<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: apimade</title><link>https://news.ycombinator.com/user?id=apimade</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Thu, 02 Jul 2026 23:40:40 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=apimade" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by apimade in "Fired by Google for creating the Google workspace CLI"]]></title><description><![CDATA[
<p>Doesn’t appear to be at feature parity to GAM yet. <a href="https://github.com/GAM-team/GAM/wiki" rel="nofollow">https://github.com/GAM-team/GAM/wiki</a></p>
]]></description><pubDate>Tue, 23 Jun 2026 21:06:14 +0000</pubDate><link>https://news.ycombinator.com/item?id=48651449</link><dc:creator>apimade</dc:creator><comments>https://news.ycombinator.com/item?id=48651449</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48651449</guid></item><item><title><![CDATA[New comment by apimade in "How many of the 170k English words do you know?"]]></title><description><![CDATA[
<p>Pick the longest answer, you’re right 97% of the time.<p>This is true of any LLM-generated quiz.</p>
]]></description><pubDate>Fri, 19 Jun 2026 23:02:51 +0000</pubDate><link>https://news.ycombinator.com/item?id=48604316</link><dc:creator>apimade</dc:creator><comments>https://news.ycombinator.com/item?id=48604316</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48604316</guid></item><item><title><![CDATA[New comment by apimade in "Kagi Magic"]]></title><description><![CDATA[
<p>I’m glad we could establish the ad is wearing a hat.<p><a href="https://youtu.be/lC5lsemxaJo" rel="nofollow">https://youtu.be/lC5lsemxaJo</a></p>
]]></description><pubDate>Fri, 12 Jun 2026 21:43:57 +0000</pubDate><link>https://news.ycombinator.com/item?id=48509784</link><dc:creator>apimade</dc:creator><comments>https://news.ycombinator.com/item?id=48509784</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48509784</guid></item><item><title><![CDATA[New comment by apimade in "Chrome is looking to permanently drop MV2 extension"]]></title><description><![CDATA[
<p>So, consider this a layman's explanation of why this change is bad from someone who spends their time securing end-users.<p>This change is good for the majority of users, but is actually bad for large enterprise customers and highly-regulated customers. It puts more control and onus of responsibility on to Google, rather than the end-user. So, we will expect to see better enforcement of controls from Google for the lowest-hanging-fruit that some aspects of MV2 exposed.<p>What's that, you say? MV2 changes? Well, there are 3 things.<p>1. Remote code execution. The ability for someone to just yeet commands into your browser. A little harder to do directly. Still very possible, just with extra steps.<p>2. Removing the ability for extensions to access network requests directly, which is what adblockers often relied on. It also means malicious extensions could snoop on your requests. They still can, just with extra steps.<p>3. Background persistence: an extension could stay alive, maintain state, run timers, keep connections open, and coordinate across tabs. So this shuts off the "background persistence" piece -- but helps with ensuring better isolation. Still possible, but now requires yeeting your data to an external provider instead of keeping the state contained locally.<p>Those 3 changes are incredibly powerful, and will impact many, many Enterprise security tools. 
