惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

L
LINUX DO - 最新话题
V
Visual Studio Blog
博客园 - 司徒正美
小众软件
小众软件
量子位
J
Java Code Geeks
美团技术团队
Latest news
Latest news
T
Threatpost
V
Vulnerabilities – Threatpost
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
酷 壳 – CoolShell
酷 壳 – CoolShell
C
CERT Recently Published Vulnerability Notes
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Security Latest
Security Latest
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
大猫的无限游戏
大猫的无限游戏
I
Intezer
S
Securelist
TaoSecurity Blog
TaoSecurity Blog
A
Arctic Wolf
罗磊的独立博客
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
C
Cisco Blogs
V2EX - 技术
V2EX - 技术
W
WeLiveSecurity
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
NISL@THU
NISL@THU
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Project Zero
Project Zero
L
LINUX DO - 热门话题
博客园 - Franky
WordPress大学
WordPress大学
月光博客
月光博客
PCI Perspectives
PCI Perspectives
L
Lohrmann on Cybersecurity
C
Cyber Attacks, Cyber Crime and Cyber Security
博客园 - 聂微东
博客园 - 三生石上(FineUI控件)
有赞技术团队
有赞技术团队
Jina AI
Jina AI
爱范儿
爱范儿
博客园 - 叶小钗
T
Threat Research - Cisco Blogs
IT之家
IT之家
Security Archives - TechRepublic
Security Archives - TechRepublic
V
V2EX
博客园_首页
宝玉的分享
宝玉的分享

