705

December 15th, 2023 × #security#javascript#nodejs

Is Running Random Code From npm Safe? With Feross Aboukhadijeh

Discussion on whether npm packages can be trusted and tools like socket.dev to scan packages for security issues. Also covers misuse of open source packages and peer-to-peer web technologies.

or
Topic 0 00:00

Transcript

Wes Bos

Welcome to syntax. Today, we're talking about, should you just npm install random code? Can you trust All of the random code that is 47 dependencies deep on NPM, we've got for us on from socket dot dev as well as, like, We'll wait till a little later on to talk about it, but I do wanna talk about WebTorrent and, and Wormhole as well because I think that is

Topic 1 00:34

Discussion on whether you can trust random npm packages

Guest 2

Super cool. But, welcome, Frost. Thanks for for coming on. Yeah. You got it. Thanks for having me. It's super cool to be here. Excited to talk to you guys. Yeah. So We we recommended

Wes Bos

to you from from Darcy. I've met you before, on other things that you're working on.

Wes Bos

But it seems like you've been working on socket dotdev for,

Topic 2 01:18

socket.dev launched 1.5 years ago to help pick safe open source packages

Guest 2

I don't know, what, about a year now or so, or is it longer than that? Actually, going on a little a little, like yeah. More like 2 years. Yeah. It's been a little while.

Guest 2

Yeah. Well well, I guess it we we we launched it about a year and a half ago, so that's probably what you're thinking. But we were working on it for a little bit before that too. Yeah. Okay. And what is socket.dev? Yeah. We usually just call it socket, but, but, yeah, the URL is socket.dev.

Guest 2

That's where you can go and learn about it.

Guest 2

So it's a developer tool for, it helps you pick open source packages, and so you can kind of use it to Understand your open source dependencies, what the risks are of using the packages.

Guest 2

And then it's kind of a whole, like, security platform as well. So, you can start off as a developer just using it to kind of do your research, and you can use it instead of npmjs.com or goo you know, using Google. And instead, you can start at socket and just type in, you know, what you're looking for. And, it's sort of like a package browser type tool.

Guest 2

And, it'll tell you lots of useful things about the packages.

Guest 2

Like, you know, for example, they could be malware. It'll tell you, don't install All then.

Topic 3 02:24

Some malicious packages steal environment variables and API keys

Guest 2

It also might tell you that, you know, they're not maintained anymore or, they appear to be, you know, it contains some suspicious code. Maybe they're stealing some of your environment variables and your your API keys and sending them sending them off to a random URL, random IP address.

Guest 2

So we do, like, pretty thorough scans of these packages. And we're trying to make it, like, really easy for developers to understand, like, what's going on without having Then need to go in and open up every file of that dependency and and all of its, you know, additional dependencies all the way down To truly get an understanding of the risk of of the package.

Guest 2

And then, security teams can also use it to kinda get a bigger picture of, like, what is going on. But We're mostly developers here, so I'll just focus on the developer side of things. Yeah.

Wes Bos

Honestly, I I really like it, and it's starting to show up in my search results When I look for a package, which I quite like because at the very least, the security stuff aside, It's a better NPM website than npm.com or whatever, NPM's website is. It shows you, like, more information about What you want. Like, sometimes you do a search on NPM for, like, a package for, like I don't know. Just search for a sink, You know, and they give you these p q and m bar charts. And like, I don't I don't know what that is. I don't I don't know what that means, you know? And it's nice to get a little bit more insights into is this a good quality package or not and how many people are maintaining it? And,

Guest 2

I get npm does show you quite a bit of that stuff, but there's a lot more I wish I could get out of the npm website. Yeah. And we're trying to make our is better all the time too. So, one thing we just rolled out that's really exciting that literally came out today as we're recording this on November 21st Is, AI package summaries.

Guest 2

So we're literally, using chat gpt.

Guest 2

We're pumping in kind of the read me and, like, whatever docs information we can grab. And we're having it, write, like, a better read me for the package than the package came Came with, because sometimes you have these packages which, you know, it's it's it's not very consistent. Some people have great read mes. Other people just Link off to some random URL and tell you to go there. And some some of them don't really have, like, very fleshed out readmes. And so we actually can give you, Like, a really cool description of what the package does along with, like, all the main features of the package with code samples showing you how to use the package.

Guest 2

And finally, even similar, like, related packages along with, like like, written out explanations for, like, what the differences are. So if you're looking at Lodash, will tell you, you know, well, you know, you might wanna consider underscore, and it's like and that's actually a bad example because underscore is deprecated. But other way around, you know, it might tell you why you should Yeah. Consider the other one because it's not deprecated and that type of thought thing. So it's pretty cool. And we're always trying to be, like, ahead of where, like, the NTM website is.

Guest 2

So like when we first started, NPM's website, didn't even have, like, a file explorer to let you see the files inside the packages, which It turns out, if you're actually trying to vet a package and see if it's safe to use or not, like, you really wanna look at the source of truth, which is, like, what Are the files in the npm package? And because they weren't showing it on their website, most people, myself included, would have to basically click the GitHub link, Go to GitHub and just, like, look in the GitHub repo and assume, like, okay, this is probably the same thing that's in the NPM package. But it turns out, like, that's not actually true. You can put a completely different code on GitHub than what you put into the published package, and they're completely separate. There there's no connection between them other than, you know, This little link that goes from the NPM website back, which is, like, I promise that the code in this repo is the same as the code in this package, but that's totally not enforced. So it turns out that's a great way to hide malware, or like sketchy things in your packages.

