Hacker News with Generative AI: Security

Sign in to Have I Been Pwned (But Not Login, Log in or Log On) (troyhunt.com)
How do seemingly little things manage to consume so much time?! We had a suggestion this week that instead of being able to login to the new HIBP website, you should instead be able to log in. This initially confused me because I've been used to logging on to things for decades:

Security, User Experience, Web Design

5 points by dmarto 13 hours ago | 1 comments

Hello users of Anubis (for fighting malicious bots), I created an alternative (github.com/Zirias)
The pow credentials checker is a special case: It provides a guest login with fixed username and password, but for using it, it requires the client's browser to solve a cryptographic puzzle.

Security, Software, Cryptography

4 points by Zirias 19 hours ago | 1 comments

The Policy Puppetry Attack: Novel bypass for major LLMs (hiddenlayer.com)
Researchers at HiddenLayer have developed the first, post-instruction hierarchy, universal, and transferable prompt injection technique that successfully bypasses instruction hierarchy and safety guardrails across all major frontier AI models.

Generative AI, Security, AI Safety

272 points by jacobr1 20 hours ago | 208 comments

Hegseth had an unsecured internet line set up in his office to connect to Signal (apnews.com)
Russian strike on Kyiv kills at least 12 in biggest attack on Ukrainian capital since last summer

Security, Cybercrime, Russia-Ukraine Conflict

150 points by doener 22 hours ago | 153 comments

New Linux Rootkit (schneier.com)
The company has released a working rootkit called “Curing” that uses io_uring, a feature built into the Linux kernel, to stealthily perform malicious activities without being caught by many of the detection solutions currently on the market.

Security, Linux, Rootkits

10 points by watermelon0 1 day ago | 1 comments

Commit signing in 2023 is kinda wack (lobi.to)
I’ve been taking a look at authorisation processes for version control systems at work and had three colleagues independently ask about scope for git commit signing, but they were surprised to discover I’d been soured toward traditional approaches for git commit signing and generally advise shying away from signing due to complexity.

Version Control, Git, Security

25 points by codeAligned 1 day ago | 28 comments

Binary Ninja 5.0 – Gallifrey released (binary.ninja)
Not enough time to reverse engineer everything you want? The Time Lords are here to help in Binary Ninja 5.0 Gallifrey! With major features across the board from huge analysis improvements, fantastic iOS support, many new firmware-specific features, and more, this major version has something for everyone.

Software, Security, Reverse Engineering, Mobile Development

3 points by notactuallyben 1 day ago | 0 comments

Chaos at The Pentagon Threatens Hegseth's Tenure (foreignpolicy.com)
Chaos has been swirling around Defense Secretary Pete Hegseth. He’s at the center of the escalating Signalgate scandal, his inner circle at the Pentagon recently imploded, and there’s growing speculation that he could soon be out of a job.

Politics, Government, Military, Security, Scandal

13 points by petethomas 1 day ago | 1 comments

Hegseth had unsecure internet line in his office for Signal (apnews.com)
Russian strike on Kyiv kills at least 12 in biggest attack on Ukrainian capital since last summer

Security, Politics, Ukraine, Russia

19 points by zelon88 1 day ago | 3 comments

Free Course on Security Headers, for Developers (semgrep.dev)
Learn about security headers from Scott Helme and Tanya Janca, two enthusiastic web security experts, who will sing the praises of these helpful browser protections!

Security, Web Development, Courses, Web Security

9 points by shehackspurple 2 days ago | 3 comments

An Employee Surveillance Company Leaked over 21M Screenshots Online (gizmodo.com)
With the refinement of digital tools, companies are subjecting their employees to increasing levels of surveillance — and increasing risks. Now, the security of thousands of employees and their parents companies is at risk after real-time images of their computers were leaked by an employee surveillance app.

Privacy, Security, Employee Surveillance, Data Leaks

8 points by rntn 2 days ago | 0 comments

io_uring based rootkit can bypass syscall-focused Linux security tools (armosec.io)
ARMO researchers reveal a major blind spot in Linux runtime security tools caused by the io_uring interface—an asynchronous I/O mechanism that bypasses traditional system calls.

Security, Linux, Operating Systems, Rootkits, System Calls

36 points by hexhu 2 days ago | 13 comments

SAML's signature problem: It's not you, it's XML (workos.com)
SAML's signature problem: It’s not you, it’s XML

Security, Identity Management, XML

7 points by rdegges 2 days ago | 1 comments

How I made $64k from deleted files – a bug bounty story (medium.com)
I built an automation that cloned and scanned tens of thousands of public GitHub repos for leaked secrets. For each repository I restored deleted files, found dangling blobs and unpacked .pack files to search in them for exposed API keys, tokens, and credentials. Ended up reporting a bunch of leaks and pulled in around $64k from bug bounties 🔥.

Bug Bounties, Security, GitHub, Automation, Data Recovery

35 points by giuliomagnifico 2 days ago | 1 comments

They Stole a Quarter-Billion in Crypto and Got Caught Within a Month (nytimes.com)
In the balmy late afternoon of Aug. 25, 2024, Sushil and Radhika Chetal were house-hunting in Danbury, Conn., in an upscale neighborhood of manicured yards and heated pools.

