frontpage.
newsnewestaskshowjobs

Open Source @Github

fp.

Open in hackernews

TS-2026-009: Insecure argument handling in Tailscale SSH permitted root access

https://tailscale.com/security-bulletins
42•jervant•1h ago

Comments

tptacek•1h ago
This is such a venerable and ancient class of bugs, going at least as far back as AIX 3. Glad to see they're still makin' 'em like they used to.

(If you had SSH access to a host in your Tailscale ACL, you could log in as `-i` and get a root login.)

e40•1h ago
So, giving access via tailscale but using OpenSSH is safe, right?
lugoues•1h ago
Yes, this only involves their wrapper that is managed by ACL rules.
kbumsik•59m ago
Why own numbering instead of CVE?
vngzs•53m ago
It lets organizations (Tailscale) control the timing and narrative around the disclosure more directly. Organizations sometimes avoid the bureaucracy of going through CVE Numbering Authorities by self-publishing. Often a CVE assignment follows self-disclosure, especially when there's pressure to interoperate with vuln-scanning/compliance tooling
cyberax•51m ago
> "Tailscale SSH now rejects usernames with leading dashes."

Really? That's the fix?

A proper fix is to use "--" to separate arguments.

sedatk•48m ago
Their fix just future-proofs it in case the same bug gets reintroduced.
cyberax•21m ago
This is just a dirty fix. It adds weird restrictions and masks issues.

Refactoring external invocations to use safe argument handling is a better way to fix it. Along with tests that exercise weird names.

valleyer•24m ago
A proper fix is not to shell out to a command at all; use getpwnam(3) or similar.
doublepg23•43m ago
I’m a heavy Tailscale user, so I do trust them quite a bit, but I never used the Tailscale SSH feature. I feel like OpenSSH’s security record is pretty unbeatable, not sure why I’d swap over for such a security-sensitive tool.
jdiff•33m ago
I've used it before to access my tailnet machines through a browser on a machine I can't download software on.
isatty•32m ago
Convenience for the most part but in general, I agree. I like having it as an option.
bakies•19m ago
Yeah pretty much just use tailscale as a vpn.. do one thing as they say.
dgacmu•8m ago
I used it for a bunch of remote monitor boxes to have a way of centrally managing ssh access to things that were often on- and off-line. It was simple and convenient and access was easily revocable.
modeless•35m ago
Tailscale SSH has caused me other problems in the past because it takes over port 22. I'm not a fan.

Vancouver PD website features Quick Escape button that wipes itself from history

https://vpd.ca/
117•LookAtThatBacon•2h ago•41 comments

TS-2026-009: Insecure argument handling in Tailscale SSH permitted root access

https://tailscale.com/security-bulletins
43•jervant•1h ago•18 comments

Bonsai 27B: A 27B-Class model that runs on a phone

https://prismml.com/news/bonsai-27b
453•xenova•8h ago•170 comments

Dependabot version updates introduce default package cooldown

https://github.blog/changelog/2026-07-14-dependabot-version-updates-introduce-default-package-coo...
107•woodruffw•5h ago•68 comments

The Tower Keeps Rising

https://lucumr.pocoo.org/2026/7/13/the-tower-keeps-rising/
358•cdrnsf•9h ago•170 comments

Solving 20 Erdős Problems with 20 Codex Accounts Running in Parallel

https://www.starfleetmath.com/
33•colin7snyder•2h ago•9 comments

Financing the AI boom: from cash flows to debt [pdf]

https://www.bis.org/publ/bisbull120.pdf
98•1vuio0pswjnm7•4h ago•45 comments

Cursor 0day: When Full Disclosure Becomes the Only Protection Left

https://mindgard.ai/blog/cursor-0day-when-full-disclosure-becomes-the-only-protection-left
265•Synthetic7346•8h ago•112 comments

Your 'app' could have been a webpage (so I fixed it for you)

https://danq.me/2026/07/09/your-app-could-have-been-a-webpage/
741•MrVandemar•3d ago•450 comments

LeMario: Training a JEPA World Model on Super Mario Bros

https://www.benjamin-bai.com/projects/lemario
57•kevinjosethomas•4h ago•7 comments

Mathematical texts from a Maya site in Guatemala identify an ancient astronomer

https://www.nature.com/articles/d41586-026-02170-8
49•homarp•15h ago•9 comments

How I use HTMX with Go

https://www.alexedwards.net/blog/how-i-use-htmx-with-go
126•gnabgib•6h ago•27 comments

An unusual way for your DHCP server to run out of dynamic IPs

https://utcc.utoronto.ca/~cks/space/blog/sysadmin/DHCPServerAndScreamingHost
25•speckx•4d ago•3 comments

Data centers have hiked electricity prices on the public by $23B

https://fortune.com/2026/07/14/data-centers-23-billion-electricity-bills/
65•measurablefunc•2h ago•32 comments

How to stop Claude from saying load-bearing

https://jola.dev/posts/how-to-stop-claude-from-saying-load-bearing
444•shintoist•14h ago•508 comments

Global Warming at 3 °C by 2050? What's Behind the New German Climate Warning

https://worldcrunch.com/focus/green-or-gone/global-warming-at-3c-by-2050-what-s-behind-the-new-ge...
9•tejohnso•59m ago•1 comments

Microsoft Patches a Record 570 Security Flaws

https://krebsonsecurity.com/2026/07/microsoft-patches-a-record-570-security-flaws/
37•robin_reala•5h ago•20 comments

The largest available Minecraft world, totalling 15 TB

https://2b2t.place/1million
172•_____k•3d ago•57 comments

I'm a USB-C Maximalist

https://shkspr.mobi/blog/2026/07/im-a-usb-c-maximalist/
177•speckx•11h ago•280 comments

The Estranged Worlds of J. G. Ballard

https://lareviewofbooks.org/article/jg-ballard-illuminated-man-christopher-priest-nina-allan/
41•Caiero•1d ago•7 comments

Ambient Website Background Clouds

https://github.com/paradise-runner/background-clouds
4•dividedcomet•5d ago•0 comments

The kids with phones are alright

https://heatherburns.tech/2026/07/08/the-kids-with-phones-are-alright/
137•JumpCrisscross•3d ago•95 comments

Guardian Angels: LLM Personalization for Productivity and Security

https://gwern.net/guardian-angel
59•andsoitis•13h ago•9 comments

The zero-cost fallacy: open-source software in the agentic era

https://www.thoughtworks.com/insights/blog/open-source/zero-cost-fallacy-open-source-agentic-era
111•backlit4034•4d ago•90 comments

Kontigo (YC S24) Is Hiring (Head of Security)

https://www.ycombinator.com/companies/kontigo/jobs/uNttrlv-head-of-security
1•jecastillof•9h ago

Unlocking the PSP's Dual Core Setup

https://wololo.net/2026/06/16/unlocking-the-psps-dual-core-setup/
49•msephton•4d ago•4 comments

Are we offloading too much of our thinking to AI?

https://www.artfish.ai/p/offloading-thinking-to-ai
386•yenniejun111•11h ago•389 comments

Show HN: Opening lines of famous literary works

https://www.verbaprima.com/
145•plicerin•11h ago•86 comments

Probably check on your smart appliances

https://xeiaso.net/notes/2026/check-your-smart-tv/
26•xena•4h ago•8 comments

Show HN: Juggler – an open-source GUI coding agent, by the creator of JUCE

https://github.com/juggler-ai/juggler
185•julesrms•2d ago•80 comments