
Hacker News Security - itsspring
https://news.ycombinator.com/security.html
======
andrewnicolalde
Wow! That PRNG post from 2009 was a wild ride! Totally worth a read:
[https://news.ycombinator.com/item?id=639976](https://news.ycombinator.com/item?id=639976)

~~~
y42
This is fun to read. Are there resources where you can read stories like
that, about how people discovered security flaws?

~~~
xjwm
Not a ton of stories, but there are some good exercises on how to exploit flaws
in real world crypto on: [https://cryptopals.com/](https://cryptopals.com/)

------
chacha102
I find it impressive that the last recorded entry was in 2017. Over 3 years,
and given the security-centric nature of the audience, I'd imagine if there
were more flaws we'd see them reported.

Sometimes building something simple is the best way to build something secure.

------
maxbond
I have had nothing but good experiences reporting bugs to HN. HN doesn't work
quite like any other web app I've ever audited. It's an interesting challenge.

~~~
snazz
Wasn't the last publicly-released version of Arc even stranger, with
everything being a GET request and links containing a URL parameter that
corresponded to a Lisp closure? I'd be interested in hearing some more
up-to-date information about how HN is hosted and works today.

~~~
ComputerGuru
Yeah, that's no longer the case. If your url predated the gc run or was from
before a restart, you would get a server 500 message.

~~~
voodootrucker
How are those closures identified uniquely? I'm not super familiar with lisp,
but I do get closures and memory addresses and am suspicious.

~~~
maxbond
This was the case when I was poking at Hacker News. I think it may still be
the case to some extent.

Here's an example of an HN password reset link:

hxxps://news.ycombinator.com/x?fnid=<long-random-value>&fnop=passwd-reset

`fnid` identifies a closure. Presumably there's a hashmap of `fnid` values to
closures in memory.

It used to be that this was how any action on the site was represented. I
poked around for a minute though, and it's evidently not the case for upvotes
any more:

hxxps://news.ycombinator.com/vote?id=<integer>&how=up&auth=<long-random-value>&goto=<return-url>

~~~
snazz
They had to stop using GET requests for upvotes after this issue:
[https://news.ycombinator.com/item?id=3742902](https://news.ycombinator.com/item?id=3742902)

I'm interested in whether the password reset link is a potential issue still.

~~~
maxbond
Well, that URL doesn't have an `fnid` in it. It looks to me like they just
guessed their `id`, which is simply an incrementing identifier. They're still
using GET for upvotes, but they include a CSRF token.

Using GET to change state, like they're discussing in that thread, is really
more of a style issue than a security issue. You need a CSRF token, whatever
verb you use.

And that was a few years before my recollection of upvotes using an `fnid`. (I
could also be misremembering.)

In the case of password resets, I don't think there's a functional difference
between using a map of closures with random tokens and comparing random tokens
stored in a database, as is the more conventional approach. If you can guess
the random token, or if you can extract them via a side channel, then you can
reset passwords. And if you can't, you can't.

Which isn't to say it's not worth having a look :)
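The two designs maxbond compares, as an added example that is not code from HN or Arc (class names, the lambda action and the 15-minute expiry are assumptions): an in-memory closure table keyed by a random `fnid` beside a conventional table that stores only a hash of the token and compares it in constant time, which removes the timing side channel the comment mentions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_BYTES = 32       # 256 bits of entropy: guessing is not practical
TTL_SECONDS = 15 * 60  # reset links expire; assumed value


class ClosureTable:
    """Arc-style table: an opaque fnid maps to an in-memory closure.
    Only the fnid goes into the link (x?fnid=...&fnop=passwd-reset)."""

    def __init__(self) -> None:
        self._fns: Dict[str, Tuple[float, Callable[[], str]]] = {}

    def register(self, fn: Callable[[], str]) -> str:
        fnid = secrets.token_urlsafe(TOKEN_BYTES)
        self._fns[fnid] = (time.time() + TTL_SECONDS, fn)
        return fnid

    def invoke(self, fnid: str) -> Optional[str]:
        entry = self._fns.pop(fnid, None)  # one-shot: gone after first use
        if entry is None or entry[0] < time.time():
            return None
        return entry[1]()


class HashedTokenTable:
    """Conventional table: store only a hash of the token, keyed by user,
    so a leaked table yields no working links; compare in constant time
    so response timing does not reveal how much of a guess matched."""

    def __init__(self) -> None:
        self._rows: Dict[str, Tuple[bytes, float]] = {}

    def issue(self, user: str) -> str:
        token = secrets.token_urlsafe(TOKEN_BYTES)
        digest = hashlib.sha256(token.encode()).digest()
        self._rows[user] = (digest, time.time() + TTL_SECONDS)
        return token

    def redeem(self, user: str, token: str) -> bool:
        row = self._rows.get(user)
        if row is None or row[1] < time.time():
            return False
        guess = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(guess, row[0]):
            return False
        del self._rows[user]  # one-shot
        return True
```

Both tables refuse a second redemption of the same link; the difference is only where the secret lives and what a leak of the server-side store exposes.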

------
MattGaiser
I pity him who must check the security logs tomorrow as this rises.

~~~
barbs
Are you suggesting there's some sort of security issue currently? Only asking
because I noticed I was logged out of HN recently and don't remember logging
out myself.

~~~
toomuchtodo
Increased rate of pen testing by interested readers due to this post.

------
arkadiyt
YC also has their own security page, covering all non-hackernews software:
[https://www.ycombinator.com/security/](https://www.ycombinator.com/security/)

------
kevindeasis
dang is pretty good at moderating comments and fixing bugs too when you report
them to him or if he sees it in your comment.

------
geekamongus
Kinda bummed you didn't use security.txt for this.

~~~
kogir
Hard to use something before it exists.

Back when I created this we wanted to publicly credit people who had helped us
out and this seemed like a good way to do so.

~~~
eganist
Fair, but now that we have a standard-ish pattern, there's value in embracing
it; quite a number of others have done so as part of their vulnerability
disclosure programs.

[https://securitytxt.org](https://securitytxt.org)

------
rshnotsecure
It has always struck me as strange there is no 2FA function on HackerNews
along with no real delete function.

Also some of us have noticed for a while Hacker News is hosted differently
than the rest of YCombinator. While YCombinator uses AWS, which makes sense,
Hacker News uses a small San Diego firm called M5 Computer Security. They have
commented on here from time to time.

M5 Computer Security, also known as Cloud 5 Hosting and a few other names, has
popped up on other forums too. The IPs that are owned by them (at least
according to WHOIS) wind up holding very strange other websites that aren't
say hosting customers (like how to weld underwater, how to get a foreign visa,
etc). Some of their name servers also hold data for websites that are
definitely not supposed to be there, like the regional government sites of a
foreign country (could be part of the Sea Turtle DNS attack we have thought
[1]). Also for a security company they seem to have strangely out of date
websites [2]. Copyright 2003?

A few weeks ago we wound up calling the FBI's Cyberstorm hotline after we saw
something weird with a government in the United States that traced back to M5
and American Internet Services, LLC (they often appear alongside M5 in the
hosting records). A week later I had someone from DHS interview me at length
(they just showed up at the door) for about 30 minutes. They seemed to be
around organized crime, but near the end of the conversation it was mentioned
"well they also do a lot of Department of Defense stuff". Uh oh. This seems to
be true as they mention it on one of their websites actually [4].

Hopefully someone a few months from now will pick up the case and find out /
connect to one of the many other DNS mysteries out there.

[1] - [https://blogs.cisco.com/security/talos/sea-turtle-keeps-on-swimming](https://blogs.cisco.com/security/talos/sea-turtle-keeps-on-swimming)

[2] - [https://www.m5computersecurity.com/audit-private.php](https://www.m5computersecurity.com/audit-private.php)

[3] - www.htleng.com

[4] - [https://www.m5hosting.com/about-us/data-centers/san-diego-lightwave-data-center](https://www.m5hosting.com/about-us/data-centers/san-diego-lightwave-data-center)

~~~
detaro
This seems like many words around "long-existing hosting company hosts all
kinds of stuff", which is true about pretty much all of them.

~~~
Bucephalus355
Ok I could see this except for one thing I found out recently. "Long-existing
hosting companies" have traded hands a bunch of times. Wild West Domains,
Tucows, etc are like 6 different owners removed from the founders at this
point. Sometimes the founders are kept on, but more as a figurehead who isn't
supposed to ask detailed questions about what does and doesn't go on.

One of the better documented cases of hosting companies being a proxy for
intelligence wars was the 2017 lawsuit Namecheap filed against eNom and
Tucows. Long story short, Namecheap was supposed to be US intelligence, and
eNom and Tucows were unknown/unnamed _other_ intelligence group/agency [1].

[1] - [https://domainnamewire.com/2017/09/01/namecheap-sues-enom-tucows-demands-transfer-4-million-domains/](https://domainnamewire.com/2017/09/01/namecheap-sues-enom-tucows-demands-transfer-4-million-domains/)

~~~
detaro
If it's "one of the better documented cases of hosting companies being a proxy
for intelligence wars", can you provide any documentation of that? Your link
describes a bog-standard spat between companies when one leaves a business
relationship with the other.

It's also not a particular secret that hosting companies operate under
multiple brands, buy others and at the same time new ones pop up regularly.

------
SubiculumCode
If you want more bugs, make more commits.

------
btown
Surprising not to see a PGP public key here for secure submissions... unless
that’s no longer advised?

------
borski
Hey, it me!

