HackerTrans
TopNewTrendsCommentsPastAskShowJobs

captn3m0

11,453 karmajoined vor 15 Jahren
https://captnemo.in http://about.me/n3m0

[ my public key: https://keybase.io/captn3m0; my proof: https://keybase.io/captn3m0/sigs/MrazMfyap5PnbYUKQhtqeLGfctJcwxsDB6Oo0t6ABxM ]

my email: [email protected]

meet.hn/city/in-Bengaluru

Socials: - github.com/captn3m0 - x.com/captn3m0 - t.me/captn3m0

Interests: Books, Cybersecurity, DevOps, Fintech, Open Source, Privacy, Web Development

---

hnchat:Z44vjhzI6AG5YXzEY5pD

Submissions

Oil prices fall on US-Iran agreement

cnn.com
3 points·by captn3m0·vor 26 Tagen·2 comments

A Namecheap bug got my domain suspended

captnemo.in
3 points·by captn3m0·vor 2 Monaten·0 comments

FOSS – Tracking delayed open-source releases

captnemo.in
3 points·by captn3m0·vor 3 Monaten·1 comments

The Colour of Production

lmika.org
2 points·by captn3m0·vor 4 Monaten·0 comments

Querying India's MoSPI Data with Claude and MCP

aman.bh
1 points·by captn3m0·vor 5 Monaten·0 comments

Show HN: Kurbelfahrplan, a FOSDEM schedule app for the playdate

captnemo.in
2 points·by captn3m0·vor 5 Monaten·1 comments

ESI Language Specification 1.0

w3.org
2 points·by captn3m0·vor 6 Monaten·0 comments

Guidance for GSoC Contributors using AI tooling in GSoC 2026

docs.google.com
2 points·by captn3m0·vor 6 Monaten·0 comments

Eurail Data Security Incident – January 2026

eurail.zendesk.com
1 points·by captn3m0·vor 6 Monaten·1 comments

Amazon will allow ePub and PDF downloads for DRM-free eBooks

kdpcommunity.com
634 points·by captn3m0·vor 7 Monaten·339 comments

SPC Requests for Curiosity, Winter 2025

minusone.com
2 points·by captn3m0·vor 7 Monaten·1 comments

IFF's Statement against mandatory installation of "Sanchar Saathi"

internetfreedom.in
5 points·by captn3m0·vor 7 Monaten·1 comments

Disruption of Docker Hardened Images and Docker Scout

dockerstatus.com
2 points·by captn3m0·vor 8 Monaten·0 comments

The Future of Codewars

codewars.com
1 points·by captn3m0·vor 8 Monaten·0 comments

Foul Play: Privilege Escalation on the Playdate

peterstefek.me
2 points·by captn3m0·vor 8 Monaten·0 comments

Leak of Geedge Networks internal documents

github.com
4 points·by captn3m0·vor 10 Monaten·0 comments

Fenrir – Bootchain exploit for MediaTek devices

github.com
2 points·by captn3m0·vor 10 Monaten·0 comments

comments

captn3m0
·vor 6 Tagen·discuss
There are a lot of other implementations of this idea that don't necessarily rely on trust-on-first-use. The securedrop team explicitly includes malicious JS served by the primary-domain in the threat-model and made WEBCAT[0] as an outcome of that research. Their article on webcrypto is much better than this one.

The solution obviously is to go out-of-band:

> When a user visits a website that has enrolled in WEBCAT, before the site can load the content is checked against a signed manifest to ensure that it has not been tampered with (more on enrollment later). If everything checks out, the page loads normally. If, however, any content does not match what’s expected, the page load is aborted and a warning is displayed, protecting the user from potentially malicious content before it can execute.

[0]: https://securedrop.org/news/introducing-webcat-web-based-cod...

[1]: https://securedrop.org/news/browser-based-cryptography/
captn3m0
·vor 6 Tagen·discuss
This is a OS port (iOS) of an existing functional and maintained fork (MacOS) of the official release (Windows).

Most of these low-hanging bugs would have been caught upstream by now.
captn3m0
·vor 7 Tagen·discuss
Do we know how Apple sends these? Is it just a notification, or also email?
captn3m0
·vor 9 Tagen·discuss
There are 2 complete folds in the Isaac 0 video around 0:40, but speeded up: https://m.youtube.com/watch?v=KhImSR8GuCE

The about page claims 1000+ lbs of laundry folded every week.
captn3m0
·vor 11 Tagen·discuss
10% apparently for .tk. I also remember .tv windfall, which is 8-9% of their GDP.
captn3m0
·vor 13 Tagen·discuss
I wrote superbright to be able to force it: https://github.com/captn3m0/superbright (fork of BrightIntosh). The display does get hit after 10-15 minutes of this though.
captn3m0
·vor 17 Tagen·discuss
When I read the title, I thought it would be for research papers.
captn3m0
·vor 18 Tagen·discuss
Hooks are not a new standard. Package managers have always supported hooks. It is just a call to get us to parity.
captn3m0
·vor 18 Tagen·discuss
> The problem of everchanging malware isn't fixable by global policies and global rulesets.

