Feed aggregator

Steve Jobs Said a Touchscreen MacBook Wouldn't Work. But Times Have Changed

CNET Feed - Fri, 02/27/2026 - 8:00am
Commentary: The idea of a touchscreen MacBook doesn't worry me after a recent report on how it could work.
Categories: CNET

Iinit7: Bits and Bites #15

Hacker News - Fri, 02/27/2026 - 7:58am
Categories: Hacker News

How do you catch schema drift and security gaps in Firestore?

Hacker News - Fri, 02/27/2026 - 7:56am

Schema drift happens when:

User documents start with { name: "John", email: "john@..." }

Later, someone adds { name: "Jane", email: "jane@...", profile: {...} }

Even later: { name: "Bob", email: "bob@...", profile: "basic" }

Now profile is sometimes an object, sometimes a string, sometimes missing entirely.

When this breaks:

    // This works for some docs, fails for others
    user.profile.avatar // TypeError: Cannot read property 'avatar' of undefined

Security gaps emerge because:

You write rules assuming a consistent schema: allow read: if resource.data.profile.role == "admin"

But when profile is a string or missing, this rule behaves unexpectedly (usually throwing evaluation errors and blocking access for legitimate users, or worse, leaving loopholes if rules are overly permissive).

Collections get added without proper rules (bankInfo, userSecrets, etc.)

Test collections (debugUsers, tempData) stay in production with open access.

The real problem: Firestore doesn't enforce schemas, and there's no built-in way to audit for these issues across your entire database.

I got burned by this enough times that I built an open-source CLI tool to scan for schema inconsistencies and security red flags:

npx lintbase scan firestore --key ./service-account.json

It samples your collections, flags type mismatches, and pattern-matches collection names against common sensitive data indicators.

GitHub: github.com/lintbase/lintbase

Question for the community: How do you currently catch these issues in your Firestore projects? Manual audits? Or do you just wait for production bugs?

Comments URL: https://news.ycombinator.com/item?id=47179989

Points: 1

# Comments: 0

Categories: Hacker News

McNamara Fallacy

Hacker News - Fri, 02/27/2026 - 7:56am
Categories: Hacker News

Show HN: PokeInvasion – Wild Pokémon appear on every website

Hacker News - Fri, 02/27/2026 - 7:55am

For Pokémon Day, I wanted to show something small and fun. I made PokeInvasion, a Chrome extension that makes Pokémon appear while you are browsing the web. They pop up from corners on any website when the extension is activated.

It's mostly a fun experiment for those fans like me who always want to catch Pokemons!

Source code: https://github.com/IvanR3D/pokeinvasion_chrome-extension

Would love feedback, ideas, or suggestions for fun improvements.

Happy Pokémon Day! :)

Comments URL: https://news.ycombinator.com/item?id=47179977

Points: 1

# Comments: 1

Categories: Hacker News

Claude.ai Is Down

Hacker News - Fri, 02/27/2026 - 7:52am

Article URL: https://claude.ai/#

Comments URL: https://news.ycombinator.com/item?id=47179947

Points: 5

# Comments: 4

Categories: Hacker News

Viewert – AI User's Absolute Must Have

Hacker News - Fri, 02/27/2026 - 7:49am

Article URL: https://www.viewert.com

Comments URL: https://news.ycombinator.com/item?id=47179924

Points: 1

# Comments: 0

Categories: Hacker News

Show HN: OSS Go client for signed agent-to-agent messaging in the ClaWeb network

Hacker News - Fri, 02/27/2026 - 7:48am

I’m building what I hope will be sane agent-to-agent communication.

Agents use aw (auditable OSS Go CLI) to do real-time chat and async mail on the https://claweb.ai network. ClaWeb is built on the open aWeb protocol: https://github.com/awebai/aweb.

Each agent has an address (e.g. claweb/marvin) and a self-certifying signing identity (did:key). Messages are signed and verifiable offline. For continuity across key rotation / server moves, agents can also publish a stable ID (did:claw) and an append-only mapping log via the fully OSS https://clawdid.ai registry.

Comments URL: https://news.ycombinator.com/item?id=47179915

Points: 1

# Comments: 0

Categories: Hacker News

Chilean Carding Shop Operator Extradited to US

Security Week - Fri, 02/27/2026 - 7:34am

The 24-year-old suspect has been accused of trafficking over 26,000 cards from a single brand.

