moment
194•dmazin•1d ago•303 comments

A fast 3D collision detection algorithm

https://cairno.substack.com/p/improvements-to-the-separating-axis
237•OlympicMarmoto•22h ago•27 comments

Show HN: Petrichor – a free, open-source, offline music player for macOS

https://github.com/kushalpandya/Petrichor
130•kushalpandya•14h ago•60 comments

Author of William the Conqueror's 'Medieval Big Data' Project Revealed

https://www.ox.ac.uk/news/2025-07-02-author-william-conqueror-s-medieval-big-data-project-revealed
6•zeristor•3d ago•0 comments

Show HN: BreakerMachines – Modern Circuit Breaker for Rails with Async Support

https://github.com/seuros/breaker_machines
31•seuros•4d ago•16 comments

Bootstrapping a side project into a profitable seven-figure business

https://projectionlab.com/blog/we-reached-1m-arr-with-zero-funding
861•jonkuipers•2d ago•230 comments

Grok 4 Launch [video]

https://twitter.com/xai/status/1943158495588815072
244•meetpateltech•8h ago•199 comments

Evaluating the Effectiveness of Memory Safety Sanitizers

https://www.computer.org/csdl/proceedings-article/sp/2025/223600a088/21TfesaEHTy
31•signa11•2d ago•9 comments

Archaeologists unveil 3,500-year-old city in Peru

https://www.bbc.co.uk/news/articles/c07dmx38kyeo
161•neversaydie•3d ago•60 comments

YouTube prepares crackdown on mass-produced videos as concern over AI slop grows

https://techcrunch.com/2025/07/09/youtube-prepares-crackdown-on-mass-produced-and-repetitive-videos-as-concern-over-ai-slop-grows/
10•baylearn•21m ago•0 comments

Xenharmlib: A music theory library that supports non-western harmonic systems

https://xenharmlib.readthedocs.io/en/latest/
179•retooth•1d ago•18 comments

Linda Yaccarino is leaving X

https://www.nytimes.com/2025/07/09/technology/linda-yaccarino-x-steps-down.html
474•donohoe•21h ago•827 comments

Configuring Split Horizon DNS with Pi-Hole and Tailscale

https://www.bentasker.co.uk/posts/blog/general/configuring-pihole-to-serve-different-records-to-different-clients.html
104•gm678•19h ago•29 comments
Open in hackernews

Would You Like an IDOR With That? Leaking 64m McDonald's Job Applications

https://ian.sh/mcdonalds
100•samwcurry•17h ago

Comments

bravesoul2•14h ago
It involves AI but AI wasn't the cause. It was an enumeration on object id, discovered because the author could access a test site with password 123456 and try things out.
oc1•14h ago
I have so many questions to the developers but i believe the answers will just crush my poor worker soul so let it be.
ryandrake•13h ago
I've been so lucky throughout my career to have almost entirely worked with competent and smart developers. I've always wondered what a conversation with one of these other ones is like, after a production site is found to use 123456/123456 as credentials. "Hey, Mike, we just had someone in the public notice that our admin interface could be accessed by anyone with default credentials. You're the manager on this project. How did this happen?" I would love to be a fly on the wall for that conversation, or read the postmortem. How does this kind of configuration even make it past code review, let alone staging and production?
lmz•13h ago
It's config not code - and a demo interface is a nice thing to have. The cross account read, however...
Marsymars•11h ago
”Well you see, that work was outsourced to a team where none of the implementing developers are still present, our auditors and pen testers both signed off on it, and anyway we’ve got cyber insurance to cover the fallout.”
NooneAtAll3•11h ago
> How does this kind of configuration even make it past code review

that's the secret - there is none

viraptor•10h ago
It's rarely as simple as actually exposing something as a decision. Scope changes, access rules change, multiple systems interact in interesting ways, access configuration lives in a different place than the app, etc. You're implying that it wouldn't happen with competent developers, but I guarantee it does - just wait a bit longer and let the systems grow. The Swiss cheese will get everyone given enough time.
joules77•10h ago
"We outsourced it to the 3rd world cuz it costs 20 bucks a week to hire a "certified" sysadmin there"

You want data of any Large corp in the US - fly to well known outsourcing destinations. Stand outside the gate of their "global delivery centers". Hand out cash. Get access to whatever you want.

