
Gemini 3 Flash: Frontier intelligence built for speed

https://blog.google/products/gemini/gemini-3-flash/
707•meetpateltech•7h ago•361 comments

Coursera to combine with Udemy

https://investor.coursera.com/news/news-details/2025/Coursera-to-Combine-with-Udemy-to-Empower-th...
397•throwaway019254•11h ago•227 comments

Inside PostHog: SSRF, ClickHouse SQL Escape and Default Postgres Creds to RCE

https://mdisec.com/inside-posthog-how-ssrf-a-clickhouse-sql-escaping-0day-and-default-postgresql-...
61•arwt•3h ago•15 comments

I got hacked: My Hetzner server started mining Monero

https://blog.jakesaunders.dev/my-server-started-mining-monero-this-morning/
145•jakelsaunders94•3h ago•134 comments

OBS Studio Gets a New Renderer

https://obsproject.com/blog/obs-studio-gets-a-new-renderer
48•aizk•3h ago•13 comments

Developers can now submit apps to ChatGPT

https://openai.com/index/developers-can-now-submit-apps-to-chatgpt/
41•tananaev•1h ago•35 comments

AWS CEO says replacing junior devs with AI is 'one of the dumbest ideas'

https://www.finalroundai.com/blog/aws-ceo-ai-cannot-replace-junior-developers
695•birdculture•7h ago•393 comments

Show HN: High-Performance Wavelet Matrix for Python, Implemented in Rust

https://pypi.org/project/wavelet-matrix/
52•math-hiyoko•4h ago•0 comments

Cloudflare Radar 2025 Year in Review

https://radar.cloudflare.com/year-in-review/2025
37•ksec•2h ago•13 comments

A Safer Container Ecosystem with Docker: Free Docker Hardened Images

https://www.docker.com/blog/docker-hardened-images-for-every-developer/
263•anttiharju•7h ago•55 comments

Tell HN: HN was down

448•uyzstvqs•7h ago•269 comments

Fast Sequence Iteration in Common Lisp

https://world-playground-deceit.net/blog/2025/12/fast-sequence-iteration-in-common-lisp.html
24•BoingBoomTschak•4d ago•4 comments

How SQLite is tested

https://sqlite.org/testing.html
210•whatisabcdefgh•6h ago•51 comments

Zmij: Faster floating point double-to-string conversion

https://vitaut.net/posts/2025/faster-dtoa/
81•fanf2•3d ago•8 comments

The Number That Turned Sideways

https://zuriby.github.io/math.github.io/the-number-that-turned-sideways.html
8•tzury•4d ago•3 comments

Launch HN: Kenobi (YC W22) – Personalize your website for every visitor

26•sarreph•7h ago•48 comments

Venezuela's Navy Begins Escorting Ships as U.S. Threatens Blockade

https://www.nytimes.com/live/2025/12/17/us/trump-news
30•belter•1h ago•4 comments

Speed matters: Why working quickly is more important than it seems

https://jsomers.net/blog/speed-matters
23•bschne•2d ago•12 comments

Pornhub extorted after hackers steal Premium member activity data

https://www.bleepingcomputer.com/news/security/pornhub-extorted-after-hackers-steal-premium-membe...
78•coloneltcb•4h ago•26 comments

Flick (YC F25) Is Hiring Founding Engineer to Build Figma for AI Filmmaking

https://www.ycombinator.com/companies/flick/jobs/Tdu6FH6-founding-frontend-engineer
1•rayruiwang•7h ago

VRChat: “There are more Japanese creators than all other countries combined”

https://twitter.com/chyadosensei/status/2001356290531156159
65•numpad0•3h ago•39 comments

I couldn't find a logging library that worked for my library, so I made one

https://hackers.pub/@hongminhee/2025/logtape-fedify-case-study
24•todsacerdoti•5d ago•30 comments

Show HN: GitForms – Zero-cost contact forms using GitHub Issues as database

https://gitforms-landing.vercel.app/
15•lgreco•5h ago•6 comments

No AI* Here – A Response to Mozilla's Next Chapter

https://www.waterfox.com/blog/no-ai-here-response-to-mozilla/
523•MrAlex94•1d ago•292 comments

The State of AI Coding Report 2025

https://www.greptile.com/state-of-ai-coding-2025
68•dakshgupta•7h ago•72 comments

Learning Fortran (2024)

https://uncenter.dev/posts/learning-fortran/
54•lioeters•10h ago•47 comments

I created a publishing system for step-by-step coding guides in Typst

https://press.knowledge.dev/p/new-150-pages-rust-guide-create-a
27•deniskolodin•4d ago•7 comments

AI Isn't Just Spying on You. It's Tricking You into Spending More

https://newrepublic.com/article/204525/artificial-intelligence-consumers-data-dynamic-pricing
69•c420•3h ago•42 comments

Thin desires are eating life

https://www.joanwestenberg.com/thin-desires-are-eating-your-life/
743•mitchbob•1d ago•242 comments

Is Mozilla trying hard to kill itself?

https://infosec.press/brunomiguel/is-mozilla-trying-hard-to-kill-itself
802•pabs3•14h ago•719 comments

Inside PostHog: SSRF, ClickHouse SQL Escape and Default Postgres Creds to RCE

https://mdisec.com/inside-posthog-how-ssrf-a-clickhouse-sql-escaping-0day-and-default-postgresql-credentials-formed-an-rce-chain-zdi-25-099-zdi-25-097-zdi-25-096/
61•arwt•3h ago

Comments

taw_1265•2h ago
PostHog does a lot of vibe coding, I wonder how many other issues they have.
Nextgrid•2h ago
Not that I’m disproving it but do you have a source? Companies say all kinds of things for hype and to attract investors, but it doesn’t necessarily make it true.
matmuls•2h ago
Looking at their commits, there are about 300+ commits tagged with the "Generated with https://claude.com/claude-code" attribution.
dewey•2h ago
Just because AI tools are involved doesn't mean it's "Vibe coding".
hsbauauvhabzb•1h ago
It sure is a pretty good indicator, and if you underestimate human laziness you’re gonna have a bad time regardless.
jwpapi•26m ago
Also looking at how much they’ve released and how fast and how they blog like they own the world (or design the website)

I used to look up to Posthog as I thought, wow this is a really good startup. They’re achieving a lot fast actually.

But turns out a lot was sloppy. I don't trust them anymore and would opt for another platform now.

thenaturalist•2h ago
Wow, chapeau to the author.

What an elegant, interesting read.

What I don't quite understand: Why is the Clickhouse bug not given more scrutiny?

Like that escape bug was what made the RCE possible and certainly a core DB company like ClickHouse should be held accountable for such an oversight?

matmuls•2h ago
SSRF was the entry point, and ClickHouse is supposed to be an internal-only service; one could reach it only with that SSRF, hence less "scrutiny". The 0day by itself wouldn't be useful unless an attacker can reach ClickHouse, which they usually can't.
thenaturalist•1h ago
But if they do, prohibiting SQL injection, a critical last mile vulnerability, seems trivial?
nightpool•1h ago
The author already had basically full ClickHouse querying abilities, and ClickHouse lets you run arbitrary SQL on Postgres. The fact that the author used a read-only command to execute it wasn't the author bypassing a security boundary (anyone with access to the ClickHouse DB also had access to the Postgres DB); it was just a gadget that made the SSRF more convenient. They could have escalated it into a different internal HTTP API instead.
ch2026•21m ago
Sure, it's a bug they can fix. But it's more the setup itself that's the issue. For example, ClickHouse's HTTP interface would normally require user/pass auth and not have access to all privileges. ClickHouse has a table engine that maps to local processes too (e.g. select from a Python process you pipe stdin into).

No need for postgres if you have a fully authenticated user.

lkt•2h ago
Out of interest, how much does ZDI pay for a bug like this?
anothercat•1h ago
Does this require authenticated access to the PostHog API to kick off? In that case I feel ClickHouse and PostHog both have their share of the blame here.
nightpool•1h ago
It looks like the entire class of bugs here is "if you have access to PostHog's admin dashboard, you can configure webhook URLs that hit PostHog's internal services". That's not particularly surprising for a self-hosted system like the author's, but I expect it would be pretty bad if you were using their cloud-hosted product.
piccirello•12m ago
I work on security at PostHog. We resolved these SSRF findings back in October 2024 when this report was responsibly disclosed to us. I'm currently gathering the relevant PRs so that we can share them here. We're also working on some architectural improvements around egress, namely using smokescreen, to better protect against this class of issue.
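The thread turns on one point: an admin-configurable webhook URL was allowed to reach services that should only be reachable from inside the deployment. Below is an added example, not code from PostHog or from the linked write-up, of the destination check a defender puts in front of such outbound requests before the URL is stored or fetched. The hostnames, addresses and the stub resolver are constructed so the block runs offline; in a real service the resolver is DNS.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS: hostname -> list of addresses it resolves to.
# "hooks.example.com" is given a public address; the others stand for the
# kind of internal, link-local and mixed answers an SSRF check must reject.
FAKE_DNS = {
    "hooks.example.com": ["8.8.8.8"],
    "clickhouse.internal": ["10.0.0.5"],
    "link-local.internal": ["169.254.10.10"],
    "dual.example.com": ["8.8.4.4", "10.0.0.9"],
}


def stub_resolve(host):
    """Return every address a host resolves to (empty list if unknown)."""
    return FAKE_DNS.get(host, [])


def is_public_address(addr):
    """True only for globally routable unicast addresses.

    ipaddress.is_global already excludes RFC 1918, loopback, link-local,
    CGNAT and the documentation/reserved ranges; multicast is excluded
    separately because is_global does not cover it.
    """
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast


def check_webhook_url(url, resolve=stub_resolve):
    """Decide whether a user-supplied webhook URL may be fetched.

    Returns (ok, reason). Every address the host resolves to must be
    public: a host with one public and one private answer is rejected,
    since the client may pick either.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL are not allowed"

    # A literal IP (v4 or v6, including "[::1]") is checked directly,
    # with no DNS lookup; a hostname goes through the resolver.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolve(host)
        if not addrs:
            return False, "host does not resolve"

    for addr in addrs:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in [
        "https://hooks.example.com/notify",
        "http://clickhouse.internal:8123/?query=SELECT+1",
        "http://dual.example.com/",
        "http://[::1]:8123/",
        "file:///etc/passwd",
    ]:
        print(candidate, "->", check_webhook_url(candidate))
```

Two caveats a practitioner should keep in mind. First, a check at save time does not bind the request at fetch time: if DNS answers differently later (rebinding), or the first hop redirects to an internal address, the request still lands inside. The usual fixes are to resolve once, connect to that exact address and re-run the check on every redirect hop, or to route all webhook egress through a proxy that enforces the same policy at connect time, which is what the smokescreen approach mentioned above does. Second, the allow-list should be the network policy, not the only control: the internal services themselves (the ClickHouse HTTP interface, Postgres) still need authentication and least-privilege accounts, so that a reachable service is not automatically a compromised one.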