De-anonymization attacks against the privacy coin XMR
(monero.forex)
Monero (XMR), a cryptocurrency renowned for its privacy-centric design, has drawn the attention of governments, cybersecurity experts, and analytics firms seeking to deanonymize its transactions.
Monero (XMR), a cryptocurrency renowned for its privacy-centric design, has drawn the attention of governments, cybersecurity experts, and analytics firms seeking to deanonymize its transactions.
How to disappear– Inside the world of extreme-privacy consultants
(theatlantic.com)
You could easily mistake Alec Harris for a spy or an escaped prisoner, given all of the tradecraft he devotes to being unfindable.
You could easily mistake Alec Harris for a spy or an escaped prisoner, given all of the tradecraft he devotes to being unfindable.
Uninitialized garbage on ia64 can be deadly (2004)
(microsoft.com)
On Friday, we talked about some of the bad things that can happen if you call a function with the wrong signature.
On Friday, we talked about some of the bad things that can happen if you call a function with the wrong signature.
The Captcha Paradox
(talkingrobot.com)
The very companies building the most advanced AIs are also investing heavily in mechanisms—captchas—designed to prevent machines from impersonating humans.
The very companies building the most advanced AIs are also investing heavily in mechanisms—captchas—designed to prevent machines from impersonating humans.
A privilege escalation from Chrome extensions (2023)
(0x44.xyz)
In July, I was poking around in chrome://file-manager, ChromeOS's file manager, when I saw an interesting URL in localStorage:
In July, I was poking around in chrome://file-manager, ChromeOS's file manager, when I saw an interesting URL in localStorage:
Google introduces webcam "liveness check" option to reCAPTCHA
(google.com)
You’ll need to allow temporary camera access to capture your hand movements
You’ll need to allow temporary camera access to capture your hand movements
Signal to Windows Recall: Drop Dead
(computerworld.com)
Microsoft’s Recall is a security disaster disguised as a feature. Messaging app Signal is doing what it can to block it.
Microsoft’s Recall is a security disaster disguised as a feature. Messaging app Signal is doing what it can to block it.
Show HN: Malai – securely share local TCP services (database/SSH) with others
(malai.sh)
malai-0.2.5 is out now! It brings a new feature to share your local TCP server with the world!
malai-0.2.5 is out now! It brings a new feature to share your local TCP server with the world!
BGP handling bug causes widespread internet routing instability
(benjojo.co.uk)
At 7AM (UTC) on Wednesday May 20th 2025 a BGP message was propagated that triggered surprising (to many) behaviours with two major BGP implementations that are often used for carrying internet traffic.
At 7AM (UTC) on Wednesday May 20th 2025 a BGP message was propagated that triggered surprising (to many) behaviours with two major BGP implementations that are often used for carrying internet traffic.
Bank transactions cleared by FTP-ing files
(twitter.com)
Something went wrong, but don’t fret — let’s give it another shot.
Something went wrong, but don’t fret — let’s give it another shot.
Accessing private GitHub repositories via MCP
(invariantlabs.ai)
Invariant has discovered a critical vulnerability affecting the widely-used GitHub MCP integration (14k stars on GitHub). The vulnerability allows an attacker to hijack a user's agent via a malicious GitHub Issue, and coerce it into leaking data from private repositories.
Invariant has discovered a critical vulnerability affecting the widely-used GitHub MCP integration (14k stars on GitHub). The vulnerability allows an attacker to hijack a user's agent via a malicious GitHub Issue, and coerce it into leaking data from private repositories.
Claude 4 and GitHub MCP will leak your private GitHub repositories
(twitter.com)
Something went wrong, but don’t fret — let’s give it another shot.
Something went wrong, but don’t fret — let’s give it another shot.
How I found a Star Wars website made by the CIA
(ourbigbook.com)
This article is about covert agent communication channel websites used by the CIA in many countries from the late 2000s until the early 2010s, when they were uncovered by counter intelligence of the targeted countries circa 2010-2013.
This article is about covert agent communication channel websites used by the CIA in many countries from the late 2000s until the early 2010s, when they were uncovered by counter intelligence of the targeted countries circa 2010-2013.
TeleMessage Explorer: a new open source research tool
(micahflee.com)
I've spent the last week or two writing code to make sense of the massive hack of data from TeleMessage, the comically insecure company that makes a modified Signal app that Trump's former national security advisor Mike Waltz was caught using. I've decided to publish my code as open source in the hopes that other journalists will use it to find revelations in this dataset.
I've spent the last week or two writing code to make sense of the massive hack of data from TeleMessage, the comically insecure company that makes a modified Signal app that Trump's former national security advisor Mike Waltz was caught using. I've decided to publish my code as open source in the hopes that other journalists will use it to find revelations in this dataset.
