HackerTrans
TopNewTrendsCommentsPastAskShowJobs

behindsight

177 karmajoined 7년 전

Submissions

NPM Package Provenance (2023)

github.blog
2 points·by behindsight·10개월 전·2 comments

comments

behindsight
·어제·discuss
very well said, and I have been rooting for the team big time!

if you have an alliance hub for discussions with those also building open infrastructure tooling, please let me know!

have already been in the Mozilla AI discord since last year and had a great time being one of the 2 external participants during the name brainstorming for renaming any-llm ^_^
behindsight
·15일 전·discuss
Project Glasswing is already a thing, and the other labs have started their own initiatives too if they want to collaborate and work on securing closed-source software.

Still not addressed the moral clarity point being brought up, nor the ramifications of the Linux Foundation choosing which closed source projects to focus on and alienating their mission statement.

Again, your idea is noble but why should the Linux Foundation be saddled with it when those other options exist? OSS needs their focus as their mission outlines.
behindsight
·지난달·discuss
if you go to the full changelog on the blog and click on the "retired" button, the url will have type=deprecations as the parameter.

It's a holdover from previous posts where there were more clearly defined deprecations.

but yes, in this case it's more of a behavioural change of defaults, so they just picked the closest vaguely mapped retired/deprecations tag.

1: https://github.blog/changelog/?type=deprecations
behindsight
·지난달·discuss
> Retired? What does that even mean in this context

"retired" is probably a followup to functionality that was "deprecated".

I agree "breaking" would be clearer
behindsight
·2개월 전·discuss
the CTO of Cloudflare (hn: dknecht) said:

> It is in the works. The billing team has been sprinting to fix a lot of debt in this area. I don’t have a date.

https://x.com/dok2001/status/2051220429973389622
behindsight
·2개월 전·discuss
been cranking on this too but not just for snark but for spam/scam heuristics too.

it's something I feel is finally viable to combat at zero cost to the user.

This plus webmcp would allow it to serve as a form of automod too on websites that you authenticate with (imagine a world where your social media profile has an automod of its own powered locally. can use this to steer your feed or to mute/block/moderate as needbe). Even without WebMCP I have been working on making it autodetect html elements and extract UGC (comments/threads..etc) automatically to moderate (since my initial tests with a small group found some websites with frequent UI changes would break if hardcoded or if they did a lot of AB testing)

Even better, the concept would allow you to also use it to hide certain spoilers (imagine sports or new movies that just came out and you want to not have to hide away from all socials).

didn't find any contacts on your new HN account, but in a few weeks will be able to reach out to you with it fleshed out. :)

We have a community of nearly 14k that we will distribute this to
behindsight
·5개월 전·discuss
I'm building this. Initially it was to do codegen for tools/sdks/docs but will incorporate webmcp as part of it.

I wanted to make FOSS codegen that was not locked behind paywalls + had wasm plugins to extend it.
behindsight
·5개월 전·discuss
On a similar vein is the "argument from fallacy" aka fallacist's fallacy. [1]

Essentially if you dismiss someone's argument as false just because it may have had a fallacy within it, that reasoning is itself a fallacy.

Some fallacy-seeking people ironically ignore this and just dismiss anything when they have the "gotcha, you made a fallacy therefore everything you said can be concluded as false" moment.

1: https://en.wikipedia.org/wiki/Argument_from_fallacy
behindsight
·5개월 전·discuss
It's explicitly called out as excluded in the blue info bubble they have there.

> Fast mode usage is billed directly to extra usage, even if you have remaining usage on your plan. This means fast mode tokens do not count against your plan’s included usage and are charged at the fast mode rate from the first token.

https://code.claude.com/docs/en/fast-mode#requirements
behindsight
·6개월 전·discuss
While it's commendable, the reality is they should have already "figured out" how to play the system and just farmed the reward points from credit cards and immediately pay them off without incurring any interest.

You get a good credit score and still live within your means while also getting additional points + bank covering any fraudulent activity if the card got stolen.

Of course this method probably won't work for people that feel they would rather just cut themselves off from temptation fully or those without access to banking systems, which I sympathise with.
behindsight
·7개월 전·discuss
Out of curiosity, do you have watch history enabled/disabled?

