HackerLangs
TopNewTrendsCommentsPastAskShowJobs

captn3m0

11,453 karmajoined 15 ปีที่แล้ว
https://captnemo.in http://about.me/n3m0

[ my public key: https://keybase.io/captn3m0; my proof: https://keybase.io/captn3m0/sigs/MrazMfyap5PnbYUKQhtqeLGfctJcwxsDB6Oo0t6ABxM ]

my email: [email protected]

meet.hn/city/in-Bengaluru

Socials: - github.com/captn3m0 - x.com/captn3m0 - t.me/captn3m0

Interests: Books, Cybersecurity, DevOps, Fintech, Open Source, Privacy, Web Development

---

hnchat:Z44vjhzI6AG5YXzEY5pD

Submissions

Oil prices fall on US-Iran agreement

cnn.com
3 points·by captn3m0·26 วันที่ผ่านมา·2 comments

A Namecheap bug got my domain suspended

captnemo.in
3 points·by captn3m0·2 เดือนที่ผ่านมา·0 comments

FOSS – Tracking delayed open-source releases

captnemo.in
3 points·by captn3m0·3 เดือนที่ผ่านมา·1 comments

The Colour of Production

lmika.org
2 points·by captn3m0·4 เดือนที่ผ่านมา·0 comments

Querying India's MoSPI Data with Claude and MCP

aman.bh
1 points·by captn3m0·5 เดือนที่ผ่านมา·0 comments

Show HN: Kurbelfahrplan, a FOSDEM schedule app for the playdate

captnemo.in
2 points·by captn3m0·5 เดือนที่ผ่านมา·1 comments

ESI Language Specification 1.0

w3.org
2 points·by captn3m0·6 เดือนที่ผ่านมา·0 comments

Guidance for GSoC Contributors using AI tooling in GSoC 2026

docs.google.com
2 points·by captn3m0·6 เดือนที่ผ่านมา·0 comments

Eurail Data Security Incident – January 2026

eurail.zendesk.com
1 points·by captn3m0·6 เดือนที่ผ่านมา·1 comments

Amazon will allow ePub and PDF downloads for DRM-free eBooks

kdpcommunity.com
634 points·by captn3m0·7 เดือนที่ผ่านมา·339 comments

SPC Requests for Curiosity, Winter 2025

minusone.com
2 points·by captn3m0·7 เดือนที่ผ่านมา·1 comments

IFF's Statement against mandatory installation of "Sanchar Saathi"

internetfreedom.in
5 points·by captn3m0·7 เดือนที่ผ่านมา·1 comments

Disruption of Docker Hardened Images and Docker Scout

dockerstatus.com
2 points·by captn3m0·8 เดือนที่ผ่านมา·0 comments

The Future of Codewars

codewars.com
1 points·by captn3m0·8 เดือนที่ผ่านมา·0 comments

Foul Play: Privilege Escalation on the Playdate

peterstefek.me
2 points·by captn3m0·8 เดือนที่ผ่านมา·0 comments

Leak of Geedge Networks internal documents

github.com
4 points·by captn3m0·10 เดือนที่ผ่านมา·0 comments

Fenrir – Bootchain exploit for MediaTek devices

github.com
2 points·by captn3m0·10 เดือนที่ผ่านมา·0 comments

comments

captn3m0
·6 วันที่ผ่านมา·discuss
There are a lot of other implementations of this idea that don't necessarily rely on trust-on-first-use. The securedrop team explicitly includes malicious JS served by the primary-domain in the threat-model and made WEBCAT[0] as an outcome of that research. Their article on webcrypto is much better than this one.

The solution obviously is to go out-of-band:

> When a user visits a website that has enrolled in WEBCAT, before the site can load the content is checked against a signed manifest to ensure that it has not been tampered with (more on enrollment later). If everything checks out, the page loads normally. If, however, any content does not match what’s expected, the page load is aborted and a warning is displayed, protecting the user from potentially malicious content before it can execute.

[0]: https://securedrop.org/news/introducing-webcat-web-based-cod...

[1]: https://securedrop.org/news/browser-based-cryptography/
captn3m0
·6 วันที่ผ่านมา·discuss
This is a OS port (iOS) of an existing functional and maintained fork (MacOS) of the official release (Windows).