But the main thing to understand here in 2025 is that getting access to/monetizing user data has become so normalized, that you could legally just go to McD Biz Dev (or which ever other large corp) and say - hey guys I have this algo that can add 2 bucks of revenue per user per quarter (throw in a - just look at Meta they extract 70 bucks out of their American users and atleast 12 bucks out of everyone else per quarter just using the personal data). To test my algo, I need access to your DB. Your competitor has already given me access to theirs for testing.

What is corporate robot going to do?

They will hand you the data.

TZubiri•14h ago
It certainly doesn't reflect well on AI as a BuzzWord.

Execs vetted this provider and approved it, which isn't irrelevant to the disregard for safety occuring with AI in general right now.

Additionally, are we certain the vendor didn't use AI to vibecode stuff?

Proofread0592•14h ago
I cannot believe the 123456 worked, it's literally a joke from SpaceBalls.
shrubble•14h ago
Reminds me that I need to change the combination on my luggage…
jeffbee•12h ago
In a past life, I had an investment stake in Krispy Kreme donuts. We were poking around to see if we could learn anything about the company. We watched a training video for new store managers. It told the viewer to go to some URL and enter their credentials. In the video, the example credentials were "admin" and "admin" as the password. So we tried that, and of course it worked on their live system. We immediately had access to global, live, online revenue data for every real Krispy Kreme outlet, not some training simulation.

Most people are not qualified to handle computer security, is what I learned from that.

chasil•9h ago
When I started my job in 2000, I introduced my fellow (emeretus) DBA to "ps -ef | grep sqlplus" and sprayed a pile of user accounts and passwords. I fixed the problem and learned about Oracle databases.

I checked my apps into RCS archives later that decade with passwords. Expecting to move these archives into CVS, I changed them.

Now, any code repository that I touch, I will run "git grep password" (or the [TFS] equivalent) and once again hit pay dirt.

It seems to take a certain exposure, growth, and wisdom to be mindful of these things, and many are far behind.

david2ndaccount•13h ago
> We immediately began disclosure of this issue once we realized the potential impact. Unfortunately, no disclosure contacts were publicly available and we had to resort to emailing random people. The Paradox.ai security page just says that we do not have to worry about security!

Amazing.

eth0ws•11h ago
Having a security.txt would be best, but they've updated the page to include a security email address which is a start.
jonas21•9h ago
One might even say paradoxical.
snypher•13h ago
>Without much thought, we entered “123456” as the username and “123456” as the password

I feel like there's more to this that I'd love to know the story behind...

gruez•12h ago
Maybe they ran a simple wordlist attack and wanted to launder the methods they used?
netsharc•3h ago
Perhaps it was implied that the username is numeric.
ryandrake•13h ago
> The personality test was a disturbing experience powered by Traitify.com where we were asked if phrases like “enjoys overtime” are either Me or Not Me. It was simple to guess that we should probably select Me for the pro-employer questions and Not Me for questions referencing being argumentative or aggressive, but it was still quite strange.

Offtopic from the security issue, but I wonder if they really get any value out of this "Personality test." It seems like it's just a CAPTCHA that makes sure the applicant knows when to lie correctly.

veggieroll•13h ago
For the employer, the question is self fulfilling. Either way they get what they want. Even if someone knows enough to lie, the lie betrays that they’re desperate enough to be unable to resist anything management demands.
reactordev•13h ago
While also providing evidence that you do indeed love overtime based on your answer. Ugh… the only way to win is not to play.
bee_rider•12h ago
Working in retail is 99% lying that you care about your job, so might as well start it out on the right footing.
sgerenser•10h ago
What about working as a SWE at Google? Apparently they recently implemented a personality test as an initial screener (they call it a Googleyness test).
Retric•9h ago
It doesn’t necessarily need to be beneficial for the company.

Game theoretically there’s an advantage as an employee of a successful company to artificially reduce the number of people who can be employed to raise your own relative value to the company. If Google can only select from left handed employees suddenly they need to pay higher wages and existing employees are facing less competition as new employees are selected from a smaller applicant pool and thus worse.

