<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Hacker News: captn3m0</title><link>https://news.ycombinator.com/user?id=captn3m0</link><description>Hacker News RSS</description><docs>https://hnrss.org/</docs><generator>hnrss v2.1.1</generator><lastBuildDate>Sun, 12 Jul 2026 03:27:37 +0000</lastBuildDate><atom:link href="https://hnrss.org/user?id=captn3m0" rel="self" type="application/rss+xml"></atom:link><item><title><![CDATA[New comment by captn3m0 in "Web-based cryptography is always snake oil"]]></title><description><![CDATA[
<p>There are a lot of other implementations of this idea that don't necessarily rely on trust-on-first-use. The securedrop team explicitly includes malicious JS served by the primary-domain in the threat-model and made WEBCAT[0] as an outcome of that research. Their article on webcrypto is much better than this one.<p>The solution obviously is to go out-of-band:<p>> When a user visits a website that has enrolled in WEBCAT, before the site can load the content is checked against a signed manifest to ensure that it has not been tampered with (more on enrollment later). If everything checks out, the page loads normally. If, however, any content does not match what’s expected, the page load is aborted and a warning is displayed, protecting the user from potentially malicious content before it can execute.<p>[0]: <a href="https://securedrop.org/news/introducing-webcat-web-based-code-assurance-and-transparency/" rel="nofollow">https://securedrop.org/news/introducing-webcat-web-based-cod...</a><p>[1]: <a href="https://securedrop.org/news/browser-based-cryptography/" rel="nofollow">https://securedrop.org/news/browser-based-cryptography/</a></p>
]]></description><pubDate>Sun, 05 Jul 2026 10:05:20 +0000</pubDate><link>https://news.ycombinator.com/item?id=48792831</link><dc:creator>captn3m0</dc:creator><comments>https://news.ycombinator.com/item?id=48792831</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48792831</guid></item><item><title><![CDATA[New comment by captn3m0 in "Command and Conquer Generals natively ported to macOS, iPhone, iPad using Fable"]]></title><description><![CDATA[
<p>This is a OS port (iOS) of an existing functional and maintained fork (MacOS) of the official release (Windows).<p>Most of these low-hanging bugs would have been caught upstream by now.</p>
]]></description><pubDate>Sun, 05 Jul 2026 06:06:22 +0000</pubDate><link>https://news.ycombinator.com/item?id=48791645</link><dc:creator>captn3m0</dc:creator><comments>https://news.ycombinator.com/item?id=48791645</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48791645</guid></item><item><title><![CDATA[New comment by captn3m0 in "Command and Conquer Generals natively ported to macOS, iPhone, iPad using Fable"]]></title><description><![CDATA[
<p>upstream is a MacOS+linux build. <a href="https://github.com/fbraz3/GeneralsX" rel="nofollow">https://github.com/fbraz3/GeneralsX</a>.</p>
]]></description><pubDate>Sat, 04 Jul 2026 20:56:39 +0000</pubDate><link>https://news.ycombinator.com/item?id=48789017</link><dc:creator>captn3m0</dc:creator><comments>https://news.ycombinator.com/item?id=48789017</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48789017</guid></item><item><title><![CDATA[New comment by captn3m0 in "Espionage Against the European Parliament"]]></title><description><![CDATA[
<p>Do we know how Apple sends these? Is it just a notification, or also email?</p>
]]></description><pubDate>Fri, 03 Jul 2026 21:34:01 +0000</pubDate><link>https://news.ycombinator.com/item?id=48780270</link><dc:creator>captn3m0</dc:creator><comments>https://news.ycombinator.com/item?id=48780270</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48780270</guid></item><item><title><![CDATA[New comment by captn3m0 in "Weave Robotics launches Isaac 1, a $7,999 home robot with Fall 2026 deliveries"]]></title><description><![CDATA[
<p>There are 2 complete folds in the Isaac 0 video around 0:40, but speeded up: <a href="https://m.youtube.com/watch?v=KhImSR8GuCE" rel="nofollow">https://m.youtube.com/watch?v=KhImSR8GuCE</a><p>The about page claims 1000+ lbs of laundry folded every week.</p>
]]></description><pubDate>Wed, 01 Jul 2026 22:03:41 +0000</pubDate><link>https://news.ycombinator.com/item?id=48753717</link><dc:creator>captn3m0</dc:creator><comments>https://news.ycombinator.com/item?id=48753717</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48753717</guid></item><item><title><![CDATA[New comment by captn3m0 in ".self: A new top-level domain designed to support self-hosting"]]></title><description><![CDATA[
<p>10% apparently for .tk. I also remember .tv windfall, which is 8-9% of their GDP.</p>
]]></description><pubDate>Mon, 29 Jun 2026 22:10:11 +0000</pubDate><link>https://news.ycombinator.com/item?id=48725985</link><dc:creator>captn3m0</dc:creator><comments>https://news.ycombinator.com/item?id=48725985</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48725985</guid></item><item><title><![CDATA[New comment by captn3m0 in "Streaming services' obnoxiously loud ads become illegal on July 1 in California"]]></title><description><![CDATA[
<p>I wrote superbright to be able to force it: <a href="https://github.com/captn3m0/superbright" rel="nofollow">https://github.com/captn3m0/superbright</a> (fork of BrightIntosh). The display does get hit after 10-15 minutes of this though.</p>