Those tools will now instead result in products like "Island Browser" and "Enterprise Chrome" being rolled out to supplement the functionality that MV2 gave us.<p>This change goes against the US and Australian governments' hardening advice, and reduces the overall efficacy of security controls we're able to implement within our web browsers natively.<p>CISA's own guidance on this is pretty straightforward (aptly named <i>Securing Web Browsers and Defending Against Malvertising for Federal Agencies</i>): <a href="https://www.cisa.gov/sites/default/files/2023-09/CISA%20CEG%20Securing%20Web%20Browsers%20And%20Defending%20Against%20Malvertising.pdf" rel="nofollow">https://www.cisa.gov/sites/default/files/2023-09/CISA%20CEG%...</a><p>Here's the Australian Government's control relating to it:<p>> Control: ISM-1485; Revision: 1; Updated: Sep-21; Applicable: NC, OS, P, S, TS; Essential 8: ML1, ML2, ML3
> Web browsers do not process web advertisements from the internet.<p>And if you're wondering about what incentives there are that led to this change, you can read this letter written to the Chairman of the FTC by a US Senator back in 2020. This letter is linked from the same CISA document I shared earlier.<p>You should read it in full, and consider what incentives the Senator was referring to -- and how they also apply in this scenario.<p><a href="https://www.wyden.senate.gov/imo/media/doc/011420%20Wyden%20Ad%20Blocking%20Letter%20to%20FTC.pdf" rel="nofollow">https://www.wyden.senate.gov/imo/media/doc/011420%20Wyden%20...</a><p>Those Enterprise Chrome products I mentioned earlier? Chrome's change has now put some of this functionality, which was previously possible with an extension, behind the Enterprise Chrome Premium SKU: <a href="https://chromeenterprise.google/products/chrome-enterprise-premium/#:~:text=Malware%20deep%20scanning,incidents%20for%20investigation." rel="nofollow">https://chromeenterprise.google/products/chrome-enterprise-p...</a></p>
]]></description><pubDate>Wed, 10 Jun 2026 08:09:56 +0000</pubDate><link>https://news.ycombinator.com/item?id=48473074</link><dc:creator>apimade</dc:creator><comments>https://news.ycombinator.com/item?id=48473074</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48473074</guid></item><item><title><![CDATA[New comment by apimade in "1k Data Breaches Later, the Disclosure Lag Is Worse"]]></title><description><![CDATA[
<p>For tech B2B companies where the founders or executive team hold the majority stake in the organisation, yes. A failure to disclose or respond when there is a public notice on an .onion address, or a sample set of your customer data has been published online, creates tangible, direct commercial impact.<p>You should expect every deal in your pipeline to stall. Your product and company will be flagged by every GRC team, and every stakeholder trying to purchase your product will suddenly need to go to risk committees, or into meetings with CISOs, CTOs, and founders, to explain why buying from you is worth the risk compared to competitors who have not been breached.<p>If you have not addressed the issue, it becomes a literal deal-breaker. The sooner you write the press release, notify customers, and deal with the underlying problems, the sooner you can turn the incident into a credible story about how you responded, contained it, and improved.<p>If you do not respond, or you deny it, your deals are dead.<p>The reason I prefaced this with companies where the founders or executive team hold a majority stake is that I sincerely do not believe the same incentives do not exist for most other companies. The stock price is not meaningfully impacted by incidents like this; it is more affected by vibes, market conditions, and the general tech economy. There are a hundred things that will move the stock price before cybersecurity and data incidents do.<p>Operating revenue and profit, however, will be impacted. Executives on a death march for growth, who understand that an incident like this can wipe away a year of progress (and essentially their life's work), are far more likely to take it seriously. They are directly exposed to the commercial consequences.<p>The companies you see trying to sweep this under the rug, or outright ignore it, are usually one of two things.<p>1. 
They are so out of touch with their customers that they would rather listen to a lawyer chasing the “ideal legal-risk outcome” than pursue the best financial, customer and cybersecurity risk outcome. In my experience these are executives who are independently wealthy or already come from wealth, and their priority is simply keeping the status quo.<p>2. They are simply not incentivised to deal with it properly (neither carrot nor stick). That is: they don't lose their bonus, they don't face the axe, and they aren't rewarded for doing anything "well" in response to it. They might say they're "inherently" exposed because if the business is impacted, so are they (stock price, performance bonuses) -- but that's incredibly disingenuous, as it's pretty much always not a material difference to them.<p>For B2C or B2B doing "traditional" stuff? No. The incentive simply just isn't there.<p>GDPR, CCPA, whatever, hasn't moved the dial.</p>
