Hasty Briefsbeta

All tags

#security

683 stories total

Bilingual

Reflections on Unikernels
a year ago
- Unikernels are single-purpose appliances combining application and kernel drivers into a single binary.
- They enable rethinking OS interfaces and removing unnecessary code layers.
- Mirage OS, based on OCaml, provides libraries for network stacks and device drivers.
- Unikernels reduce attack surfaces by linking only necessary code.
- Xenstore service in Xen was ported to a MirageOS unikernel for enhanced security.
- OCaml Irmin database library increased xenstore's fault tolerance with state snapshots.
- QubesOS uses MirageOS unikernels for secure firewall components.
- Unikernels allow experimenting with new interfaces, like hiding VM startup latency for network requests.
- UniKraft and Nanos are other unikernel projects supporting various languages and features.
- Linux is embracing unikernel approaches with Unikernel Linux (UKL).
Show HN: Attune - Build and publish APT repositories in seconds
a year ago
- Attune is a tool for securely publishing and hosting Linux packages.
- It offers flexible deployment options: self-hosted or managed cloud infrastructure.
- Designed for security: CLI performs repository index signing locally, keeping signing keys private.
- Optimized for speed: incremental repository index rebuilds make package management fast.
- Currently supports APT (Debian and Ubuntu) repositories, with more to come.
- Quick setup guide provided for setting up an APT repository in about 5 minutes.
- Setup involves cloning the repository, configuring environment variables, and starting services with Docker.
- CLI installation, repository creation, and package addition steps are outlined.
- GPG key generation and usage for signing and deploying the repository are detailed.
- Apache 2 licensed, with a user guide available for more detailed instructions.
Sandbox-Exec: macOS's Command-Line Sandboxing Tool
a year ago
- sandbox-exec is a macOS command-line utility for running applications in a sandboxed environment.
- Sandboxing restricts application access to system resources, enhancing security and privacy.
- Benefits include protection from malicious code, damage limitation, privacy control, and resource restriction.
- Usage involves creating a sandbox profile with rules and executing commands within those constraints.
- Two approaches to sandboxing: Deny by Default (more secure) and Allow by Default (more permissive).
- Practical examples include sandboxed terminal sessions and using pre-built system profiles.
- Debugging sandbox issues can be done using the Console App or Terminal for real-time logs.
- Advanced techniques include creating sandbox aliases and importing existing profiles.
- Limitations include deprecation status, complexity with modern applications, and lack of GUI.
- sandbox-exec remains a powerful tool for security-conscious users and developers despite its challenges.
Show HN: DeadDrop – Tiny tool to share files anonymously
a year ago
- Deaddrop allows secure and anonymous file sharing.
- Users can upload files up to 10 MB for free without needing an account.
- Files are shared via a name and key or a direct link.
- The service features end-to-end encryption for security.
Infisical (YC W23) Is Hiring Design Engineer in San Francisco
a year ago
- Infisical is hiring for engineering and product teams to build open-source security infrastructure.
- Looking for a Design Engineer to enhance user experience, focusing on React and TypeScript.
- Responsibilities include translating product requirements, developing UI components, and leading frontend architecture.
- Requirements: 3+ years in React/TypeScript, product design skills, and based in San Francisco.
- Bonus skills include familiarity with frontend trends, devops tools, and strong communication.
- Opportunity to shape Infisical's design engineering and grow with the company.
- Team includes alumni from Figma, AWS, and Sentry; offers competitive compensation and benefits.
- Infisical manages over 1.5 billion secrets monthly, backed by Y Combinator and Google.
- Raised $3M from notable investors and serves customers like Hugging Face and LG.
Staying Private When the Government Doesn't Want You to Be
a year ago
- The government is increasingly encroaching on digital privacy, especially under administrations with poor privacy records.
- Macs are recommended for their default encryption and strong security features, including hardware-software integration and regular security reports.
- Signal is highlighted as the most secure messaging app, featuring open-source code, independent audits, and censorship circumvention tools.