Cryptocurrency, Crime, Security, Law Enforcement

12 points by otterley 2 days ago | 2 comments

Hegseth Set Up Signal on a Computer in His Pentagon Office (nytimes.com)
Defense Secretary Pete Hegseth had the consumer messaging app Signal set up on a computer in his office at the Pentagon so that he could send and receive instant messages in a space where personal cellphones are not permitted, according to two people with knowledge of the matter.

Defense, Security, Messaging Apps, Technology

9 points by jbegley 2 days ago | 0 comments

One Prompt Can Bypass Every Major LLM's Safeguards (forbes.com)

Security, Artificial Intelligence, Generative AI

40 points by TechTalker22 2 days ago | 1 comments

Protecting NATS and the integrity of open source (cncf.io)
When a company contributes a project to the Cloud Native Computing Foundation (CNCF), it’s not just sharing code—it’s making a commitment to the open source community.

Open Source, Cloud Computing, Security, Software Engineering

119 points by tomncooper 2 days ago | 36 comments

Assignment 5: Cars and Key Fobs (2021) (web.stanford.edu)
Almost all cars currently come with a key fob, which allows you to open the doors, and start the car.

Cars, Technology, Security

230 points by Pikamander2 2 days ago | 186 comments

MS's patch for symlink vulnerability introduces another symlink vulnerability (doublepulsar.com)
Microsoft recently patched CVE-2025–21204, a vuln which allows users to abuse symlinks to elevate privileges using the Windows servicing stack and the c:\inetpub folder.

Security, Microsoft, Vulnerability, Symlinks

8 points by croes 2 days ago | 0 comments

The Secret World of Coupon Fraud: Exploiting Barcode Vulnerabilities (medium.com)
You’ve scanned barcodes countless times — UPC, EAN, and GS1 Databar — but have you ever wondered what they’re encoding? Until 2006, neither had I. That year, I started as a software engineer at Coupons.com, tasked with transitioning our coupons to the GS1 Databar system.

Security, Retail, Data Encoding, Fraud

10 points by brianhama 2 days ago | 0 comments

xPal Encyrpted Messenger Security (furry.engineer)

Security, Messaging, Encryption

18 points by luu 3 days ago | 4 comments

Tarpit ideas: What they are and how to avoid them (2023) [video] (ycombinator.com)

Software Development, Security, Programming, Web Development

135 points by dgs_sgd 3 days ago | 137 comments

Ex-NSA chief warns AI devs: Don't repeat infosec's early-day screwups (theregister.com)
AI engineers should take a lesson from the early days of cybersecurity and bake safety and security into their models during development, rather than trying to bolt it on after the fact, according to former NSA boss Mike Rogers.

Artificial Intelligence, Cybersecurity, Security, Information Security

5 points by rntn 3 days ago | 0 comments

Hyperscaling Have I Been Pwned with Cloudflare Workers and Caching (troyhunt.com)
I've spent more than a decade now writing about how to make Have I Been Pwned (HIBP) fast. Really fast. Fast to the extent that sometimes, it was even too fast:

Security, Performance Optimization, Cloud Computing, Web Development

53 points by todsacerdoti 3 days ago | 66 comments

FBI Claims It Lost Records About Its Mysterious Hacking Abilities (gizmodo.com)
The FBI recently spent hundreds of thousands of dollars buying powerful hacking tools but now the agency claims that it can’t find the documentation associated with those procurements.

Government, Security, Hacking, Law Enforcement

12 points by fortran77 3 days ago | 0 comments

Back to the MAC (Part 2): Signal in the Noise (substack.com)
Well, I’ve been staring at MAC addresses again... but this time, things got a lot more interesting.

Networking, Security, MAC Addresses

8 points by beeburrt 3 days ago | 1 comments

Exploiting Undefined Behavior in C/C++ Programs: The Performance Impact [pdf] (ist.utl.pt)

C/C++, Programming, Performance, Security, Undefined Behavior

86 points by luu 4 days ago | 70 comments

Using a dedicated administration workstation for a home infrastructure (dataswamp.org)
As I moved my infrastructure to a whole new architecture, I decided to only expose critical accesses to dedicated administration systems (I have just one). That workstation is dedicated to my infrastructure administration, it can only connect to my servers over a VPN and can not reach the Internet.

Home Networking, Security, Infrastructure, VPN

8 points by nivethan 4 days ago | 0 comments

Offical XRP NPM package has been compromised and key stealing malware introduced (aikido.dev)
At 21 Apr, 20:53 GMT+0, our system, Aikido Intel started to alert us to five new package version of the xrpl package. It is the official SDK for the XRP Ledger, with more than 140.000 weekly downloads. We quickly confirmed the official XPRL (Ripple) NPM package was compromised by sophisticated attackers who put in a backdoor to steal cryptocurrency private keys and gain access to cryptocurrency wallets.

Security, Cryptography, Cryptocurrency, Software, Malicious Software

55 points by flxga 4 days ago | 17 comments