frontpage.
newsnewestaskshowjobs

Made with ♥ by @iamnishanth

Open Source @Github

fp.

Alberta startup sells no-tech tractors for half price

https://wheelfront.com/this-alberta-startup-sells-no-tech-tractors-for-half-price/
1063•Kaibeezy•6h ago•368 comments

Apple fixes bug that cops used to extract deleted chat messages from iPhones

https://techcrunch.com/2026/04/22/apple-fixes-bug-that-cops-used-to-extract-deleted-chat-messages...
181•cdrnsf•2h ago•56 comments

We found a stable Firefox identifier linking all your private Tor identities

https://fingerprint.com/blog/firefox-tor-indexeddb-privacy-vulnerability/
282•danpinto•5h ago•77 comments

Qwen3.6-27B: Flagship-Level Coding in a 27B Dense Model

https://qwen.ai/blog?id=qwen3.6-27b
579•mfiguiere•9h ago•288 comments

Over-editing refers to a model modifying code beyond what is necessary

https://nrehiew.github.io/blog/minimal_editing/
250•pella•4h ago•135 comments

5x5 Pixel font for tiny screens

https://maurycyz.com/projects/mcufont/
330•zdw•3d ago•88 comments

Windows 9x Subsystem for Linux

https://social.hails.org/@hailey/116446826733136456
842•sohkamyung•12h ago•198 comments

The Illuminated Man: an unconventional portrait of JG Ballard

https://www.theguardian.com/books/2026/apr/20/the-illuminated-man-by-christopher-priest-and-nina-...
35•agronaut•2h ago•11 comments

Website streamed live directly from a model

https://flipbook.page/
76•sethbannon•4h ago•36 comments

The Neon King of New Orleans

https://gardenandgun.com/new-orleans-neon-king
14•renameme•1h ago•1 comments

Technical, cognitive, and intent debt

https://martinfowler.com/fragments/2026-04-02.html
157•theorchid•6h ago•30 comments

Scoring Show HN submissions for AI design patterns

https://www.adriankrebs.ch/blog/design-slop/
253•hubraumhugo•7h ago•190 comments

Our eighth generation TPUs: two chips for the agentic era

https://blog.google/innovation-and-ai/infrastructure-and-cloud/google-cloud/eighth-generation-tpu...
366•xnx•10h ago•178 comments

3.4M Solar Panels

https://tech.marksblogg.com/american-solar-farms-v2.html
265•marklit•10h ago•206 comments

The great Scouse pasty war

https://www.livpost.co.uk/the-great-scouse-pasty-war/
29•DamonHD•2d ago•6 comments

Parallel agents in Zed

https://zed.dev/blog/parallel-agents
122•ajeetdsouza•4h ago•71 comments

Books are not too expensive

https://www.millersbookreview.com/p/no-books-are-not-remotely-too-expensive
10•herbertl•2d ago•4 comments

Workspace Agents in ChatGPT

https://openai.com/index/introducing-workspace-agents-in-chatgpt/
75•mfiguiere•4h ago•27 comments

Surveillance Pricing: Exploiting Information Asymmetries

https://lpeproject.org/blog/surveillance-pricing-exploiting-information-asymmetries/
80•cainxinth•5h ago•33 comments

Ultraviolet corona discharges on treetops during storms

https://www.psu.edu/news/earth-and-mineral-sciences/story/treetops-glowing-during-storms-captured...
179•t-3•9h ago•52 comments

Bodega cats of New York

https://bodegacatsofnewyork.com
132•zdw•4d ago•52 comments

What killed the Florida orange?

https://slate.com/business/2026/04/florida-state-orange-food-houses-real-estate.html
84•danso•2d ago•79 comments

GitHub CLI now collects pseudoanonymous telemetry

https://cli.github.com/telemetry
373•ingve•10h ago•284 comments

You don't need advice from editors on rejected manuscripts

https://twitter.com/orsonscottcard/status/2046702294406680751
80•MrBuddyCasino•14h ago•52 comments

Another Day Has Come

https://daringfireball.net/2026/04/another_day_has_come
166•ndr42•1d ago•134 comments