]]></description><pubDate>Sat, 27 Jun 2026 21:41:14 +0000</pubDate><link>https://news.ycombinator.com/item?id=48702037</link><dc:creator>captn3m0</dc:creator><comments>https://news.ycombinator.com/item?id=48702037</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48702037</guid></item><item><title><![CDATA[New comment by captn3m0 in "No AI Co-Authors. A Manifesto"]]></title><description><![CDATA[
<p>When I read the title, I thought it would be for research papers.</p>
]]></description><pubDate>Wed, 24 Jun 2026 07:13:17 +0000</pubDate><link>https://news.ycombinator.com/item?id=48656309</link><dc:creator>captn3m0</dc:creator><comments>https://news.ycombinator.com/item?id=48656309</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48656309</guid></item><item><title><![CDATA[New comment by captn3m0 in "Package Managers need global hooks"]]></title><description><![CDATA[
<p>Hooks are not a new standard. Package managers have always supported hooks. It is just a call to get us to parity.</p>
]]></description><pubDate>Tue, 23 Jun 2026 20:47:03 +0000</pubDate><link>https://news.ycombinator.com/item?id=48651153</link><dc:creator>captn3m0</dc:creator><comments>https://news.ycombinator.com/item?id=48651153</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48651153</guid></item><item><title><![CDATA[New comment by captn3m0 in "Package Managers need global hooks"]]></title><description><![CDATA[
<p>> The problem of everchanging malware isn't fixable by global policies and global rulesets.<p>But it is an important tool that's missing in our toolbox. You could do most of the above, and still get pwned by a typo in an `npx` command. Capability based access management is not likely to land in any large package manager in the next few years, and we need solutions that work today.</p>
]]></description><pubDate>Tue, 23 Jun 2026 12:53:19 +0000</pubDate><link>https://news.ycombinator.com/item?id=48644214</link><dc:creator>captn3m0</dc:creator><comments>https://news.ycombinator.com/item?id=48644214</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48644214</guid></item><item><title><![CDATA[New comment by captn3m0 in "Package Managers need global hooks"]]></title><description><![CDATA[
<p>Package-level hooks are everywhere: <a href="https://github.com/ecosyste-ms/package-manager-hooks" rel="nofollow">https://github.com/ecosyste-ms/package-manager-hooks</a><p>I wrote this in response to the recent AUR attacks. The problem isn’t really too many dependencies - it is that most users cannot be auditing everything they install and we need mechanisms that help users where they are.<p>I audit my AUR pkg builds, and I would have likely caught any malware. But so would a Dependency Cooldown or a third-party threat feed. Package Managers should make it easy to build this tooling via hooks.</p>
]]></description><pubDate>Tue, 23 Jun 2026 07:40:01 +0000</pubDate><link>https://news.ycombinator.com/item?id=48641611</link><dc:creator>captn3m0</dc:creator><comments>https://news.ycombinator.com/item?id=48641611</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48641611</guid></item><item><title><![CDATA[New comment by captn3m0 in "Package Managers need global hooks"]]></title><description><![CDATA[
<p>Aliases and pre-hooks are nowhere near the guarantees you want, that’s what I am arguing - not everything is invoked from a blessed shell. Safely-bump-does.sh is also impossibly hard to write because you are replicating _all of the work NPM does in transitive dependency resolution_. Unless you are re-generating the lock file from scratch - it isn’t safe. Just updating package.json isn’t sufficient for eg.</p>
]]></description><pubDate>Tue, 23 Jun 2026 07:34:38 +0000</pubDate><link>https://news.ycombinator.com/item?id=48641579</link><dc:creator>captn3m0</dc:creator><comments>https://news.ycombinator.com/item?id=48641579</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48641579</guid></item><item><title><![CDATA[New comment by captn3m0 in "Package Managers need global hooks"]]></title><description><![CDATA[
<p>Author here - people are definitely looking at other places. This just happens to be where the attacks are, and gets disproportionate attention as a result.<p>Do you have examples of campaigns that weren’t flagged? Everything except xz had a 1 day window and Dependency Cooldowns are super effective against most campaigns for that reason.<p>See papers at <a href="https://kokkonisd.github.io/" rel="nofollow">https://kokkonisd.github.io/</a> for eg.</p>
]]></description><pubDate>Tue, 23 Jun 2026 07:30:56 +0000</pubDate><link>https://news.ycombinator.com/item?id=48641551</link><dc:creator>captn3m0</dc:creator><comments>https://news.ycombinator.com/item?id=48641551</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48641551</guid></item><item><title><![CDATA[New comment by captn3m0 in "Package Managers need global hooks"]]></title><description><![CDATA[