Hacker News: Front Page

SPICE simulation → oscilloscope → verification with Claude Code — Lucas Gerads GitHub - GainSec/AutoProber: Hardware hacker’s flying probe automation stack for agent-driven target discovery, microscope mapping, safety-monitored CNC motion, probe review, and controlled pin probing. Introducing Claude Opus 4.7 Qwen Studio The Future of Everything is Lies, I Guess: Where Do We Go From Here? GitHub - SeanFDZ/macmind: Single-layer transformer in HyperTalk for the classic Macintosh Virginia Bans Sale of Geolocation Data Show HN: Agent-cache – Multi-tier LLM/tool/session caching for Valkey and Redis Ancient DNA reveals pervasive directional selection across West Eurasia [pdf] AI cybersecurity is not proof of work Moving a large-scale metrics pipeline from StatsD to OpenTelemetry / Prometheus GitHub - Nightmare-Eclipse/RedSun: The Red Sun vulnerability repository GitHub - SethPyle376/hiraeth: Local AWS emulator focused on fast integration testing, with SQS support, SQLite-backed state, and a debug-friendly web UI. A Better Ludum Dare; Or, How to Ruin a Legacy GitHub - macOS26/Agent: Any AI, replaces Claude Code, Cursor, OpenClaw. Over 18 LLM providers (Claude, OpenAI, Gemini, Ollama, Zai, HF, Qwen) wired into a native Mac app that writes code, builds Xcode projects, bumps versions, manages git, automates Safari, use AppleScript, JS or Accessibility, extend Agent! w/ MCP Servers, run tasks from your iPhone via Messages. YouTube now lets you turn off Shorts I Made a Terminal Pager Burgers | マクドナルド公式 Commands — HackerNews CLI documentation ChatGPT for Excel PiCore - Raspberry Pi Port of Tiny Core Linux Live Nation illegally monopolized ticketing market, jury finds Google Broke Its Promise to Me. Now ICE Has My Data. Founding Engineer at Adaptional | Y Combinator CRISPR takes important step toward silencing Down syndrome’s extra chromosome GitHub - saffron-health/libretto: The AI toolkit for building reliable browser automations US v. Heppner (S.D.N.Y. 2026) no attorney-client privilege for AI chats [pdf] Unexpected €54k billing spike in 13 hours: Firebase browser key without API restrictions used for Gemini requests Fragments: April 14 Cal.com Goes Closed Source: Why AI Security Is Forcing Our Decision | Cal.com - Scheduling Software for Online Bookings Laravel raised money and now injects ads directly into your agent Codex Hacked a Samsung TV Tech Valuations Back to Pre-AI Boom Levels A perfectable programming language — Soter GitHub - halfwhey/claudraband: Claude Code for the Power User Partnership through Play: Investigating How Long-Distance Couples Use Digital Games to Facilitate Intimacy Textbooks and Methods of Note-Taking in Early Modern Europe (2008) Eternity in six hours: Intergalactic spreading of intelligent life (2013) Seven countries now generate 100% of their electricity from renewable energy Tell HN: OpenAI silently removed Study Mode from ChatGPT Pro Max 5x Quota Exhausted in 1.5 Hours Despite Moderate Usage Show HN: Oberon System 3 runs natively on Raspberry Pi 3 (with ready SD card) Tell HN: docker pull fails in spain due to football cloudflare block Bring Back Idiomatic Design No one owes you supply-chain security GitHub - xsawyerx/curl-doom: DOOM, played over cURL Apple update turns Czech mate for locked-out iPhone user The Grand Line Cache TTL silently regressed from 1h to 5m around early March 2026, causing quota and cost inflation Building a Z-Machine in the worst possible language The peril of laziness lost Iran war: We spoke to the man making Lego-style AI videos that experts say are powerful propaganda AI Will Be Met With Violence, and Nothing Good Will Come of It GitHub - duguyue100/midnight-captain: Inspired by Midnight Commander, tailored to my taste. How to build a `git diff` driver · Jamie Tanna | Software Engineer Center for Responsible, Decentralized Intelligence at Berkeley The Local Universe’s Expansion Rate Is Clearer Than Ever, but Still Doesn’t Add Up - A new synthesis of astronomical measurements confirms a persistent mismatch that could point to physics beyond current models The disturbing white paper Red Hat is trying to erase from the internet – OSnews NetBlocks (@netblocks@mastodon.social) The Future of Everything is Lies, I Guess: Annoyances ‘Abhorrent’: the inside story of the Polymarket gamblers betting millions on war Productive procrastination — Max van IJsselmuiden maps, territory and LMs 447 Terabytes per Square Centimetre at Zero Retention Energy: Non-Volatile Memory at the Atomic Scale on Fluorographane Show HN: Pardonned.com – A searchable database of US Pardons 20 Years on AWS and Never Not My Job The Seasons are Wrong The FAA wants gamers to apply for air traffic control jobs Artemis II crew splashes down near San Diego after historic moon mission Why weekends are under threat We gave an AI a 3 year retail lease in SF and asked it to make a profit | Andon Labs How a dancer with ALS used brainwaves to perform live On filing the corners off my MacBooks Installing every* Firefox extension OpenClaw’s memory is unreliable, and you don’t know when it will break Steve Blank Nowhere Is Safe Chimpanzees in Uganda locked in vicious 'civil war', say researchers watgo - a WebAssembly Toolkit for Go linux/Documentation/process/coding-assistants.rst at master · torvalds/linux GitHub - callumlocke/json-formatter: Makes JSON easy to read. Founding Product Engineer at Bild AI | Y Combinator A compelling title that is cryptic enough to get you to take action on it GitHub - Keychron/Keychron-Keyboards-Hardware-Design: Industrial design files for Keychron keyboards and mice. 100+ models with CAD assets in STEP, DXF, DWG, and PDF. Source-available, with commercial use allowed for original compatible accessories within the license terms. [ANNOUNCE] WireGuardNT v0.11 and WireGuard for Windows v0.6 Released 1D-Chess Helium Is Hard to Replace Keeping a Postgres queue healthy — PlanetScale Serenity Forge (@serenityforge.com) Our response to the Axios developer tool compromise Do Americans read print books, e-books or audiobooks more? Uncharted island soon to appear on nautical charts The Problem That Built an Industry Fragments: April 2 Python Release Python install manager 26.1 Bitcoin miners are losing $19,000 on every BTC produced as difficulty drops 7.8% God sleeps in the minerals Harness engineering: leveraging Codex in an agent-first world Apple Silicon and Virtual Machines: Beating the 2 VM Limit What have been the greatest intellectual achievements? The APL Programming Language Source Code
Welcome to the strip mining era of open source security
salsakran · 2026-05-15 · via Hacker News: Front Page