Show HN: Broccoli, one shot coding agent on the cloud

https://github.com/besimple-oss/broccoli
42•yzhong94•6h ago•33 comments

Anonymous credentials: an illustrated primer (Part 2)

https://blog.cryptographyengineering.com/2026/04/17/anonymous-credentials-an-illustrated-primer-p...
21•kkl•2d ago•0 comments

A Vompeccc Case Study: Spotify as Pure ICR in Emacs

https://www.chiply.dev/post-vompeccc-spot
8•chiply•1d ago•3 comments

Columnar Storage Is Normalization

https://buttondown.com/jaffray/archive/columnar-storage-is-normalization/
91•ibobev•10h ago•35 comments

How does GPS work?

https://perthirtysix.com/how-the-heck-does-gps-work
211•alfanick•13h ago•48 comments
Open in hackernews

Apple fixes bug that cops used to extract deleted chat messages from iPhones

https://techcrunch.com/2026/04/22/apple-fixes-bug-that-cops-used-to-extract-deleted-chat-messages-from-iphones/
174•cdrnsf•2h ago

Comments

unethical_ban•1h ago
I wonder if the same flaw exists on Android/GrapheneOS.
nxobject•1h ago
Note that Signal offers the option to use generic “You’ve received messages” notifications - it’s good practice in general.
sunnybeetroot•1h ago
So does every app, go to iOS settings > notifications shows previews > never.
elashri•1h ago
I wish it can be disabled for particular apps and not an all or nothing situation.
Barbing•1h ago
Can be!

Settings > Apps > choose an app > Lock Screen Appearance: Show Previews - Never

bradyd•1h ago
That setting is available for each individual app.
Barbing•1h ago
Is setting it from Signal directly more trustworthy?

Or maybe it’s impossible for iOS to store the preview content if it never showed in the first place, but not sure if it’s even documented.

rvnx•1h ago
Most likely changes the preview on the client-side, but the message is still full on the server-side
modeless•1h ago
Oh, I was originally confused about this because I had thought the push notifications were end-to-end encrypted, so they couldn't be cached in readable form by the push notification service, and only decrypted by the app on device upon receiving the notification. But it seems like after the notification was decrypted by the app and shown to the user using OS APIs, the notification text was was then stored by the OS in some kind of notification history DB locally on the device?
pixel_popping•1h ago
In privacy circles, this was always known, as Google/Apple often sends notification content to their servers (which means that it bypass the App realm).

Some people talking about it (different but in the same scope of issue): https://blog.davidlibeau.fr/push-notifications-are-a-privacy...

6thbit•1h ago
in the case reported the content did not leave the device. feds retreived them directly from the phone.
massel•1h ago
I expect that Signal encrypts the notification data prior to sending it to Apple, then decrypts it on-device using a Notification Service Extension – this is a common pattern to avoid trusting Apple with any sensitive data.

That would mean Apple stored the cleartext on-device after decryption.

eggnet•58m ago
Signal doesn’t provide anything in the message other than… “there are pending messages.” Signal wakes up, fetches them, then generates notifications on the phone itself.
rvnx•1h ago
+ Messengers like Snapchat and WhatsApp;

despite "end-to-end" encryption (for WhatsApp) they are sending copy of some messages based on keywords to authorities, PRISM-like.

Officially to protect kids, but who knows what is in this keywords list.

itopaloglu83•1h ago
Thankfully Apple backported the fix the iOS 18 as well.
ilikepi•1h ago
Not only that, but iOS 18.7.8 actually seems to be available to devices capable of running iOS 26 without any workarounds, unlike 18.7.3 through .6. It makes me wonder if those intermediate releases really were supposed to be available but weren't due to some issue on the distribution side that no one bothered to fix.
itopaloglu83•1h ago
I think that was another attempt by Apple to push users to iOS 26, but after seeing how many people with compatible devices refuse to upgrade, they finally caved in and provided an update.
lynndotpy•27m ago
They caved, but they're still pulling out new tactics to trick users into installing iOS 26.

