Cassidy's blog·12wHow passkeys work
A beginner-friendly explainer on how passkeys work using public/private key cryptography, where a private key stays on your device and a public key is shared with the website. Covers the core handshake mechanism, compares passkeys to passwords and password managers, and offers a measured take on their real-world trade-offs — including device dependency and phishing resistance — without overselling them as a universal solution.
Tech Lead Digest·14wNorth Korean infiltrator caught working in Amazon IT department thanks to lag — 110ms keystroke input raises red flags over true location [Updated]
Amazon detected a North Korean infiltrator working as a contract system developer by monitoring keystroke input lag. The imposter's 110ms keystroke delay revealed they were remotely controlling a laptop located in Arizona from North Korea. Amazon has blocked over 1,800 DPRK infiltration attempts since April 2024, with attempts increasing 27% quarter-over-quarter. The company's Chief Security Officer emphasizes that active monitoring is essential, as these infiltrators would go undetected without proactive security measures. A woman facilitating this fraud was sentenced to prison earlier this year.
Programmers are also human·14wInterview with a ‘Just use a VPS’ bro (OpenClaw version)
A satirical dialogue highlighting the complexity and security challenges of setting up a VPS server. The piece walks through hardening SSH access, configuring firewalls, managing automatic updates, installing dependencies, and setting up systemd services—all while poking fun at the 'just use a VPS' mentality that oversimplifies server administration. The humor underscores how what seems like a simple one-click install actually requires extensive security configuration, system administration knowledge, and ongoing maintenance.
Socket·12wSocket Joins the OpenJS Foundation
Socket, a JavaScript supply chain security company, has joined the OpenJS Foundation as a Silver Member. The company highlights its deep roots in the JavaScript open source community, noting that its engineers collectively maintain packages accounting for roughly 10% of all npm downloads. The membership reinforces Socket's commitment to improving security and governance of the JavaScript ecosystem, with goals around making the open source supply chain safer and more resilient.
Mozilla Hacks·12wGoodbye innerHTML, Hello setHTML: Stronger XSS Protection in Firefox 148
Firefox 148 is the first browser to ship the standardized Sanitizer API, which provides built-in XSS protection by sanitizing untrusted HTML before DOM insertion. The new `setHTML()` method replaces the error-prone `innerHTML` assignment, stripping dangerous elements and attributes by default. Developers can customize the sanitization configuration for stricter or more permissive rules, and can combine `setHTML()` with Trusted Types for centralized control over HTML injection. This approach requires minimal code changes and no dedicated security team, making XSS prevention accessible to a broader range of developers.
Socket·11wMalicious Go “crypto” Module Steals Passwords and Deploys Re...
Socket's Threat Research Team discovered a malicious Go module, github.com/xinfeisoft/crypto, impersonating the legitimate golang.org/x/crypto package. The backdoor was inserted into ssh/terminal/terminal.go's ReadPassword function, which captures passwords, exfiltrates them to attacker-controlled infrastructure, and executes a remote shell stager. The stager adds an SSH key for persistence, weakens iptables firewall rules, and downloads two disguised payloads — one of which is confirmed as the Rekoobe Linux backdoor linked to APT31. The module used GitHub Raw as a rotating C2 pointer to avoid republishing. The Go module proxy now blocks the package with a 403 SECURITY ERROR after Socket's report. Defenders are advised to treat go.mod changes as security-sensitive, use dependency scanning in CI, and watch for curl|sh execution, authorized_keys modifications, and iptables policy changes.
ByteMonk·11wOpenClaw: The Most Dangerous AI Project on GitHub?
OpenClaw is a self-hosted AI agent with 200,000+ GitHub stars that connects to messaging apps, file systems, and terminals to act autonomously. Its architecture uses four layers: a WebSocket gateway, an LLM reasoning layer, a markdown-based memory system with write-ahead logging, and a skills execution layer. However, serious security issues have emerged: a WebSocket origin validation vulnerability allowed one-click full compromise, 20% of its plugin marketplace (Claw Hub) was found to contain malware, and over 30,000 instances are exposed on the public internet with no authentication. Six additional CVEs were recently disclosed. Safe usage recommendations include running it in Docker or rootless Podman with two-layer container isolation, binding the gateway to localhost only, and vetting every plugin before installation.
AI LABS·15wThis Is What Clawdbot Was Missing
OpenClaw (formerly Claudebot/Moltbot) is a self-hosted AI assistant with significant security vulnerabilities and cost concerns. Security issues include credentials stored in plain JSON files, malicious community skills, and prompt injection risks. The architecture sends full conversation context with each query, causing high token costs ($128/month for a single daily cron job) and increasing response times (2-119 seconds). Mitigation strategies include using Docker sandboxing, limiting skill installations, setting API budget alerts, using models with built-in guardrails, and running in isolated environments without sensitive data access.
Lobsters·14wMicrosoft Has Killed Widgets Six Times. Here's Why They Keep Coming Back.