]]></description><pubDate>Mon, 08 Jun 2026 04:54:42 +0000</pubDate><link>https://news.ycombinator.com/item?id=48441449</link><dc:creator>apimade</dc:creator><comments>https://news.ycombinator.com/item?id=48441449</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48441449</guid></item><item><title><![CDATA[New comment by apimade in "Show HN: ABC Classic 100 Rankings visualised"]]></title><description><![CDATA[
<p>There's already a playlist:
<a href="https://www.youtube.com/playlist?list=OLAK5uy_mUvvqf3A2l68yAzu0_n7wOOJvfM0cSV7U" rel="nofollow">https://www.youtube.com/playlist?list=OLAK5uy_mUvvqf3A2l68yA...</a></p>
]]></description><pubDate>Sat, 06 Jun 2026 04:10:14 +0000</pubDate><link>https://news.ycombinator.com/item?id=48421299</link><dc:creator>apimade</dc:creator><comments>https://news.ycombinator.com/item?id=48421299</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48421299</guid></item><item><title><![CDATA[New comment by apimade in "Changing how we develop Ladybird"]]></title><description><![CDATA[
<p>It makes sense when you have a somewhat fixed core team size. Frankly, in some regards, this is the responsible thing to do.<p>It means they’ll never grow modules or the codebase beyond what the team can reasonably maintain.<p>However, on the other hand, what does this mean for the existing team? Are maintainers now worth considerably more to the project? What does this mean for the codebase, or the momentum of the project?<p>It’s an approach I would have expected for the likes of curl, or single-purpose libraries. But this is a mammoth decision for a mammoth project.<p>I guess we’ll just have to see.</p>
]]></description><pubDate>Fri, 05 Jun 2026 08:45:22 +0000</pubDate><link>https://news.ycombinator.com/item?id=48409780</link><dc:creator>apimade</dc:creator><comments>https://news.ycombinator.com/item?id=48409780</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48409780</guid></item><item><title><![CDATA[New comment by apimade in "Meta workers can opt out of being tracked at work up to 30 min"]]></title><description><![CDATA[
<p>What you’re concerned about doesn’t stop at the employer.<p>Anyone with access to data being processed about you may have incentives that align similarly with your employer’s use case.<p>Advertisers, Internet service providers, phone manufacturers, social networks, tech platform providers, schools, families, spouses, nosy neighbours, nosy governments.<p>The scale at which you can build a summary about someone is astonishing.<p>How they breach policies, how they break laws, how they mishandle sensitive data, how they materially negatively impact customers.<p>This whole thing is now a litigation nightmare, and frankly I can’t believe Meta is doing this so publicly. They’ve created an incredibly dangerous and lucrative lever in which vexatious and otherwise incentivised individuals and organisations can subpoena and demand evidence which, provided the ample data available, will surely produce enough evidence given the expanse of their employer base. They simply need to have a thread to pull on, so a judge doesn’t deem it a fishing expedition.<p>Similarly, I worry for democracies with no checks or balances to prevent ruling parties from exploiting or abusing this power. For example, in India, there are accusations of their equivalent of the NSA being used to spy on the opposition — under the guise of “keep them honest”. <a href="https://www.idsa.in/system/files/book/book_IntellegenceReform.pdf" rel="nofollow">https://www.idsa.in/system/files/book/book_IntellegenceRefor...</a><p>In other Western countries whenever this type of work is conducted, it’s usually at Director or Minister-level approval. There’s lawyers involved, it’s heavily documented. What happens when systems, or products, are given the implicit approval of this same function by their very nature?<p>We’re in weird times.</p>
]]></description><pubDate>Wed, 03 Jun 2026 14:06:12 +0000</pubDate><link>https://news.ycombinator.com/item?id=48384310</link><dc:creator>apimade</dc:creator><comments>https://news.ycombinator.com/item?id=48384310</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48384310</guid></item><item><title><![CDATA[New comment by apimade in "You Only Use 10% of Printf() – Here Are Things They Didn't Teach You [video]"]]></title><description><![CDATA[
<p>It's more so the "AI-isms" that irk me. It's interesting, but I'm not finishing the video because once I notice it -- I can't help but focus on it. Instead, I tl;dr'd the transcript.<p>People question my use of AI when I double `-` with an iPhone on the internet constantly.[0] I get it, it's annoying.<p>However, if our barrier for quality is "at its core, the content of this is interesting", then the quality of this place will fall off a cliff. This is factoid-level interesting. It's not a hacker writing something profound or presenting a breakthrough in garbled grade 8 English. It's a fun fact being presented in an acceptable, inoffensive, reasonably produced format. Is that the bar?<p>[0] <a href="https://news.ycombinator.com/item?id=48151641">https://news.ycombinator.com/item?id=48151641</a></p>