Guest 2

So, so, you know, we we we had that from day 1. We're, like, we're gonna show people File is the actual source of truth.

Guest 2

Although I think MPM has now since also added that that feature mostly because we I was going around talking about this for, like, a year, and I think they finally got humiliated into, like, actually adding it.

Scott Tolinski

But, that makes so much sense too. Yeah. Yeah. Because you do. You just click the link, and and I've never thought twice about it even though I've published packages, and I know how the connection is. So it's like, why why why had nobody thought about that before other than you're stuck? Oh, yeah. Of course. We're gonna go right to the GitHub link and see the files. Sure. Mhmm. One thing I really love it is these These scores, it makes it nice and easy for people like me to see this kind of stuff. You know, I I I think there's tools like, you know, like, Lighthouse gives us for performance or whatever. Everybody likes a big, big, green number score or whatever, big colored green, red, whatever.

Scott Tolinski

And being able to see very quickly, like, how much Of, packages had maintenance on it, how many open issues there are, their their severity, how much, The supply chain security, it has had 570,000 downloads this week, low level security issues. Man, it it feels Feels like this gives so much easy access to visibility.

Scott Tolinski

Was that the the biggest driver here is to give people visibility?

Guest 2

Yeah. Exactly.

Guest 2

So I I kept so I was a maintainer for, you know, most of my twenties. I started writing open source when I was in college. And then, you know, I I got into I really got into it for real after, I I My 1st company that I started got, bought by Yahoo. We were like a super small team. So when they were really just hiring the 3 of us to go and work, at Yahoo. And I was kind of, disappointed that they ended up really not using the technology that we built at that company.

Guest 2

And so I left after a year, and My mission was I'm gonna build an open source version of that, you know, product that they had acquired, which was which was a peer to peer CDN.

Guest 2

So it was kind of like, you know, a way to offload some of the traffic of your hosting the files on your website to your visitors and have them do, like, a peer to peer kind of, file transfer between between each other, and then sort of make your site faster and more more resilient and not completely reliant on on centralized servers.

Guest 2

And so anyway, I've I've ended up that ended up turning to WebTorrent, which Wes already mentioned earlier.

Guest 2

But I got really into this, like, idea of, like, we need to make, you know, the web peer to peer. And we need to, like, make it so that, you don't need to install a desktop app to use torrents, and make it so it's just as easy as like going to YouTube. You can just go to You go to a website, and and you click play. And then turns out behind the scenes, it's actually getting the content from a bunch of other people all across the world.

Guest 2

And so I got really in into open source.

Guest 2

And, yeah. And then that's kind of where I started realizing the the It's just how how crazy open source actually is if you think about it. Like, everybody's downloading all this code from people on the Internet, including people like me. And I was, like, a random something year old. And the Fortune 500 was using my code to ship their expensive products that were, like, you know, that are all super serious and important. And and I was, like, well, that's that's incredible. Right? They don't even know who I am. And I just, you know, I just started, like, publishing this stuff, like, Not that long ago, I'm not very I wasn't very good when I started. And so that was I mean, that was really cool. But it was also kind of, like, eye opening. Like, wow. So this is how software is made. Developers are just grabbing stuff.

Guest 2

And it might depend on something written by, like, a random person who just started coding, like, a couple years before. Like, that's just That's fine. Yeah. You know, it is wild. And there's there's no there's no possible way that

Wes Bos

anybody could go Comb through every single line of your your node modules because there's there's literally millions of packages in there. And often they're They're compiled. They're minified.

Wes Bos

So even if you could read through every single line, you're not going be able to parse what's going on when all the variables are Encatinate on the same line, right? Mhmm. So the security stuff, I'm curious about what can happen And how do you detect possible security issues that are out there? Right. Like I remember back in the WordPress days, They would scan and simply look for, like, base 64 encoded strings that would inject JavaScript into the page. That was like the big thing, you know? And sometimes if you if you had intentionally base 64 encoded code in there because it was like a license key or something like that, Then it got flagged. So, like, how do how do you figure out what's going wrong? And what what could bad actors actually do? Well, okay. I'll give you one story, and this is the thing that really got Excited or, like, interested in this problem.

Guest 2

And it was something that happened in 2018.

Topic 4 11:12

Event stream node package was hijacked to steal users' cryptocurrency

Guest 2

There was this open source maintainer, a friend of mine, named Dominic Tarr. And he was do you guys remember Dominic Tarr? Yep. Did you use any of his code at any point? So he's he's a He was a prolific maintainer. I think he had, at the time, you know, when when I when I was, like, working with him on stuff. He had, like, 500 NPM packages that he'd written. So he's just like an incredibly, creative and, like, generative person. He was just always writing stuff and publishing it out there, and he was very experimental.

Guest 2

So he he made this 1 package called event stream, which was his take on, like, how to do streams in, in JavaScript and in Node.

Guest 2

And, he he quickly kind of moved on from that, and and came up with a different way to do streams called, Push streams, and then he then moved on to a better thing called pull streams. And he kept, you know, kind of iterating and coming up with these new streaming, paradigms. And some of the That was, you know, influential in the Node. Js stream implementation and stuff like that.

Guest 2

But it turns out that the 1st package he made, event stream, Got really popular even though he had kind of mentally moved on to, like, the next, you know, 2 projects that he was working on in that area.