I found the feed with it enabled is much better than disabled and I have it finetuned to be more in line with the niches I care about.

I am also very proactive with marking channels or content I don't prefer with the "Not interested" or "Don't recommend channel" as well as going through and pruning any content I don't want from my watch history directly.

It's not perfect but it's orders of magnitude better than my logged out or watch history disabled account (though not sure if they have since updated it to not show anything at all)
behindsight
·7개월 전·discuss
ah thank you for the context
behindsight
·7개월 전·discuss
sidenote: just a heads up that I tried emailing you recently to let you know that you might want to contact the HN mods to find out why all your comments get set to dead/hidden automatically.

Your account might have triggered some flag sometime back and relies on users vouching for your comments so they can become visible again.
behindsight
·7개월 전·discuss
> You can also do some inbetween systems programming in C# if you don’t care about a VM or msft.

C# Native AOT gets rid of the JIT and gives you a pretty good perf+memory profile compared to the past.

It's mostly the stigma of .NET Framework legacy systems that put people off, but modern C# projects are a breeze.
behindsight
·8개월 전·discuss
oh this is very cool!

I've been building in my spare time a spam/scam blocking extension and was also playing around with the experimental in-browser LLM feature for this (alongside Aho–Corasick, Naive Bayes and other classifiers)

It's great to see more people tackling this head on, kudos
behindsight
·8개월 전·discuss
> The Gell-Mann amnesia effect is a cognitive bias describing the tendency of individuals to critically assess media reports in a domain they are knowledgeable about, yet continue to trust reporting in other areas despite recognizing similar potential inaccuracies.

https://en.wikipedia.org/wiki/Gell-Mann_amnesia_effect
behindsight
·8개월 전·discuss
great stuff, working on something around agentic tooling and hope to collab with Mozilla AI as well in the future as they share the same values I have
behindsight
·10개월 전·discuss
Interesting questions, I can later provide more links to more indepth security resources that go over similar points if you would be interested but currently on my phone so I will just jot down some quick surface level points.

> If a malicious website reads the clipboard, what good is knowing an arbitrary password with no other information?

Even if assuming unique username+url pairings, clipboard history can store multiple items including emails or usernames which could be linked to any data breach and service (or just shotgunned towards the most popular services). It's not really a "no other information" scenario and you drastically reduce the effort required for an attacker regardless.

> If you're talking about a malicious desktop app running on the same system, it's game over anyway because it can read process memory, read keystrokes, etc.

The app does not have to be overtly malicious, AccuWeather (among others) was caught exfiltrating users' clipboard data for over 4 years to an analytics company who may or may not have gotten compromised. Even if the direct application you are using is non-malicious, you are left hoping wherever your data ends up isn't a giant treasure trove/honeypot waiting to be compromised by attackers.

The same reasoning can be used for pretty much anything really, why protect anything locally since they could just keylog you or intercept requests you make.

In that case it would be safer for everyone to run Qubes OS and stringently check any application added to their system.

In the end it's a balancing act between convenience and security with which striving for absolute perfection ends up being an enemy of good.

> Sidenote: Most password managers I've used automatically clear the clipboard 10-15s after you copy a credential.

That is true, good password managers took these steps precisely to reduce the clipboard attack surface.

Firefox also took steps in 2021 to also limit leaking secrets via the clipboard.
behindsight
·10개월 전·discuss
> I always have to manually copy/paste the credentials.

I really hope you clear your clipboard history entirely after doing your copy/paste method because your credentials would otherwise persist for any other application with clipboard perms to just exfiltrate (which has already been exploited in the wild before)
behindsight
·10개월 전·discuss
Reminder, you can audit all your npm packages to see if they provide provenance attestation with:

    npm audit signatures
you can use this to also provide a gentle reminder to package authors to consider setting one up (or replacing those that can't/won't)

Additional resources:

- Trusted publishing via OIDC [1]

- Requiring 2FA for package publishing [2]

1: https://docs.npmjs.com/trusted-publishers

2: https://docs.npmjs.com/requiring-2fa-for-package-publishing-...