Windows widgets have been implemented and killed six times since 1997, each iteration failing due to performance, security, screen space, or engagement issues. Active Desktop crashed systems, Vista Sidebar consumed too much screen space, Windows 7 gadgets had catastrophic security flaws, Windows 8 Live Tiles disrupted workflow, and early Windows 11 attempts felt invasive. The current Widget Board uses declarative Adaptive Cards with native WinUI 3 rendering, eliminating code execution vulnerabilities while maintaining interactivity. Every architectural constraint in today's platform exists as a direct response to a specific past failure.
Socket·13wIntroducing PHP and Composer Support in Socket
Socket now supports PHP and Composer, offering package search, SBOM generation, and supply chain security protection for PHP dependencies. The platform provides AI-powered analysis to detect zero-day threats, typosquatting, and backdoors beyond traditional CVE scanning. Key features include lockfile analysis, dev dependency tracking, vulnerability detection with CISA KEV enrichment, and proactive Packagist monitoring. Package search is available now for everyone, while SBOM generation and full security scanning are rolling out experimentally to customers.
The Daily WTF·15wThis Router Says **** You
A router's web interface prevents password managers from working due to a custom password masking implementation that uses duplicate HTML IDs and JavaScript event interception instead of standard input type="password". The codebase exhibits numerous quality issues including duplicate jQuery libraries, unnecessary F5 key handling, bloated hexadecimal validation functions, and a password field that clears entirely when using backspace or arrow keys. These problems illustrate common issues in embedded device interfaces, often written by networking engineers without frontend expertise.
Veronica Explains·12wGrapheneOS can help you retake your privacy, right now.
A personal account of nearly three years using GrapheneOS as a daily driver on Pixel devices, covering why it's a compelling privacy-focused Android alternative. GrapheneOS strips out Google Play Services by default, leaving a minimal 14-app experience that can be selectively expanded. Sandboxed Google Play is available for those who need banking or travel apps, while a fully de-Googled setup is viable for users willing to use alternatives like Signal, F-Droid, and Obtainium. Key trade-offs include no tap-to-pay support, reduced push notification reliability without Google Play, and some GPS app limitations. Standout features include a duress PIN, PIN scrambling, storage scopes, and dramatically improved battery life. The author also candidly criticizes the GrapheneOS team's combative social media behavior while still endorsing the project as the best privacy option on Android.
Phoronix·11wsudo-rs Breaks Historical Norms With Now Enabling Password Feedback By Default
sudo-rs, the Rust-based sudo replacement shipping in Ubuntu 26.04, has enabled password feedback (asterisks) by default when entering passwords in the terminal. This breaks decades of Unix tradition where no feedback was shown to avoid revealing password length to shoulder surfers. The upstream developers justified the change as a major UX improvement for new Linux users, noting that virtually all other password interfaces already show asterisks. The change is controversial, with some users upset about the silent default change. Users who want to restore the old behavior can add 'Defaults !pwfeedback' to their sudo configuration.
Security Boulevard·12wAnthropic Didn’t Kill Cybersecurity. It Just Reminded Us There Are Two Doors.
Anthropic's Claude Code Security announcement triggered a sharp selloff in cybersecurity stocks, with companies like Okta, SailPoint, and CrowdStrike dropping significantly. The panic was misplaced: AI-powered code scanning addresses only one of two primary attack vectors — software vulnerabilities. The second and equally significant vector — identity theft, credential abuse, phishing, and social engineering — remains entirely untouched by code scanning tools. Identity-focused companies like Okta and SailPoint don't compete with Claude Code Security at all; they solve a structurally different problem. The identity attack surface is durable because it stems from architectural patterns and human behavior, not patchable bugs. Analysts from Barclays and Jefferies called the selloff illogical, and the security industry's own data (Verizon DBIR, MITRE ATT&CK) consistently shows credentials and human manipulation as dominant breach vectors.
Ramp Engineering·12wWe fixed ~100 security issues in 6 days with 0 humans
Ramp's security engineering team built a multi-agent pipeline that autonomously found, validated, and patched nearly 100 security vulnerabilities in their backend codebase in under a week, with no human involvement until PR review. The system used specialized detector agents for specific vulnerability classes (e.g., IDOR), adversarial manager agents to filter false positives (rejecting 40% of initial findings), a validator agent that wrote integration tests to confirm real issues, and a fixer agent that applied patches using test-driven development. The approach uncovered novel high-severity issues missed by penetration testing, bug bounties, and 10+ commercial scanning tools. The entire setup required only a four-hour hackathon and one week of work by a single engineer.
Low Level Learning·14wthis makes me really upset
Curl project discontinued its HackerOne bug bounty program due to overwhelming AI-generated false vulnerability reports. Daniel Stenberg and maintainers faced a flood of low-quality submissions with fabricated security issues, including reports about non-existent buffer overflows and use-after-free bugs in unrelated code. The signal-to-noise ratio became unsustainable, with AI-generated reports wasting time that could be spent on legitimate security work. While AI security research tools like Expo show promise when used properly, indiscriminate automated submissions are forcing critical open-source projects to abandon bug bounty programs entirely.