Guest 2

And Despite the fact that, like, he wasn't really we're, like, working on it anymore, thinking about it. It just kept getting more and more downloads, and getting more and more, you know, people depending on it. And and at some point, somebody came to him and said, hey, you haven't really worked on this package in 4 years, but it's used by my company and there's some critical bugs in it. And I'd love To I'd love to, you know, offer my time to to to help fix those.

Guest 2

And, he did what most Maintainers do when they're when they're kind of through with working on a project, which is Yeah. He just said, like, okay, sure. Like, here's the NPM you know, he gave them NPM publish Permission and gave them the GitHub, repo permissions. Mhmm. And this guy, like, actually did, like, pretty reasonable things for the 1st 30 days. He kind of bumped some dependencies. You know, he fixed a few of the bugs.

Guest 2

But then it turns out, like, after about 30 after those 30 days, then he he did what he really was intending to do, Which was he added, a big blob of code that was totally obfuscated, so you couldn't Tell at first glance what it was doing, although it did look pretty sketchy.

Guest 2

And he just added it to the bottom of one of the files of one of the dependencies.

Guest 2

And Nobody noticed this for, like, about 6 days.

Guest 2

And remember, this is a package that, like, everybody uses. Like, it's it was on everyone's computers. And And this thing, it was so sneaky because it it did actually it didn't actually, do anything unless it was running in A very particular, environment. It was so it was designed to target 1 particular company.

Guest 2

So it It ran probably on it probably ran on my computer. It probably ran on your computers, but it didn't do anything. Because it was literally, like, the first step it the first thing it does is it it would look at The, parent project that it's running in, so it'd go up to their top package JSON file, and it would take the description field. And it would, use that as a decryption key to decrypt this payload of of malicious code. And so if it if it was running in, like, your project or my project, It would fail to decrypt, and it would therefore do nothing. But for this one, like, company they were targeting, it would actually run.

Guest 2

And so, and so then it it ended up getting built into that company's app. And it got shipped to their users.

Guest 2

And nobody found it until after it was already, like, running, you know, on the users' machines. And what it did was it actually stole all their, all their cryptocurrency.

Guest 2

As you can imagine, there's always crypto involved in some way here. But yeah. Yeah. Always. Yeah. Wow. So how does how does somebody find Something like that. Well, so the community found this one because, you know, it turns out it it we got incredibly lucky. The the the attacker happened to In their code, they happen to use a method that got deprecated by Node. Js, in in, like, like, a couple days later in the new Node version that came out. And so a bunch of people who were using that new version of node got this deprecation warning and were curious about it and traced it back to this to this 1 file. And then, you know, somebody opened an issue and said, what the heck is this code doing in here? This looks really sketchy. And then the community kind of, like, investigated it, and And, we're we're able to kinda get to the bottom of it. But, like, I kept seeing that type of thing happen where, like, a totally like like, obvious Piece of bad code was added. If anyone had just taken, like, 2 seconds to look at the file, they would have seen that and been like, what the heck is this? Right? And then a total accident causes us to discover it. And that happened, like, multiple times over, like, 2018, 2019, 2020 With people, like, doing this type of thing in various ways to to open source packages. And each time it happened, I was always, Like, super scared. Like, wow. What hap did I did I happen to you to run that code? And I would search my node modules folder. I wrote a little shelf script to see if I had it in any of my folders, in any of my projects. And every time I got super lucky, and I never was affected. But I remember thinking, Like, there has to be a better way than, like, hoping that that the community finds it before I I install it.

Guest 2

And and that's that's kind of where the idea came from. And and

Topic 5 16:21

Socket scans npm packages for suspicious signals like new network requests

Wes Bos

so how does socket obviously, it scans your code, but, Like like, what are you looking for? Do you are you looking for methods? Are you looking for do you have a massive regex for sketchy stuff?

Guest 2

Yeah.

Guest 2

So yeah. There is there is a bit of, like, of, like, custom knowledge that's just from, like, us, you know, being maintainers. Because our whole team is mostly It's made up of, like, open source maintainers who've been doing this for quite a while and who've seen a lot of these attacks. Mhmm. So some of it is definitely, like, lists of hard coded things. But There's also quite a lot of, like, of a variety of signals that we're looking for. So I'll give you, like, one example. Right? So If you've been using a dependency in your company for or in your one of your projects, you know, for the last couple years, And, that package has never needed to make any network requests or, like, read any of your environment variables.

Guest 2

And suddenly now, like, a new patch version is published, and that patch version is reading environment variables and sending those to the network, Then, you know, that's that's like a suspicious change. Even if, you know, maybe it's legitimate. It's possible it's legitimate. But, You know, that's an example of something that's like it's a pretty significant change to the risk profile of the package.

Guest 2

Other examples might be, like, it added an install script. So now the package is running code automatically on installation. That turns out to be something that almost All malware authors love to do, because they want their their attack to run right away.

Guest 2

So they'll just put it into an install script. So if you see these things, it doesn't necessarily mean you're dealing with, like, a hijacked or compromised package, but it's definitely, like, worth A second look. And so what we do at Soc is we have, like, about 70 of these signals. And if there's enough of them that we find in the package, we will actually, Put it into chat GPT. I kid you not. We actually we actually have an LLM in the process, which actually helps us to to explain the code and understand what is it what is it doing.

