Since Linux 6.9, LUKS suspend stopped wiping disk-encryption keys from memory

https://mathstodon.xyz/@iblech/116769502749142438
154•IngoBlechschmid•1h ago•62 comments

Launch HN: Manufact (YC S25) – MCP Cloud

https://manufact.com
55•pzullo•2h ago•40 comments

Android Developer Verification: Threat masquerading as protection

https://f-droid.org/2026/07/01/adv-malware.html
1328•drewfax•14h ago•547 comments

PeerTube is a free, decentralized and federated video platform

https://github.com/Chocobozzz/PeerTube
136•doener•5h ago•19 comments

How to ask for help from people who don't know you

https://pradyuprasad.com/writings/how-to-ask-for-help/
113•FigurativeVoid•3h ago•15 comments

AI can't be listed as inventor on patent applications, Japan's top court rules

https://japannews.yomiuri.co.jp/science-nature/technology/20260306-314930/
205•mushstory•3h ago•85 comments

Is One Layer Enough? A Single Transformer Layer Matches Full-Parameter RL Train

https://arxiv.org/abs/2607.01232
81•tcp_handshaker•5h ago•20 comments

German button maker searched rivers of American Midwest for valuable shells

https://www.smithsonianmag.com/smithsonian-institution/how-one-german-button-maker-searched-the-r...
68•bookofjoe•4d ago•21 comments

Show HN: Mail Memories – A desktop app to rescue photos from Gmail

https://mailmemories.com
72•ltiger•2h ago•20 comments

Show HN: QUALITY.md – open format/specification, agent skill, and CLI

https://getquality.md
7•craigsmitham•37m ago•3 comments

Show HN: CLI tool for detecting non-exact code duplication with embedding models

https://github.com/rafal-qa/slopo
32•rkochanowski•2h ago•9 comments

The Egg Bandits Made a Thousand Times the Fine They Just Paid for Price Fixing

https://www.thebignewsletter.com/p/crime-pays-the-egg-bandits-made-a
182•toomuchtodo•3h ago•55 comments

Former Microsoft dev built a 2.5KB Notepad clone

https://theguptalog.blogspot.com/2026/07/former-microsoft-dev-built-25kb-notepad.html
7•sheelagay•43m ago•1 comments

Hazel (YC W24) Is Hiring for Our Largest Government Contract

https://www.ycombinator.com/companies/hazel-2/jobs/3epPWgu-full-stack-engineer-ts-sci
1•augustschen•3h ago

Kimi K2.7 Code is generally available in GitHub Copilot

https://github.blog/changelog/2026-07-01-kimi-k2-7-is-now-available-in-github-copilot/
326•unliftedq•12h ago•135 comments

The primary purpose of code review is to find code that will be hard to maintain

https://mathstodon.xyz/@mjd/115096720350507897
213•ColinWright•5h ago•118 comments

The fall of the theorem economy

https://davidbessis.substack.com/p/the-fall-of-the-theorem-economy
186•varjag•9h ago•81 comments

Show HN: A graph paper generator that renders vector PDFs in the browser

https://freegraphpaper.net/
43•lam_hg94•3h ago•7 comments

Spain Orders Blacklist of Palantir from Public and Private Companies

https://clashreport.com/world/articles/spain-orders-blacklist-of-us-tech-giant-palantir-from-publ...
63•mgh2•2h ago•2 comments

CursorBench 3.1

https://cursor.com/evals
132•handfuloflight•11h ago•73 comments

NSA tries to weaken mlkem standardisation

https://nsa.2026.action.cr.yp.to
34•SuperSandro2000•4h ago•5 comments

Vite+ Beta

https://voidzero.dev/posts/announcing-vite-plus-beta
185•Erenay09•5h ago•105 comments

WinPE as a stateless harness for Windows driver testing and fuzzing

https://bednars.me/blog/winpe-harness
60•piotrbednarsalt•3d ago•3 comments

Comparing Fable and 10 other LLMs on refactoring a LangGraph god node

https://wtf.korridzy.com/twilight-of-the-gods/
34•Korridzy•3h ago•12 comments

Show HN: Claudoro, Pomodoro timer embedded in the Claude Code statusline

https://github.com/emson/claudoro
29•emson•1d ago•24 comments

What Breaks a Cell's Ribs Can Make It Stronger

https://www.quantamagazine.org/what-breaks-a-cells-ribs-can-make-it-stronger-20260629/
5•jnord•2d ago•0 comments

Germany’s Infineon opens major chip plant as EU seeks tech autonomy

https://www.rfi.fr/en/international-news/20260702-germany-s-infineon-opens-major-chip-plant-as-eu...
114•giuliomagnifico•4h ago•32 comments

Show HN: ZeroFS – A log-structured filesystem for S3

https://www.zerofs.net/
83•Eikon•3h ago•39 comments

24-bit/192kHz music downloads and why they make no sense

https://people.xiph.org/~xiphmont/demo/neil-young.html#toc_wd2bm
46•Kaapeine•48m ago•51 comments

Senior SWE-Bench: open-source benchmark that assesses agents as senior engineers

https://senior-swe-bench.snorkel.ai/
135•matt_d•14h ago•95 comments
Open in hackernews

Since Linux 6.9, LUKS suspend stopped wiping disk-encryption keys from memory

https://mathstodon.xyz/@iblech/116769502749142438
151•IngoBlechschmid•1h ago

Comments

bitbasher•57m ago
I don't see any other way? When you sleep (suspend to RAM), everything is stored in RAM and is encrypted but the master key is present in kernel memory (if I recall correctly).

However, if you hibernate (suspend to disk) the entire contents of RAM (including the master key) is written/encrypted to disk and the RAM is cleared.

When you wake the machine up you have to re-enter the passphrase to decrypt the master key to re-load disk contents back to memory.

IngoBlechschmid•51m ago
Yes, if you simply suspend your laptop on most stock Linux distributions, then everything including the master key is still kept in memory. But Debian pioneered the (optional) cryptsetup-suspend addon. This issues a luksSuspend command which is supposed to wipe the key from memory, and on resume asks you to resupply your passphrase.

Up to kernel 6.8, this worked as described; starting with kernel 6.9, it silently didn't.

naturalmovement•45m ago
FYI: VeraCrypt is not the de facto encryption software for Windows.
IngoBlechschmid•44m ago
Oh, which one is it?

(You don't mean BitLocker, right?)

naturalmovement•41m ago
It absolutely is and they have most of the enterprise market.
nacs•28m ago
Reminder that by using BitLocker, you're using closed-source encryption for which Microsoft will happily hand out your recovery key on request.

https://www.forbes.com/sites/thomasbrewster/2026/01/22/micro...

philipallstar•21m ago
Does that mean it's not the de facto standard on Windows?
john_strinlai•21m ago
for enterprises, where this doesn't really matter, BitLocker is great.
dijit•13m ago
if by "great" you really mean "fine".

It's still brittle, awkward and puzzlingly awful UX despite being the literal standard for the platform.

Compare it to any of the actively maintained alternatives, FileVault for macOS (which is wonderful and never sends your key to be kept somewhere else) or LUKS on Linux... heck, even VeraCrypt is actually easier to understand and more robust.

herywort•18m ago
So you would still be asked for a passphrase, even though it's already available?
IngoBlechschmid•15m ago
Exactly. Cryptsetup wouldn't know about the extra copy of the volume key in kernel memory. Which is why, dramatically, it appeared secure ("surely I wouldn't be asked to resupply the passphrase if the volume key is still in memory, right?").
dist-epoch•9m ago
Both Intel/AMD CPUs produced in the last 5 years or so support full transparent (to the OS) memory encryption. So cold boot attacks are a thing of the past if you enable this feature (it's typically disabled because it reduces RAM speed by about 0.5%).
CodesInChaos•54m ago
I don't have to re-enter my boot password after Sleep, so obviously the encryption key is still in memory.
wrs•49m ago
Obviously your distro isn’t using cryptsetup-luksSuspend.
unethical_ban•13m ago
Correct.

The point being made is: If one isn't re-entering their passphrase after suspend, how are they surprised that the encryption keys are somewhere in memory during suspend?

ksbd-pls-finish•9m ago
Because Debian users with luks-suspend have to re-enter their boot password after sleep.
weaksauce•6m ago
> The point being made is: If one isn't re-entering their passphrase after suspend, how are they surprised that the encryption keys are somewhere in memory during suspend?

If that was the case for the people using the Debian extra-secure extension that should have wiped the memory clean, then someone would have found this bug much earlier than two years. Their password was required to be re-entered even though the key was still in memory somewhere.

akerl_•6m ago
The reason this bug is unexpected is that the user is expecting to have to enter their password (because they expect the key to be wiped on suspend), and then _they are_ asked for their password. But there was a copy of the key elsewhere in kernel memory that was never cleared.
naturalmovement•52m ago
Definitely not a symptom of Linux being a hodgepodge of code thrown together from a thousand different sources and no one person could tell you how it all fits.
stackghost•42m ago
Of course it's (indirectly) a symptom of that.

What's the alternative? Proprietary closed-source operating systems owned by corps who can be compelled to insert covert backdoors?

If BSD was as popular as Linux it would have the exact same problems.

steve918•42m ago
I wonder if you think other OSes are any different?

TempleOS is the only thing that comes to mind that doesn't fit your description and it's not practically useful.

Any sufficiently large codebase is a mix of ideas and concepts implemented by different people with different priorities over a large timespan and if you can fit the entire thing in your head it's not very interesting or complex.

naturalmovement•38m ago
The *BSDs, Mac, and Windows all keep critical code in the same tree as the OS.

Something like disk encryption would be immediately visible.

So you don't have this mess of 80 different distros with 60 different versions of systemd, 20 that don't use it, a million kernel versions and it's all thrown together in a Costco-sized trash bag and we call the output "Linux".

yaris•27m ago
In my experience any software system (not just an operating system), after crossing a certain limit on complexity and age, looks exactly like a hodgepodge of code pieces thrown together, sometimes from different sources even if developed by one org. All major OSs have long crossed those limits, I believe.
johnathan101•29m ago
This is one of those regressions that's easy to miss because everything still "works." Security bugs often don't announce themselves.
IngoBlechschmid•17m ago
Right! Which is why integration tests for these kinds of features are all the more important.

It was also fun to write, and enabled git-bisecting to isolate the specific kernel refactoring which introduced this bug: https://github.com/NixOS/nixpkgs/pull/532499

deng•29m ago
> Except that, for more than two years, the encryption key remained resident in memory across suspend, leaving it there for the taking by anyone who seized the still-powered laptop.

I don't get it. Obviously, the laptop is locked when it resumes, how is that key "for the taking by anyone"? I'm not saying it is impossible to read out RAM from a locked laptop, but surely not by "anyone".

nicce•18m ago
Anyone with physical access. I think it is understandable from the phrase.

There is a common misconception about how lock screens in general work: they usually just prevent using the current hardware and software as it is to access the current OS. But the disk encryption is the main thing that prevents modification and other kinds of access to the actual data. And if the disk encryption key is lying in memory, then effectively the disk encryption is bypassed if someone can access the machine physically, assuming that there are no sufficient tampering protections in place for that machine.

deng•15m ago
> Anyone with physical access. I think it is understandable from the phrase.

Sorry, I'm probably dense, I still don't get it. You steal a laptop, you open it, the screen is locked with a password/fingerprint whatever. How do you read out the RAM from that laptop?

john_strinlai•13m ago
>How do you read out the RAM from that laptop?

the term to look up is "cold boot attack" (https://en.wikipedia.org/wiki/Cold_boot_attack).

tons of cool live demonstrations of how it works on youtube if you've got the 20-40 minutes to spare

kokada•15m ago
While it is certainly an interesting bug, I kinda feel that the title is click bait? Because this `cryptsetup luksSuspend` from what I understood is not really officially supported but an extension done in Debian, so if anything this regression only affected Debian? I am not sure if you can blame the kernel for something that is not supported or even widely tested.

I still find this impressive, and it is nice that we now have a test (NixOSTests BTW are awesome, I agree with OP) to avoid this regression from coming back. But from the title it seems to be a widespread issue, not something that affects only one Distro.

john_strinlai•11m ago
>if by "great" you really mean "fine".

No, I mean great.

Managing a fleet of 100+ laptops with BitLocker is a breeze. It's so seamless that the users don't even realize it's enabled (i.e. no UX issues, at all).

On the other hand, I am not managing 100+ laptops that use VeraCrypt. Sounds absolutely awful. I've never managed an Apple fleet, so I can't speak to that, and will take your word on it.

For personal use, I do not recommend BitLocker (or Windows, really), but for already-Windows enterprises? Absolutely.

akerl_•7m ago
Managing an Apple fleet is similarly fine, and that includes using any of the MDM tooling that also does key escrow on enterprise Filevault devices.
andrewpiroli•19m ago
Only if you store your key with Microsoft, which is not required or the default if you're using a local account which I assume most privacy sensitive people are.
naturalmovement•14m ago
So exactly like FileVault?
briHass•13m ago
Bitlocker can use keys that are local only, but the default for home editions of Windows was to use the online account to back it up.

'Happily' is also a stretch, as they really don't have a choice if served a valid court order.

If you want encryption that is safe from the US government, keys need to be stored in your head. Anything physical is subject to court orders.

IngoBlechschmid•24m ago
Okay, yes, sure. It definitely is the most-used encryption software for Windows.

But I would never trust it for a second, it being proprietary and known for issues. You likely know that, but for the benefit of others:

38C3 - Windows BitLocker: Screwed without a Screwdriver https://media.ccc.de/v/38c3-windows-bitlocker-screwed-withou... https://www.youtube.com/watch?v=5eNtT2p12cM

brainwad•13m ago
Windows for ages did not really keep all the code in one repo. There were like a dozen parallel repos for e.g. the shell, kernel, IE, etc. Also every feature was developed on team-level branches; integrating all those branches often caused unexpected bugs.
IngoBlechschmid•20m ago
Qubes OS, the Linux distribution aspiring to offer a reasonably secure operating system, pioneering an "every app runs in a virtual machine" approach in the Linux laptop/desktop space, tracks this at the following issue:

https://github.com/QubesOS/qubes-issues/issues/2890

cevn•38m ago
Bugs happen in all code. The difference is, anyone can fix stuff in open source. Closed source bugs are out of control and must be worked around. Usually by switching to OSS
dist-epoch•6m ago
"Mythos, find me a bug in LUKS. I know there is one in there".
deng•10m ago
Still, this is a pretty crazy definition of "anyone".
IngoBlechschmid•11m ago
Several options. One is you restart and boot from a live system where you are root, and then dump all memory. This is described in the paper with the witty title "Lest We Remember: Cold Boot Attacks on Encryption Keys":

https://www.usenix.org/legacy/event/sec08/tech/full_papers/h...

Other options: DMA attacks. Also you never know what the Intel Management Engine hidden in your computer is doing. It's running a version of Minix you don't have any control over, and it has full access to memory.
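
The key-recovery step that the "Lest We Remember" paper cited above describes, as an added example that is not code from the thread, from the paper's authors, or from cryptsetup: once an attacker has a raw memory image (cold boot, DMA, or a hypervisor dump), the copy of the volume key that the earlier comments say was never cleared does not need to be located by guessing where dm-crypt keeps it. The kernel's AES implementation stores the expanded round keys next to the key, and a key schedule is self-verifying: any 16-byte candidate predicts the exact 160 bytes that must follow it, so the scanner below slides over the image and keeps only offsets where that prediction holds. The S-box is generated rather than typed in, the memory image is a constructed stand-in (pseudo-random filler with one AES-128 schedule planted at a chosen offset), and the FIPS-197 test key is used only so the result can be checked; none of that comes from the page.

```python
"""Added example: scan a raw memory image for AES-128 key schedules
(the "Lest We Remember" technique). Not code from the thread, the paper
or cryptsetup; the sample image below is constructed."""

import random


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _make_sbox():
    """Generate the AES S-box from GF(2^8) arithmetic instead of a table."""
    sbox = [0] * 256
    p = q = 1
    while True:
        # p = p * 3 in GF(2^8); q = q / 3, so q always equals p^-1.
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        q = (q ^ (q << 1)) & 0xFF
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        # Affine transformation of the inverse.
        x = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4)
        sbox[p] = x ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _make_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _next_word(prev, four_back, rcon=None):
    """w[i] from w[i-1] (prev) and w[i-4] (four_back); rcon marks a round start."""
    t = list(prev)
    if rcon is not None:
        t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
        t[0] ^= rcon
    return bytes(a ^ b for a, b in zip(four_back, t))


def expand_key(key):
    """AES-128 key expansion: 16-byte key -> 176-byte schedule (11 round keys)."""
    assert len(key) == 16
    w = [bytes(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        rcon = RCON[i // 4 - 1] if i % 4 == 0 else None
        w.append(_next_word(w[i - 1], w[i - 4], rcon))
    return b"".join(w)


def find_aes128_keys(image):
    """Return [(offset, key)] for every offset whose 176 bytes form a valid
    AES-128 key schedule. Exact match only: the paper additionally corrects
    the bit flips that decaying DRAM introduces."""
    hits = []
    for off in range(0, len(image) - 176 + 1):
        cand = image[off:off + 16]
        # Cheap prefilter: predict only w[4] before paying for a full expansion.
        w4 = _next_word(cand[12:16], cand[0:4], RCON[0])
        if image[off + 16:off + 20] != w4:
            continue
        if image[off:off + 176] == expand_key(cand):
            hits.append((off, bytes(cand)))
    return hits


def constructed_image(key, offset, size=4096, seed=1):
    """Constructed sample memory image (stand-in for a real dump): seeded
    pseudo-random filler with one key schedule planted at `offset`."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    buf[offset:offset + 176] = expand_key(key)
    return bytes(buf)


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 test key
    for off, k in find_aes128_keys(constructed_image(key, offset=1337)):
        print(f"AES-128 key schedule at offset {off:#x}: key {k.hex()}")
```

Against a real dump, replace `constructed_image` with the bytes of the image file. LUKS volumes today normally use aes-xts-plain64 with a 512-bit volume key, i.e. two AES-256 keys, so the resident material is a pair of 240-byte AES-256 schedules rather than one 176-byte AES-128 schedule; the scan is the same with the AES-256 expansion substituted. The prefilter rejects almost every offset after four bytes, which is what makes scanning gigabytes of RAM practical.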

acdha•11m ago
Anyone with physical access, significant tools, and experience. The FBI has people who can pull data out of memory after freezing the RAM but the average laptop thief doesn’t so how serious this is depends significantly on your threat model. If you’re not a major criminal, bitcoin whale, or intelligence target this is almost certainly academic.
jakewins•14m ago
There are attacks that allow dumping RAM if the device is powered on though and you have physical access. Depending on config it may be very easy (just plug in a dumper over Thunderbolt on USB C and do direct memory access) or hard (freeze and swap physical RAM to an unlocked machine).. but the idea was defense-in-depth here; a well configured device should both be hard to dump RAM on and it should not give encryption keys if an attacker succeeds.