HN Reader

Major reversal in ocean circulation detected in the Southern Ocean (icm.csic.es)

5 points by riffraff 15m ago 0 comments

Introducing tmux-rs (richardscollin.github.io)

672 points by Jtsummers 14h ago 216 comments

Flounder Mode – Kevin Kelly on a different way to do great work (joincolossus.com)

204 points by latentnumber 13h ago 41 comments

Launch HN: K-Scale Labs (YC W24) – Open-Source Humanoid Robots

159 points by codekansas 12h ago 83 comments

AV1@Scale: Film Grain Synthesis, The Awakening (netflixtechblog.com)

182 points by CharlesW 12h ago 150 comments

Wind Knitting Factory (merelkarhof.nl)

101 points by bschne 8h ago 27 comments

Manipulating trapped air bubbles in ice for message storage in cold regions (cell.com)

48 points by __rito__ 3d ago 13 comments

Peasant Railgun (knightsdigest.com)

216 points by cainxinth 15h ago 157 comments

Poor Man's Back End-as-a-Service (BaaS), Similar to Firebase/Supabase/Pocketbase (github.com)

161 points by dcu 13h ago 99 comments

Sound Chip, whisper me your secrets [video] (media.ccc.de)

12 points by rasz 2d ago 1 comments

Electronic Arts Leadership Are Out of Their Goddamned Minds (aftermath.site)

24 points by dotmanish 1h ago 17 comments

Context Engineering for Agents (rlancemartin.github.io)

5 points by 0x79de 2d ago 0 comments

Ubuntu 25.10 Raises RISC-V Profile Requirements (omgubuntu.co.uk)

82 points by bundie 2d ago 24 comments

Opening up ‘Zero-Knowledge Proof’ technology (blog.google)

252 points by doomroot13 11h ago 151 comments

Where is my von Braun wheel? (angadh.com)

131 points by speckx 15h ago 98 comments

High-Fidelity Simultaneous Speech-to-Speech Translation (arxiv.org)

75 points by Bluestein 8h ago 41 comments

Caching is an abstraction, not an optimization (buttondown.com)

95 points by samuel246 2d ago 81 comments

Postcard is now open source (contraption.co)

94 points by philip1209 12h ago 29 comments

Converge (YC S23) well-capitalized New York startup seeks product developers (runconverge.com)

1 points by thomashlvt 8h ago 0 comments

CO2 sequestration through accelerated weathering of limestone on ships (science.org)

37 points by PaulHoule 5h ago 31 comments

An Algorithm for a Better Bookshelf (cacm.acm.org)

82 points by pseudolus 2d ago 12 comments

Experiment: Colocating agent instructions with eng docs (technicalwriting.dev)

7 points by dannyrosen 3d ago 2 comments

White House claims expansive power to nullify TikTok ban and other laws (nytimes.com)

27 points by ytpete 31m ago 5 comments

Fei-Fei Li: Spatial intelligence is the next frontier in AI [video] (youtube.com)

266 points by sandslash 2d ago 137 comments

Encoding Jake Gyllenhaal into one million checkboxes (2024) (ednamode.xyz)

55 points by chilipepperhott 13h ago 14 comments

AI for Scientific Search (arxiv.org)

94 points by omarsar 13h ago 22 comments

Show HN: I rewrote my notepad calculator as a local-first app with CRDT syncing (numpad.io)

30 points by tonyonodi 3d ago 12 comments

Stalking the Statistically Improbable Restaurant with Data (ethanzuckerman.com)

61 points by nkurz 11h ago 31 comments

Michael Madsen has died (nytimes.com)

98 points by anigbrowl 6h ago 30 comments

Astronomers discover 3I/ATLAS – Third interstellar object to visit Solar System (abc.net.au)

291 points by gammarator 1d ago 161 comments

About AI Evals (hamel.dev)

172 points by TheIronYuppie 3d ago 40 comments

Alice's Adventures in a Differentiable Wonderland (arxiv.org)

141 points by henning 3d ago 25 comments

Nintendo locked down the Switch 2's USB-C port and broke third-party docking (theverge.com)

7 points by snvzz 1h ago 4 comments

Show HN: HomeBrew HN – Generate personal context for content ranking (hackernews.coffee)

109 points by azath92 16h ago 42 comments

Copper is Faster than Fiber (2017) [pdf] (arista.com)

76 points by tanelpoder 2d ago 71 comments

Tools: Code Is All You Need (lucumr.pocoo.org)

281 points by Bogdanp 18h ago 204 comments

Trans-Taiga Road (2004) (jamesbayroad.com)

150 points by jason_pomerleau 1d ago 86 comments

Whole-genome ancestry of an Old Kingdom Egyptian (nature.com)

