frontpage.
newsnewestaskshowjobs

Open Source @Github

fp.

How to Build a Minimal ZFS NAS Without Synology, QNAP, TrueNAS (2024)

https://neil.computer/notes/how-to-setup-minimal-zfs-nas-without-truenas/
133•4diii•3h ago•73 comments

GitLost: We Tricked GitHub's AI Agent into Leaking Private Repos

https://noma.security/blog/gitlost-how-we-tricked-githubs-ai-agent-into-leaking-private-repos/
56•ColinEberhardt•2h ago•18 comments

Tenda firmware (multiple versions) contains hidden authentication backdoor

https://kb.cert.org/vuls/id/213560
168•miniBill•7h ago•49 comments

Copy That Floppy – Cambridge guide for preserving data from fragile floppy disks

https://www.digipres.org/the-floppy-guide/
46•whiteblossom•4h ago•9 comments

GAO: DOE Is Prematurely Excluding Less Expensive Options for Nuclear Cleanup

https://www.gao.gov/products/gao-26-108193
187•Jimmc414•9h ago•87 comments

Structure and Interpretation of Computer Programs Video Lectures (1986)

https://ocw.mit.edu/courses/6-001-structure-and-interpretation-of-computer-programs-spring-2005/v...
137•gjvc•7h ago•14 comments

Canada's only watchmaking school still ticking after 80 years

https://www.cbc.ca/news/canada/montreal/canada-s-only-watchmaking-school-9.7254211
116•throw0101a•3d ago•51 comments

Chat Control 1.0 and 2.0 Explained

https://fightchatcontrol.eu/chat-control-overview
590•gasull•17h ago•207 comments

Local, CPU-Friendly, High-Quality TTS (Text-to-Speech) with Kokoro

https://ariya.io/2026/03/local-cpu-friendly-high-quality-tts-text-to-speech-with-kokoro/
381•speckx•13h ago•76 comments

GPT-5.6 Sol, along with Terra and Luna, will launch publicly this Thursday

https://twitter.com/OpenAI/status/2074704958419792299
143•jfrbfbreudh•3h ago•76 comments

Show HN: Neil the Seal Game

https://neiltheseal.app/
42•dalemhurley•2d ago•35 comments

The difference between "today's task" and "accretive work"

https://pluralistic.net/2026/07/02/canonization/
29•hn_acker•5d ago•14 comments

30papers.com – Ilya's 30 essential ML papers, in a beginner friendly format

https://30papers.com/
480•notmcrowley•15h ago•72 comments

LineageOS Statistics

https://stats.lineageos.org
54•pentagrama•6h ago•24 comments

Show HN: Davit, a Apple Containers UI

https://davit.app
281•xinit•12h ago•63 comments

Herdr: One terminal to rule them all

https://herdr.dev/
254•handfuloflight•6d ago•114 comments

Show HN: Chiptune Radio

https://chiptune-radio.alephvoid.com/
41•bootbloopers•6h ago•8 comments

Show HN: Rowboat – Open-source, local-first alternative to Claude Desktop

https://github.com/rowboatlabs/rowboat
147•segmenta•15h ago•41 comments

Automate Excel with Python: From manual grind to one-click workflow

https://nostarch.com/automate-excel-with-python
4•teleforce•3d ago•0 comments

l: A new runtime for k and q

https://lv1.sh/
134•skruger•13h ago•73 comments

Scheme Is a Hoot

https://gracefulliberty.com/notes/scheme-is-a-hoot/
63•signa11•2d ago•5 comments

We're extending access to Fable 5 on all paid plans through July 12

https://twitter.com/claudeai/status/2074548242386178258
166•minimaxir•13h ago•171 comments

IEEE Rolls Out Large Language Models Training Course

https://spectrum.ieee.org/large-language-models-ieee-course
62•JeanKage•1w ago•8 comments

Every new car sold in the European Union must include a driver monitoring camera

https://allaboutcookies.org/eu-mandatory-distracted-driver-system
572•nickslaughter02•10h ago•732 comments

Out of the Armchair

https://literaryreview.co.uk/out-of-the-armchair
5•Thevet•6d ago•0 comments

Why skilled workers come to Germany and then leave again

https://www.dw.com/en/germany-migrants-skilled-workers-integration-labor-market-bureaucracy-langu...
236•theanonymousone•20h ago•600 comments