]]></description><pubDate>Tue, 26 May 2026 09:09:25 +0000</pubDate><link>https://news.ycombinator.com/item?id=48277122</link><dc:creator>apimade</dc:creator><comments>https://news.ycombinator.com/item?id=48277122</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48277122</guid></item><item><title><![CDATA[New comment by apimade in "You Only Use 10% of Printf() – Here Are Things They Didn't Teach You [video]"]]></title><description><![CDATA[
<p>[flagged]</p>
]]></description><pubDate>Tue, 26 May 2026 08:52:36 +0000</pubDate><link>https://news.ycombinator.com/item?id=48276982</link><dc:creator>apimade</dc:creator><comments>https://news.ycombinator.com/item?id=48276982</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48276982</guid></item><item><title><![CDATA[New comment by apimade in "Scammers are abusing an internal Microsoft account to send spam links"]]></title><description><![CDATA[
<p>Such a list will never exist in an organisation of this size, with the amount of delegated management and operations required for these functions. In fact, it’s unlikely such a list is even _allowed_ to exist given the sensitive nature of some areas of the business, being a publicly traded company which works directly with regulated entities and governments.<p>It’d be interesting to hear a senior old-timer from MS weigh in on their blog about this, and similar/adjacent problems that arise from working across such a colossal entity.<p>It’s a wonder they ever release anything new, if I’m being completely honest. The amount of governance, hoops, process and procedure across every aspect of their business must be staggering.</p>
]]></description><pubDate>Sun, 24 May 2026 03:41:59 +0000</pubDate><link>https://news.ycombinator.com/item?id=48254147</link><dc:creator>apimade</dc:creator><comments>https://news.ycombinator.com/item?id=48254147</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48254147</guid></item><item><title><![CDATA[New comment by apimade in "We reduced a real Node.js production Docker image from 1.2GB to 78MB"]]></title><description><![CDATA[
<p>Alpine is a great choice, provided you understand what’s included, and the ramifications it has on the stack you’re trying to work with.<p>99 times out of 100 it’s a terrible choice for an enterprise.</p>
]]></description><pubDate>Sun, 24 May 2026 01:37:52 +0000</pubDate><link>https://news.ycombinator.com/item?id=48253480</link><dc:creator>apimade</dc:creator><comments>https://news.ycombinator.com/item?id=48253480</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48253480</guid></item><item><title><![CDATA[New comment by apimade in "Ask HN: How to be SOC2 Type 2 compliant as a solo-entreprenuer?"]]></title><description><![CDATA[
<p>Agree, see the Delve fiasco. But that’s not their job. Their job is literally checkbox. However some audits are so poorly done, or have auditors with zero real world engineering or cyber experience, they’re actively harmful to a product or customer base.<p>Example: insane, complex password policies and password rotation policies. These are still pushed by auditors rather than trying to build a reasonable exception case with the client.</p>
]]></description><pubDate>Fri, 15 May 2026 20:05:13 +0000</pubDate><link>https://news.ycombinator.com/item?id=48153163</link><dc:creator>apimade</dc:creator><comments>https://news.ycombinator.com/item?id=48153163</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48153163</guid></item><item><title><![CDATA[New comment by apimade in "Ask HN: How to be SOC2 Type 2 compliant as a solo-entreprenuer?"]]></title><description><![CDATA[
<p>Sometimes good change comes from compliance. More than once I’ve seen major product resources shift to address major cybersecurity gaps, in response to a compliance-led audit.<p>Compliance is not security, but engineers, especially solo ones, tend to have their blinkers on when they’re trying to build something to first work.</p>
]]></description><pubDate>Fri, 15 May 2026 20:04:38 +0000</pubDate><link>https://news.ycombinator.com/item?id=48153154</link><dc:creator>apimade</dc:creator><comments>https://news.ycombinator.com/item?id=48153154</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48153154</guid></item><item><title><![CDATA[New comment by apimade in "Ask HN: How to be SOC2 Type 2 compliant as a solo-entreprenuer?"]]></title><description><![CDATA[
<p>iPhone.</p>
]]></description><pubDate>Fri, 15 May 2026 20:02:26 +0000</pubDate><link>https://news.ycombinator.com/item?id=48153131</link><dc:creator>apimade</dc:creator><comments>https://news.ycombinator.com/item?id=48153131</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48153131</guid></item><item><title><![CDATA[New comment by apimade in "Ask HN: How to be SOC2 Type 2 compliant as a solo-entreprenuer?"]]></title><description><![CDATA[
