Hacker News with Generative AI: Security

Proof-of-work to protect lore.kernel.org and git.kernel.org against AI crawlers (kernel.org)
I'm sad to say that we're following the lead of many others and putting proof-of-work proxies into place to protect ourselves against "AI" crawler bots. Yes, I hate this as much as you, but all other options are currently worse (such as locking us into specific vendors). We'll be rolling it out on lore.kernel.org and git.kernel.org in the next week or so.
Tell HN: Google Authenticator lost all of my codes (ycombinator.com)
Gmail Users Can Send Encrypted Email to Anyone (forbes.com)
Gmail gets E2EE as it turns 21.
GitHub found 39M secret leaks in 2024. Here's what we're doing to help (github.blog)
If you know where to look, exposed secrets are easy to find. Secrets are supposed to prevent unauthorized access, but in the wrong hands, they can be—and typically are—exploited in seconds.
Record thefts boost North Korea to third-largest Bitcoin holder (thetimes.com)
Zero Day in Microchip SAM Microcontrollers (recessim.com)
This write-up will cover analysis of the Microchip (ATMEL) SAM4C32 microcontroller vulnerability that allows an attacker to gain unlocked JTAG access to a previously locked device.
Show HN: Arrakis – Open-source, self-hostable sandboxing service for AI Agents (github.com/abshkbh)
AI agents can generate malicious or buggy code that can attack the host system it's run on.
Matrix.org Will Migrate to MAS (matrix.org)
On Monday 7th of April 2025 at 7am UTC, we will migrate the Matrix.org homeserver's authentication system over to MAS (Matrix Authentication Service) in order to benefit from Next-generation authentication.
When parameterization fails: SQL injection in Nim using parameterized queries (nns.ee)
I discovered a potential SQL injection vulnerability in Nim's standard library module db_postgres.
Porting Tailscale to Plan 9 (tailscale.com)
It’s been said that nothing helps land a joke like explaining it, so here we are to explain yesterday’s Tailscale Plan 9 announcement, even at the risk of killing the joke.
Abusive AI Web Crawlers: Get Off My Lawn (mythic-beasts.com)
As many other folks have reported in the last few weeks, we have also been seeing a huge increase in the amount of traffic from abusive web crawlers.
Cell Phone OPSEC for Border Crossings (schneier.com)
I have heard stories of more aggressive interrogation of electronic devices at US border crossings. I know a lot about securing computers, but very little about securing phones.
Call for testing: OpenSSH 10.0 (DSA support removed) (mindrot.org)
Hi all. OpenSSH 10.0p1 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This is primarily a bugfix release, although one notable change is the introduction of the sshd-auth binary (see below).
Tailscale Enterprise Plan 9 Support (tailscale.com)
MURRAY HILL, NJ — Tailscale, the leading provider of effortless, private networking for modern distributed computing, today announced support for Plan 9™ from Bell Labs™, the operating system redefining how networks, resources, and computation are managed.
SSLyze – SSL configuration scanning library and CLI tool (github.com/nabla-c0d3)
SSLyze is a fast and powerful SSL/TLS scanning tool and Python library.
2.8B Twitter IDs Leaked (forbes.com)
Elon Musk’s social media platform, X, is no stranger to the news, what with the reported purchase of X by xAI for $33 billion, attackers claiming responsibility for platform outages, and X password scams targeting users. Now, another shock awaits the users of what used to be Twitter: a self-proclaimed data enthusiast has just given away what is claimed to be a database containing details of some 200 million X user records. Here’s what we know so far.
DEDA – Tracking Dots Extraction, Decoding and Anonymisation Toolkit (github.com/dfd-tud)
Document Colour Tracking Dots, or yellow dots, are small systematic dots which encode information about the printer and/or the printout itself. This process is integrated in almost every commercial colour laser printer. This means that almost every printout contains coded information about the source device, such as the serial number.
Apple's App Store used to host free VPN apps with ties to China military (appleinsider.com)
The App Store hosted a number of VPN apps with ties to a Chinese military-affiliated company sanctioned by the US, with millions of downloads between them all.
Apple Patches Older iPhones Against 'Sophisticated' Hacker Attacks (bitdefender.com)
Apple is offering a batch of updates across its product lineup this week to address dozens of important security flaws, including some that criminals are already exploiting.
Breach of X allegedly leaks over 200M users' email addresses (mashable.com)
An alleged X data breach has leaked the email addresses of more than 200 million users.
New in Gmail: Making E2E encrypted emails easy to use for all organizations (workspace.google.com)
At Google, we believe that secure, confidential communication should be available for organizations of all sizes. However, end-to-end encrypted (E2EE) email was historically a privilege reserved for organizations with significant IT resources, due to the complexity of S/MIME and proprietary solutions.
Fix U.S. National Security (github.com/signalapp)
This pull request introduces a COMSEC (communications security) advisory banner to chat threads, reminding specific pool of users that Signal—despite its robust encryption—is not an appropriate venue for discussing classified information, coordinating military operations, or engaging in off-the-books foreign policy.
Tips for Travelers Entering the U.S. Now: Check Your Visa, Turn Off Your Phone (nytimes.com)
At airports and land borders across the country, tourists and other visitors coming to the United States have reported being caught up in the Trump administration’s campaign of “enhanced vetting.”
DIY automation using only Linux (medium.com)
You may sometimes feel overwhelmed in a world where CircleCI, TeamCity, JFrog, Jenkins, and many other solutions manage continuous integration and auto-deployment. When you work with security products, you also have some confidentiality concerns. Having a good tutorial to create straightforward automation is quite handy.
CVE-2025-24259: Leaking Bookmarks on macOS (wts.dev)
Happy Monday! You should probably update your Macs now. macOS Ventura 13.7.5, macOS Sonoma 14.7.5, and macOS Sequoia 15.4 are out. They include a lot of patches, with 15.4 including patches for 131 CVEs. If you're curious and want to validate that, just open the security release notes for that update and search for the string CVE-202. You'll find 131 matches on that page as of writing.
JEP draft: Prepare to make final mean final (openjdk.org)
Issue warnings about uses of deep reflection to mutate final fields. The warnings aim to prepare developers for a future release that ensures integrity by default by restricting final field mutation; this makes Java programs safer and potentially faster. Application developers can avoid both current warnings and future restrictions by selectively enabling the ability to mutate final fields where essential.
Microsoft reports several bootloader vulnerabilities (microsoft.com)
By leveraging Microsoft Security Copilot to expedite the vulnerability discovery process, Microsoft Threat Intelligence uncovered several vulnerabilities in multiple open-source bootloaders, impacting all operating systems relying on Unified Extensible Firmware Interface (UEFI) Secure Boot as well as IoT devices.
Hetzner root servers get traffic for other machines (kiwi.fuo.fi)
Is BIND9 suitable as a recursive resolver in 2025? (szafka.net)
Recently, we have been engaged in consulting work and providing DNS training for a major IT corporation, boasting an employee count exceeding 10,000. Thankfully, not every staff member attended the course.