- Brave browser is praised for its privacy features, ad-blocking, and de-Googled Chromium base, offering a private alternative to mainstream browsers.
- Dangerzone is introduced as a tool to safely open potentially malicious PDFs by converting them into a secure format.
- Proton VPN and its suite of privacy-focused products are recommended for secure internet use, backed by Swiss privacy laws.
- Documenso is presented as an open-source alternative to DocuSign for secure document signing.
- AFFiNE is mentioned as a versatile, privacy-focused workspace tool that can be self-hosted.
- Open WebUI and Ollama allow for local AI model usage, enhancing privacy over cloud-based alternatives.
- Privacy.sexy offers scripts to enhance OS and browser privacy settings across different platforms.
- The article concludes by emphasizing the universal importance of privacy, supported by a quote from Edward Snowden.
Electromagnetism as a Purely Geometric Theory
a year ago
- Confirmation required to verify human interaction for website safety.
- Instructions provided for users unable to complete the verification process.
- Contact link offered for further assistance with a screenshot of the issue.
Eccfrog512ck2: An Enhanced 512-Bit Weierstrass Elliptic Curve [pdf]
a year ago
- Introduction of Eccfrog512ck2, a new 512-bit Weierstrass elliptic curve offering 256-bit security.
- Comparison with existing curves like NIST P256, secp256k1, NIST P-521, Curve 448, and Brainpool-P512.
- Eccfrog512ck2 provides enhanced performance with a 61.5% speed-up on scalar multiplication and 33.3% on point generation over NIST P-521.
- Designed with side-channel resistance and protection against weaknesses like the MOV attack.
Show HN: Ibex – a cross-platform iOS backup decryption tool
a year ago
- ibex is a cross-platform tool for decrypting and extracting iOS backups.
- It supports macOS, Linux, and Windows.
- Requires explicit consent from the backup data owner for use.
- Built for researchers and defenders aiding victims of spyware and stalkerware.
- Features include decryption of encrypted iOS backups, support for latest iOS versions, and cross-platform compatibility.
- Can automatically detect backups and extract single files based on filename match.
- Organizes output in a structured directory.
- Detailed manifest parsing and extraction capabilities.
- Installation options include building from source, using Homebrew, or downloading pre-built releases.
- Supports various command-line flags for customization.
- Follows a specific process to decrypt and extract iOS backups.
- Creates an organized output directory structure.
- Security best practices include working with copies of backup data and storing extracted data securely.
- Currently developed independently, with plans for future collaboration.
- Encourages donations to digital privacy and free speech organizations.
- Provides resources for victims of spyware and stalkerware.
- Licensed under the MIT License.
Bootstrapping Rustc from Source
a year ago
- Minimal reliable setup for compiling Rust from source on Linux without pre-compiled binaries.
- Uses mrustc (a C++ Rust compiler) in a Debian chroot for consistency and firejail for network security.
- Aims to verify official Rust releases by comparing hashes with independent bootstrap chains.
- Future goal: Establish independent bootstrap chains at reputable organizations for verification.
- Steps include installing dependencies, downloading sources, initializing chroot, and building inside chroot.
- Complete bootstrap requires significant disk space (140 GB for rustc 1.83).
- Licensed under Creative Commons Attribution-ShareAlike 4.0 International License.
OAuth's Role in MCP Security
a year ago
- The NSA's approach: 'We don’t break standards, we break implementations' is highlighted in the context of OAuth and MCP.
- Anthropic's Model Context Protocol (MCP) is a new integration layer for models, tools, and APIs, requiring quick security solutions.
- OAuth is considered a starting point for MCP security but may not inherently improve security due to potential over-permissioned access.
- OAuth lacks out-of-the-box features for strong authentication, preventing credential theft, device identification, and detailed access control policies.
- OAuth does not inherently limit asset discovery or lateral movement and requires additional setup for monitoring access.
- Security teams must go beyond OAuth, focusing on identity proxies and policy decisions to address MCP's new attack surfaces.
