I prefer to pass secrets between programs through standard input

https://utcc.utoronto.ca/~cks/space/blog/programming/PassingSecretsViaStdin
38•ingve•2h ago

Comments

kevin_thibedeau•1h ago
> Unfortunately you're using a browser (or client library) that my anti-crawler precautions consider suspicious because it's sending inconsistent values for Sec-CH-UA-* HTTP request headers...

The world doesn't exclusively use Chrome. Nice to see even the nerds are contributing to the closed web.

edwcross•1h ago
I'm using Firefox and didn't see that message.
swiftcoder•1h ago
Nor on Safari. I wonder what exotic browser the parent is using?
ErroneousBosh•1h ago
Doesn't appear to be Firefox, Chrome, Chromium, Edge, or Falkon on Linux, doesn't appear to be Falkon on Haiku.

I also wonder what they're using and where can I get some so I can break stuff too?

guerrilla•50m ago
> Falkon

In case anyone is wondering: https://www.falkon.org/about/

efilife•1h ago
I am on ungoogled chromium and I see this
mhitza•1h ago
Also site is not accessible via Mullvad VPN.
figmert•28m ago
I am on Mullvad (at the router), and I am able to connect.
mhitza•22m ago
Checks out, it was my preferred exit node.
Alex-Programs•27m ago
It's also moaning about me coming from a datacentre IP (proxy) with some vague complaints about load introduced by AI crawlers. I think this guy treats "protecting" his site as a hobby.
Dwedit•1h ago
I haven't actually tested this, but aren't the input and output handles exposed on /proc/? What's stopping another process from seeing everything?
trashb•1h ago
Yes, pipes are exposed at /proc/$pid/fd/$thePipeFd with user permissions [0].

Additionally, command line parameters are always readable at /proc/$YOUR_PROCESS_PID/cmdline [1]

There are workarounds but it's fragile. You may accept the risks and in that case it can work for you but I wouldn't recommend it for "general security". Seems it wouldn't be considered secure if everyone did it this way, therefore is it security through obscurity?

[0] https://unix.stackexchange.com/questions/156859/is-the-data-...

[1] https://stackoverflow.com/questions/3830823/hiding-secret-fr...

Lex-2008•1h ago
not a Linux expert, but I believe that at the very least it's time sensitive: after the consumer process reads it, it's gone from the pipe. Unlike env vars and cli arguments that stay there.
Tajnymag•1h ago
I guess the kernel is stopping that. I don't think permission wise you'd have the privileges to read someone else's stdin/out.
juancn•1h ago
I used to do that, I had a sort of IDE that launched a local server, bound to localhost.

The launching process would send a random password through stdin to the child after launch, and the child would use that to authenticate the further RPC calls.

It's surprisingly hard to intercept a process' stdin stream.
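
The launcher pattern described in the comment above, as an added example that is not part of the original thread: a parent hands a random per-launch token to a child once through argv and once through stdin, then checks what other processes can read from `/proc/<pid>/cmdline`. The child program and all function names are constructed for this example, and it assumes Linux with `/proc` mounted.

```python
import hashlib
import secrets
import subprocess
import sys

# Child program (constructed for this example). It takes the secret from argv[1]
# if present, otherwise from the first line of stdin, prints a SHA-256 of it as
# proof of receipt, then blocks until the parent closes stdin.
CHILD = r'''
import sys, hashlib
secret = sys.argv[1] if len(sys.argv) > 1 else sys.stdin.readline().rstrip("\n")
print(hashlib.sha256(secret.encode()).hexdigest(), flush=True)
sys.stdin.read()
'''

def visible_argv(pid):
    """argv of `pid` as other local processes can read it via /proc (Linux only)."""
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        return [arg.decode() for arg in f.read().split(b"\0") if arg]

def run_child(secret, via_argv):
    """Hand `secret` to the child; return (child's digest, secret visible in argv?)."""
    argv = [sys.executable, "-c", CHILD] + ([secret] if via_argv else [])
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    try:
        if not via_argv:
            proc.stdin.write(secret + "\n")
            proc.stdin.flush()
        digest = proc.stdout.readline().strip()  # child holds the secret by now
        exposed = any(secret in arg for arg in visible_argv(proc.pid))
    finally:
        proc.stdin.close()  # EOF lets the child exit
        proc.wait()
        proc.stdout.close()
    return digest, exposed

def compare_channels():
    """Deliver the same random token both ways and report what leaked into argv."""
    token = secrets.token_hex(16)  # random per-launch password
    expected = hashlib.sha256(token.encode()).hexdigest()
    argv_digest, argv_exposed = run_child(token, via_argv=True)
    stdin_digest, stdin_exposed = run_child(token, via_argv=False)
    return {"delivered": argv_digest == stdin_digest == expected,
            "argv_exposed": argv_exposed, "stdin_exposed": stdin_exposed}

if __name__ == "__main__":
    print(compare_channels())
```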

pvtmert•1h ago
Interesting approach. I like Docker/Kubernetes way of secret mounts where you can limit user/group permissions too.

Meanwhile, I was an avid user of the echo secret | ssh consume approach, specifically for the kerberos authentication.

In my workflow, I saved the kerberos password to the macOS keychain, where kinit --use-keychain authenticated me seamlessly. However this wasn't the case for remote machines.

Therefore, I have implemented a quick script that is essentially

    security find-generic-password -a "kerberos" -s "kerberos-password" -w | ssh user@host kinit user@REALM

Which served me really well for the last ~4 years.
stale-labs•1h ago
The main practical win is that cmd args show up in `ps aux` for anyone on the system to see, whereas stdin keeps it off that list.

re: the /proc concerns - true, but if someone's got same-user access to read your /proc/pid/fd, they can probably ptrace you or read process memory anyway. stdin is more about basic hygiene than stopping sophisticated attackers.

tbh for anything actually sensitive I've been leaning toward tmpfs files with strict perms, or using something like vault/age. stdin is a nice middle ground tho for quick scripts.

reliefcrew•3m ago
> The main practical win is that cmd args show up in `ps aux` for anyone on the system to see, whereas stdin keeps it off that list.

For those interested, re-mounting /proc with hidepid can prevent this: `mount -o remount,rw,hidepid=2 /proc`

blibble•48m ago
linux has a key api that works pretty well

man keyctl

azornathogron•27m ago
For one of my projects my server needs a private key, and it reads this from a file descriptor on startup and then closes the fd. The fd is set up by the systemd unit, which is also configured to restrict filesystem access for the server. So the server reads a key from a file that is never visible in its mount namespace.
computerfriend•9m ago
I do something similar with LoadCredential and it is quite amazing, especially when you want to run the application as a dynamic user.
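
One way the service side of the `LoadCredential` setup mentioned above could look, as an added example that is not code from either commenter: systemd exposes each loaded credential as a file under `$CREDENTIALS_DIRECTORY`, and the service reads it from there at startup. The `serverkey` ID, the paths in the unit fragment, the function names and the permission check are assumptions of this example.

```python
import os
import stat
import tempfile

# Unit fragment this loader assumes (the "serverkey" ID and both paths are hypothetical):
#   [Service]
#   DynamicUser=yes
#   LoadCredential=serverkey:/etc/myserver/private.key
#   ExecStart=/usr/local/bin/myserver

def load_credential(name, env=None):
    """Return the bytes of credential `name` from $CREDENTIALS_DIRECTORY."""
    env = os.environ if env is None else env
    cred_dir = env.get("CREDENTIALS_DIRECTORY")
    if not cred_dir:
        raise RuntimeError("CREDENTIALS_DIRECTORY unset: not started via LoadCredential=")
    if name in ("", ".", "..") or name != os.path.basename(name):
        raise ValueError(f"invalid credential name {name!r}")
    with open(os.path.join(cred_dir, name), "rb") as f:
        st = os.fstat(f.fileno())
        if not stat.S_ISREG(st.st_mode):
            raise ValueError("credential is not a regular file")
        # This example's own policy check (an assumption, not a systemd requirement):
        # refuse a file that group or other could read.
        if st.st_mode & 0o077:
            raise PermissionError(f"{name}: mode {stat.filemode(st.st_mode)} is too open")
        return f.read()

def outcome(name, env):
    """Loaded bytes on success, otherwise the name of the exception raised."""
    try:
        return load_credential(name, env)
    except (ValueError, RuntimeError, PermissionError) as exc:
        return type(exc).__name__

def demo_loader():
    """Exercise the loader against a constructed credentials directory."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "serverkey")
        with open(path, "wb") as f:
            f.write(b"constructed-sample-key\n")  # constructed sample, not a real key
        os.chmod(path, 0o400)
        env = {"CREDENTIALS_DIRECTORY": d}
        res = {"ok": outcome("serverkey", env),
               "traversal": outcome("../serverkey", env),
               "no_systemd": outcome("serverkey", {})}
        os.chmod(path, 0o644)
        res["too_open"] = outcome("serverkey", env)
    return res

if __name__ == "__main__":
    print(demo_loader())
```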