The new iOS 18 update will _also_ toggle Automatic Updates back on. I had it happen just now on my 13 Mini against my will. I had to go back into settings and very carefully navigate to disable automatic updates.

layer8•37m ago
There seems to have been a change of mind, maybe also due to the severity of the exploits. The non-availability of security updates for models that are upgradable to a newer major version has been Apple's practice for many years now.

The way major upgrades are presented in the Settings UI makes it clear that users installing these security updates while not upgrading to a newer major version do so very intentionally. So Apple is now supporting these users deliberately.

lynndotpy•28m ago
Very serious vulns were being exploited in the wild, I think that's what forced their hand. I don't think Apple ever had a discrepancy like the one with iOS 18.7.3 through .6 being held back.

For those on iOS 18, beware that the update to iOS 18.7.8 will toggle Automatic Updates back on. Make sure to switch it back off so you don't wake up to a nasty surprise when iOS 26 is non-consensually forced onto your iPhone.

maerF0x0•1h ago
Cat and Mouse, good. This is the adversarial setup that results in a better outcome for all.
dlcarrier•1h ago
This was a bug that left it cached on the device. Apple and Google have put themselves in the middle of most notifications, causing the contents to pass through their servers, which means that they are subject to all the standard warrantless wiretapping directly from governments, as well as third-party attacks on the infrastructure in place to support that monitoring.

If you don't want end-to-end messages made available to others, set your notifications to only show that you have a message, not what it contains or who its from.

gruez•1h ago
> Apple and Google have put themselves in the middle of most notifications, causing the contents to pass through their servers, which means that they are subject to all the standard warrantless wiretapping directly from governments, as well as third-party attacks on the infrastructure in place to support that monitoring.

>If you don't want end-to-end messages made available to others, set your notifications to only show that you have a message, not what it contains or who its from.

This incorrect on two counts:

1. As per what you wrote immediately before the quoted text, the issue was that the OS keeps track of notifications locally. Google/Apple's notification servers have nothing to do with this

2. It's entirely possible to still have end-to-end messaging even if you're forced to send notifications through Google/Apple's servers, by encrypting data in the notification, or not including message data at all. Indeed that's what signal does. Apple or Google's never sees your message in cleartext.

mdavidn•1h ago
You are correct, but you omitted one complication: Clients trust Google's and Apple's servers to faithfully exchange the participants' public keys.
pcl•59m ago
Apps (such as Signal) that care about end-to-end encryption do their own key management. So, Apple / Google servers only ever see ciphertext, and don't have access to the key material that's used for the encryption.
toast0•19m ago
Afaik, e2e messengers don't include ciphertext with push notifications. It's an empty push to wake the client. Then the client contacts the origin to fetch the ciphertext.
ls612•54m ago
Isn’t that what Contact Key Verification solves? Or do I misunderstand how that works?
soamv•52m ago
Which clients?
qurren•48m ago
... and hold participants' private keys truly private, which you cannot verify without a rooted phone.
xmx98•46m ago
Sending public keys through the notification system is an unnecessary complication.
asdfman123•1h ago
Seems like you should use an app like Signal for anything sensitive at all so you don't have to worry about megacorp ecosystems as much.
ryanisnan•1h ago
This is also an oversimplification. If I understand the issue correctly, the notification with the message contents was what was cashed locally and then accessed. This same vulnerability would exist with Signal if you had the notifications configured to display the full message contents. In this case, it has nothing to do with either Apple or Signal.
mingus88•1h ago
Nope, Signal messages were stored in the phones notification DB even after the app was deleted

https://www.404media.co/fbi-extracts-suspects-deleted-signal...

jdwithit•55m ago
As mingus88 said, this story is literally in response to Apple leaking messages sent through Signal. Doesn't matter if the message is securely transmitted if the operating system then keeps it lying around in plain text in a cache.