Most of these low-hanging bugs would have been caught upstream by now.
captn3m0
·7 วันที่ผ่านมา·discuss
Do we know how Apple sends these? Is it just a notification, or also email?
captn3m0
·9 วันที่ผ่านมา·discuss
There are 2 complete folds in the Isaac 0 video around 0:40, but speeded up: https://m.youtube.com/watch?v=KhImSR8GuCE

The about page claims 1000+ lbs of laundry folded every week.
captn3m0
·11 วันที่ผ่านมา·discuss
10% apparently for .tk. I also remember .tv windfall, which is 8-9% of their GDP.
captn3m0
·13 วันที่ผ่านมา·discuss
I wrote superbright to be able to force it: https://github.com/captn3m0/superbright (fork of BrightIntosh). The display does get hit after 10-15 minutes of this though.
captn3m0
·17 วันที่ผ่านมา·discuss
When I read the title, I thought it would be for research papers.
captn3m0
·17 วันที่ผ่านมา·discuss
Hooks are not a new standard. Package managers have always supported hooks. It is just a call to get us to parity.
captn3m0
·18 วันที่ผ่านมา·discuss
> The problem of everchanging malware isn't fixable by global policies and global rulesets.

But it is an important tool that's missing in our toolbox. You could do most of the above, and still get pwned by a typo in an `npx` command. Capability based access management is not likely to land in any large package manager in the next few years, and we need solutions that work today.
captn3m0
·18 วันที่ผ่านมา·discuss
Package-level hooks are everywhere: https://github.com/ecosyste-ms/package-manager-hooks

I wrote this in response to the recent AUR attacks. The problem isn’t really too many dependencies - it is that most users cannot be auditing everything they install and we need mechanisms that help users where they are.

I audit my AUR pkg builds, and I would have likely caught any malware. But so would a Dependency Cooldown or a third-party threat feed. Package Managers should make it easy to build this tooling via hooks.
captn3m0
·18 วันที่ผ่านมา·discuss
Aliases and pre-hooks are nowhere near the guarantees you want, that’s what I am arguing - not everything is invoked from a blessed shell. Safely-bump-does.sh is also impossibly hard to write because you are replicating _all of the work NPM does in transitive dependency resolution_. Unless you are re-generating the lock file from scratch - it isn’t safe. Just updating package.json isn’t sufficient for eg.
captn3m0
·18 วันที่ผ่านมา·discuss
Author here - people are definitely looking at other places. This just happens to be where the attacks are, and gets disproportionate attention as a result.

Do you have examples of campaigns that weren’t flagged? Everything except xz had a 1 day window and Dependency Cooldowns are super effective against most campaigns for that reason.

See papers at https://kokkonisd.github.io/ for eg.
captn3m0
·18 วันที่ผ่านมา·discuss
`PreInstall` mainly. But `PreFetch/PreBuild` also for source-repositories, such as AUR helpers.

homebrew doesn't support hooks as a system package manager: https://github.com/ecosyste-ms/package-manager-hooks as an example.

I think the packaging ecosystem is varied enough that this should be left for the package managers to decide. Yarn allows dependency resolution and WebFetch overrides in its hooks for eg.
captn3m0
·18 วันที่ผ่านมา·discuss
(Author here). I don’t really care _how and what you decide to do with it_, the post is about package managers giving users the ability to decide.

Dependency Cooldowns can be implemented with global hooks, git-commit-signing checks can be implemented, LLM-scans can be implemented, someone can run the code in a jail and use the eBPF logs to publish a threat feed.

Modern language packaging is also _source available_, and we have a huge leg up over traditional virus scans - we have the source code almost always. You can do amazing static analysis.

Yes, it’s hard work. But package managers are doing it already. Yay and Paru both now support hooks. I’m offering to help for AUR to publish more metadata: https://lists.archlinux.org/archives/list/[email protected]...
captn3m0
·18 วันที่ผ่านมา·discuss
(Author here). It isn’t a matter of pre-install hooks. I don’t want known malware on my system irrespective of whether it runs at install-time or not. Pre-install hooks are going away in NPM, but we will have code injected in index.js next.

Modern package managers are not amenable to letting another script override its resolutions, and that is what needs fixing.
captn3m0
·18 วันที่ผ่านมา·discuss
Has anyone reversed their SDKs to run a swarm that captures enough traffic to see what requests are actually getting made?
captn3m0
·18 วันที่ผ่านมา·discuss
You can route an encrypted video stream through a server, same as messages. Zoom supports this as well now. You can’t do fancy stuff like transcoding at the server to support an older client, but WhatsApp dropped support for non-e2e really-old clients eons ago (Symbian and the like).
captn3m0
·19 วันที่ผ่านมา·discuss
There is also microformats.
captn3m0
·22 วันที่ผ่านมา·discuss
This was published in April, and we are far from consensus on what is “varnish”. Lots of distributions are now packaging vinyl and calling it varnish, some are pointing to the varnish repo instead (Fedora, Homebrew).

I’d left a comment last time, but haven’t tracked it since: https://news.ycombinator.com/item?id=47728216
captn3m0
·22 วันที่ผ่านมา·discuss
> I don't think there exist a password manager that is explicitly designed for a compromised/hostile device.

The crypto people tried this with hardware only password managers but they were too annoying. I have a halfway solution of using pass with Yubikey/GPG where each password decryption requires a touch. It does protect against the entire vault being decrypted at once and exfiltrated.