HackerTrans
TopNewTrendsCommentsPastAskShowJobs

seanieb

no profile record

Submissions

Show HN: PanicLock – Close your MacBook lid disable TouchID –> password unlock

github.com
265 points·by seanieb·3 miesiące temu·115 comments

I Infected My iPhone with Russian Spyware. Here's What I Found [video]

youtube.com
5 points·by seanieb·4 miesiące temu·0 comments

[untitled]

3 points·by seanieb·4 miesiące temu·0 comments

Giving iOS Lockdown Mode Another Look

conic.al
2 points·by seanieb·4 miesiące temu·0 comments

[untitled]

1 points·by seanieb·4 miesiące temu·0 comments

Passkeys and the Quiet Revolution in Corporate Crypto

conic.al
1 points·by seanieb·5 miesięcy temu·3 comments

Show HN: PanicLock – macOS has no Touch ID kill switch like iOS, so I built one

github.com
10 points·by seanieb·5 miesięcy temu·4 comments

A field guide to sandboxes for AI

luiscardoso.dev
3 points·by seanieb·6 miesięcy temu·0 comments

EU to build no-fee payments service like Visa/Mastercard and Apple/Google Pay

independent.ie
164 points·by seanieb·6 miesięcy temu·174 comments

comments

seanieb
·9 dni temu·discuss
GitHub Copilot costs have ballooned in recent week, what once took $100 requires $300. I like using Claude with VS Code through Copilot and I feel it’s given me much better code, that I can control the quality. It’s much more transparent than Claude Code. It’s open source but and the IDE interface gives so many more features to have you context and control over whats generated. The increase in cost isn’t purely due to their price increases but also the Opus models agents use more tokens. So I’ve moved to Claude Code and I’m happily still using Opus 4.6. Fable and 4.7 seem to do much larger units of work, go off on tangents and make assumptions that frequently results in slop.
seanieb
·12 dni temu·discuss
It's always amazed me that a tech company will pay $300,000+ for a good engineer, because talent is so hard hard to find... meanwhile their recruiter operates unsupported, has a very different idea about what good looks like. Their ATS black-holes >50% the resumes because it's filtering heuristics are garbage because recruiting selected the ATS system because it has a google Gmail integration or something, and the ATS's filtering technology was not reviewed by anyone in the engineering or data teams.
seanieb
·w zeszłym miesiącu·discuss
Would Taiwan, Ireland, Israel and maybe others be higher on that list?
seanieb
·w zeszłym miesiącu·discuss
Sorry I don’t understand. Can you outline why trade would indicate that there isn’t a shortage of chemical fertilizer that would impact crops not yet harvested in developing countries?
seanieb
·w zeszłym miesiącu·discuss
There’s probably going to be a famine or famines due to lack of, and expense, of fertilizer resulting in less food for the developing world.
seanieb
·2 miesiące temu·discuss
Your company getting hacked because of random plugins for emerging or dysfunctional ecosystems that don’t have enterprise management solutions yet is worth it to avoid friction?
seanieb
·2 miesiące temu·discuss
> This is not to defend Microsoft

But you are defending MS, conflating a bunch of things, mainly full disk encryption and cloud backups.

There's a big difference between Apples cloud backup which has documented behavior and a backdoor. I'm also fairly confidant in Apple's full disk encryption, they've gone to court to defend it. There also a lot more data points we can use to judge Apple vs Microsoft on privacy and security, and MS comes out looking bad.
seanieb
·2 miesiące temu·discuss
At what point will Security professionals start turning down roles that involve “securing” MS Products? I’m already at this point.

Securing Microsoft products is busy work while waiting to have it undercut by the next wave of MS’s insane tech debt and greed. And now backdoors!
seanieb
·2 miesiące temu·discuss
Not low quality if it works!
seanieb
·3 miesiące temu·discuss
The issue is only an issue if your phone is physically taken, then unlocked and the message notifications extracted from a iOS cache database. Todays update by Apple fixes issue for every app, not just Signal.
seanieb
·3 miesiące temu·discuss
Oh please, Telegram being mentioned positively during a discussion of security, privacy or state surveillance? Telegram is a security nightmare, it’s not e2ee no mater what BS their very very untrustworthy founder keeps spouting, it’s not default and what they do offer is probably not secure. Servers owned by Russian oligarchs loyal to Putin. Durovs rebel persona, where he’s persona non grata in Russia is also BS. He was shown to be freely traveling in and out of Russia and having negotiations with the Russian government around censorship of Telegram all while Durov was telling us he couldn’t return. And the Russian FSB won’t use it because it’s known in their circles as being compromised.