Show HN: Directory of 100 SaaS tools that support enterprise SSO (SAML, SCIM)
(ycombinator.com)
I’ve been working on enterprise SSO integrations and realized there’s no simple way to check which SaaS tools actually support SAML, SCIM, or OIDC.
I’ve been working on enterprise SSO integrations and realized there’s no simple way to check which SaaS tools actually support SAML, SCIM, or OIDC.
GitHub MCP exploited: Accessing private repositories via MCP
(invariantlabs.ai)
Invariant has discovered a critical vulnerability affecting the widely-used GitHub MCP integration (14k stars on GitHub). The vulnerability allows an attacker to hijack a user's agent via a malicious GitHub Issue, and coerce it into leaking data from private repositories.
Invariant has discovered a critical vulnerability affecting the widely-used GitHub MCP integration (14k stars on GitHub). The vulnerability allows an attacker to hijack a user's agent via a malicious GitHub Issue, and coerce it into leaking data from private repositories.
Linux 6.15 Released with Continued Rust Integration, Bcachefs Stabilizing
(phoronix.com)
As anticipated the Linux 6.15 kernel is out today in stable form. Linux 6.15 brings a lot of new hardware support, security improvements, various other kernel innovations, and more.
As anticipated the Linux 6.15 kernel is out today in stable form. Linux 6.15 brings a lot of new hardware support, security improvements, various other kernel innovations, and more.
Ask HN: What are the most underrated tools you use regularly?
(ycombinator.com)
Qubes OS, a security-oriented OS with fewer vulnerabilities than in Xen thanks to a clever design and reliance on hardware-assisted virtualization: https://www.qubes-os.org/security/xsa/#statistics
Qubes OS, a security-oriented OS with fewer vulnerabilities than in Xen thanks to a clever design and reliance on hardware-assisted virtualization: https://www.qubes-os.org/security/xsa/#statistics
The Darknet Bible- research document on using the dark web and Monero safely
(darknetbible.info)
Welcome to the DNM Buyer’s Bible
Welcome to the DNM Buyer’s Bible
Scaling the Let's Encrypt rate limits to prepare for a billion active TLS cert
(letsencrypt.org)
Let’s Encrypt protects a vast portion of the Web by providing TLS certificates to over 550 million websites—a figure that has grown by 42% in the last year alone. We currently issue over 340,000 certificates per hour. To manage this immense traffic and maintain responsiveness under high demand, our infrastructure relies on rate limiting. In 2015, we introduced our first rate limiting system, built on MariaDB.
Let’s Encrypt protects a vast portion of the Web by providing TLS certificates to over 550 million websites—a figure that has grown by 42% in the last year alone. We currently issue over 340,000 certificates per hour. To manage this immense traffic and maintain responsiveness under high demand, our infrastructure relies on rate limiting. In 2015, we introduced our first rate limiting system, built on MariaDB.
A thought on JavaScript "proof of work" anti-scraper systems
(utoronto.ca)
One of the things that people are increasingly using these days to deal with the issue of aggressive LLM and other web scrapers is JavaScript based "proof of work" systems, where your web server requires visiting clients to run some JavaScript to solve a challenge; one such system (increasingly widely used) is Xe Iaso's Anubis.
One of the things that people are increasingly using these days to deal with the issue of aggressive LLM and other web scrapers is JavaScript based "proof of work" systems, where your web server requires visiting clients to run some JavaScript to solve a challenge; one such system (increasingly widely used) is Xe Iaso's Anubis.
Ten years of JSON Web Token and preparing for the future
(self-issued.info)
Ten years ago this week, in May 2015, the JSON Web Token (JWT) became RFC 7519.
Ten years ago this week, in May 2015, the JSON Web Token (JWT) became RFC 7519.
AI system resorts to blackmail if told it will be removed
(bbc.com)
Artificial intelligence (AI) firm Anthropic says testing of its new system revealed it is sometimes willing to pursue "extremely harmful actions" such as attempting to blackmail engineers who say they will remove it.
Artificial intelligence (AI) firm Anthropic says testing of its new system revealed it is sometimes willing to pursue "extremely harmful actions" such as attempting to blackmail engineers who say they will remove it.
Show HN: Fwtui – A terminal UI for managing UFW (built with Bubble Tea)
(github.com/Beny406)
fwtui is a terminal-based UI built in Go to help you manage UFW (Uncomplicated Firewall) rules with ease.
fwtui is a terminal-based UI built in Go to help you manage UFW (Uncomplicated Firewall) rules with ease.