Probably not the actual answer, but it’s worth considering such indirect motivations.

trod1234•2h ago
That's called wrong-think.

If one were to do that, you would be imposing costs to the point where demand drops to 0, and supply in the near term would follow that to 0.

From there you have a short march to economic collapse.

Waterluvian•9h ago
Google is screening for compliant, fungible engineers. Especially those swayed by the need to be told they’re the best of the best. Tests like that make sense in an ugly sort of way.
misnome•5h ago
I had a manager at a part time job at _Blockbuster_ say surprised in review “You make it sound like you are only working here for the money”.

I mean, lol, yes?

msgodel•11h ago
Is it simple to guess? I always assumed if you went too hard with those answers they'd assume you were lying and reject you.

Maybe this is why I never got the mcdonalds call back last time I was layed off.

latentsea•10h ago
I too was rejected from McDonald's.
cebert•9h ago
My wife is incredibly intelligent. She has a master’s degree and is working on her doctorate (definitely smarter than me). I still laugh about how, 12 years ago, she got rejected from a summer clerk job at a grocery store because she failed the online personality test. If anything, she was wildly overqualified. That store definitely missed out.
Incipient•9h ago
Apologies for the nitpick, but being rejected for personality is (essentially) mutually exclusive from (over)qualification.
seemaze•8h ago
Pedants unite!
giingyui•4h ago
I’m surprised at your comment. I really doubt a person with a high level of intelligence is a good match for a grocery clerk job. That is one of the reasons the personality tests exist.
_moof•8h ago
Best Buy for me.
Telemakhos•8h ago
Where's the line between "lying to pass a test" and "fitting in to a community?" Is there not some element of functioning well with other people as a group that requires us to repress certain individual desires and traits for the good of achieving a common goal? Nobody actually likes working fast food, but customers feel better when employees act less surly and more complacent.
HPsquared•11h ago
Overtime can be enjoyable if you get paid overtime rates.
kevin_thibedeau•10h ago
It works as a reading comprehension test. Semi-literates giving random responses will stand out from the compliant ones who know how to play the game.
cebert•10h ago
This Traitify the product makes me immediately suspicious. It asks candidates a few brief questions with images and assigns them personality and trait scores. Surely employers can’t think tools like this are good or accurate signals, right?

Most positions at McDonalds are entry-level and minimum wage. It’s not like they’re applying to NASA.

(https://www.traitify.com/)

yieldcrv•6h ago
A very large part of the population treats “minimum wage” as “maximum wage”.

Once you understand that, many behaviors make a lot of sense.

jofer•9h ago
Similar tests have been standard for over 20 years. When I worked at McDonald's (late 90's), they didn't do the personality test, but when I applied across the street at Arby's a few years later, they did.

The one that I just got annoyed with and decided it wasn't worth switching from McD's to Arby's was "would you rather read a book or talk to a person?". I mean, I get it, they want people-focused-people, but being introverted and/or just liking books doesn't mean you can't give excellent customer service.

Sure, it's easy to guess what want most of the time, but the fact that personality tests are as widespread as they are in employment is maddening.

Many years later I worked at Chevron (upstream as an exploration geologist -- not a gas station). While they didn't do it as part of the application process, you were required to take a personality/communication style test when you started (ecolors). That's all well and good (it _is_ very useful to understand personalities for communication styles), but in a lot of roles you literally had to wear the colors on your badge. If you wanted to go into management, you essentially had to score "red over yellow". "Greens" and "blues" were considered to be limited to technical roles and were explicitly not given opportunities to advance, though it took a long time to realize that. I started out thinking "hey, this is actually practical" and then over a few years went to "oh, they're using this to decide who moves up... That's a problem". I asked folks and was told by my manager's manager that ecolors were explicitly used in advancement criteria and who got opportunities to lead projects/etc. That's around the time I left. I hear they've dialed that particular bit back a lot, but it's still very weird to me that it's considered a normal and acceptable practice.

idiotsecant•8h ago
Wow, talk about unintended consequences. I guarantee that at some early stage some non-sociopath genuinely thought that program would help people communicate. They underestimated the degree to which humans are willing to let tribalism supplant empathy.
pjc50•2h ago
This is a classic of "a metric becomes a target" which turns into "so the way to get ahead is to lie about the metrics". It's an inefficient way of telling people what personality they need to fake in order to get ahead.