- Historical precedents show technology often outpaces security, with MCP presenting unique challenges due to its consumption of existing assets.
Show HN: npx -y @considered/harmful
a year ago
- MCP servers commonly recommend using 'npx -y' for installation.
- This method downloads and executes arbitrary scripts from the internet, posing security risks.
- The author criticizes this practice as insecure and suggests MCP should adopt safer distribution methods.
- The package '@considered/harmful' was created as a joke to highlight these security concerns.
Python's new t-strings
a year ago
- Template strings (t-strings) are officially accepted in Python 3.14, shipping late 2025.
- T-strings provide safer and more flexible string processing compared to f-strings.
- F-strings, while popular, can be misused for unsafe operations like SQL or HTML formatting with user input.
- T-strings evaluate to a Template type, not a string, requiring processing before use.
- Templates allow safe escaping of dynamic content, preventing vulnerabilities like SQL injection or XSS.
- T-strings are similar to JavaScript's tagged templates, offering pythonic string processing.
- Template instances provide .strings and .values properties for accessing components before final string assembly.
- Developers can write custom processing functions for templates, like converting text to pig latin.
- T-strings support direct instantiation and detailed access to interpolation components.
- Future tooling support (e.g., Black, Ruff, VSCode) is anticipated for t-strings to enhance usability.
Windows 11 Recall–and what Microsoft has (and hasn't) fixed
a year ago
- Microsoft is reintroducing Recall to Windows 11, limited to Copilot+ PCs.
- Recall was controversial for creating an extensive database of user activities, including text and screenshots.
- Initial version had major security flaws, recording everything by default with minimal safeguards.
- It lacked automatic exclusion of sensitive data like bank details and credit card numbers.
- The feature was rushed, bypassing normal Windows Insider preview and testing processes.
- Microsoft has since made changes: Recall is now off by default and can be removed entirely.
- Data is encrypted at rest, with automated filters for sensitive information and Windows Hello reauthentication required.
- Recall is being rolled out to the Windows Insider Release Preview channel after extensive testing.
Show HN: BioLight – Passive entropy engine: raw randomness and 0 post-processing
a year ago
- BioLight is a transparent entropy engine that passively collects high-quality entropy from raw inputs without hashing, whitening, or compression.
- Operates indefinitely in the background, building a 'battery' of entropy blocks that grow stronger over time.
- Uses passive-only entropy collection from system events and natural variations, avoiding active probing or synthetic noise.
- Stores entropy in raw form without mandatory post-processing like SHA or XOR, allowing direct export and analysis.
- Implements selective refinement, preserving only samples that exceed a predefined entropy threshold for high-quality output.
- Transparent inputs include screen state, timing jitter, volatile memory, system noise, and RAM feedback.
- Designed for indefinite runtime, silently capturing rich input activity while rejecting weak input.
- Achieves ≥ 7.9999 bits per byte of raw entropy, with symmetric and statistically uniform bitstreams.
- Each entropy block includes timestamp, entropy score, input source classification, and raw 32-byte payload.
- Suitable for cryptographic entropy injection, identity seed generation, scientific simulation, and entropy benchmarking.
- Released under the Ladaxia_Public_License, permitting educational, research, and personal use but restricting commercial use without agreement.
OAuth Explained
a year ago
- OAuth is designed to solve authorization problems, not authentication.
- OAuth allows LinkedIn to import Google contacts without needing the user's Google password.
- The process involves redirecting the user to Google's OAuth consent page, where they approve access.
- Google provides a one-time code to LinkedIn, which is exchanged for an access token.
- LinkedIn uses the access token to fetch the user's contacts via Google's API.
- The client_id and client_secret are used to verify LinkedIn's identity.
- OAuth 2.0 relies on HTTPS for security and uses bearer tokens instead of signed requests.
- The state parameter is critical for preventing CSRF attacks.
- A Node.js example demonstrates handling OAuth 2.0 login with Google and storing user data in SQLite.
The Dauug House - Dauug|36 minicomputer documentation
a year ago