<p>`PreInstall` mainly. But `PreFetch/PreBuild` also for source-repositories, such as AUR helpers.<p>homebrew doesn't support hooks as a system package manager: <a href="https://github.com/ecosyste-ms/package-manager-hooks" rel="nofollow">https://github.com/ecosyste-ms/package-manager-hooks</a> as an example.<p>I think the packaging ecosystem is varied enough that this should be left for the package managers to decide. Yarn allows dependency resolution and WebFetch overrides in its hooks for eg.</p>
]]></description><pubDate>Tue, 23 Jun 2026 06:46:07 +0000</pubDate><link>https://news.ycombinator.com/item?id=48641235</link><dc:creator>captn3m0</dc:creator><comments>https://news.ycombinator.com/item?id=48641235</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48641235</guid></item><item><title><![CDATA[New comment by captn3m0 in "Package Managers need global hooks"]]></title><description><![CDATA[
<p>(Author here). I don’t really care _how and what you decide to do with it_, the post is about package managers giving users the ability to decide.<p>Dependency Cooldowns can be implemented with global hooks, git-commit-signing checks can be implemented, LLM-scans can be implemented, someone can run the code in a jail and use the eBPF logs to publish a threat feed.<p>Modern language packaging is also _source available_, and we have a huge leg up over traditional virus scans - we have the source code almost always. You can do amazing static analysis.<p>Yes, it’s hard work. But package managers are doing it already. Yay and Paru both now support hooks. I’m offering to help for AUR to publish more metadata:  <a href="https://lists.archlinux.org/archives/list/aur-dev@lists.archlinux.org/thread/MFKTM44GYSHLAQXRNUAPUSBRDZUEIPDV/" rel="nofollow">https://lists.archlinux.org/archives/list/aur-dev@lists.arch...</a></p>
]]></description><pubDate>Tue, 23 Jun 2026 06:24:40 +0000</pubDate><link>https://news.ycombinator.com/item?id=48641100</link><dc:creator>captn3m0</dc:creator><comments>https://news.ycombinator.com/item?id=48641100</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48641100</guid></item><item><title><![CDATA[New comment by captn3m0 in "Package Managers need global hooks"]]></title><description><![CDATA[
<p>(Author here). It isn’t a matter of pre-install hooks. I don’t want known malware on my system irrespective of whether it runs at install-time or not. Pre-install hooks are going away in NPM, but we will have code injected in index.js next.<p>Modern package managers are not amenable to letting another script override its resolutions, and that is what needs fixing.</p>
]]></description><pubDate>Tue, 23 Jun 2026 06:15:54 +0000</pubDate><link>https://news.ycombinator.com/item?id=48641042</link><dc:creator>captn3m0</dc:creator><comments>https://news.ycombinator.com/item?id=48641042</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48641042</guid></item><item><title><![CDATA[New comment by captn3m0 in "Nearly half of LG smart TV apps contain residential proxy SDKs"]]></title><description><![CDATA[
<p>Has anyone reversed their SDKs to run a swarm that captures enough traffic to see what requests are actually getting made?</p>
]]></description><pubDate>Mon, 22 Jun 2026 22:25:35 +0000</pubDate><link>https://news.ycombinator.com/item?id=48637164</link><dc:creator>captn3m0</dc:creator><comments>https://news.ycombinator.com/item?id=48637164</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48637164</guid></item><item><title><![CDATA[New comment by captn3m0 in "WhatsApp's "End-to-End Encryption" Is the Biggest Lie in Tech History"]]></title><description><![CDATA[
<p>You can route an encrypted video stream through a server, same as messages. Zoom supports this as well now. You can’t do fancy stuff like transcoding at the server to support an older client, but WhatsApp dropped support for non-e2e really-old clients eons ago (Symbian and the like).</p>
]]></description><pubDate>Mon, 22 Jun 2026 15:57:12 +0000</pubDate><link>https://news.ycombinator.com/item?id=48631989</link><dc:creator>captn3m0</dc:creator><comments>https://news.ycombinator.com/item?id=48631989</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48631989</guid></item><item><title><![CDATA[New comment by captn3m0 in "JSON-LD Explained for Personal Websites"]]></title><description><![CDATA[
<p>There is also microformats.</p>
]]></description><pubDate>Sun, 21 Jun 2026 20:01:56 +0000</pubDate><link>https://news.ycombinator.com/item?id=48622102</link><dc:creator>captn3m0</dc:creator><comments>https://news.ycombinator.com/item?id=48622102</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48622102</guid></item><item><title><![CDATA[New comment by captn3m0 in "Vinyl Cache and Varnish Cache"]]></title><description><![CDATA[
<p>This was published in April, and we are far from consensus on what is “varnish”. Lots of distributions are now packaging vinyl and calling it varnish, some are pointing to the varnish repo instead (Fedora, Homebrew).<p>I’d left a comment last time, but haven’t tracked it since: <a href="https://news.ycombinator.com/item?id=47728216">https://news.ycombinator.com/item?id=47728216</a></p>
]]></description><pubDate>Fri, 19 Jun 2026 15:46:00 +0000</pubDate><link>https://news.ycombinator.com/item?id=48599917</link><dc:creator>captn3m0</dc:creator><comments>https://news.ycombinator.com/item?id=48599917</comments><guid isPermaLink="false">https://news.ycombinator.com/item?id=48599917</guid></item></channel></rss>