Just Buy Nothing: A fake online store to combat shopping addiction

https://justbuynothing.com/
70•Improvement•1h ago•15 comments

How I code with AI on a budget/free

https://wuu73.org/blog/aiguide1.html
78•indigodaddy•3h ago•27 comments

Abusing Entra OAuth for fun and access to internal Microsoft applications

https://research.eye.security/consent-and-compromise/
85•the1bernard•4h ago•20 comments

GPTs and Feeling Left Behind

https://whynothugo.nl/journal/2025/08/06/gpts-and-feeling-left-behind/
59•Bogdanp•2h ago•35 comments

Show HN: The current sky at your approximate location, as a CSS gradient

https://sky.dlazaro.ca
554•dlazaro•12h ago•114 comments

My Lethal Trifecta talk at the Bay Area AI Security Meetup

https://simonwillison.net/2025/Aug/9/bay-area-ai/
272•vismit2000•11h ago•84 comments

Don't “let it crash”, let it heal

https://www.zachdaniel.dev/p/elixir-misconceptions-1
19•ahamez•3d ago•0 comments

A CT scanner reveals surprises inside the 386 processor's ceramic package

https://www.righto.com/2025/08/intel-386-package-ct-scan.html
169•robin_reala•8h ago•47 comments

Ch.at – a lightweight LLM chat service accessible through HTTP, SSH, DNS and API

https://ch.at/
86•ownlife•7h ago•28 comments

GPT-5: Overdue, overhyped and underwhelming. And that's not the worst of it

https://garymarcus.substack.com/p/gpt-5-overdue-overhyped-and-underwhelming
175•kgwgk•1h ago•119 comments

OpenFreeMap survived 100k requests per second

https://blog.hyperknot.com/p/openfreemap-survived-100000-requests
370•hyperknot•12h ago•74 comments

R0ML's Ratio

https://blog.glyph.im/2025/08/r0mls-ratio.html
42•zdw•13h ago•3 comments

Debian 13 "Trixie"

https://www.debian.org/News/2025/20250809
532•ducktective•7h ago•198 comments

People returned to live in Pompeii's ruins, archaeologists say

https://www.bbc.com/news/articles/c62wx23y2v1o
37•bookofjoe•2d ago•7 comments

Who got arrested in the raid on the XSS crime forum?

https://krebsonsecurity.com/2025/08/who-got-arrested-in-the-raid-on-the-xss-crime-forum/
60•todsacerdoti•3d ago•1 comments

Quickshell – building blocks for your desktop

https://quickshell.org/
248•abhinavk•4d ago•31 comments

Long-term exposure to outdoor air pollution linked to increased risk of dementia

https://www.cam.ac.uk/research/news/long-term-exposure-to-outdoor-air-pollution-linked-to-increased-risk-of-dementia
248•hhs•13h ago•78 comments

A Simple CPU on the Game of Life (2021)

https://nicholas.carlini.com/writing/2021/unlimited-register-machine-game-of-life.html
34•jxmorris12•3d ago•4 comments

Suzhou Imperial Kiln Ruins Park and Museum of Imperial Kiln Brick (2018)

https://www.theplan.it/eng/award-2018-Culture/suzhou-imperial-kiln-ruins-park-museum-of-imperial-kiln-brick-1
3•mooreds•3d ago•0 comments

How I use Tailscale

https://chameth.com/how-i-use-tailscale/
184•aquariusDue•3d ago•35 comments

An AI-first program synthesis framework built around a new programming language

https://queue.acm.org/detail.cfm?id=3746223
64•tosh•10h ago•3 comments

Consistency over Availability: How rqlite Handles the CAP theorem

https://philipotoole.com/consistency-over-availability-how-rqlite-handles-the-cap-theorem/
23•otoolep•3d ago•1 comments

Did California's fast food minimum wage reduce employment?

https://www.nber.org/papers/w34033
79•lxm•16h ago•173 comments

Stanford to continue legacy admissions and withdraw from Cal Grants

https://www.forbes.com/sites/michaeltnietzel/2025/08/08/stanford-to-continue-legacy-admissions-and-withdraw-from-cal-grants/
173•hhs•13h ago•341 comments

ESP32 Bus Pirate 0.5 – A hardware hacking tool that speaks every protocol

https://github.com/geo-tp/ESP32-Bus-Pirate
106•geo-tp•11h ago•22 comments

An engineer's perspective on hiring

https://jyn.dev/an-engineers-perspective-on-hiring
64•pabs3•16h ago•83 comments

Testing Bitchat at the music festival

https://primal.net/saunter/testing-bitchat-at-the-music-festival
75•alexcos•3d ago•40 comments

MCP overlooks hard-won lessons from distributed systems

https://julsimon.medium.com/why-mcps-disregard-for-40-years-of-rpc-best-practices-will-burn-enterprises-8ef85ce5bc9b
258•yodon•11h ago•146 comments

Isle FPGA Computer: creating a simple, open, modern computer

https://projectf.io/isle/fpga-computer.html
42•pabs3•3d ago•4 comments

Ratfactor's illustrated guide to folding fitted sheets

https://ratfactor.com/cards/fitted-sheets
136•zdw•14h ago•18 comments

Abusing Entra OAuth for fun and access to internal Microsoft applications

https://research.eye.security/consent-and-compromise/
85•the1bernard•4h ago

Comments

gjsman-1000•2h ago
Now remember these dimwits are bragging that 30% of their code is now written by AI; and have mandated Microsoft Accounts, set up OneDrive backup by default, and are providing infrastructure to OpenAI who is currently required to preserve even deleted chats. They also own LinkedIn.

This totally has no foreseeable potential consequences. It would be a real shame if some foreign hostile government with nuclear weapons managed to connect MS Account, LinkedIn Profile, and OpenAI accounts together by shared emails and phone numbers. Is it really worth starting a war for the crime of depantsing the nation?

jychang•1h ago
To be fair, I’m pretty sure the code here was written before modern AI was a thing, back when dinosaurs roamed the earth.
gjsman-1000•1h ago
Yes, but Microsoft hasn’t put together that AI making mistakes is perfect plausible deniability for intentional “mistakes.”
croes•45m ago
And they don’t use AI to at least check older code?
muststopmyths•2h ago
Move to the cloud they said. It will be more secure than your intranet they said. Only fools pay for their own Ops team they said.

I’m so old and dumb that I don’t even understand why an app for internal Microsoft use is even accessible from outside its network.

jameskilton•2h ago
The last decade has seen an increased push in what Google started calling "Zero Trust"[0] and dropping VPNs entirely. The issue being that once someone got into a VPN it was much, much harder to prevent them from accessing important data.

So everything "internal" is now also external and required to have its own layer of permissions and the like, making it much harder for, e.g. the article, to use one exploit to access another service.

[0] https://cloud.google.com/learn/what-is-zero-trust

ronbenton•2h ago
Does having a VPN/intranet preclude zero trust? It seems you could do both with the private network just being an added layer of security.
AWebOfBrown•2h ago
It doesn't, but from my perspective the thinking behind zero trust is partly to stop treating networking as a layer of security. Which makes sense to me - the larger the network grows, the harder it is to know all its entry-points and the transitive reach of those.
nicce•2h ago
I don’t see that really as an argument for this. You still should use VPN as an additional layer of security, assuming that you use some proper protocol. Then zero trust applies to internal network.
gjsman-1000•2h ago
Rule #1 of business, government, or education: Nobody, ever, ever, does what they “should.”

Even here: Hacker News “should” support 2 factor authentication, being an online forum literally owned by a VC firm with tons of cash, but they don’t.

mdaniel•7m ago
I'm firmly in the pro 2FA camp, but merely as a point of discussion: the Arc codebase is already so underwater with actual features that would benefit a forum, and if I changed my password to hunter2 right now the only thing that would happen is my account would shortly be banned when spammers start to hate-bomb or crypto-scam-bomb discussion threads. Dan would be busy, I would be sad, nothing else would happen

For accounts that actually mean something (Microsoft, Azure, banking, etc), yes, the more factors the better. For a lot of other apps, the extra security is occupying precious roadmap space[1]

1: I'm intentionally side-stepping the "but AI does everything autonomously" debate for the purpose of this discussion

mdaniel•1m ago
I am currently having this debate at $DAYJOB, having come from a zero trust implementation to one using fucking Cloudflare Warp. The cost to your "just use a VPN" approach or, if I'm understanding your point correctly, use VPN and zero trust(?!), is that VPNs were designed for on-premises software. In modern times, the number of cases where one needs to perform a fully authenticated, perfectly valid action, from a previously unknown network on previously unconfigured compute is bigger than in the "old days"

GitHub Actions are a prime example. Azure's network, their compute, but I can cryptographically prove it's my repo (and my commit) OIDC-ing into my AWS account. But configuring a Warp client on those machines is some damn nonsense

If you're going to say "self hosted runners exist," yes, so does self-hosted GitHub and yet people get out of the self-hosted game because it eats into other valuable time that could be spent on product features

glitchc•1h ago
The zero trust architecture implies (read: requires) that authentication occurs at every layer. Token reuse constitutes a replay attack that mandatory authentication is supposed to thwart. Bypass it and the system's security profile reverts back to perimeter security, with the added disadvantage of that perimeter being outside your org's control.
ocdtrekkie•12m ago
Zero trust is a good concept turned into a dumb practice. Basically people buying Google's Kool-Aid for this forgot about "defense in depth". Yeah, authenticating every connection is great, throwing a big effing moat around it too is better.

The other thing is most companies are not Google. If you're a global company with hundreds of thousands of people who need internal access, moats may be non-ideal. For a business located in one place, local-only on-premise systems which block access to any country which they don't actively do business with is leaps and bounds better.

medhir•2h ago
ohhhh the gifts multi-tenant app authorization keeps giving!

(laid off) Microsoft PM here that worked on the patch described as a result of the research from Wiz.

One correction I’d like to suggest to the article: the guidance given is to check either the “iss” or “tid” claim when authorizing multi-tenant apps.

The actual recommended guidance we provided is slightly more involved. There is a chance that when only validating the tenant, any service principal could be granted authorized access.

You should always validate the subject in addition to validating the tenant for the token being authorized. One method for this would be to validate the token using a combined key (for example, tid+oid) or perform checks on both the tenant and subject before authorizing access. More info can be found here:

https://learn.microsoft.com/en-us/entra/identity-platform/cl...
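The guidance in the comment above, as an added example that is not code from the article, from the commenter, or from Microsoft's own samples: a tenant-only check beside a check that keys authorization on the combined tenant id and object id (tid+oid). It assumes the token's signature, expiry and audience were already verified by a JWT library and that `claims` is the decoded payload; the claim names `iss`, `tid` and `oid` are Entra ID token claims, the v2.0 issuer URL format is an assumption, and every identifier value is a constructed placeholder rather than a real tenant or object id.

```python
"""Authorizing tokens presented to a multi-tenant Entra app.

Assumption: signature, exp and aud were already verified upstream, so
`claims` is a trusted, decoded JWT payload. All ids below are constructed.
"""
import re
from dataclasses import dataclass

# v2.0 issuer format, assumed: https://login.microsoftonline.com/{tid}/v2.0
ISSUER_RE = re.compile(r"^https://login\.microsoftonline\.com/([0-9a-f-]{36})/v2\.0$")


@dataclass(frozen=True)
class Principal:
    tid: str  # tenant the token was issued for
    oid: str  # object id of the user or service principal


def authorize_tenant_only(claims: dict, allowed_tenants: set[str]) -> bool:
    """The weak check: any principal in an allowed tenant gets through."""
    return claims.get("tid") in allowed_tenants


def authorize(claims: dict, allowed_principals: set[Principal]) -> tuple[bool, str]:
    """Tenant + subject check; returns (decision, reason) for logging."""
    for name in ("iss", "tid", "oid"):
        if not claims.get(name):
            return False, f"missing claim {name}"
    match = ISSUER_RE.match(claims["iss"])
    if match is None:
        return False, "unexpected issuer"
    # The issuer's tenant segment must agree with the tid claim.
    if match.group(1) != claims["tid"]:
        return False, "issuer tenant does not match tid"
    principal = Principal(claims["tid"], claims["oid"])
    if principal not in allowed_principals:
        return False, "principal not authorized"
    return True, "ok"


# Constructed placeholders, not real Entra identifiers.
TENANT_A = "11111111-1111-1111-1111-111111111111"
TENANT_B = "22222222-2222-2222-2222-222222222222"
OID_TRUSTED = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
OID_OTHER = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"

ALLOWED_TENANTS = {TENANT_A}
ALLOWED_PRINCIPALS = {Principal(TENANT_A, OID_TRUSTED)}


def issuer_for(tid: str) -> str:
    return f"https://login.microsoftonline.com/{tid}/v2.0"


# Constructed decoded payloads for four scenarios.
LEGIT = {"iss": issuer_for(TENANT_A), "tid": TENANT_A, "oid": OID_TRUSTED}
ROGUE = {"iss": issuer_for(TENANT_A), "tid": TENANT_A, "oid": OID_OTHER}     # same tenant, other principal
FOREIGN = {"iss": issuer_for(TENANT_B), "tid": TENANT_B, "oid": OID_TRUSTED}  # other tenant
MISMATCH = {"iss": issuer_for(TENANT_B), "tid": TENANT_A, "oid": OID_TRUSTED}  # iss and tid disagree


if __name__ == "__main__":
    for label, token in (("legit", LEGIT), ("rogue", ROGUE), ("foreign", FOREIGN), ("mismatch", MISMATCH)):
        print(f"{label:9s} tenant-only={authorize_tenant_only(token, ALLOWED_TENANTS)!s:5s} "
              f"tenant+subject={authorize(token, ALLOWED_PRINCIPALS)}")
```

The `ROGUE` payload is the case the comment warns about: it passes the tenant-only check because its tenant is on the allow list, and is rejected only once the object id is part of the key.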

reactordev•1h ago
Assume every token is forged. Secure by default. Even if it wastes CPU, validate each and every field. Signatures only work if verified. While you're at it, validate it against your identity database as well. Double check, triple check if you must. This is what I taught my devs.

Tenant, User, Group, Resource - validate it all before allowing it through.

Permik•55m ago
Also knowing the difference between authentication and authorization is crucial and should not be forgotten.
therein•1h ago
Did he really get no bounties out of this? The guy found a way into build boxes retail Windows is built on, potentially found the private key that would be used to generate license keys, likely could have dived in a little bit more after getting RCE on the build box to exfil the latest Windows 11 source code. He even found a way to issue rewards. They still gave him nothing?
9cb14c1ec0•37m ago
OAuth is frequently marketed as "more secure". But implementations often confuse authentication with authorization, resulting in problems like this.
koakuma-chan•26m ago
I just say auth. You decide which one I mean.