Jim's TrueType QR Code Font

https://github.com/jimparis/qr-font
168•arantius•15h ago•22 comments

Is The Economist Always Wrong?

https://www.economist.com/interactive/finance-and-economics/2026/07/02/is-the-economist-always-wrong
120•nreece•5h ago•113 comments

Notes on Software Quality

https://anthonyhobday.com/blog/20260410
117•speckx•13h ago•50 comments

StreetComplete: Fixing OpenStreetMap, one tiny quest at a time

https://streetcomplete.app/
738•kls0e•18h ago•173 comments
Open in hackernews

GitLost: We Tricked GitHub's AI Agent into Leaking Private Repos

https://noma.security/blog/gitlost-how-we-tricked-githubs-ai-agent-into-leaking-private-repos/
52•ColinEberhardt•2h ago

Comments

sixtyj•55m ago
1. The issue is already solved.

2. Or issue is not solved yet by GitHub, and meanwhile bad actors gonna try vulnerability on repos. Due to number of repos there is non-zero probability. But as with scams almost nobody’s going to admit the leakage.

Anything else?

marak830•53m ago
Who thought having a LLM with access to private information, with public access to ask it questions, would ever be a secure process?

Look I like interacting with these tools as much as the next guy, but I'm certainly not going to trust them with access to information and then allow anyone to send them prompts.

Edit/further thoughts: So (assumable as they said this is disclosed with github's knowledge) this has been patched. But how many different word combinations will it take to find another way to have this occur?

sevenzero•47m ago
Yea agreed. LLM guardrails are either just written prompts as in "Please do not bad stuff :(" or other LLMs verifying that the first LLM didn't so some bs. Both of wich methods do not work sufficiently as time shows again and again.

Funnily enough, nobody expects quality software anymore and errors became tolerable. So thats a win (for someone like me that lost all passion for the industry).

eloisius•27m ago
Agree with your assessment of guardrails. They barely work on the best days. We need to flip the idea of “agent” on its head. The agent here is an agent of the user interfacing with GitHub. Not an agent of GitHub interfacing with the user. Prompts and guardrails cannot keep the agent loyal to the company. Stop giving these things any permissions the user doesn’t have, and recognize them for what they are: a different UI than web forms, but still the same security model.
adamddev1•4m ago
But that would mean they would have to give up on so much data for their agent. People are losing all moral scruples as they are driven on by pressure and greed to get more training data.
consp•26m ago
That last part is I think called negligence. And in some industries that becomes criminal negligence quite quickly.
sevenzero•6m ago
Most companies I ever worked for inherently operate on criminal negligence, and even when addressed, have no interest in fixing it.
gitaarik•37m ago
It must be something to do with Microsoft being the owner now of GitHub
marak830•30m ago
You know what? I had honestly forgotten about that xD. /thread
7bit•7m ago
Now that's just speculation
toomuchtodo•23m ago
My Lethal Trifecta talk at the Bay Area AI Security Meetup - https://news.ycombinator.com/item?id=44846922 - August 2025 (115 comments)

https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/

jofzar•21m ago
> Responsible Disclosure GitLost was responsibly disclosed to GitHub. Vulnerability details are shared here with their knowledge.

Why does this section not have when it was fixed or GitHub acknowledge/rejected this?

Did they not fix this?

dzikimarian•4m ago
Fix what? They setup LLM with access to private data and ability to read public comments. That's simply misconfiguration.
neya•20m ago
Large corporations like Microsoft under constant pressure from investors are slapping AI onto every single product offering just so they can claim they're an AI company now. Just like what Adobe did. So yeah, that didn't end well and probably this wouldn't either. Consumers are getting tired of these half-assed AI integrations and there will be a breaking point soon.
adamddev1•12m ago
I'm done. Moving to Forgejo. It's wonderful and everything works better.
yieldcrv•9m ago
Agreed but I think enterprise AI offerings are pretty impressive, investors and consumers aren’t really aware, employees aren’t able to trade

The revenue is there and also impressive, and supplanting consumer and seat based revenue

The market is still shedding SaaS multiples, which I think is accurate, but break out the revenue in those quarterly reports and there is a huge growth story, from real efficiencies

commentry•6m ago
Why would anyone ever trust private repos on GitHub or other cloud solutions to offer any real privacy for codebases? Of course they are going to steal your code as soon as you upload it by pushing it, LLMs just enables them to obfuscate their intentional theft and let them get away with it and profit from it.