Feed aggregator
The eukaryotic cell emerged as an evolutionary algorithmic phase transition
Article URL: https://www.sciencedaily.com/releases/2025/04/250421163507.htm
Comments URL: https://news.ycombinator.com/item?id=43762005
Points: 1
# Comments: 1
Abusing DuckDB-WASM by making SQL draw 3D graphics (Sort Of)
Article URL: https://www.hey.earth/posts/duckdb-doom
Comments URL: https://news.ycombinator.com/item?id=43761998
Points: 25
# Comments: 2
Show HN: I built a tool with AI to lay out furniture on floor plans
I was facing a possible move and wanted an easier way to visualize how my furniture might fit into different apartments. The tools I found were complicated and didn't do what I needed, so I used AI (Augment) to create a tool for it called FurniMapper [0] and a demo/tutorial [1].
I'm a product manager, used to be a dev and can still code. I'm not an LLMs-to-AGI guy, and I still find these models unbelievably useful - I would have never spent the time to build this otherwise.
[0]: https://furnimapper.pages.dev
[1]: https://www.youtube.com/watch?v=OewO1WTooBA
Comments URL: https://news.ycombinator.com/item?id=43761990
Points: 2
# Comments: 0
Airbnb Will Now Display Full Prices for Rentals -- Even the Sneaky Fees
All Gmail users at risk from clever replay attack
Cybercriminals are abusing Google’s infrastructure, creating emails that appear to come from Google in order to persuade people into handing over their Google account credentials.
This attack was first flagged by Nick Johnson, the lead developer of the Ethereum Name Service (ENS), a blockchain equivalent of the popular internet naming convention known as the Domain Name System (DNS).
Nick received a very official-looking security alert about a subpoena allegedly issued to Google by law enforcement for information contained in Nick’s Google account. A URL in the email pointed Nick to a sites.google.com page that looked like an exact copy of the official Google support portal.
Recently I was targeted by an extremely sophisticated phishing attack, and I want to highlight it here. It exploits a vulnerability in Google's infrastructure, and given their refusal to fix it, we're likely to see it a lot more. Here's the email I got: pic.twitter.com/tScmxj3um6
— nick.eth (@nicksdjohnson) April 16, 2025
As a computer savvy person, Nick spotted that the official site should have been hosted on accounts.google.com and not sites.google.com. The difference is that anyone with a Google account can create a website on sites.google.com. And that is exactly what the cybercriminals did.
Attackers increasingly use Google Sites to host phishing pages because the domain appears trustworthy to most users and can bypass many security filters. One of those filters is DKIM (DomainKeys Identified Mail), an email authentication protocol that allows the sending server to attach a digital signature to an email.
If the target clicked either “Upload additional documents” or “View case”, they were redirected to an exact copy of the Google sign-in page designed to steal their login credentials.
Your Google credentials are coveted prey, because they give access to core Google services like Gmail, Google Drive, Google Photos, Google Calendar, Google Contacts, Google Maps, Google Play, and YouTube, but also any third-party apps and services you have chosen to log in with your Google account.
The signs to recognize this scam are the pages hosted at sites.google.com, which should have been support.google.com and accounts.google.com, and the sender address in the email header. Although it was signed by accounts.google.com, it was emailed by another address. If a person had all these accounts compromised in one go, this could easily lead to identity theft.
How to avoid scams like this
- Don’t follow links in unsolicited emails or on unexpected websites
- Carefully look at the email headers when you receive an unexpected mail
- Verify the legitimacy of such emails through another, independent method
- Don’t use your Google account (or Facebook for that matter) to log in at other sites and services. Instead create an account on the service itself.
Analyzing the URL used in the attack on Nick, (https://sites.google.com[/]u/17918456/d/1W4M_jFajsC8YKeRJn6tt_b1Ja9Puh6_v/edit) where /u/17918456/ is a user or account identifier and /d/1W4M_jFajsC8YKeRJn6tt_b1Ja9Puh6_v/ identifies the exact page, the /edit part stands out like a sore thumb.
DKIM-signed messages keep the signature during replays as long as the body remains unchanged. So if a malicious actor gets access to a previously legitimate DKIM-signed email, they can resend that exact message at any time, and it will still pass authentication.
So, what the cybercriminals did was:
- Set up a Gmail account starting with me@ so the visible email would look as if it was addressed to “me.”
- Register an OAuth app and set the app name to match the phishing link
- Grant the OAuth app access to their Google account which triggers a legitimate security warning from no-reply@accounts.google.com
- This alert has a valid DKIM signature, with the content of the phishing email embedded in the body as the app name.
- Forward the message untouched which keeps the DKIM signature valid.
Creating the application containing the entire text of the phishing message for its name, and preparing the landing page and fake login site, may seem like a lot of work. But once the criminals have completed the initial work, the procedure is easy enough to repeat once a page gets reported, and reporting a page is not easy on sites.google.com.
Nick submitted a bug report to Google about this. Google originally closed the report as ‘Working as Intended,’ but later Google got back to him and said it had reconsidered the matter and it will fix the OAuth bug.
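The header signs described above can be checked mechanically. The following is an added example, not code from the article: it does not verify the DKIM signature cryptographically (a replayed message passes that check anyway) but looks for the mismatches that remain. It assumes the Return-Path domain stands in for the "emailed by" address and that the receiving mailbox (`delivered_to`) is known to the caller; the sample message and all names in it are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a replayed alert shaped like the one the article describes.
SAMPLE = """\
Return-Path: <bounce@forwarder.example>
DKIM-Signature: v=1; a=rsa-sha256; d=accounts.google.com; s=constructed;
 h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED
From: Google <no-reply@accounts.google.com>
To: me@lookalike.example
Subject: Security alert

Review the case at https://sites.google.com/u/0/d/CONSTRUCTED/edit
"""

def domain_of(addr):
    """Lower-cased domain part of an address header value."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def dkim_domains(msg):
    """Return the d= (signing domain) tag of every DKIM-Signature header."""
    out = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d\s*=\s*([^;\s]+)", sig)
        if m:
            out.append(m.group(1).lower())
    return out

def replay_signals(raw, delivered_to):
    """List the replay indicators present in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    flags = []
    mailed_by = domain_of(msg.get("Return-Path", ""))
    for d in dkim_domains(msg):
        # Signed by one domain, handed over by an unrelated one.
        if mailed_by != d and not mailed_by.endswith("." + d):
            flags.append("signed-by/mailed-by mismatch")
    # A replayed message keeps its original To header.
    if parseaddr(msg.get("To", ""))[1].lower() != delivered_to.lower():
        flags.append("To header is not the receiving mailbox")
    # Genuine account pages live on accounts/support.google.com.
    if re.search(r"https?://sites\.google\.com/", msg.get_payload(), re.I):
        flags.append("link to sites.google.com")
    return flags
```

Legitimate forwarding and mailing lists also produce a signed-by/mailed-by mismatch, so treat each flag as a signal to weigh together with the others rather than as a verdict.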
Hybrid Meat Is All the Rage. Here's What It Is and Why It's Worth Trying
Logitech Quietly Raises Prices By Up To 25%
T-Mobile Relaunches Its Top 5G Plans and Adds 5-Year Price Locks
I Tried Insta360's New X5 360 Camera. It's Full of Impressive Upgrades
Empowering Developers with HTML-Aware ERB Tooling
Article URL: https://speakerdeck.com/marcoroth/empowering-developers-with-html-aware-erb-tooling-at-rubykaigi-2025-matsuyama-ehime
Comments URL: https://news.ycombinator.com/item?id=43761551
Points: 1
# Comments: 0
U.S. Pushes $900M for Small Modular Reactors
Article URL: https://spectrum.ieee.org/small-modular-reactor-united-states
Comments URL: https://news.ycombinator.com/item?id=43761546
Points: 1
# Comments: 0
China can offer Trump the trillions of investment dollars America needs
Nanoscale Makes a Power Play
Article URL: https://cacm.acm.org/news/nanoscale-makes-a-power-play/
Comments URL: https://news.ycombinator.com/item?id=43761538
Points: 1
# Comments: 0
EIF3D safeguards homeostasis of key signal paths in human primed pluripotency
Article URL: https://www.science.org/doi/10.1126/sciadv.adq5484
Comments URL: https://news.ycombinator.com/item?id=43761526
Points: 1
# Comments: 0
I vibe-coded a small tool for myself – someone paid for it before it was ready
First time trying the whole “vibe coding” approach — build something fast, minimal setup, just to solve a tiny-but-annoying problem for myself. I work with remote teams and kept running into the same thing: meetings scheduled on public holidays because my calendar wasn’t blocked. So I built a tiny tool that connects to Google Calendar and does that automatically.
Over the weekend, while I was still polishing a few things, I checked my Paddle dashboard and saw I had money. Someone found it on Google, signed up, and paid. No welcome email. No alert. Just vibes.
It’s called Autolidays — lightweight, quiet, and automatic. This was a one-person, nights-and-weekends thing, took less than a month. Vibe coding is wild — the speed is insane, but there’s still a gap to close when it comes to getting something truly production-ready. Curious to see where this path leads.
Check it out and lmk what you think https://autolidays.com
Comments URL: https://news.ycombinator.com/item?id=43761515
Points: 1
# Comments: 0
Is Tech to Blame for Anxious Kids? A Summary of 'The Anxious Generation'
Article URL: https://www.insta.page/read/the-anxious-generation
Comments URL: https://news.ycombinator.com/item?id=43761489
Points: 1
# Comments: 0
Show HN: SDK for AI Coding with Long Running Tasks
It seems that using Cursor has become really repetitive. My workflow typically goes like this:
- Get a task to accomplish on a codebase
- Research the web and codebase to create a plan
- Send the entire plan to cursor and sit back for it to finish
This flow works really well with a high level of accuracy for the most part and it's becoming obvious that the margin between where it is today and "perfect" is quickly closing.
Because of this flow, I feel that I can replicate it through an SDK that uses an AI cli coder tool with low level control.
In this SDK, you can also use the best coder in the world per: https://aider.chat/docs/leaderboards/
As shown here:
```python
from cloudcode import Local
import os


def main():
    # Use the current directory
    cwd = os.getcwd()
    example_file = "example.py"

    # Initialize the Aider SDK in architect mode
    agent = Local(
        working_dir=cwd,
        model="o3",  # Main (planner) model
        editor_model="gpt-4.1",  # Editor model for implementing changes
        architect_mode=True,
        use_git=False,
        api_key=os.getenv("CLOUDCODE_API_KEY")
    )

    # Create or overwrite a simple Python file to modify using the SDK
    agent.create_file(
        example_file,
        """def add(a, b):
    return a + b
"""
    )

    # Run a coding task using the two-model workflow
    result = agent.code(
        prompt="make this function super cool. just make the math functions better",
        editable_files=[example_file]
    )

    # Print the results
    print("\nTask completed!")
    print(f"Success: {result['success']}")
    print("\nChanges made:")
    print(result["diff"])

    # Display cost information
    print("\nTask completed!")


if __name__ == "__main__":
    main()
```
Given that you can mimic your workflows from cursor and claude code into this sdk, you shouldn't have to sit around on your computer waiting for the long running task to finish.
That's why I built in a Sandbox class that mounts the ai coder into a remote sandbox directory instead of a local folder so you can deploy an ai coder to the cloud, enabling use cases such as coding from your phone and the browser.
I have already found so many low-hanging fruit use cases for this sdk to automate prompting, information gathering, and auto-docs as shown in our github https://github.com/LMSystems-ai/cloud-coding
But I want to take it a step further.
You can get started for free today with this sdk and see our favorable pricing model here: https://docs.cloudcoding.ai/pricing
Comments URL: https://news.ycombinator.com/item?id=43761446
Points: 1
# Comments: 0
A New Cadence for WordPress Core
Article URL: https://make.wordpress.org/project/2025/04/16/a-new-cadence-for-wordpress-core/
Comments URL: https://news.ycombinator.com/item?id=43761436
Points: 1
# Comments: 0
SSH Keys Aren't Real
Article URL: https://ssh-keys.arent-real.com
Comments URL: https://news.ycombinator.com/item?id=43761423
Points: 2
# Comments: 2
Ask HN: Are you running production workloads in Pytorch eager mode?
I have an idea for optimizations using a dedicated backend for pytorch. It only applies to eager mode execution. From my understanding, eager mode is used for development and debugging. Are there real production workloads that work in that way? I assume people optimize by compiling graphs using JIT but then again, people are lazy...
Comments URL: https://news.ycombinator.com/item?id=43761400
Points: 1
# Comments: 0