Hacker News with Generative AI: Security

Sign in to Have I Been Pwned (But Not Login, Log in or Log On) (troyhunt.com)
How do seemingly little things manage to consume so much time?! We had a suggestion this week that instead of being able to login to the new HIBP website, you should instead be able to log in. This initially confused me because I've been used to logging on to things for decades:
Hello users of Anubis (for fighting malicious bots), I created an alternative (github.com/Zirias)
The pow credentials checker is a special case: It provides a guest login with fixed username and password, but for using it, it requires the client's browser to solve a cryptographic puzzle.
The Policy Puppetry Attack: Novel bypass for major LLMs (hiddenlayer.com)
Researchers at HiddenLayer have developed the first, post-instruction hierarchy, universal, and transferable prompt injection technique that successfully bypasses instruction hierarchy and safety guardrails across all major frontier AI models.
Hegseth had an unsecured internet line set up in his office to connect to Signal (apnews.com)
Russian strike on Kyiv kills at least 12 in biggest attack on Ukrainian capital since last summer
New Linux Rootkit (schneier.com)
The company has released a working rootkit called “Curing” that uses io_uring, a feature built into the Linux kernel, to stealthily perform malicious activities without being caught by many of the detection solutions currently on the market.
Commit signing in 2023 is kinda wack (lobi.to)
I’ve been taking a look at authorisation processes for version control systems at work and had three colleagues independently ask about scope for git commit signing, but they were surprised to discover I’d been soured toward traditional approaches for git commit signing and generally advise shying away from signing due to complexity.
Binary Ninja 5.0 – Gallifrey released (binary.ninja)
Not enough time to reverse engineer everything you want? The Time Lords are here to help in Binary Ninja 5.0 Gallifrey! With major features across the board from huge analysis improvements, fantastic iOS support, many new firmware-specific features, and more, this major version has something for everyone.
Chaos at The Pentagon Threatens Hegseth's Tenure (foreignpolicy.com)
Chaos has been swirling around Defense Secretary Pete Hegseth. He’s at the center of the escalating Signalgate scandal, his inner circle at the Pentagon recently imploded, and there’s growing speculation that he could soon be out of a job.
Hegseth had unsecure internet line in his office for Signal (apnews.com)
Russian strike on Kyiv kills at least 12 in biggest attack on Ukrainian capital since last summer
Free Course on Security Headers, for Developers (semgrep.dev)
Learn about security headers from Scott Helme and Tanya Janca, two enthusiastic web security experts, who will sing the praises of these helpful browser protections!
An Employee Surveillance Company Leaked over 21M Screenshots Online (gizmodo.com)
With the refinement of digital tools, companies are subjecting their employees to increasing levels of surveillance — and increasing risks. Now, the security of thousands of employees and their parents companies is at risk after real-time images of their computers were leaked by an employee surveillance app.
io_uring based rootkit can bypass syscall-focused Linux security tools (armosec.io)
ARMO researchers reveal a major blind spot in Linux runtime security tools caused by the io_uring interface—an asynchronous I/O mechanism that bypasses traditional system calls.
SAML's signature problem: It's not you, it's XML (workos.com)
SAML's signature problem: It’s not you, it’s XML
How I made $64k from deleted files – a bug bounty story (medium.com)
I built an automation that cloned and scanned tens of thousands of public GitHub repos for leaked secrets. For each repository I restored deleted files, found dangling blobs and unpacked .pack files to search in them for exposed API keys, tokens, and credentials. Ended up reporting a bunch of leaks and pulled in around $64k from bug bounties 🔥.
They Stole a Quarter-Billion in Crypto and Got Caught Within a Month (nytimes.com)
In the balmy late afternoon of Aug. 25, 2024, Sushil and Radhika Chetal were house-hunting in Danbury, Conn., in an upscale neighborhood of manicured yards and heated pools.
Hegseth Set Up Signal on a Computer in His Pentagon Office (nytimes.com)
Defense Secretary Pete Hegseth had the consumer messaging app Signal set up on a computer in his office at the Pentagon so that he could send and receive instant messages in a space where personal cellphones are not permitted, according to two people with knowledge of the matter.
One Prompt Can Bypass Every Major LLM's Safeguards (forbes.com)
Protecting NATS and the integrity of open source (cncf.io)
When a company contributes a project to the Cloud Native Computing Foundation (CNCF), it’s not just sharing code—it’s making a commitment to the open source community.
Assignment 5: Cars and Key Fobs (2021) (web.stanford.edu)
Almost all cars currently come with a key fob, which allows you to open the doors, and start the car.
MS's patch for symlink vulnerability introduces another symlink vulnerability (doublepulsar.com)
Microsoft recently patched CVE-2025–21204, a vuln which allows users to abuse symlinks to elevate privileges using the Windows servicing stack and the c:\inetpub folder.
The Secret World of Coupon Fraud: Exploiting Barcode Vulnerabilities (medium.com)
You’ve scanned barcodes countless times — UPC, EAN, and GS1 Databar — but have you ever wondered what they’re encoding? Until 2006, neither had I. That year, I started as a software engineer at Coupons.com, tasked with transitioning our coupons to the GS1 Databar system.
xPal Encyrpted Messenger Security (furry.engineer)
Tarpit ideas: What they are and how to avoid them (2023) [video] (ycombinator.com)
Ex-NSA chief warns AI devs: Don't repeat infosec's early-day screwups (theregister.com)
AI engineers should take a lesson from the early days of cybersecurity and bake safety and security into their models during development, rather than trying to bolt it on after the fact, according to former NSA boss Mike Rogers.
Hyperscaling Have I Been Pwned with Cloudflare Workers and Caching (troyhunt.com)
I've spent more than a decade now writing about how to make Have I Been Pwned (HIBP) fast. Really fast. Fast to the extent that sometimes, it was even too fast:
FBI Claims It Lost Records About Its Mysterious Hacking Abilities (gizmodo.com)
The FBI recently spent hundreds of thousands of dollars buying powerful hacking tools but now the agency claims that it can’t find the documentation associated with those procurements.
Back to the MAC (Part 2): Signal in the Noise (substack.com)
Well, I’ve been staring at MAC addresses again... but this time, things got a lot more interesting.
Exploiting Undefined Behavior in C/C++ Programs: The Performance Impact [pdf] (ist.utl.pt)
Using a dedicated administration workstation for a home infrastructure (dataswamp.org)
As I moved my infrastructure to a whole new architecture, I decided to only expose critical accesses to dedicated administration systems (I have just one). That workstation is dedicated to my infrastructure administration, it can only connect to my servers over a VPN and can not reach the Internet.
Offical XRP NPM package has been compromised and key stealing malware introduced (aikido.dev)
At 21 Apr, 20:53 GMT+0, our system, Aikido Intel started to alert us to five new package version of the xrpl package. It is the official SDK for the XRP Ledger, with more than 140.000 weekly downloads. We quickly confirmed the official XPRL (Ripple) NPM package was compromised by sophisticated attackers who put in a backdoor to steal cryptocurrency private keys and gain access to cryptocurrency wallets.