Guest 2

Like like, why is it collecting this data? What is it doing with the data? And then we have it actually determine whether it's suspiciousness is, you know, worthy of a human review.

Guest 2

And so that then puts it into a human review queue. And then we have a little literally a team of, like, security experts that look at anything that ends up in that queue and, market as, like, malware or not malware. So it's like a multi step process.

Wes Bos

Yeah. Wow. And, like, how how and this is just constantly happening every time someone publishes Selling to NPM? Like, are are you ingesting all of NPM? This is something we asked Darcy.

Wes Bos

How big is NPM? Right?

Scott Tolinski

Yeah.

Guest 2

Yeah. Yeah. No. We have a complete, copy of NPM, a complete copy of Pypi, and, and a complete copy to the extent well, I put an asterisk on that one up for Go. Because Go doesn't really have, like, a central you know, as much of a centralized registry as the other ecosystems.

Guest 2

And what we do is we actually scan, every package that's been published that has at least 500 downloads ever.

Guest 2

And, and then what we do is for all new publishes, we we we follow the NPM feed in real time.

Guest 2

And, we download those packages right away and scan them even if they don't have that many downloads. And that's really interesting and useful to do because a lot of times, the newly published stuff can Can give you a hint as to, like, an attack that's happening. Like, you might spot it in a newly published package, and so it's really useful for us to collect those packages. And the other thing that's really useful about collecting them is that if, somebody reports them as malware and they get deleted, which happens sometimes, Then we already have a copy of that package that we've collected that we can use to improve our training. So if we ever miss something, we'll we'll be we'll we'll be able to improve our Our system. Oh, that's nice. Yeah. I'm looking at a couple of the

Topic 6 20:27

Socket scans every package with over 500 downloads and new publishes

Wes Bos

unpublished packages that were were nabbed as malware, and it's kinda interesting to see One of them just put a curl in a in a pre install script. You know, it was just a test, but it's an example of. Yeah. Before you install it, you could just Literally run, curl? Like, you could RM, RF someone's entire hard drive, couldn't you?

Guest 2

Yeah. Someone someone literally did that. So there there was, there was literally It was literally during the, like, the beginning of the Russia, Ukraine war. And I I don't wanna get political here, because it doesn't really have anything to do with your position on the on the on the war. But, yeah. But somebody was, was, protesting. And so they there's this thing that started during that time called protest wear, which was a bunch of maintainers just decided to start using their their influence with their packages to kind of promote their their political positions, Which, which is which I totally get. You know? I I mean, I've I've definitely done a bit of some of that myself when it comes to, like, getting open source maintainers some funding, you know? And I've done some some funding Experiments that that, we can talk about if you're interested. But, but but basically, this person decided that they wanted to, like, take it to the extreme. So they, They added a a bit of code that would check your IP address. And if it appeared to be a Russian IP, then it would just r m r f your hard drive. And it did it in, like, this really Hilarious way where it would, like, go 1 file at a time, and it wouldn't just delete it. It would actually replace the contents with, a flower emoji.

Guest 2

So your whole heart day would just get filled with flower emoji files. Gosh. It was really intense. And and, they've got a lot of pushback from the community about that. Because, You know, there are people who could be using a VPN, who could be affected by that, who aren't even the intended target. And then it could also be, like, just innocent people being affected. So Anyway, this person ended up, I think, taking that coat out or it got taken down in some way, but that's, like, an example. There's been less extreme examples of similar people Pro the the people protesting, where they'll they'll do things like we've seen one where they added a set time out into their, front end code that would wait 15 seconds, And then it would, read it would open a pop up window to a petition website.

Guest 2

And it would only do it if your computer's Time zone was set to Eastern European time zones. So if you're if you're only testing it, like, in America or Europe or whatever, you wouldn't even know that this, like, extra code was in there that was running on some people's browsers.

Guest 2

So that was one that actually was I thought was particularly interesting because GitHub, and NPM decided not to take that code down after they were after they learned about it because they considered I don't actually I don't know I don't know the exact reasons, but it Seems to me that they considered that to be, like, not crossing the line into into malicious behavior enough that they wanted to actually go and delete it. And so they kind of, I guess, thought of it more as like a freedom of speech thing. And so they kept the code up there.

Topic 7 23:15

Protestware packages add unwanted code based on user's location

Guest 2

And and so to to till this day, it's been up for, like, over a year now. Until this day, if you install that package, which is a very popular polyfill package. You're actually embedding this code into your into your website that's gonna be doing, like, this extra pop up window thing on some people's browsers. Really? Yeah. What? So Can are you are you can you name which one that is? I'm just curious.

Guest 2

Or or do you want now I wanna get into it? No. No. I'm happy to name it. I mean, like, look, I I'm not I'm not trying to judge anyone here. Everyone has, you know, like Yeah. Like I said, everyone has their reasons for doing what they do. But, The whole point of socket and our whole goal is, like, we just wanna be we just wanna provide information to people about what these packages are doing. We're not trying to, like, necessarily judge anybody. We're just saying, like, look, if you're building an app, like, you should know what your dependencies are doing. Like Totally. So it's fine if it's Stolen npm, but we just on socket, we put a big warning on the top of that that says, this thing is not you know, this thing has protest wear in it, and it has an unwanted Additional behave potentially unwanted additional behavior. Yeah. So it's called event source polyfill. That's the package. Event dash source dash polyfill.