But it is an important tool that's missing in our toolbox. You could do most of the above, and still get pwned by a typo in an `npx` command. Capability based access management is not likely to land in any large package manager in the next few years, and we need solutions that work today.
captn3m0
·vor 18 Tagen·discuss
Package-level hooks are everywhere: https://github.com/ecosyste-ms/package-manager-hooks

I wrote this in response to the recent AUR attacks. The problem isn’t really too many dependencies - it is that most users cannot be auditing everything they install and we need mechanisms that help users where they are.

I audit my AUR pkg builds, and I would have likely caught any malware. But so would a Dependency Cooldown or a third-party threat feed. Package Managers should make it easy to build this tooling via hooks.
captn3m0
·vor 18 Tagen·discuss
Aliases and pre-hooks are nowhere near the guarantees you want, that’s what I am arguing - not everything is invoked from a blessed shell. Safely-bump-does.sh is also impossibly hard to write because you are replicating _all of the work NPM does in transitive dependency resolution_. Unless you are re-generating the lock file from scratch - it isn’t safe. Just updating package.json isn’t sufficient for eg.
captn3m0
·vor 18 Tagen·discuss
Author here - people are definitely looking at other places. This just happens to be where the attacks are, and gets disproportionate attention as a result.

Do you have examples of campaigns that weren’t flagged? Everything except xz had a 1 day window and Dependency Cooldowns are super effective against most campaigns for that reason.

See papers at https://kokkonisd.github.io/ for eg.
captn3m0
·vor 18 Tagen·discuss
`PreInstall` mainly. But `PreFetch/PreBuild` also for source-repositories, such as AUR helpers.

homebrew doesn't support hooks as a system package manager: https://github.com/ecosyste-ms/package-manager-hooks as an example.

I think the packaging ecosystem is varied enough that this should be left for the package managers to decide. Yarn allows dependency resolution and WebFetch overrides in its hooks for eg.
captn3m0
·vor 18 Tagen·discuss
(Author here). I don’t really care _how and what you decide to do with it_, the post is about package managers giving users the ability to decide.

Dependency Cooldowns can be implemented with global hooks, git-commit-signing checks can be implemented, LLM-scans can be implemented, someone can run the code in a jail and use the eBPF logs to publish a threat feed.

Modern language packaging is also _source available_, and we have a huge leg up over traditional virus scans - we have the source code almost always. You can do amazing static analysis.

Yes, it’s hard work. But package managers are doing it already. Yay and Paru both now support hooks. I’m offering to help for AUR to publish more metadata: https://lists.archlinux.org/archives/list/[email protected]...
captn3m0
·vor 18 Tagen·discuss
(Author here). It isn’t a matter of pre-install hooks. I don’t want known malware on my system irrespective of whether it runs at install-time or not. Pre-install hooks are going away in NPM, but we will have code injected in index.js next.

Modern package managers are not amenable to letting another script override its resolutions, and that is what needs fixing.
captn3m0
·vor 18 Tagen·discuss
Has anyone reversed their SDKs to run a swarm that captures enough traffic to see what requests are actually getting made?
captn3m0
·vor 19 Tagen·discuss
You can route an encrypted video stream through a server, same as messages. Zoom supports this as well now. You can’t do fancy stuff like transcoding at the server to support an older client, but WhatsApp dropped support for non-e2e really-old clients eons ago (Symbian and the like).
captn3m0
·vor 20 Tagen·discuss
There is also microformats.
captn3m0
·vor 22 Tagen·discuss
This was published in April, and we are far from consensus on what is “varnish”. Lots of distributions are now packaging vinyl and calling it varnish, some are pointing to the varnish repo instead (Fedora, Homebrew).

I’d left a comment last time, but haven’t tracked it since: https://news.ycombinator.com/item?id=47728216
captn3m0
·vor 23 Tagen·discuss
> I don't think there exist a password manager that is explicitly designed for a compromised/hostile device.

The crypto people tried this with hardware only password managers but they were too annoying. I have a halfway solution of using pass with Yubikey/GPG where each password decryption requires a touch. It does protect against the entire vault being decrypted at once and exfiltrated.