HackerTrans
TopNewTrendsCommentsPastAskShowJobs

skaul

no profile record

Submissions

How far behind is each major Chromium browser?

chromium-drift.pages.dev
197 points·by skaul·2 месяца назад·66 comments

Bash script to check if you were hit by the axios supply chain attack

github.com
1 points·by skaul·3 месяца назад·0 comments

Why Brave is opposing Google's Android developer registry

brave.com
7 points·by skaul·4 месяца назад·0 comments

Brave overhauled its Rust adblock engine with FlatBuffers, cutting memory 75%

brave.com
507 points·by skaul·6 месяцев назад·274 comments

Comet sends all your URLs to Perplexity servers and there's no way to stop it

shivankaul.com
2 points·by skaul·8 месяцев назад·2 comments

comments

skaul
·2 месяца назад·discuss
Credit to bsclifton for the idea!
skaul
·2 месяца назад·discuss
It's not but given that Perplexity doesn't have an API and blocks automated downloads, I'm not sure what else to use. Explained in the docs: https://github.com/ShivanKaul/chromium-drift/blob/main/docs/...
skaul
·2 месяца назад·discuss
Sorry about that! I've fixed the colors and contrast now.
skaul
·2 месяца назад·discuss
Thanks, fixed now.
skaul
·5 месяцев назад·discuss
I worked with Ralph when he was at Brave. I fondly remember many long walks in downtown Vancouver with him, getting tea at Matchstick and chatting about Rust and privacy and ancient Egyptian hieroglyphics. I still can't believe this. Huge loss.
skaul
·5 месяцев назад·discuss
Programming languages need to give the developer a way to iterate (map, fold, for-loop, whatever) over a collection of items. Over time we've come up with more elegant ways of doing this, but as a programmer, until LLMs, you've still had to be actively involved in the control logic. My point is that a developer's relationship with the code is very different now, in a way that wasn't true with previous low-to-high level language climbs.
skaul
·5 месяцев назад·discuss
Programming with LLMs is fundamentally different than going from a lower-level to a higher-level language, even apart from the whole non-determinism thing. With a programming language, you're still writing a for-loop, whether that's in C, Java or Rust. There's language primitives that help you think better in certain languages, but they're still, at the end of the day, code and context that you have to hold in your head and be intimately familiar with.

That changes with LLMs. For now, you can use LLMs to help you code that way; a programming buddy whose code you review. That's soon going to become "quaint" (to quote the author) given the projected productivity gains of agents (and for many developers it already has).
skaul
·6 месяцев назад·discuss
You can add these to your `~/.claude/settings.json`:

  "env": {
    "CLAUDE_CODE_DISABLE_FEEDBACK_SURVEY": "1",
    "CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC": "1",
    "DISABLE_AUTOUPDATER": "1",
    "IS_DEMO": "1"
  }
skaul
·6 месяцев назад·discuss
We used to use Bloom filters in 2019, funnily enough: https://brave.com/blog/improved-ad-blocker-performance/
skaul
·6 месяцев назад·discuss
That is correct.
skaul
·6 месяцев назад·discuss
We use the same adblocking engine (adblock-rust) on all platforms, including iOS, hence the shared memory savings.
skaul
·6 месяцев назад·discuss
> Or does it still replace them with ads for scanmy cryptocurrency?

Brave never did that.

Brave blocks third-party ads & trackers by default.

(disclaimer: I lead privacy and adblocking at Brave)
skaul
·6 месяцев назад·discuss
[BOTH FILLED] Brave Software | C++ Engineer, Filterlist Engineer | REMOTE | Full-time

Brave is building a privacy-first browser and a more transparent Web for over 100M users.

On the privacy team, we are looking for:

- C++ Engineer: Working on privacy features in our Chromium-based core engine. Link: https://job-boards.greenhouse.io/brave/jobs/7339167

- Filterlist Engineer: Working on adblocking and JavaScript fixes for websites. Link: https://job-boards.greenhouse.io/brave/jobs/7434948

We are a remote-friendly company with a very-low-meeting culture.
skaul
·8 месяцев назад·discuss
Self-plug but if anyone is interested in learning more about how browser fingerprinting works and the different protections browser makers deploy against it, I wrote a longer post about this a few months ago: https://pitg.network/news/techdive/2025/08/15/browser-finger...
skaul
·8 месяцев назад·discuss
This would be akin to Chrome sending the user's (unmodified) URLs to Google. Even Chrome thinks that that would be really bad for user privacy, and goes through elaborate techniques to not leak the user's direct browsing to Google, even for security-positive use-cases like Safe Browsing.
skaul
·9 месяцев назад·discuss
This is easy in Brave, just go to brave://settings/shields/filters and enable the "YouTube Anti-Shorts" filter list.
skaul
·11 месяцев назад·discuss
> Even if you know the source of the text before you feed it to the model you still need to solve the problem of how to send untrusted text from a user through a model without that untrusted text being able to trigger additional tool calls or actions.

We're exploring taking the action plan that a reasoning model (which sees both trusted and untrusted text) comes up with and passing it to a second model, which doesn't see the untrusted text and which then evaluates it.

> The most credible pattern I've seen for that comes from the DeepMind CaMeL paper

Yeah we're aware of the CaMeL paper and are looking into it, but it's definitely challenging from an implementation pov.

Also, I see that we said "The browser should clearly separate the user’s instructions from the website’s contents when sending them as context to the model" in the blog post. That should have been "backend", not "model". Agreed that once you feed both trusted and untrusted tokens into the LLM the output must be considered unsafe.
skaul
·11 месяцев назад·discuss
You're right that if the user logs into a sensitive website, the "isolated browsing" mitigation stops helping. We don't want the user to accidentally end up in that state though. Separately, I can also imagine use-cases for agentic browsing where the user doesn't have to be logged into sensitive websites. Summarizing Hacker News front page, for one.
skaul
·11 месяцев назад·discuss
> I haven't seen a single credible technique from anyone that can distinguish content from instructions

You specifically mean that it's ~impossible to distinguish between content and instructions ONCE it is fed to the model, right? I agree with that. I was talking about a prior step, at the browser level. At the point that the query is sent to the backend, the browser would be able to distinguish between web contents and user prompt. This is useful for checking user-alignment of the output of the reasoning model (keeping in mind that the moment you feed in untrusted text into a model all bets are off).

We're actively thinking and working on this, so will have more to announce soon, but this discussion is useful!
skaul
·11 месяцев назад·discuss
> you reply to me like I need to be lectured

That's not my intention! Just stating how we're thinking about this.

> defense in depth is to prevent one layer failure from getting to the next

We think a separate model can help with one layer of this: checking if the planner model's actions are aligned with the user's request. But we also need guarantees at other layers, like distinguishing web contents from user instructions, or locking down what tools the model has access to in what context. Fundamentally, though, like we said in the blog post:

"The attack we developed shows that traditional Web security assumptions don’t hold for agentic AI, and that we need new security and privacy architectures for agentic browsing."