Guest 2

And if you if you visit that, page on socket.dev, you'll see that, and if you go back to the version that's affected, which is 1 dot, I believe it's 1.0.26, then you'll see the the the hidden code in there. And it's it's quite, it's It's quite it's quite interesting.

Guest 2

I'll drop a link into the into the into the show notes for people if they wanna take a look at the dip there. It feels like that type of,

Scott Tolinski

You know, that type of I guess you you'd call that a an attack even though it's not, like, super malicious. I guess that type of attack It seems to be that the the message is that if you're making those types of attacks, you don't, have them affect everyone, and they could last Longer before they're discovered or they're maybe a little bit more compartmentalized into who they're affecting? Because I guess that's where your service comes in handy because right? You now you're not relying on user reports.

Guest 2

You're actually scoping these things out before it gets there. Yeah. Exactly. It's a whole whole world. Yeah. That's the whole intention. Right? It's like we shouldn't be reactive. We shouldn't be sitting around waiting for, like, somebody Mhmm. To discover these things. Like, we're programmers. Like, we're we're smart. We have computers. We can we have automation. We have, you know, We we have servers. Like, we can just we can just scan for this stuff, and, you know, and you can enumerate all the things. And and you can even use LLMs as like a stop gap where, You know, even if you can't definitively say that something's malicious, you can even, like, get a second opinion from from an LLM, which turns out is actually surprisingly effective. And you can catch a lot of this stuff. So, you know, we find, like I think it's about 400 malicious packages per week now, that we that we discovered. Wow. Yeah.

Wes Bos

Wow. I I probably could sit here all day and and listen to stories, but, like like, what what other kinds of stuff Are people trying to do, you know? Like, I get like, probably crypto is is a big one. Obviously, protest is a big one. Is there any other, like, major categories

Topic 8 26:00

Socket finds about 400 malicious packages per week

Guest 2

Of, nefarious people? One one thing we've noticed, that that definitely, gets Gets our attention is when people start spam campaigns on NPM. This is when somebody publishes a package to NPM that just contains a readme that has a bunch of links to their To their spam sites that they're trying to promote for for SEO purposes. Mhmm. And they do this because they realize that there's actually hundreds of websites out there that will just replicate Any NPM package, Socket is one of those. You know, we we we have a page for every NPM package. So it turns out the spammers realized, Okay. Well, if we wanna just get, like, 300 free links from people on the Internet, we can just publish, you know, a read me with our links. And then and then all these, you know, Hundreds of sites will just start linking to us for free. And so there was this massive spam attack that happened earlier this year, that, was trying to promote The John Wick, the new John Wick movie.

Guest 2

And, it was it was crazy. There was, like, actually about, 5,000 NPM packages published about John Wick in a single day.

Scott Tolinski

Oh my god. What?

Wes Bos

Like, somebody obviously got paid to SEO, and it probably got passed down,

Guest 2

like, 3 or 4 Factors, and then someone did that. Exactly. And and they they they just, they just it was like it was just it was pretty blatant, and it was to the point where, like, If you look at a chart of the number of packages on NPM, this John Wick spam attack shows up as like a massive Spike, and you can just it stands out as as very clearly there. And at one point, it was it was, something like 0.05% or something like that of of the of the MPM registry was just dedicated to John Wick spam.

Guest 2

And for that for for that day, for that single for the couple days when they were doing this, it was 50% of the of the NPM publishes were about John Wick.

Wes Bos

Oh my gosh. I do not man, I do not envy the people that have to sort of deal with that type of stuff as it pops up. People just Being I've I've had to deal with a handful of people trying to be nefarious, and it's always such a pain in the butt because it happens when you're least expecting it, and you gotta

Guest 2

Scramble to to fix stuff. Yeah. Well, I mean, that's what happens when you when you run basically what's a big public Wiki. I mean, that's kind of what I mean, it's It's the beauty of it, and it's also the it's the it's the bad part of it. Like, anyone can publish, which is amazing.

Guest 2

It means that, like, you know, when I was learning How to do open source? I was able to just put my terrible code online and and, you know, and it felt like, you know, pretty cool to just To be able to publish with, you know, 1 command, and that was what Isaac I mean, Isaac, I think that's why NPM was so successful. It's that decision he made to make To build that npm publish command right into npm and to make it, like, one one command, like, there's no vetting process. There's no, like, Even even just the fact that Python, I think, takes, like, 2 or 3 commands to publish, like, makes it so much less, like, fun to do.

Guest 2

And, and you have to remember the order, and there's it's annoying flags and everything. And NPM just made it really, really easy. So it's why NPM grew so much and And is what it is today, and all this great creativity. And, you know, and and people like me who started off publishing terrible code eventually Started publishing better code and, you know, learned, and it's it's awesome. But it's also it also means that anyone can publish anything they want, and and if you, if you are unfortunate enough to make a typo when you're typing npm install and you install, like, 1 letter off package, you're just gonna be getting someone's random Garbage.

Wes Bos

It's it's terrible. Yeah. That was my next question is, how do you so how does socket like, how do I hook it up To my project as well as my GitHub.

Wes Bos

Like, if if I'm I'm a boss at a bank and I've got 500 devs that are npm installing all day, How do I make sure that 3 minutes ago somebody published a nefarious Package version. And then somebody it's like a point release. So someone types npm install, boom, post install, hacked the entire bank.