LaurieWired·12w2026 Computer Science Predictions
A set of five technical predictions for 2026 covering: (1) CXL-backed tiered memory becoming a cloud offering as RAM prices rise and the Linux kernel matures its memory tiering support; (2) a coordinated lunar time standard being officially published, driven by general relativity making moon-time drift from Earth-time; (3) CHERI (Cherry) capability-based hardware memory safety gaining traction as a hardware-level alternative to rewriting codebases in Rust; (4) a major package repository like npm being forced to shut down registrations due to AI-assisted supply chain attacks and 'slop squatting'; and (5) LLVM adding a third ML-guided optimization heuristic, making compiler output non-deterministic at maximum optimization levels.
MIT Technology Review·14wMoltbook was peak AI theater
Moltbook, a viral social network where AI agents interact, reveals more about current AI hype than future capabilities. While millions of LLM-powered agents posted content and formed communities, experts argue the platform demonstrates pattern-matching rather than true intelligence or autonomy. Humans remain involved at every step, from setup to prompting, making it more entertainment than emergent AI behavior. The experiment exposed security risks as agents with access to private data interact with unvetted content, but ultimately shows how far we are from truly autonomous AI systems.
Arcjet·15wArcjet JS SDK v1.0: Stability as a Developer Feature
Arcjet has released v1.0 of its JavaScript SDK after two years of development, marking the transition from beta to a stable, production-ready API. The release emphasizes stability and minimal breaking changes as core features, with only three breaking changes introduced during the entire alpha/beta period. The team prioritizes predictable monthly releases, backwards compatibility, and reducing dependency churn to prevent developer fatigue. This milestone represents a commitment to long-term API stability, allowing teams to integrate security tooling without ongoing migration overhead.
Laravel News·13wGenerate Secure, Memorable Passphrases in PHP with PHP Passphrase
PHP Passphrase is a Bitwarden-inspired package that generates secure, human-readable passphrases by combining random words from the EFF word list. It offers customizable options for word count, separators, capitalization, and number inclusion, with first-class Laravel integration through facades and dependency injection, plus standalone PHP usage. The package supports custom word lists and includes publishable configuration for Laravel projects.
Filippo Valsorda·12wTurn Dependabot Off
Dependabot generates excessive noise by opening PRs for vulnerabilities that don't actually affect your code, causing alert fatigue and discouraging proper security triage. Using a real case study—a filippo.io/edwards25519 security fix that triggered thousands of irrelevant PRs—the author argues for replacing Dependabot with two scheduled GitHub Actions: one running govulncheck (which uses static analysis to filter alerts to only reachable vulnerable symbols), and one running CI against the latest dependency versions. This approach eliminates false positives, reduces supply chain risk by not auto-merging updates, and ensures security alerts are actionable rather than routine noise.
Laravel News·11wLivewire v4.2.0 Released with Security Hardening and Laravel 13 Support
Livewire v4.2.0 has been released with Laravel 13 compatibility and seven targeted security hardening improvements. Security changes include lifecycle method protection against frontend invocation, timing-safe checksum comparison using hash_equals(), payload schema validation, stricter X-Livewire header and JSON content type requirements, and web middleware enforcement on custom update routes. New developer features include reactive props during boot hooks and a $errors.clear() method on the JavaScript errors object. Bug fixes address an EventBus listener memory leak under Octane, silent failures for non-UTF-8 property data, broken route model binding with cached middleware, and wire:model failures with string array keys. No breaking changes are expected for typical applications.
.NET Blog·14w.NET and .NET Framework February 2026 servicing releases updates
.NET 10.0, 9.0, and 8.0 received February 2026 servicing updates with security and non-security fixes. The releases include versions 10.0.3, 9.0.13, and 8.0.24 across runtime, ASP.NET Core, Entity Framework Core, SDK, and other components. No new .NET Framework updates were released this month. Detailed changelogs and release notes are available on GitHub for each affected component.
Hacker News·14wmicrosoft/litebox: A security-focused library OS supporting kernel- and user-mode execution
LiteBox is a security-focused library OS from Microsoft that reduces attack surface by minimizing the host interface. It supports both kernel and user-mode execution with a modular architecture featuring "North" shims and "South" platforms. The library provides a Rust-based interface inspired by nix/rustix and enables use cases like running unmodified Linux programs on Windows, sandboxing Linux applications, executing on SEV SNP, and running OP-TEE programs. The project is under active development with APIs subject to change before stable release.
Fireship·14wHow to become a degenerate hacker... a beginner's guide
An introductory overview of ethical hacking covers 10 open-source security tools available in Kali Linux, including Nmap for network mapping, Wireshark for packet inspection, Metasploit for exploit frameworks, Aircrack for WiFi security testing, Hashcat for password cracking, and tools for web vulnerability scanning, forensics, and SQL injection testing. The guide emphasizes legal and ethical use with proper authorization, explaining basic concepts like port scanning, packet analysis, hash cracking, and common attack vectors while warning about the legal consequences of unauthorized penetration testing.