Corporate Stakhanovism. It's funny how very large employers can end up with a culture which replicates some of the pathologies of Soviet life.

saghm•8h ago
Maybe the goal isn't knowing when the lie as much as being willing to tolerate the bullshit they'll want to throw your way away the job. Presumably anyone not willing to say they like overtime (or unable to determine that's what the employer wants them to say) would not be compliant to demands to actually work overtime. If you don't give the answers they expect you to know you're supposed to give, they can likely rule out you as as an employee who will keep your head down and not rock the boat.
idiotsecant•8h ago
It's a personality test, just not for what it says on the tin. It's a way of determining how beaten down by the system you are. Have you been taught yet that your corporate masters expect you to cheerily tell them how much you love being fry cook drone 732-b926? It's a measure of docility - they are seeing if you have been 'broken' yet. Everyone wants the workhorse, nobody wants to break him.
sandspar•6h ago
From talking to people who invigilate these tests, you'd be surprised by how people answer. For example, someone answers Yes to "It is ok to steal from my employer."

I think these tests optimize for multiple things. Part of the test is designed to weed out people who are hostile and violent. Plus it's an IQ test with a floor of around 80, which seems reasonable. And it judges how well you can follow orders and "play the game".

McDonald's has dealt with tens of millions of job applicants. Many of these people arrive with complex challenges. There's a reason why McDonald's uses tests like these.

It might make more sense if you take the perspective of a McDonald's worker. Imagine you're a typical McDonald's employee - maybe you're a mom with two kids. Let's say you get a new coworker. Wouldn't you feel a little safer to know that they passed this test?

briangriffinfan•12m ago
I get more and more exhausted every time I see the, to give a hyperbolic comparison, "The momentum generated by our economy of scale means we really have no choice but to keep the orphan-crushing machine going."

I may be an old man yelling at the clouds here, but I just wish "Maybe the fact that they're trying to be so big that problems like this become inevitable" were rhetorically explored more.

Titan2189•13h ago
Hats off to Paradox for remediating this within 30 hours of reporting.
RandomBacon•9h ago
Hopefully it shouldn't take longer than 30 hours to change a password.
ge96•10h ago
Funny I remember trying to get a job at McD's before and had to answer those behavioral questions kill 1 or 5
bombcar•9h ago
It’s kind of sad and yet expected that McDonald’s responds. Wyeth to security vulnerabilities than many Internet companies do.
macqm•6h ago
Paradox.ai hasn't fixed their vulnerabilities for years.

You used to be able to find full conversations with candidates indexed by Google, with PII, resumes, lots of sensitive data.

Now they add a verification step (sometimes) that still leaks the full e-mail and phone number: "We sent you a verification code to your@email.xyz and SMS to 914-555-1212".

trod1234•2h ago
I'm sure there are a lot of McDonald's positions out there, but doesn't 64 million job applicants seem like a bit much?

There are only 13,647 locations in the US, so that would be 4,689 applications for each store? Makes you wonder how many of those were actually hired because there may only be 30-50 people per store.

What's it say about a company when they deceptively advertise that they are hiring when they really aren't (because all the positions were filled). Bad acting stuff like this needs cost imposed.

Macha•1h ago
How many countries do McDonald's use this system in? It's a global company, and as big a market as the US is, McDonalds themselves claim they have "over 38,000 stores" so the US is less than half.

Then how often does the typical McDonald's have a vacancy? These are not good jobs that would cause low turnover, especially once you get into touristy markets where demand is very seasonal. Let's say 10 openings per store per year.

Finally when your applicant pool is basically "every college student, unqualified adult, and even some teenagers", 200-300 applications per opening seems entirely plausible. Low even, from the times I've seen the entry level hiring process close up.

Of course, the thing that confuses people with application numbers like this is they assume that there's no overlap. The same people generally apply to all the jobs in an area so the local McDonalds getting a few thousand applications a year might only be a few hundred unemployed people.

combinator_y•1h ago
On top of the shit system in place, there is no corporate control internally (5th screenshot "NGA FS" ...)