From the linked article:

> The independent news outlet reported that the FBI had been able to extract deleted Signal messages from someone’s iPhone using forensic tools, due to the fact that the content of the messages had been displayed in a notification and then stored inside a phone’s database — even after the messages were deleted inside Signal.

stavros•34m ago
You can easily configure Signal not to show the message contents if you want, though.
jim33442•26m ago
The original comment mentions this but gives the wrong reasoning. The APNs are encrypted either way, but this setting prevents Signal from decrypting them client-side and letting the notification cache store it. Yeah this is more secure because it means not trusting Apple to do their job right with local storage, but it's also kind of a reasonable thing to trust.
asteroidburger•1h ago
Both Apple and Google offer the ability for your app to intercept and modify messages before being displayed. Use that to send encrypted messages and decrypt them there, using your own code on the user’s device.
ls612•51m ago
In fact this is what both iMessage and Signal (and maybe Whatsapp too but I can’t tell from a quick google) do.
Zak•17m ago
That framing Makes it sound like the app developer has to do something active to keep message cleartext out of notifications. That's not how it is on Android.

A Firebase Cloud Messaging push notification contains what the app developer's server puts in it. That could include the message body or it could just be an instruction to the app to poll the server for new messages. It has nothing to do with the notification that's displayd on an Android device. Those are entirely local.

An app that cares about privacy wouldn't send anything more than a poll instruction over FCM.

xmx98•36m ago
You are right in that it is Google’s and Apple’s OS notification api, and we do give them the plaintext messages.
6thbit•1h ago
The "bug" discussed in the article is only part of the problem.

The main problem, which is notifications text is stored on a DB in the phone outside of signal, is not addressed. To avoid that you have to change your settings.

In this case, the defendant had deleted the signal app completely, and that likely internally marks those app's notifications for deletion from the DB, so the bug fixed here is that they were not removing notifications from the local database when the app that generated them was removed, now they do.

  Impact: Notifications marked for deletion could be unexpectedly retained on the device
  Description: A logging issue was addressed with improved data redaction.
  CVE-2026-28950
They classify this as "loggging issue" so it sounds like notifications were not actually in the database itself but ended up in some log.
concinds•51m ago
You're speculating. "Marked for deletion" could mean after you dismiss it, not just after you delete the whole app.
twoodfin•42m ago
SQLite WAL?
tcfhgj•1h ago
bug or backdoor?
6thbit•51m ago
"Never attribute to malice that which is adequately explained by stupidity."
varun_ch•51m ago
This makes me wonder: Cellebrite makes tools for law enforcement to break into iPhones, likely exploiting weaknesses/vulnerabilities. Does Apple buy Cellebrite’s tools and reverse engineer them? Or would they not have a way of acquiring them legally?
bilbo0s•35m ago
I bet Apple has access to Mythos now.

Not saying they should use it to reverse engineer hacking tools.

Just saying they have access to Mythos now.

lynndotpy•30m ago
Heads up. They have released an iOS 18 update (good!) but, and please bear the caps:

UPDATING IOS WILL ENABLE AUTOMATIC UPDATES TO IOS 26.

(Bad!) This is a new shady tactic they're using trying to get iOS 18 users to install iOS 26.

xmx98•27m ago
Thanks for the warning!
layer8•27m ago
This was already the case for 18.7.7. However, after turning automatic updates off in 18.7.7, after updating to 18.7.8 it remained off (reproducibly on several devices I updated). Maybe there is a one-time flag that is set so that after turning off automatic updates after having been turned on automatically, they aren't automatically turned on again on subsequent updates.
jim33442•23m ago
Avoid iOS 26 at all costs. I was forced to update to it because I needed to factory reset my phone, and it's super buggy. I'm not even one of those people harping on the Liquid Glass design decisions, those are w/e, the problem is just that the phone routinely freaks out doing basic tasks like trying to open the camera app or close the keyboard. They should roll it back.
skrtskrt•29m ago
It's not new that push notifications should be presumed to be insecure, with their content passing through - and probably persisted - outside the app sandbox and anything in control of in-app encryption.

Apple should have fixed this long ago (not that you can trust a closed system), but Signal should also have strong guardrails & warnings around allowing message content in push notifications.

cubefox•27m ago
It is completely unclear from this article whether this means Apple does no longer cache dismissed notifications somewhere.
ashishb•4m ago
This has nothing to do with Apple/Firebase notification service.

It has to do with the fact that any notification displayed on your device goes via a separate system service which was caching them.

It is amusing to see how often people confuse device notifications with Apple notification service.