Management of IP numbers by peg-DHCP (1998) (datatracker.ietf.org)

1 points by sjmulder 1m ago 0 comments

Max Read's 'A Literary History of Fake Texts in Apple's Marketing Materials' (daringfireball.net)

1 points by Bogdanp 4m ago 0 comments

Z-Wave Reborn – Home Assistant Connect ZWA-2 (home-assistant.io)

1 points by mike-cardwell 4m ago 0 comments

Is McKinsey losing its crown to AI? [video] (youtube.com)

1 points by mgh2 7m ago 0 comments

Amazon Ads Multi-Touch Attribution (arxiv.org)

1 points by dakial1 8m ago 0 comments

Show HN: Cinematic Rolplay with Wan 2.2 (reveriedr.com)

1 points by amit0365 8m ago 0 comments

Ask HN: Is there an AI that can read code aloud and explain it?

2 points by djfobbz 9m ago 0 comments

Evals as Code: CI for LLMs with Dagger (dagger.io)

2 points by shad42 11m ago 1 comments

Ask HN: Is https://web.whatsapp.com/ loading for you atm?

1 points by gjvc 11m ago 1 comments

A Good Find (justinjackson.ca)

1 points by mooreds 13m ago 0 comments

If You Could Fix One Thing About AI Search, What Would It Be?

1 points by zyruh 14m ago 0 comments

Eca: Editor Code Assistant – AI pair programming capabilities agnostic of editor (github.com)

1 points by simonpure 15m ago 0 comments

Show HN: Deploy Any Web App Directly from Claude Code (disco.cloud)

1 points by gregsadetsky 17m ago 0 comments

The Tulpa in Your Pocket (default.blog)

1 points by exolymph 18m ago 0 comments

Water Cremation (Alkaline Hydrolysis) (en.wikipedia.org)

1 points by 1659447091 18m ago 0 comments

Temporary tattoo could detect an unwanted drug in your drink (phys.org)

3 points by wglb 23m ago 1 comments

How I Use Computers Now [video] (youtube.com)

1 points by abhi_kr 23m ago 0 comments

Memento Mori (Short Story) (en.wikipedia.org)

1 points by mooreds 24m ago 0 comments

Meta's superintelligence isn't here yet but its AI bets are already paying off (cnn.com)

1 points by heresie-dabord 24m ago 0 comments

NIST Finalizes 'Lightweight Cryptography' Standard to Protect Small Devices (nist.gov)

9 points by gnabgib 26m ago 0 comments

Tony Hoare on record handling. (1965) (dl.acm.org)

2 points by fanf2 28m ago 1 comments

Job board for hidden PERM jobs (H1B) (twitter.com)

1 points by exolymph 30m ago 0 comments

Tensor Auto Demo Video (youtube.com)

1 points by didip 32m ago 0 comments

Show HN: Videolangua – end-to-end video translate and subtitle/ dub (videolangua.com)

1 points by 3Sophons 32m ago 0 comments

A Conjecture Regarding SMT Instability [pdf] (ceur-ws.org)

1 points by luu 33m ago 0 comments

Humans, not glacial transport, brought bluestones to Stonehenge (new research) (phys.org)

2 points by wglb 33m ago 1 comments

Edcapit Presented Its Project at Keiretsu Forum Texas (USA) (edcapit.com)

1 points by edcapit 34m ago 3 comments

All Souls exam questions and the limits of machine reasoning (resobscura.substack.com)

2 points by benbreen 36m ago 0 comments

The quiet work of changing your mind (mfelix.org)

1 points by objcts 38m ago 0 comments

Gemini rolling out personalization based on your chat history (arstechnica.com)

2 points by nevir 39m ago 0 comments

The Online Safety Act isn't just about age verification – encryption is at risk (techradar.com)

2 points by nickslaughter02 39m ago 1 comments

Show HN: Docker container for Claude Code with complete host isolation (github.com)

1 points by nezhar 40m ago 1 comments

Ask HN: A way to know wich businesses are English speaking

2 points by pomdevv 40m ago 0 comments

Sam Altman's new startup wants to merge machines and humans (theverge.com)

1 points by ccenten 40m ago 1 comments

Decoding sweet potato DNA: New research reveals surprising ancestry (phys.org)

1 points by wglb 40m ago 1 comments

Clarity Is Speed (hellmayr.com)

1 points by shellmayr 41m ago 0 comments

Ask HN: A tool to automatically block AI job applications

1 points by pomdevv 42m ago 0 comments

New Stanford AI Coding Course: The Modern Software Developer (themodernsoftware.dev)

2 points by nutellalover 42m ago 1 comments

Analysis and protection against HTTP/2 'Made You Reset' CVE-2025-8671 (tempesta-tech.com)

1 points by krizhanovsky 44m ago 0 comments

Better Access Control by Default with Phoenix 1.8.0 Scopes (fullstack.ing)

1 points by fullstacking 44m ago 0 comments

Josef Prusa Warns Open Hardware 3D Printing Is Dead (hackaday.com)

3 points by josephcsible 44m ago 0 comments

Vector Search Capabilities for SQLite (github.com)

1 points by marcobambini 44m ago 0 comments

Show HN: Catalyst, a tool for short, playable interactive videos (usecatalyst.xyz)

1 points by abracadabratony 44m ago 0 comments

Humanity's Tech Tree (techdag-d6e56.web.app)

2 points by clairemiao123 48m ago 1 comments

Developing Artificial Life from Scratch (2019) (blog.labtag.com)

1 points by hakonbogen 49m ago 0 comments

Show HN: Learn what CQRS, Event Sourcing and co. Are all about (cqrs.com)

1 points by goloroden 51m ago 0 comments

LLM Tokenization Demo (github.com)

2 points by tokfan 52m ago 0 comments

Idk

1 points by heheehe 52m ago 1 comments

A New List Reveals Top Websites Meta Is Scraping of Copyrighted Content (dropsitenews.com)

2 points by exiguus 53m ago 0 comments

The road to artificial general intelligence (technologyreview.com)

2 points by birriel 53m ago 0 comments

New downgrade attack can bypass FIDO auth in Microsoft Entra ID

13 mikece 5 8/13/2025, 7:26:02 PM bleepingcomputer.com ↗

Comments (5)

parliament32 · 50m ago

It's not clear who this is an attack for.. organizations that have implemented phishing-resistant MFA will already have CA policy to block any sign-ins that don't have the required authentication strength (that same "You can't get there from here" message users in unsupported browsers get). Maybe it's effective if the organization is in the middle of a rollout, where FIDO is enabled but old MFA methods haven't been disabled yet?

EDIT: This is actually called out in the article:

> The attack sequence relies on the existence of an alternative authentication method (usually MFA), besides FIDO, for the targeted user account. But luckily, this tends to be the case with FIDO implementations, as most admins prefer to maintain a practical option for account recovery.

Most orgs will have TAP for account recovery, but that's not really phishable for other reasons.

dvno42 · 48m ago

Since this relies on simulating safari as the broswer, I wonder if a conditional access policy enforcing browser selection would help mitigate this.

While only realistic for a small number of users, I've started enforcing users of privileged tools to go through a wireguard instance before being allowed to access Azure hosted tools that rely on Entra auth. Services I publish then have a ingress whitelist of said wireguard VM.

lousken · 52m ago

What if you have conditional access policy requiring phishing resistant auth to be able to login?

Loudergood · 54m ago

Safari on Windows? That browser hasn't been supported since 2012...

moi2388 · 1h ago

Pff.. again an Entra ID security flaw? It’s incredibly how sloppy their single auth solution is..