146 points by A_D_E_P_T 1d ago 100 comments

The End of Moore's Law for AI? Gemini Flash Offers a Warning (sutro.sh)

108 points by sethkim 11h ago 67 comments

ASCIIMoon: The moon's phase live in ASCII art (asciimoon.com)

264 points by zayat 2d ago 79 comments

My open source project was relicensed by a YC company [license updated] (twitter.com)

238 points by sohzm 3h ago 84 comments

Importance of context management in AI NPCs (walterfreedom.com)

54 points by walterfreedom 3d ago 24 comments

FossFLOW: Make beautiful isometric infrastructure diagrams (github.com)

10 points by nateb2022 9h ago 0 comments

Parallelizing SHA256 Calculation on FPGA (controlpaths.com)

58 points by hasheddan 13h ago 31 comments

When will ad tech measurement not be a mess of fraud? (twitter.com)

6 points by dotcoma 1h ago 1 comments

Nano-engineered thermoelectrics enable scalable, compressor-free cooling (jhuapl.edu)

114 points by mcswell 3d ago 59 comments

Gmailtail – Command-line tool to monitor Gmail messages and output them as JSON (github.com)

131 points by c4pt0r 1d ago 29 comments

Spending Too Much Money on a Coding Agent (allenpike.com)

143 points by GavinAnderegg 2d ago 152 comments

ICEBlock, an app for anonymously reporting ICE sightings, goes viral (techcrunch.com)

458 points by exiguus 1d ago 711 comments

A Higgs-Bugson in the Linux Kernel (blog.janestreet.com)

209 points by Ne02ptzero 1d ago 48 comments

Tell HN: Google says "not vuln", fixes hours later without attribution

17 Eikon 3 7/3/2025, 3:58:46 PM
The Certificate Transparency system protects you from malicious HTTPS certificates. When CT logs have predictable private keys, the entire web PKI security model breaks down. This compromises every certificate the log ever signed - past, present, and future.

I reported security vulnerabilities in Certificate Transparency infrastructure that Google Chrome trusts. They dismissed them as "not vulnerabilities," made my private report public without consent, then silently implemented my fixes hours later.

The discovery:

While benchmarking, I used echo " " > seed.bin (32 spaces). Sunlight accepted this and generated valid but predictable private keys for a CT log. No warnings, no errors.

Why this matters:

1. Operator correctly runs: cat /dev/urandom > seed.bin

2. Filesystem corruption fills seed with nulls/spaces (happens in production)

3. Sunlight silently generates predictable keys from corrupted seed

4. CT log operates "normally" - valid signatures, no errors

5. Anyone knowing about corruption can recreate the private keys

Without checksums, even perfect operators get silently compromised. This is PKI infrastructure that protects HTTPS certificates.

This isn't hypothetical - filesystem corruption is common in production systems. Power failures, kernel panics and storage failures regulary cause partial writes and null bytes.

Google's response:

- "Not a vulnerability": https://groups.google.com/a/chromium.org/g/ct-policy/c/qboz9s8b9j8/m/B6JXa2q1BAAJ

- Published my private security report without consent

- Implemented my exact fixes hours later

  - https://github.com/FiloSottile/sunlight/commit/f62f9084016c4c377d3855471720d7d0cdea3663

  - https://github.com/FiloSottile/sunlight/commit/32cc3ea2524e89f93febb967683c6467753f484d
- Banned me for pointing out the contradiction: https://groups.google.com/g/certificate-transparency/c/u8SsXgSFbz4/m/14ePyeCrBAAJ

Bonus vulnerability:

They authenticate using User-Agent strings. Anyone can spoof these headers to bypass rate limits and overwhelm the service:

- https://github.com/FiloSottile/sunlight/blob/main/cmd/skylight/skylight.go#L176

- https://github.com/FiloSottile/sunlight/blob/main/cmd/skylight/skylight.go#L148

This is production code, trusted by Google Chrome today (https://www.gstatic.com/ct/log_list/v3/all_logs_list.json) see the "sunlight" logs.

The exact email that got me banned is here https://groups.google.com/g/certificate-transparency/c/u8SsXgSFbz4/m/14ePyeCrBAAJ - judge for yourself if it violates any reasonable code of conduct.

Has anyone else experienced retaliation for responsible security disclosure? How do we fix a system where reporting vulnerabilities gets you banned while the issues get quietly patched?

Comments (3)

ipaddr · 12h ago
Stop sending bugs to Google and expecting to get paid. This has been going on forever.
_Reo · 13h ago
This sounds like a footgun and not a vulnerability.
owebmaster · 11h ago
What a great way to waste time doing free work for Google.