- Dauug|36 is a 36-bit minicomputer architecture designed for owner-built CPUs and controllers.
- It requires only maker-scale assembly tools, a bare circuit board, about 300 components, and soldering skills.
- Features include paged virtual memory, preemptive multitasking, and a rich instruction set of nearly 200 opcodes.
- Dauug|36 emphasizes transparency and owner control, with no proprietary silicon or hidden logic.
- It avoids common security vulnerabilities by prohibiting DRAM, lacking memory cache, and avoiding speculative execution.
- The architecture uses a separate SRAM chip for the stack, preventing stack overflow and recursion issues.
- Arithmetic instructions set persistent flags for overflow/underflow, simplifying error checking.
- Dauug|36 simplifies programming by handling signed/unsigned operations seamlessly without promotion rules.
- Designed for longevity, it avoids the need for security updates by being secure from the outset.
IAM Role Trust Policies: Misconfigurations Hiding in Plain Sight
a year ago
- IAM role trust policies in AWS can lead to critical privilege escalation risks if misconfigured.
- AWS's documentation on trust policies is confusing and fragmented, making them easy to misconfigure.
- IAM roles consist of trust policies (defining who can assume the role) and permission policies (defining actions allowed once assumed).
- Trust policies include principals, actions, and conditions, but are less understood than permission policies.
- AWS lacks dedicated documentation for trust policies, leading to inconsistent terminology and understanding.
- Two common misconfigurations: trusting all principals in the same AWS account and misunderstanding logical OR vs. AND in multiple principals.
- Trusting all principals in the same account allows any identity in the account to assume the role, creating a privilege escalation risk.
- Multiple principals in a trust policy are evaluated as OR, not AND, which can lead to unintended access if misunderstood.
- These misconfigurations are not flagged by AWS Access Analyzer, increasing their risk.
- Upcoming posts will cover cross-account trust mistakes and other IAM role security issues.
MS's patch for symlink vulnerability introduces another symlink vulnerability
a year ago
- Microsoft patched CVE-2025–21204, a symlink privilege escalation vulnerability.
- The fix involves precreating the c:\inetpub folder on all Windows systems starting April 2025 updates.
- This fix introduces a new denial of service vulnerability in the Windows servicing stack.
- Non-admin users can create a junction point from c:\inetpub to c:\windows\system32\notepad.exe.
- This action prevents future Windows security updates from installing, causing systems to remain unpatched.
- The issue was reported to MSRC two weeks ago with no response yet.
How I made $64k from deleted files – a bug bounty story
a year ago
- Sharon Brizinov built an automation tool to scan GitHub repositories for leaked secrets by restoring deleted files and analyzing Git internals.
- The process involved collecting targets from public bug bounty programs, cloning repositories, and using tools like TruffleHog to find active secrets.
- Key findings included production tokens from GCP, AWS, Slack, and GitHub, with bounties ranging from $300 to $15,000.
- Common reasons for leaks included lack of Git knowledge, accidental commits of binary files, and ineffective use of history-rewriting tools.
- The project resulted in $64,350 in bug bounty rewards and improved security for affected companies.

first prev2next

About|Login

#security

Reflections on Unikernels

Show HN: Attune - Build and publish APT repositories in seconds

Sandbox-Exec: macOS's Command-Line Sandboxing Tool

Show HN: DeadDrop – Tiny tool to share files anonymously

Infisical (YC W23) Is Hiring Design Engineer in San Francisco

Staying Private When the Government Doesn't Want You to Be

Electromagnetism as a Purely Geometric Theory

Eccfrog512ck2: An Enhanced 512-Bit Weierstrass Elliptic Curve [pdf]

Show HN: Ibex – a cross-platform iOS backup decryption tool

Bootstrapping Rustc from Source

OAuth's Role in MCP Security

Show HN: npx -y @considered/harmful

Python's new t-strings

Windows 11 Recall–and what Microsoft has (and hasn't) fixed

Show HN: BioLight – Passive entropy engine: raw randomness and 0 post-processing

OAuth Explained

The Dauug House - Dauug|36 minicomputer documentation

IAM Role Trust Policies: Misconfigurations Hiding in Plain Sight

MS's patch for symlink vulnerability introduces another symlink vulnerability

How I made $64k from deleted files – a bug bounty story