Wes Bos

Like, how does the socket stop you? Does it run at the NPM install

Guest 2

level, or how does it work? Yeah. A great question. Most people install our GitHub integration because it's, it's pretty easy to do. It takes, like, 2 clicks, and we're in the GitHub marketplace. And you can just Remind socket there and click install. Click all repos, and then we'll start giving you feedback on pull requests. If, You know, any anytime you add a dependency or update a dependency, you'll get feedback in the PR that tells you, you know, hey. This is like a risk that we found. You might not wanna merge this, and then your whole team can see it. And so it's a very easy way to get going, but you're totally right that you also wanna protect the developer's machine too. So if they're Yeah. If they're running npm install, you don't wanna wait until the PR to catch the problem. You actually wanna stop it before the you know, before that bad package even runs on their computer.

Guest 2

So, we bought this thing we call safe NPM, which is really like an NPM wrapper.

Guest 2

It wraps the CLI so that when you run NPM install, You actually you alias the npm command so that it's actually running socket npm.

Guest 2

And that will that will actually Figure out what packages are about to be installed on your machine, and then whether any of those have serious risks. And if there is a risk, let's say you typo it, let's say you type npm Install reacts with an s on the end instead of react. Then Yeah. We will we will, like, print a message that Says, hey, this appears to be a typo squad. Like, are you sure you wanted to install React? And then if you say you get, like, a yes, no prompt. And if you say no, Then it will abort the installation before the package code has even been downloaded onto your computer, so you're totally safe. It, like, never touches your machines. And do you do you recommend, like, pinning your

Wes Bos

Your dependencies in your package, JSON, or like, I guess you would have to go even further into the, like, the lock file. Is that that's is that what the saran wrap is? What's well, what's what's all those factors?

Guest 2

They call it shrink-wrap. I know what you're talking about. Wrap. Not saran wrap.

Scott Tolinski

It might be a lawsuit.

Wes Bos

Oh, that's good.

Wes Bos

Saran wrap. Shrink wrap. Yes. Is that what shrink-wrap is, where you pin All your dependencies all the way down your tree? So I would say today, there's no need to ever use shrink-wrap.

Guest 2

It it's kind of a deprecated thing. I think maybe there's a use Case or 2 left for it. But for the most part, people should just use lock files.

Guest 2

Lock file does just pretty much what you want, which is It goes down the whole tree, and it pins everything down to an exact version.

Guest 2

And if you do that, then you you're gonna get, like, A reproducible install when someone else on your team, clones the GitHub repo and onto their machine and they run and KIM install, they're gonna get the same set of dependencies.

Guest 2

For the most part, I will say there's a little asterisk on that, which is that if you're using an HTTP dependency or a git URL in your dependencies, You know, some I don't know if you know that, but you can actually put, like, a literally you can put, like, a random HTTP URL in Yeah. Instead of a version. And then it will just Download the code that's there, and then you completely bypassed your whole log file.

Guest 2

But assuming you don't do that, then Yeah. You you you get, like, a pretty nice, reproducible kind of build where the versions are never changing out from underneath you without you knowing. But Yeah. I would I would say that the still you still have this problem, which is that, like, okay, so now I have this this lock file, but nobody looks at the lock file.

Guest 2

GitHub doesn't even show you the diff when the lock file changes, because it's so it's, like, so giant that they just compress it down and say file's been hidden.

Guest 2

So, like, In practice, it it's cool that the lock valve's there. It's cool that you have, like, a log of, like, what versions you have, you know, you were depending on. But in practice, most people will, You know, install stuff, and then it will change the lock file, and they never look at it, and they're never really Yeah. Like Or is there using it to merge. Merge conflict. If I'll tell you what I do when there's a merge conflict,

Wes Bos

delete the whole thing and and and do this all again. You know? Can't deal with that. I've done that before. Absolutely. Talking about that, your that Git issue, that's a possible issue. So the other day, I was on Some GitHub issue and someone said someone had fixed the bug, but they didn't publish a new version. And, like, that happens all the time. Can you please, please, please just publish a new version? And then somebody comes along and says, hey, put this in your package, JSON.

Wes Bos

And, they basically just, like, directed it to a git repo.

Wes Bos

And there was like a 1,000 thumbs ups on it. And I went right below it. I was like, hey, folks, like, at least pin this to the commit. So I updated it And said, like, I put the commit hash on the end so that, like, first of all, they might break Have a breaking change and you're you're gonna be out of luck. But second of all, they could you could put malicious code in there. And if it's not pinned to that commit,

Guest 2

You are in trouble, friend. Yeah. That's a great that's a great piece of advice.

Guest 2

Yeah. I mean, look, developers just wanna get their jobs done. I mean, they're not, like not everyone's a security expert. And a lot of times, you just wanna, like, get something working. So I totally understand the the reason why that got so many thumbs ups. It's because it solves the problem that people have. I I remember back in the WordPress days when

Wes Bos

WordPress would have or, like, Apache or something would have, or your server would have issues With a plug in, like saving files. And there was always some guy coming in being, like, just schmod it, 777, and it works. And everyone, thank you. Thank you. And, like, no one's realizing that. You just, like, opened up the like, wide open read, write, whatever. What's Read, write. What's the 3rd one? Execute. Execute. Yeah. Exactly. The really important one.

