zuck9 on Hacker News

Ask HN: How are you mitigating the risks of node modules?

It is widely known that node modules are a big security risk because of its deeply nested tree and developers tend to not install new packages just for this.

From a recent HN comment [0]:

> Does anyone know if there has been reliable research towards the security of the entire RN dependency tree? Seeing a stray dep there that has 1 maintainer on npm/GitHub who has been inactive for over a year makes me nervous. Any one of those JavaScript projects could do something nefarious deep under the hood, and this to me seems to expose a huge surface area for attackers.

How are you personally mitigating against the risks or what are the policies/processes at your company?

[0] https://news.ycombinator.com/item?id=23160588

2zuck96y ago0

Ask HN: What can I do to be more secure online and offline?

Are there any checklists I can follow for improving my opsec?

2zuck96y ago0

Ask HN: Why aren't tech giants using their gTLDs?

Google owns the .google gTLD but they haven't been using it for any of their existing products. So far blog.google is the most used. Why haven't they moved * .google.com to * .google?

Gmail (mail.google.com) to mail.google, docs.google.com to docs.google and so on.

Browser support in 2018 should have caught up to support them.

I'd at least expect them to redirect mail.google to mail.google.com if they plan to keep the existing domains.

1zuck97y ago0

Ask HN: End-to-end encrypted messaging app that doesn't require a phone number

Signal et al. require a phone number which makes it a no-go for anonymity. What do people recommend for communicating with end-to-end encryption and preferably ephemeral/self-destructing messages?

4zuck98y ago4

Ask HN: How are you mitigating the risks of node modules?

It is widely known that node modules are a big security risk because of its deeply nested tree and developers tend to not install new packages just for this.

From a recent HN comment [0]:

How are you personally mitigating against the risks or what are the policies/processes at your company?

[0] https://news.ycombinator.com/item?id=23160588

2zuck96y ago0

Ask HN: What can I do to be more secure online and offline?

Are there any checklists I can follow for improving my opsec?

2zuck96y ago0

Ask HN: Why aren't tech giants using their gTLDs?

Google owns the .google gTLD but they haven't been using it for any of their existing products. So far blog.google is the most used. Why haven't they moved * .google.com to * .google?

Gmail (mail.google.com) to mail.google, docs.google.com to docs.google and so on.

Browser support in 2018 should have caught up to support them.

I'd at least expect them to redirect mail.google to mail.google.com if they plan to keep the existing domains.

1zuck97y ago0

Ask HN: End-to-end encrypted messaging app that doesn't require a phone number

Signal et al. require a phone number which makes it a no-go for anonymity. What do people recommend for communicating with end-to-end encryption and preferably ephemeral/self-destructing messages?

4zuck98y ago4

zuck9

Recent submissions

Punch: Command line time tracking and invoicing (opens in new tab)

Ask HN: How are you mitigating the risks of node modules?

Ask HN: What can I do to be more secure online and offline?

Ask HN: How to harden my opsec / digital security?

Ask HN: Why aren't tech giants using their gTLDs?

The William – an innovative reimagined stove top [video] (opens in new tab)

Stripe Issuing – An API for creating physical and virtual cards (opens in new tab)

Ask HN: End-to-end encrypted messaging app that doesn't require a phone number

Recent submissions

Punch: Command line time tracking and invoicing (opens in new tab)

Ask HN: How are you mitigating the risks of node modules?

Ask HN: What can I do to be more secure online and offline?

Ask HN: How to harden my opsec / digital security?

Ask HN: Why aren't tech giants using their gTLDs?

The William – an innovative reimagined stove top [video] (opens in new tab)

Stripe Issuing – An API for creating physical and virtual cards (opens in new tab)

Ask HN: End-to-end encrypted messaging app that doesn't require a phone number