frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

fp.

Al Lowe on model trains, funny deaths and working with Disney

https://spillhistorie.no/2026/02/06/interview-with-sierra-veteran-al-lowe/
38•thelok•2h ago•3 comments

Hoot: Scheme on WebAssembly

https://www.spritely.institute/hoot/
101•AlexeyBrin•6h ago•18 comments

First Proof

https://arxiv.org/abs/2602.05192
51•samasblack•3h ago•38 comments

OpenCiv3: Open-source, cross-platform reimagining of Civilization III

https://openciv3.org/
789•klaussilveira•20h ago•243 comments

Stories from 25 Years of Software Development

https://susam.net/twenty-five-years-of-computing.html
39•vinhnx•3h ago•5 comments

Reinforcement Learning from Human Feedback

https://rlhfbook.com/
63•onurkanbkrc•5h ago•5 comments

The Waymo World Model

https://waymo.com/blog/2026/02/the-waymo-world-model-a-new-frontier-for-autonomous-driving-simula...
1040•xnx•1d ago•587 comments

Start all of your commands with a comma (2009)

https://rhodesmill.org/brandon/2009/commands-with-comma/
462•theblazehen•2d ago•165 comments

France's homegrown open source online office suite

https://github.com/suitenumerique
509•nar001•4h ago•235 comments

Vocal Guide – belt sing without killing yourself

https://jesperordrup.github.io/vocal-guide/
183•jesperordrup•10h ago•65 comments

The AI boom is causing shortages everywhere else

https://www.washingtonpost.com/technology/2026/02/07/ai-spending-economy-shortages/
63•1vuio0pswjnm7•7h ago•59 comments

Coding agents have replaced every framework I used

https://blog.alaindichiappari.dev/p/software-engineering-is-back
186•alainrk•5h ago•280 comments

Software factories and the agentic moment

https://factory.strongdm.ai/
49•mellosouls•3h ago•51 comments

A Fresh Look at IBM 3270 Information Display System

https://www.rs-online.com/designspark/a-fresh-look-at-ibm-3270-information-display-system
27•rbanffy•4d ago•5 comments

What Is Stoicism?

https://stoacentral.com/guides/what-is-stoicism
17•0xmattf•2h ago•7 comments

72M Points of Interest

https://tech.marksblogg.com/overture-places-pois.html
19•marklit•5d ago•0 comments

Unseen Footage of Atari Battlezone Arcade Cabinet Production

https://arcadeblogger.com/2026/02/02/unseen-footage-of-atari-battlezone-cabinet-production/
108•videotopia•4d ago•27 comments

Where did all the starships go?

https://www.datawrapper.de/blog/science-fiction-decline
58•speckx•4d ago•62 comments

Show HN: Look Ma, No Linux: Shell, App Installer, Vi, Cc on ESP32-S3 / BreezyBox

https://github.com/valdanylchuk/breezydemo
268•isitcontent•20h ago•34 comments

Learning from context is harder than we thought

https://hy.tencent.com/research/100025?langVersion=en
197•limoce•4d ago•107 comments

Monty: A minimal, secure Python interpreter written in Rust for use by AI

https://github.com/pydantic/monty
281•dmpetrov•21h ago•150 comments

British drivers over 70 to face eye tests every three years

https://www.bbc.com/news/articles/c205nxy0p31o
169•bookofjoe•2h ago•152 comments

Making geo joins faster with H3 indexes

https://floedb.ai/blog/how-we-made-geo-joins-400-faster-with-h3-indexes
152•matheusalmeida•2d ago•47 comments

Hackers (1995) Animated Experience

https://hackers-1995.vercel.app/
549•todsacerdoti•1d ago•266 comments

Sheldon Brown's Bicycle Technical Info

https://www.sheldonbrown.com/
422•ostacke•1d ago•110 comments

Ga68, a GNU Algol 68 Compiler

https://fosdem.org/2026/schedule/event/PEXRTN-ga68-intro/
39•matt_d•4d ago•14 comments

Show HN: I spent 4 years building a UI design tool with only the features I use

https://vecti.com
365•vecti•23h ago•167 comments

An Update on Heroku

https://www.heroku.com/blog/an-update-on-heroku/
465•lstoll•1d ago•305 comments

Show HN: If you lose your memory, how to regain access to your computer?

https://eljojo.github.io/rememory/
341•eljojo•23h ago•210 comments

What Is Ruliology?

https://writings.stephenwolfram.com/2026/01/what-is-ruliology/
66•helloplanets•4d ago•70 comments
Open in hackernews

New downgrade attack can bypass FIDO auth in Microsoft Entra ID

https://www.bleepingcomputer.com/news/security/new-downgrade-attack-can-bypass-fido-auth-in-microsoft-entra-id/
26•mikece•5mo ago

Comments

moi2388•5mo ago
Pff.. again an Entra ID security flaw? It’s incredibly how sloppy their single auth solution is..
Loudergood•5mo ago
Safari on Windows? That browser hasn't been supported since 2012...
lousken•5mo ago
What if you have conditional access policy requiring phishing resistant auth to be able to login?
parliament32•5mo ago
Then the attack won't work, because this depends on you (for some reason) having both FIDO and non-phishing-resistant MFA methods available at the same time.
parliament32•5mo ago
It's not clear who this is an attack for.. organizations that have implemented phishing-resistant MFA will already have CA policy to block any sign-ins that don't have the required authentication strength (that same "You can't get there from here" message users in unsupported browsers get). Maybe it's effective if the organization is in the middle of a rollout, where FIDO is enabled but old MFA methods haven't been disabled yet?

EDIT: This is actually called out in the article:

> The attack sequence relies on the existence of an alternative authentication method (usually MFA), besides FIDO, for the targeted user account. But luckily, this tends to be the case with FIDO implementations, as most admins prefer to maintain a practical option for account recovery.

Most orgs will have TAP for account recovery, but that's not really phishable for other reasons.

tatersolid•5mo ago
Basically all other identity providers are also vulnerable to phishers which strip out webautn calls in the payload when acting as a proxy to the real IdP.

Basically you must disable all other phishable forms of MFA fallback if you want phishing-resistant FIDO2/passkeys. Conditional access policies in Entra can do this selectively or org-wide. If you don’t do this you’re relying on “end user training and wariness” again as phishing protection.

parliament32•5mo ago
Yes, exactly. But there is little point of going through the pain and effort of rolling out phishing-resistant MFA if you're going to leave non-phishing-resistant methods available / as a fallback...
esseph•5mo ago
Hmmmmmmm

https://taptrap.click/

dvno42•5mo ago
Since this relies on simulating safari as the broswer, I wonder if a conditional access policy enforcing browser selection would help mitigate this.

While only realistic for a small number of users, I've started enforcing users of privileged tools to go through a wireguard instance before being allowed to access Azure hosted tools that rely on Entra auth. Services I publish then have a ingress whitelist of said wireguard VM.