Guest 2

Wide open to to absolutely everyone. So It's sometimes those quick fixes are hurt. Probably back in the in the day too when you were when you were doing this stuff, it it was on, like, a shared web host back where, you know, Like shared hosting where, like, you know, you'd have everybody on 1 machine. Instead of 777 probably really did open it up to, like, everybody else at the at the web host.

Wes Bos

Let's talk about, WebTorrent.

Topic 9 36:37

WebTorrent uses WebRTC data channels for peer-to-peer file transfer

Wes Bos

And you have another project called Wormhole.

Wes Bos

And, like, my mind was blown When WebTorrent came out because, like, first of all, it was a a torrent app built in JavaScript, but then it it also played it. And then I saw you like, you go to webtorrent.

Wes Bos

Io, and it starts downloading, Like a video file, and it's it's peering it to other people that are on the website as well. And at the time, I was like, man, like, I have my entire business is streaming video. Bandwidth at the time was super expensive, and I was like, what if the people watching my videos could be Serving it up to the other people watching it. You know, like, that's the whole idea behind Torrance is you have this peer network. How did you how do you implement

Guest 2

The the torrents the torrents spec, I guess, in JavaScript. I mean, JavaScript is a programming language like any other. Yeah. So yeah.

Guest 2

It's a real do family language.

Guest 2

You can do things in it.

Guest 2

No. So, I mean, I think at the time, you know, it was sort of fucking like, when we when I started WebTorrent, it was 2013, I think, is when I when I started working on it. And Wow. You know, node was pretty new.

Guest 2

People people were still skeptical that you should even be using JavaScript on the back end of a server.

Guest 2

People hadn't really started using it for hardware yet.

Guest 2

You know, like, I think, you know, those early Node conferences, there were people putting Node on quadcopters. And there was, like, you know, the Node copter project. And there's all this stuff. Johnny died. Yeah. Yeah. Node votes. Yeah. So, like, it was it was people were trying to show, like, hey, JavaScript can do anything any other language can. And, and so it was it was surprising to a lot of people that you could build a torrent app in JavaScript. But, really, it turns out it's actually a really good, like you know, Node is a really good Platform for building a torrent app, because so much of torrenting is is actually having a ton of open connections to a bunch of different people on the Internet, and Node being like a non blocking, you know, event loop based, you know, kind of server kind of, or, you know, programming paradigm means that You can open up connections to, like, a 100 peers, keep those sockets open, and then just kind of react to the events when data comes across them. And it's actually a pretty pretty amazing way to to to, I mean, it's a pretty amazing environment to actually code a torrent app in. You don't need threads or, you know, things like that to make it, to make it work.

Guest 2

And so Yeah. I just started by building, like, a normal BitTorrent app in JavaScript.

Guest 2

So I read the spec, and, it turns out BitTorrent is actually pretty simple.

Guest 2

It's a really great way for people who are interested in, like, peer to peer stuff or networking stuff to get inter and even security stuff, I would say. Because, Obviously, when you're dealing with untrusted random people on the Internet, like, sending you stuff, the aspect of the torrent where you actually, like, Hash the contents and verify that it's what you're expecting is actually pretty important to do.

Guest 2

It's a really simple pro like, relatively simple protocol. You can read the spec Probably in, like, 20 minutes. Like, it's just a it's like a 1 pager kind of thing. Like, you or maybe 2 or 3 pages. And you can build a torrent app that, like, works. You know, I started off with that. And then and then I, you know, I I I knew that, the cool thing was by building it in JavaScript, like, in theory, you could run it in a web browser too.

Guest 2

But the problem with the web browser environment is you can't actually open up a socket. Like, you can't do TCP or or UDP sockets. You only have, like, a WebSocket or WebRTC.

Guest 2

Those are your 2 choice other choices. Mhmm. And so web a WebSocket isn't useful, because it means you're only gonna be able to connect to a web server. And we're trying to build, like, a peer to peer network where I my browser tab can connect to your browser tab. And so a WebSocket doesn't really work for that. That's actually part of the problem with the web, to be honest with you, is, like, it's as cool as it is, like, it was really designed to be like a client server Relationship. So the the Yeah. Server has a lot of power, and the client, the browser is pretty can't really function without, like, A server. So there's always a you start with by typing in a URL. And the URL, you know, does a DNS lookup, and then it connects to a server. It there's no way to, like, To, like, have a peer to peer website, really, unfortunately.

Guest 2

So you always gotta start with the connection to a server. But the idea with WebTorrent was, well, once you Connect to the server, and you get your initial JavaScript app. Could you then just be fully peer to peer from that point on and just connect to peers to get all your content? And it turns out you can do that with WebRTC, which is which is what what WebTorrent uses.

Guest 2

And so that's kind of how it works. It's it's the same technology that's used to make Video chat applications like web, like, Google Meet or, you know, I don't know. River chat. Examples that What we're what we're Hang on right now. Yeah. Mhmm.

Guest 2

Yeah. Yeah. Yeah. Exactly. Exactly. Wow. So so, yeah, that's how that's how it uses. So it uses WebRTC. And and, really, There's this one part of WebRTC that nobody really, focused much on before before I, you know, before I think WebTorrent really kind of drew a lot of attention to it. I don't wanna maybe that's too much too strong of a statement to say, but I just think a lot of people were really focused on kind of video and voice Uses of WebRTC, because that's what it was made for. But there was this third part that was that was really, like, cool that nobody I didn't think there was enough attention on, which is the they called it the data Channel.

