HackerTrans
TopNewTrendsCommentsPastAskShowJobs

xori

no profile record

comments

xori
·5 tháng trước·discuss
~~Written by the same people?~~

EDIT: ha, confused with https://wiki.xxiivv.com/site/uxn.html
xori
·8 tháng trước·discuss
The real question is can Windows defender scan these drives?
xori
·12 tháng trước·discuss
I've been wanting to do this for ages. Originally I wanted to do this at the home router level, but that quickly got shut down when I got a test net up and running and my friends could control the Chromecasts in my house.

For us a "tailscale" equivalent with SoftEther is what we used to manage the DNS/Tunneling for our fileshare/services.

So cool to see more people playing in this space. Please post more! <3
xori
·năm ngoái·discuss
"How do you get corporate secrets out of a software engineer? Sit them next to another engineer on a plane."
xori
·năm ngoái·discuss
Well they aren't in Canada for me yet, but that's probably because we aren't the public that needs to know.
xori
·2 năm trước·discuss
"Show me what you got"
xori
·2 năm trước·discuss
I understand, but things like https://github.com/GoogleChromeLabs/comlink enable it. Similar to how iFrames don't have access to their parent page you need a facilitator. My question is why not use a js facilitator that could work in all browsers, rather than just Chrome.

I find it an interesting choice that the author decided to invest in new iFrame technology rather than existing multi-thread technology in the browser.
xori
·2 năm trước·discuss
I see it now, I don't know how I missed it.
xori
·2 năm trước·discuss
Why reach for iFrames over other technology like WebWorkers?
xori
·2 năm trước·discuss
I'm confident then that you can skip the base64 encoded header and just have the server use the jwt passed in the bearer token and the new signature you propose. (As the base64 encoded version can be reconstructed from the JWT itself)

But I think ideally I would use a wrapped JWT with `"alg": "ES256"` and just pass it as normal in a bearer token[0] as JWTs natively support signed primitives.

[0]: https://jwt.io/#debugger-io?token=eyJhbGciOiJFUzI1NiIsInR5cC...
xori
·2 năm trước·discuss
When you `.get` a credential you can provide a challenge that it signs which you can make the JWT. With an added bonus that this passkey can exist on your phone or password manager which you can use to authenticate on a different device while still feeling confident in it's security.
xori
·2 năm trước·discuss
Yeah that does it for new keys generated, any old keys in IDB obviously still are exposed.
xori
·2 năm trước·discuss
Rather than generating key data on the client in the open, and storing it in IDB, I would recommend the Credential Management API[0]. Hand off the responsibility to proper generation and storage to the user agent. Then do your signing of the JWT with them instead.

[0]: https://developer.mozilla.org/en-US/docs/Web/API/Credential_...
xori
·2 năm trước·discuss
so I don't fully understand what you're preventing

    const db = await openDatabase();
    const keyPair = await getKeyPair(db);
    await crypto.subtle.exportKey("jwk", keyPair.privateKey)
exports the private key if I have a XSS vuln.

The recommendation for IP address in the JWT is good, but I don't understand your last recommendation of 1) sending the JWT, 2) additionally sending the base64 JWT in a header 3) sending the signature in the header. The crypto.subtle api only works on https domains so you're not defending against mitm attacks on unsecure networks either. And if we can't trust TLS what can we trust on the web?
xori
·2 năm trước·discuss
Not much here explicitly in the source code dump. A little insight into their worker node infra but no "secret sauce" imo.
xori
·2 năm trước·discuss
Hyperswarm has been my go-to for stuff like this, but you bring up a good point that I don't think it's encrypted.

https://github.com/holepunchto/hyperswarm
xori
·4 năm trước·discuss
I don't know if 5 miles is long enough for the people who actually need it, but if I was a postal worker, these would be pretty sweet. And 1400 USD is cheaper than some car insurance here in Canada for young males.
xori
·4 năm trước·discuss
JPGs are not security, and moving JPGs can be fabricated very easily. Some v-tuber software with a deepfake GAN strapped to it I feel like would fool 1-on-1 meetings too.

I got my weekend project.
xori
·5 năm trước·discuss
> we can't decrypt your data.

But I thought the point of the cages, is that _do_ decrypt the data. And any government mandated backdoors would then go into that process. You're not doing any homomorphic encryption here.

I guess my issue, is that you see both the keys and data, not just one.
xori
·5 năm trước·discuss
It's actually built into vanilla android https://support.google.com/googleplay/answer/9283534?hl=en