Hacker News with Generative AI: Security

Story of a Pentester Recruitment (silentsignal.eu)
In 2015, we published a blog post about the recruitment challenges we devised for candidates who’d like to join our pentester team. The post got much attention, with supportive comments and criticism as well. Learning from this experience, we created a completely new challenge that we’re retiring today, and we’d once again share our experiences (and the solutions!) we gained from this little game.
GrapheneOS: Private and secure mobile OS with Android app compatibility (grapheneos.org)
GrapheneOS is a privacy and security focused mobile OS with Android app compatibility developed as a non-profit open source project.
Good Docker Files (gooddockerfiles.com)
Not sure about your Dockerfile? Confused? Overwhelmed? Get expert guidance for production-ready containers that are faster, smaller and more secure.
Phishing with Gmail's Gemini Summarize via prompt injection (twitter.com)
Over 660k Rsync servers exposed to code execution attacks (bleepingcomputer.com)
Over 660,000 exposed Rsync servers are potentially vulnerable to six new vulnerabilities, including a critical-severity heap-buffer overflow flaw that allows remote code execution on servers.
Trusting clients is probably a security flaw (liberda.nl)
If your service needs to trust the clients, hold my Big Mac
Let's talk about AI and end-to-end encryption (cryptographyengineering.com)
Recently I came across a fantastic new paper by a group of NYU and Cornell researchers entitled “How to think about end-to-end encryption and AI.” I’m extremely grateful to see this paper, because while I don’t agree with every one of its conclusions, it’s a good first stab at an incredibly important set of questions.
Bypassing disk encryption on systems with automatic TPM2 unlock (oddlama.org)
Have you set up automatic disk unlocking with TPM2 and systemd-cryptenroll or clevis? Then chances are high that your disk can be decrypted by an attacker who just has brief physical access to your machine - with some preparation, 10 minutes will suffice. In this article we will explore how TPM2-based disk decryption works, and understand why many setups are vulnerable to a kind of filesystem confusion attack.
AWS Management Console supports simultaneous sign-in for multiple AWS accounts (amazon.com)
Today, AWS announces multi-session support, which enables AWS customers to access multiple AWS accounts simultaneously in the AWS Console.
Major authentication providers still don't support TLS 1.3 (okta.com)
Microsoft patches Windows to eliminate Secure Boot bypass threat (arstechnica.com)
For the past seven months—and likely longer—an industry-wide standard that protects Windows devices from firmware infections could be bypassed using a simple technique. On Tuesday, Microsoft finally patched the vulnerability. The status of Linux systems is still unclear.
Six day and IP address certificate options in 2025 (letsencrypt.org)
This year we will continue to pursue our commitment to improving the security of the Web PKI by introducing the option to get certificates with six-day lifetimes (“short-lived certificates”). We will also add support for IP addresses in addition to domain names. Our longer-lived certificates, which currently have a lifetime of 90 days, will continue to be available alongside our six-day offering.
Show HN: Fed up with compliance tools? Help us make SOC-2 OSS (github.com/getprobo)
Russian hackers nearly killed my Django-based business (reddit.com)
My wife and I were hiking through the scenic hills of Belgium when I received a concerning email from Amazon Web Services (AWS). The email, titled "Amazon SES Complaint Review Period for AWS Account []", contained the following warning:
Rsync vulnerabilities (openwall.com)
Two independent groups of researchers have identified a total of 6 vulnerabilities in rsync. In the most severe CVE, an attacker only requires anonymous read access to an rsync server, such as a public mirror, to execute arbitrary code on the machine the server is running on.
Proof of location for online polls (ip-vote.com)
Information about a device's physical location can be inferred by measuring the time it takes for signals to travel between the device and a known server location.
Google’s OAuth login doesn’t protect against purchasing a failed startup domain (trufflesecurity.com)
Millions of Americans can have their data stolen right now because of a deficiency in Google’s “Sign in with Google” authentication flow. If you’ve worked for a startup in the past - especially one that has since shut down - you might be vulnerable.
What Every Hacker Should Know About TLB Invalidation [pdf] (grsecurity.net)
Show HN: Another ELF Analysis Toolkit (github.com/M3rcuryLake)
Nyxelf is a powerful tool for analyzing malicious Linux ELF binaries, offering both static and dynamic analysis.
PostgreSQL Anonymizer (readthedocs.io)
PostgreSQL Anonymizer is an extension to mask or replace personally identifiable information (PII) or commercially sensitive data from a Postgres database.
DJI No Longer Blocks Flights over Airports and Military Bases (hntrbrk.com)
DJI, the world’s leading drone manufacturer, announced today that it will remove “Restricted Zones” from its Fly and Pilot flight apps in the U.S.
403ing AI Crawlers (coryd.dev)
Now that I'm self-hosting this site and the associated infrastructure, the public-facing part of the site (where you're reading this) is served via a boring old Linux/Apache/PHP stack. Which means I had to write an .htaccess file.
Snyk security researcher deploys malicious NPM packages targeting cursor.com (sourcecodered.com)
Every morning I get up and check what malicious packages my detector had found the night before. It’s like someone checking their fishing nets to see what fish they caught.
Stupidfs: Hide files by storing them in the metadata of other files (github.com/GoldenStack)
More files per file: hide files by storing them in the metadata of other files
Camouflaged motorcycle hides from bike thieves in plain sight (newatlas.com)
Bike thieves can't steal it if they don't know it's there ... This remarkable motorcycle looks for all the world like a telecom signal box covered in graffiti – but at the touch of a button it rises up on wheels and rides away.
Sweden neither at war nor at peace, says PM (theguardian.com)
The Swedish prime minister has said that his country is neither at war nor at peace as he announced that Sweden would be sending armed forces into the Baltic Sea for the first time as part of increased surveillance efforts amid a spate of suspected sabotage of undersea cables.
Cheap rj45 ethernet to USB adapter contains malware (twitter.com)
Qubes OS: Templates (qubes-os.org)
In Getting Started, we covered the distinction in Qubes OS between where you install your software and where you run your software.
Superior Internet Privacy with Whonix (whonix.org)
Whonix gives your desktop maximum privacy and anonymity on the Internet. More reliability and security than any other tool on the market!