Best of Security, August 2025

  1. Article · Medium · 40w

    Authentication Explained: When to Use Basic, Bearer, OAuth2, JWT & SSO

    Authorization controls what users can do after authentication through three main models: RBAC assigns permissions to roles, ABAC uses attributes and context for fine-grained control, and ACL attaches permissions to individual resources. Real applications like GitHub and Stripe often combine these models. OAuth2 enables delegated authorization without sharing credentials, while JWTs and bearer tokens carry user identity and permissions across systems. The key is choosing the right combination of models and mechanisms based on your application's complexity and security requirements.

  2. Article · Hacker News · 42w

    Read That F*cking Code!

    AI coding tools like Claude Code enable developers to generate working code without reading it, but this practice leads to three critical issues: architectural decay, loss of domain knowledge, and security vulnerabilities. The author advocates for two responsible approaches: fast prototyping with post-session review for peripheral features, and synchronous pair-coding for core functionality. A comprehensive checklist covers architecture consistency, security scoping, meaningful tests, documentation, error handling, and performance considerations.

  3. Article · UX Planet · 41w

    I Opened My Credit Card App While on a Call, & This UX Surprised Me

    Robinhood's credit card app demonstrates excellent context-aware UX design by showing a security warning only when users are on phone calls. The bright yellow banner warns users that Robinhood isn't calling them, helping prevent phone scams. This just-in-time design approach is more effective than constant warnings because it appears exactly when the risk is highest, avoiding alert fatigue while building user trust through thoughtful security communication.

  4. Video · bigboxSWE · 38w

    The Dark Side of GitHub

    An investigation into the underground economy of fake GitHub engagement, including services that sell artificial stars, followers, forks, and entire accounts. The content explores different tiers of fake engagement, from cheap anonymous accounts to premium services using legitimate profiles, and examines motivations like impressing investors, recruiters, and establishing credibility for potential security exploits. Detection tools like Astronomer can identify fake engagement, but the practice highlights how even technical platforms remain vulnerable to manipulation and social engineering.

  5. Article · Hacker News · 39w

    A German ISP tampered with their DNS - specifically to sabotage my website

    A German developer created a website to expose blocked domains by the CUII (Copyright Clearinghouse for the Internet), a private organization that decides what websites German ISPs should block. After publishing an article about CUII's mistakes, Telefonica (o2's parent company) modified their DNS blocking mechanism, making it harder to detect blocked domains. The timing suggests this was done specifically to sabotage the transparency tool, as Telefonica first tested their own domain on the website, then changed their blocking method two hours later.

  6. Article · Claudette · 42w

    Ethical Hacking Roadmap

    A comprehensive roadmap for learning ethical hacking, covering essential foundations like networking and operating systems, programming languages (Python, Bash, JavaScript), key tools (Nmap, Burp Suite, Metasploit), lab setup with virtual environments, and safe practice platforms like TryHackMe and Hack The Box. The guide emphasizes building knowledge systematically from basic concepts to hands-on practice.

  7. Article · Supabase · 41w

    Supabase Auth: Build vs. Buy

    Supabase Auth offers a Postgres-native authentication solution that significantly reduces development time and costs compared to building custom auth systems. The service provides JWT-based authentication with Row Level Security integration, supporting multiple providers and security features. Building authentication from scratch typically requires 320-680 hours in the first year, while Supabase Auth can be implemented in 4-24 hours, representing potential savings of $47,400-$98,700. The comparison with Auth0 shows Supabase's advantages in cost predictability, database integration, and open-source flexibility, though Auth0 excels in enterprise features. Teams should only build custom auth for specialized compliance requirements, legacy system integration, or unique authentication flows.

  8. Article · Claudette · 41w

    Hack Smarter, Not Harder: Sitadel Revolutionizes Web App Security

    Sitadel is an updated version of WAScan, a web application security scanner compatible with Python 3.4+. It offers enhanced flexibility for writing custom modules, includes interface framework detection, CDN detection, configurable risk levels, an add-on system, and Docker support for easy deployment.

  9. Article · omg! ubuntu! · 38w

    NetPeek is a New, User-Friendly Network Scanner for Linux

    NetPeek is a new open-source network scanner for Linux that provides a user-friendly GTK4/libadwaita interface as an alternative to command-line tools like nmap. Built in Python, it offers basic network scanning features including device discovery, port scanning, multi-threaded operations, and support for various IP input formats. The tool aims to make network scanning accessible to users who prefer GUI applications over terminal-based solutions.

  10. Article · DevBlogs · 41w

    Go 1.25.0-1 Microsoft build now available

    Microsoft released Go 1.25.0-1 with system-provided cryptography enabled by default (OpenSSL on Linux, CNG on Windows) and introduced opt-out telemetry collection. The build aligns with Microsoft's security policies but may require action for Linux builds without cgo or distroless containers. Users can disable systemcrypto via GOEXPERIMENT=nosystemcrypto and telemetry via MS_GOTOOLCHAIN_TELEMETRY_ENABLED=0.

  11. Article · The Register · 40w

    McDonald's not lovin' it when hacker exposes rotten security

    A white-hat hacker discovered multiple critical security vulnerabilities in McDonald's systems, including client-side only validation allowing free food orders, exposed API keys in JavaScript, faulty OAuth implementation giving unauthorized access to executive portals, and missing admin authorization on franchise portals. The company took months to fix issues and fired an employee who helped with the research. Additional vulnerabilities were found in the AI chatbot used for job applications, which had a password of 123456 and exposed 64 million applicant records.

  12. Article · It's Foss · 39w

    VPNs With "No Logging Policy" You Can Use on Linux

    A curated list of 8 VPN services that claim no-logging policies and work well on Linux systems. The list includes Mullvad VPN (anonymous account creation), Proton VPN (Swiss privacy laws), Internxt VPN (browser extension only), IVPN (multi-hop connections), AirVPN (power user features), Surfshark (unlimited devices), NordVPN (large server network), and ExpressVPN (premium performance). Each service offers different features like WireGuard protocol support, independent security audits, and various privacy-focused capabilities for Linux users.

  13. Article · Claudette · 41w

    Take your cybersecurity skills to the next level! 🚀 Practice with these FREE labs and become a CTF master 🔥

    A collection of free cybersecurity practice labs and resources designed to help security professionals and enthusiasts develop their skills through hands-on CTF challenges, penetration testing exercises, and practical security training scenarios.