HackerTrans
TopNewTrendsCommentsPastAskShowJobs

jackbeck

123 karmajoined 6 tahun yang lalu

Submissions

Show HN: Runtime and install-time enforcement for NPM dependencies`

github.com
2 points·by jackbeck·11 hari yang lalu·0 comments

Show HN: Hagana – Runtime protection for Node.js to block supply chain attacks

github.com
11 points·by jackbeck·4 tahun yang lalu·4 comments

VanillaJS web based video editor

2 points·by jackbeck·4 tahun yang lalu·1 comments

SaaS Product Adoption for Dummies

blog.driftly.app
1 points·by jackbeck·4 tahun yang lalu·0 comments

comments

jackbeck
·11 hari yang lalu·discuss
[flagged]
jackbeck
·9 bulan yang lalu·discuss
I wasn’t aware that there were places that had semi-precious stones just lying around. Where are you from?
jackbeck
·9 bulan yang lalu·discuss
I have strongly negative connotations with rock tumblers. When I was about 8 I saw one in a store and thought it would turn regular rocks into precious stones. One of the biggest disappointments of my childhood.
jackbeck
·3 tahun yang lalu·discuss
I would assume that you could just search the heap by the value shown on the page to find out what the key is.
jackbeck
·3 tahun yang lalu·discuss
Rick Doblin recently went on a Joe Rogan podcast where he went more in depth about his experience with this.
jackbeck
·4 tahun yang lalu·discuss
What’s the difference between this and LogSnag?
jackbeck
·4 tahun yang lalu·discuss
Thanks! This sort of "deno"-fies Node, but in my opinion it's a bit smarter. With Deno, it's an all or nothing approach where 3rd party libraries still have the same access as the main application.

Hagana is still not at the stage where it's fully ready to block all attacks, there's still work to be done, but I do want to be transparent about the approach taken so that the open source community can create issues that show sandbox breakouts (as someone already has).

Eventually it'll get to the point where the security will be tight enough that having it open source won't make a difference.

Additionally, even having this rudimentary protection is still more effective at blocking generic supply chain attacks than not having any protection at all.
jackbeck
·4 tahun yang lalu·discuss
Thank you!

I've given this exact question some thought. I think that the only real way to make sure this doesn't happen is by not allowing any 3rd party packages into the codebase. That means any package I want to install will have to be manually copied over. Granted, that this isn't the state now in the repo since I wanted to get to a POC phase as quickly as possible, but it's something I'm going to do.
jackbeck
·4 tahun yang lalu·discuss
Yup, I agree with you about this. It’d be interesting to do a deep dive into a library like FingerprintJS and see what has the most weight in terms of uniqueness. Maybe getImageData is worthwhile blocking, but perhaps other APIs will increase the amount of entropy.
jackbeck
·4 tahun yang lalu·discuss
At the moment it’s not the default though. So people who enable this feature will, ironically be more unique and therefore more accurately fingerprintable.
jackbeck
·4 tahun yang lalu·discuss
The problem with a lot of these attempts at fingerprinting prevention is that they cause additional data which can be used to more accurately fingerprint users.

getImageData() is blocked - datapoint

Any detectable difference from what a “regular” browser would return is another point of entropy.