HackerTrans
TopNewTrendsCommentsPastAskShowJobs

scottmotte

no profile record

Submissions

Show HN: Keysee – deterministic identicons for public keys

keysee.io
1 points·by scottmotte·قبل شهرين·1 comments

Show HN: Vestauth – Auth for Agents

github.com
11 points·by scottmotte·قبل 5 أشهر·1 comments

comments

scottmotte
·قبل شهرين·discuss
Cryptographic systems are mostly designed for machines, not humans. We end up staring at long strings. I wanted to experiment with how to better visualize them - in a more human way. The result is KEYSEE⎔. Try it out and hope you enjoy! There is also a whitepaper that goes into more details (under the /api section).
scottmotte
·قبل 3 أشهر·discuss
> If you did 'dotenvx run -- env', all your secrets would be printed right there in plaintext

Same for sops.

> The equivalent in vercel would be encrypted in the database (the encrypted '.env' file), with a decryption key in the backend

The encrypted .env file is actually committed to source code, and the decryption key is placed in Vercel's environment variables dashboard. The attacker only gained access to the latter here if using dotenvx so they can't get your secrets. Unless they also gained access to the codebase in which they have terabytes of data to go through and match up private keys from the database with encrypted .env files from the source code exfiltration - much more effort for attackers.
scottmotte
·قبل 3 أشهر·discuss
Creator of dotenvx here.

There is no silver bullet, but Dotenvx splits your secrets into two separate locations.

1. The private decryption key - which lives on Vercel in this example 2. The encrypted .env file which lives in your source code pushed to Vercel

Attackers only got access to the first (as far as I know was reported). So your secrets would be safe in this attack if using Dotenvx. (A private key is useless without its corresponding encrypted .env file. Attackers need both.)

The whitepaper goes into the problem and solution in more detail: https://dotenvx.com/whitepaper.pdf
scottmotte
·قبل 6 سنوات·discuss
I wish there was a standardized or common methodology for classifying notifications. App developers could adopt this and consumers could take the pattern with them across all types of interfaces - desktop, smartphone, speakers, tv. Maybe someone knows if any government entity or force has a methodology for this?
scottmotte
·قبل 6 سنوات·discuss
That's a novel thought. I imagine then the native mail apps would expand in settings in order to block some bad senders from abusing that email header.

Tangentially related, iOS mail app has a VIP setting.

[1] https://support.apple.com/lv-lv/HT207213#vip