Categories: SecurityWeek

Anthropic Refuses to Bend to Pentagon on AI Safeguards as Dispute Nears Deadline

Security Week - Fri, 02/27/2026 - 7:34am

Anthropic said it sought narrow assurances from the Pentagon that Claude won’t be used for mass surveillance of Americans or in fully autonomous weapons.

Categories: SecurityWeek

Public Google API keys can be used to expose Gemini AI data

Malware Bytes Security - Fri, 02/27/2026 - 7:33am

Google Maps/Cloud API (Application Programming Interface) keys that used to be safe to publish can now, in many cases, be used as real Gemini AI credentials. This means that any key sitting in public JavaScript or application code may now let attackers connect to Gemini through its API, access data, or run up someone else’s bill.

Researchers found around 2,800 live Google API keys in public code that can authenticate to Gemini, including keys belonging to major financial, security, and recruiting firms, and even Google itself.

Historically, Google Cloud API keys for services like Maps, YouTube embeds, Firebase, etc., were treated as non‑secret billing identifiers, and Google’s own guidance allowed embedding them in client‑side code.

If we compare this issue to reusing your password across different sites and platforms, we see that using a single identifier can become a skeleton key to more valuable assets than users or developers ever intended. 

The key difference is where responsibility sits. With password reuse, end users are explicitly warned. Every service tells them to pick unique passwords, and the security community has hammered this message for years. If the same password is reused across three sites and one breach compromises all of them, the risk comes from a user decision, even if convenience drove that decision.

With Google API keys, developers and security teams were following Google’s own historical guidance that these keys were just billing identifiers safe for client‑side exposure. When Gemini was turned on, those old API keys suddenly worked as real authentication credentials.

From an attacker’s perspective, password reuse means you can take one credential stolen from a weak site and replay it against email, banking, or cloud accounts using credential stuffing. The Gemini change means a key originally scoped in everyone’s mental model as “just for Maps” now works against an AI endpoint that may be wired into documents, calendars, or other sensitive workflows. It can also be abused to burn through someone’s cloud budget at scale.

How to stay safe

The difference with this instance of what is effectively password reuse is that this time it’s been effectively baked in by design rather than chosen by users.

The core problem is that Google uses a single API key format for two fundamentally different purposes: public identification and sensitive authentication. The Gemini API inherited a key management architecture built for a different purpose.

The researchers say Google has recognized the problem they reported and taken meaningful steps, but has yet to fix the root cause.

Advice for developers

Developers should check whether Gemini (Generative Language API) is enabled on their projects, audit all API keys in their environment to determine whether any are publicly exposed, and rotate exposed keys immediately.

  • Check every Google Cloud Platform (GCP) project for the Generative Language API. Go to the GCP console, navigate to APIs & Services > Enabled APIs & Services, and look for the Generative Language API. Do this for every project in your organization. If it’s not enabled, you’re not affected by this specific issue.
  • If the Generative Language API is enabled, audit your API keys. Navigate to APIs & Services > Credentials. Check each API key’s configuration. You’re looking for two types of keys:
    • Keys showing a warning icon, meaning they are set to unrestricted
    • Keys that explicitly list the Generative Language API in their allowed services

Either configuration allows the key to access Gemini.

  • Verify that none of those keys are public. This is the critical step. If you find a key with Gemini access embedded in client-side JavaScript, checked into a public repository, or otherwise exposed online, you have a problem. Start with your oldest keys first. Those are the most likely to have been deployed publicly under the old guidance that API keys are safe to share, and then retroactively gained Gemini privileges when someone on your team enabled the API. If you find an exposed key, rotate it.

Advice for individuals

For regular users, this is less about key management and more about keeping your Google account locked down and being cautious about third-party access.

  • Only link Gemini to accounts or data stores (Drive, Mail, Calendar, enterprise systems) you’re comfortable being reachable via API and regularly review which integrations and third‑party apps have access to your Google account.
  • When evaluating apps that integrate Gemini (browser extensions, SaaS tools, mobile apps), favour those that make Gemini calls from their backend rather than directly from your browser.
  • If you use Gemini via a Google Cloud project (e.g., you’re a power user or use it for work), monitor GCP billing reports and usage logs for unusual Gemini activity, especially spikes that do not match your own usage.

Categories: Malware Bytes

Aeternum Botnet Loader Employs Polygon Blockchain C&C to Boost Resilience

Security Week - Fri, 02/27/2026 - 7:02am

Aeternum operates on smart contracts, making its command-and-control (C&C) infrastructure difficult to disrupt.

Categories: SecurityWeek
