HackerTrans
TopNewTrendsCommentsPastAskShowJobs

jackbeck

123 karmajoined 6 лет назад

Submissions

Show HN: Runtime and install-time enforcement for NPM dependencies`

github.com
2 points·by jackbeck·11 дней назад·0 comments

Show HN: Hagana – Runtime protection for Node.js to block supply chain attacks

github.com
11 points·by jackbeck·4 года назад·4 comments

VanillaJS web based video editor

2 points·by jackbeck·4 года назад·1 comments

SaaS Product Adoption for Dummies

blog.driftly.app
1 points·by jackbeck·4 года назад·0 comments

comments

jackbeck
·11 дней назад·discuss
[flagged]
jackbeck
·9 месяцев назад·discuss
I wasn’t aware that there were places that had semi-precious stones just lying around. Where are you from?
jackbeck
·9 месяцев назад·discuss
I have strongly negative connotations with rock tumblers. When I was about 8 I saw one in a store and thought it would turn regular rocks into precious stones. One of the biggest disappointments of my childhood.
jackbeck
·3 года назад·discuss
I would assume that you could just search the heap by the value shown on the page to find out what the key is.
jackbeck
·3 года назад·discuss
Rick Doblin recently went on a Joe Rogan podcast where he went more in depth about his experience with this.
jackbeck
·4 года назад·discuss
What’s the difference between this and LogSnag?
jackbeck
·4 года назад·discuss
Thanks! This sort of "deno"-fies Node, but in my opinion it's a bit smarter. With Deno, it's an all or nothing approach where 3rd party libraries still have the same access as the main application.

Hagana is still not at the stage where it's fully ready to block all attacks, there's still work to be done, but I do want to be transparent about the approach taken so that the open source community can create issues that show sandbox breakouts (as someone already has).

Eventually it'll get to the point where the security will be tight enough that having it open source won't make a difference.

Additionally, even having this rudimentary protection is still more effective at blocking generic supply chain attacks than not having any protection at all.
jackbeck
·4 года назад·discuss
Thank you!

I've given this exact question some thought. I think that the only real way to make sure this doesn't happen is by not allowing any 3rd party packages into the codebase. That means any package I want to install will have to be manually copied over. Granted, that this isn't the state now in the repo since I wanted to get to a POC phase as quickly as possible, but it's something I'm going to do.
jackbeck
·4 года назад·discuss
Yup, I agree with you about this. It’d be interesting to do a deep dive into a library like FingerprintJS and see what has the most weight in terms of uniqueness. Maybe getImageData is worthwhile blocking, but perhaps other APIs will increase the amount of entropy.
jackbeck
·4 года назад·discuss
At the moment it’s not the default though. So people who enable this feature will, ironically be more unique and therefore more accurately fingerprintable.
jackbeck
·4 года назад·discuss
The problem with a lot of these attempts at fingerprinting prevention is that they cause additional data which can be used to more accurately fingerprint users.

getImageData() is blocked - datapoint

Any detectable difference from what a “regular” browser would return is another point of entropy.