Open source software is in for a rough 2026 summer. If you’re an Open Source maintainer, there’s something afoot you should already know about. If you’re an OSS user, you should be aware of it as it’ll explain some behavior around you that might otherwise seem odd.

TL;DR: High volume, LLM-powered scanning for security vulnerabilities is going to uncover lots of security issues in anything with public source code.

This all started a few months ago

Historically, Metabase averaged 10 submissions per month to our security@metabase.com, most of which were trivial or not actually vulnerabilities. Many were false positives from scanning tools, and we spent most of our time explaining to the reporter that what they found wasn’t actually a problem.

At the turn of the year, things changed. Starting in January, we’ve been averaging 10 submissions per week, and many of these are legit. Most are not serious, and we’ve quietly fixed them, thanked the researcher, and went our merry way. However, it was a step change in both volume and quality of reporting. These come from a wide variety of locations and people, and sometimes, but not always, are looking for bug bounties. More often than not, the reports are in markdown, and read like they’re LLM generated. Others are seeing this as well.

It doesn’t take too insightful an eye to realize we’re seeing a remarkable improvement in automated code scanning. We’ve since tried out a few vendors in the space, and what do you know — more (thankfully minor) issues found. There’s no one vendor or model that’s the root cause. While we originally thought it could be Claude Security, that was only announced in February, after things had already picked up. And OpenAI is also getting into the game. Does this mean there’s another wave coming after everyone gets access to these? Likely. But regardless of specific foundational models, this is just a consequence of coding agents in general getting better at scanning codebases for flaws.

Historically, we tended to get two styles of vulnerability research:

Superficial scanners run in bulk: Running an OWASP scanner or other out-of-the-box vuln scanner. These tended to be mostly false positives.

Motivated deep digging: This was typically a serious user paying researchers, often with a knowledge of the application area or framework deeply and knowing where to probe. These tended to find a cluster of similar issues, often related to the style or speciality of the researcher.

Vulnerabilities are now being strip mined

If your code is available, and someone is willing to spend tokens, they can scan the code in bulk. As coding agents get better at understanding code bases (and as a sane person — don’t take the other side of that bet), we’ll be getting layer after layer of progressively deeper vulnerabilities uncovered.

The Bright side with some dark implications

Now, if there’s any bright side to all of this, it’s that so far, there seems to be an alignment of incentives between ethical research and open core companies. If you’re a budding security researcher, the play is:

1) Wrap up claude/codex/etc in a bunch of skills and turn that into a SaaS offering. 2) Bulk scan commercial open source repositories 3) Send out every finding with a footer advertising your automated scanning SaaS service to the Commercial OSS company and any big users you can scrape from their website.

Needless to say, there are now approximately 1000 of these SaaS offerings, so it’s a competitive game, but thankfully, there is a pro-social path that pays. With non-commercial open source, it’s a bit less lucrative - you’re stuck mining for bounties that users of the OSS project offer. I’m not sure I want to know what’s happening in the unethical side of security research these days.

For our broader security posture: https://www.metabase.com/security

What this means for OSS maintainers

Now, in the Long Run, this is great. We have a lot of third parties burning tokens to help you find any possible exploitable flaws in your software. And once they’re fixed, any software you’re running is more secure and less likely to have issues. These scanners will proliferate and eventually probably make their way into your CI workflows.