https://www.youtube.com/watch?v=a2eBDU5ea0A&t=392s

> "That largely depends on what an officer does outside of work. If someone is involved in corrupt dealings, and in fact, I know very few who aren't, then they reason like this. Can this messenger be monitored by internal security officers? Previously, many used WhatsApp. Almost no one used telegram because there's a wellfounded belief that this messenger is to some extent controlled by the Russian authorities. People used signal. Some use three months, but all that has now been shut down again. Why is it monitored? I think they're worried about a possible coup and trying to limit the ability to coordinate mass actions via communication channels from abroad. Hence the Max messenger. So now most security officers have switched to Chatty. That's a Dubai based messenger, but it's definitely not a universal remedy. Some have moved to Zangi, which is [clears throat] an Armenian app that markets itself as American. When it comes to targeting the opposition, the state will always find the resources. It's one of the main priorities, more important than any financial or commercial issue, even more than counterterrorism."
seanieb
·3 miesiące temu·discuss
This comment is based on one of my commits. The round-trip through Int is exactly what makes it safe.Int(value) will return nil (and be rejected) for anything that isn't a valid integer. no ; rm -rf /, no shell. String(seconds) on a Swift Int can only ever produce a decimal number. (which is probably overkill and not needed in this context.) > Please don't use slop machines to write READMEs. Trust me, they do a better job than I ever will.

Having said all that, it's probably something that could be dropped from the readme. I'll edit now.

edit: updated the readme. Thanks for taking the time to proof read it.
seanieb
·3 miesiące temu·discuss
Thank you!
seanieb
·3 miesiące temu·discuss
Correct. This is a classic security vs convenience tradeoff. I mention that trade off on the landing page, PanicLock vs Shutdown

> Use shutdown when you can, PanicLock when you can't. Shutting down is the most secure option—but when you need your Mac locked now and you'll be back in five minutes, PanicLock is your answer.

*PanicLock* - Fast "oh shit" button - Lid closed when in transit. - Instant lock (1 second). Disables Touch ID immediately - Preserves your session - Back to work in minutes

*Full Shutdown* - Maximum security - Purges encryption keys - Fully locks FileVault - Takes time to shutdown & restart - Kills your session
seanieb
·3 miesiące temu·discuss
That's good feedback. I just added it to the readme:

> "PanicLock fills a gap macOS leaves open: there is no built-in way to instantly disable Touch ID when it matters. Biometrics are convenient day-to-day, and sometimes preferable when you need speed or want to avoid your password being observed. But in sensitive situations, law enforcement and border agents in many countries can compel a biometric unlock in ways they cannot with a password. PanicLock gives you a one-click menu bar button, a customizable hotkey, or an automatic lock-on-lid-close option that immediately disables Touch ID and locks your screen, restoring password-only protection without killing your session or shutting down."

I've more details on the apps landing page - paniclock.github.io
seanieb
·3 miesiące temu·discuss
I wrote this after the case of a Washington Post reporter, Hannah Natanson, was compelled to unlock her computer with her fingerprint. This resulted in access to her Desktop Signal on her computer, revealing sources and their conversations.

https://www.yahoo.com/news/articles/washington-post-raid-pro...

Edit: I've a lot more details about the legality and precedence on the apps landing page https://paniclock.github.io/
seanieb
·4 miesiące temu·discuss
Congrats to to the Wiz team. Wiz is amazing. But, ugh, joining Google will result in less competition and all that entails. Not great for customers.

It's a pity going public isn't worth it anymore.
seanieb
·4 miesiące temu·discuss
Never realized that this wasn’t a common expression in the US till now.

> “(Ireland, informal, UK, dialect) To come to understand; twig, cotton on.”
seanieb
·4 miesiące temu·discuss
Fantastic. And it's from the Norwegian Consumer Council!
seanieb
·4 miesiące temu·discuss
> "Even if there were explanatory text, Erika, like most users, doesn’t typically read through every dialog box, and they certainly can’t be expected to remember this technical detail a year from now."

Passkeys are a step in the right direction, ironically for the exact reason the author advises caution. We've been telling people to "store your backup key somewhere safe" for the best part of a decade now, and your average Erika hasn't got on well with that at all. Locking themselves out and losing data left, right and centre.

If you've worked at any kind of scale you'll know well that a certain percentage of users will lose their data with E2EE, full stop. It's just different from everything else they've ever used. These are the same people who'd be lost without the "forgot password" link, and there's no shame in that. That's just the reality of it. And passkeys can help people like this to not lose their keys.

If the product is truly E2EE, the best options right now are the passkey implementations baked into Chrome or Apple. Windows, as ever, needs a bit of work, but the password managers seem to be picking up the slack well enough. We also need to educate people that with true E2EE there is no "forgot password" email. Passkeys and the tooling around them still have a ways to go, but we're getting there.