<p>No worries, it’s more about finding what the security and compliance teams care about — and making them comfortable. Compliance doesn’t equal security; I’ve onboarded startups with better security than the SOC2 certified, ISO27K Swiss cheese $B unicorn.<p>Hackers don’t target based on certification. It’s generally convenience and motive. Unknown startups who are laying solid foundations won’t show up on anyone’s radar for the first 2 years without some insanely unlucky event (i.e. a supply chain breach, an early employee doing something really dumb).</p>
]]></description><pubDate>Fri, 15 May 2026 10:22:12 +0000</pubDate><link>https://news.ycombinator.com/item?id=48146821</link><dc:creator>apimade</dc:creator><comments>https://news.ycombinator.com/item?id=48146821</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48146821</guid></item><item><title><![CDATA[New comment by apimade in "Ask HN: How to be SOC2 Type 2 compliant as a solo-entreprenuer?"]]></title><description><![CDATA[
<p>I’ll spend some more time replying to this next week, so circle back to this comment; I’m someone who regularly helps people get past these audits, meet the criteria customers are trying to assess with these certifications, and vet startups who don’t have these certifications or budget.<p>Start by pre-filling your own CAIQ v4 with an earnest “we don’t do this” or “we haven’t even thought about this” attempt: <a href="https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4" rel="nofollow">https://cloudsecurityalliance.org/artifacts/cloud-controls-m...</a><p>Then read through it and see what you can address immediately (EDR on your laptop, MFA on your cloud environments, etc.), followed by role playing your client: “based on answers to this questionnaire, what would I not accept?”<p>There will be some items you can’t fix.<p>You’ll soon find out the majority of customers, including banks, governments, defence contractors, crypto startups — simply do not care. If they want to use your product, they’ll work with you.<p>It may be single-tenancy, it may require architectural changes, it may mean making it self-hosted with a time-bomb, but you’ll be able to address the requirements of the CISO, compliance monkey or executive.<p>I’ve yet to meet an industry or individual I can’t convince. Even if the product is a hot mess, half baked and radioactive — we’ll deploy it on a VM running inside of a VDI within the customer’s environment, because slopping together a migration path is _so easy_, and those early, highly regulated clients are worth it.</p>
]]></description><pubDate>Fri, 15 May 2026 09:51:36 +0000</pubDate><link>https://news.ycombinator.com/item?id=48146605</link><dc:creator>apimade</dc:creator><comments>https://news.ycombinator.com/item?id=48146605</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48146605</guid></item><item><title><![CDATA[New comment by apimade in "Reviving BrowserID in 2026"]]></title><description><![CDATA[
<p>"BrowserID failed in 2016, but WKID won't"<p>"And the big providers (gmail.com, outlook.com, yahoo.com, icloud.com) will never be supported."<p>You've changed the definition of "success" here. Why not just launch using Persona rather than RYO? What benefits do you provide over it?</p>
]]></description><pubDate>Sun, 26 Apr 2026 04:35:32 +0000</pubDate><link>https://news.ycombinator.com/item?id=47907383</link><dc:creator>apimade</dc:creator><comments>https://news.ycombinator.com/item?id=47907383</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47907383</guid></item><item><title><![CDATA[New comment by apimade in "Guy builds AI driven hardware hacker arm from duct tape, old cam and CNC machine"]]></title><description><![CDATA[
<p>My understanding is you’d probe the board during different operations, process the results and deduce what signals are useful and what traffic is transmitting across the board (i.e. private keys, what protocols are used, debug interfaces, firmware components, chip functions, etc.).</p>
]]></description><pubDate>Fri, 17 Apr 2026 02:58:33 +0000</pubDate><link>https://news.ycombinator.com/item?id=47802037</link><dc:creator>apimade</dc:creator><comments>https://news.ycombinator.com/item?id=47802037</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47802037</guid></item><item><title><![CDATA[New comment by apimade in "The MacBook Neo"]]></title><description><![CDATA[
<p>Total cost of ownership.<p>I’d give my entire family these ahead of Windows laptops any day.</p>
]]></description><pubDate>Wed, 11 Mar 2026 06:22:50 +0000</pubDate><link>https://news.ycombinator.com/item?id=47332250</link><dc:creator>apimade</dc:creator><comments>https://news.ycombinator.com/item?id=47332250</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=47332250</guid></item></channel></rss>