In the short term, it’s gonna be rough.

To start with, you should assume that any vulnerability that was disclosed to you is trivially discoverable now, regardless of how buried it was in your code. While some researchers are doing novel work, the majority of this will be low-ish effort bulk code scans. If one person running Claude Code on your codebase found it, you can expect someone else using e.g., Codex to find it soon enough.

What this means is that even if you have an agreement with the researcher to not make it public before you have had a chance to fix the problem, you need to treat the vulnerability as fundamentally “out in the wild”. Did you have other plans for the weekend? Or a long term project you’re prioritizing? That’s nice, you have a new plan — fix every vulnerability that comes in NOW.

Closed source developers get to find and fix issues on their own schedule, and at least in theory are able to get ahead of third party researchers. If your code is available, you’re going to be living in reactive mode for a while.

Net-net, it’s a lot of short term pain you’ll experience on the OSS path that just isn’t there if you’re closed source. And to add insult to injury - we’ll all get to a similar state. You can make the case that historically, being open source would get you attention from high end security researchers, and in exchange for them getting attribution and/or bounties, the net result was that you could expect OSS to be more secure than if it had been released as closed source. With coding agents being the main driver, this advantage largely dissipates. Whether you’re spending the tokens or someone else is, all classes of vulnerabilities that can be automatically scanned will be easily found.

So it’s understandable that Cal.com is going closed source as a result, and will likely be joined by other commercial operations who a) have customers they care about and b) don’t want to devote the next couple of months to chasing down every publicly findable security issue.

It also bears stating that if you’re a non-commercial OSS project, you’re now getting even more pressure from LLMs. Commercial operations (if they’re doing well) have people getting paid to deal with security issues at 4am on a Saturday. If you’re just running a big OSS project out of the goodness of your heart or you have a promising but not yet At-Scale commercial offering, I’m sorry. Side note: for unknown reasons, this year, Metabase seemed to get notice of serious vulnerabilities either on Friday Nights or holiday weekends. The only upside is that we’ve been able to block, patch and deploy fixes before our customers get back into the office on Monday.

What should you be doing?

What does this mean for you, dear reader?

If you make software for a living, open or closed source, you’re in for a fun summer - expect to have layer after layer of your security issues uncovered. Try to run as many trials of scanning products as you can and aggressively prompt your own coding agents.

If you don’t already have frequent security patches, start. Get your users used to upgrading frequently. If you can make your system easier to upgrade/patch, you won’t regret it.

Fix everything you get your hands on. If you’re smart, you’ve architected your system to have multiple layers of protection, but you can’t rely on any given layer right now. So any opening, no matter how small, should be fixed immediately so it can’t be chained into a larger attack.

If you’re selling a closed source product, you have a new security threat: code leakage. You should assume that any compromise of your source code will unearth a large number of vulnerabilities.

What should you do if you’re using Open Source Software?

Short answer: Treat every OSS dependency as if a new vulnerability will be disclosed against it this quarter, and build your patching, monitoring, and access controls around that assumption.

The five practices that matter most:

1) You should expect that you’ll need to upgrade a lot more frequently, and budget for that ahead of time. 2) Monitor and pin all of your OSS dependencies. Get used to upgrading them ALL THE TIME. 3) Practice Defense-in-Depth and do your best to create layers of separation. They will be tested. 4) Level up your logging and observability game, and make sure someone is watching the logs. 5) Exercise the principles of least privilege, and make sure any credentials used by any software has only the bare minimum privileges.

Really, just do all of the things you should have been doing all along, just at a much more aggressive level. Similar to how the proliferation of drive-by network scanning means that regardless of how small an operation you are, you can expect port scans, you can expect bulk attacks on any OSS you use no matter how small you or the project are.

In closing, all of this will be discovering bugs currently in the code. After the initial short term pain, both the code that currently exists and the code that will be written will be more secure.

It’s just going to suck getting there.