Guest 2

And that was basically, like, a way to just get, like, a similar interface to a WebSocket, where you just, like, can send data and you can receive data Over a over a socket connection, and you could do that with any other browser on the Internet. And once you have that, you can basically make any protocol you want. It doesn't have to be like a voice call or video call. You can just send whatever files you want over it, and that's pretty powerful because you can build anything with that. That's so

Wes Bos

cool. And you didn't run into issues. Like, anytime I get into WebRTC, it's always like, yeah, you can connect peer to peer.

Wes Bos

But most people have firewalls in place, and you have to use this, like, $6,000 a month service to to do your,

Guest 2

turn, stun, server, handshake thing. Did did you have to do that as well? Yeah. So there are some ask you know, some details there to get it working, correctly. But I will say, here's the cool thing about Torrance. Right? Like, you don't need to connect successfully to every peer. You just need to connect to some.

Guest 2

Right? So unlike a video call where, like, if I'm trying to call my mom and, like, the connection can't connect to her, Now I'm gonna be really upset. With a torrent, I'm trying to connect to maybe a 100 peers. But if I can only connect to 60 of them, like, it's fine. It still works. So that's that's that's the advantage of of,

Wes Bos

of the torrent use case. And you so you also built Wormhole, which is a, basically a spot where you can drop a file and it will encrypt it and then you can send somebody the link and they can download that. And, I read through it and under 5 gigs, they will throw it on a Backblaze bucket.

Guest 2

And then over 5 gigs, you can you can literally peer to peer Send large files that someone has to keep their tab open. Is that true? Mhmm. Yeah. Yeah. Wormhole Wormhole is I built with a friend, John, who's also now at socket. And, this was like a project that we both started together that ended up actually leading to to the idea for Socket.

Guest 2

And that's because our goal with Wormhole was to build something that was as secure as humanly possible on the web.

Topic 10 44:00

Wormhole provides end-to-end encrypted file sharing

Guest 2

So unlike other services like Dropbox, that can see all your files, you know, Google Drive has the same problem. You're giving a copy of your files to them, and they can They can see them see the files.

Guest 2

With Wormhole, it's end to end encrypted, similar to, like, signal messaging app, where, you know, only you and the recipient can can see the contents.

Guest 2

We did everything we could to make this thing as secure as as as humanly possible. So, like, you know, it uses the same Crypto that was used in, and I mean when I say crypto, I mean, cryptography.

Wes Bos

Yeah. Yes. Yeah.

Guest 2

The same cryptography that was used in Firefox Send. You guys remember that? Do you remember that app? Yep. So they shut down for some reason. And so, you know, we wanted to basically build like That, but even more secure and with even better user experience.

Guest 2

So we started with their cryptography, and so we knew that it would was vetted to some extent. And then we improved that further. And then we made, the UX of Wormhole as good as we could possibly think to make it. And so, like, I'll give you an example. Like, one thing we did that was just bonkers, like, an insane amount of engineering work to do. But we wanted to do it because we thought it would make it better. Which is with a lot of these services, you drop, like, your files on the page, or you you can take, like, Google Drive. Right? You wanna say you wanna share some link to somebody using Google Drive. So you drop your files into Google Drive, and then it starts to upload. Right? And it might say, like, 4 hours remaining if you're un unfortunately on a Terrible connection. Mhmm. During that 4 hours, you can't get a share link because it's not finished being uploaded.

Guest 2

So you have to come back when it's done, and then get the link, and then send it to the person.

Guest 2

And just that alone is, like, so annoying. Because, like, I I I wanna just send them the link. Yeah. And then just forget about it. Leave the tab open. I don't wanna have to remember to come back. So, like, we just made it so that on 1 wall, you drop the files on there, and then you just get the link, and then you can send the link, and then you're done. And then you leave the tab open, and it'll finish uploading. The other thing we did is, say, they click the link before it's finished uploading. So you might think, oh, well, they're gonna be stuck waiting on a loading screen, or they're gonna get a four zero four or something.

Guest 2

Not the case. What if you just said, hey.

Guest 2

We've uploaded 3% of the files so far. Why don't we just let them view the 3% that we've uploaded? Let's just stream it to them. Like, if it's a video file, let them click it. Let them click Yeah. Yeah. Let them click the video, and let them see the let them see the first 3%. In fact, Even we even took it a step further. What if they open the video file and then they seek to the to the end of the video? Well, then why don't we Make this the uploader start uploading that part next so that they can get unblocked on their end and actually start viewing the v video. We do all that. Did you build this just for fun? Yeah. Yeah. Pretty much. I mean, well, it was it was it was technically a company. I mean, we're we're trying to come up with business Ideas and, you know, and something that could be, like, a a company. And and, we started with that. And and then we that's where we realized, like, hey, this thing is You know, it actually started getting used by a lot of people, and and including, like, I think something like 30, 40% of the traffic was coming from China. And so we were like, oh, People could be using this for some serious stuff. Like, we should probably make sure the security is really, really good. And and then that's when we started realizing, like, oh, Our dependencies are like a pile of a pile of code that we'd it's like thousands of things. Like, what's in there? And then we started thinking about socket, and that's that's where we switched to Woonsocket. Isn't isn't that what they say? They said the the the product you

Scott Tolinski

you land on is the product you built while building the product you were building or something. You know? It's Always that thing. You you end up solving your own problem. Yeah. You solve your own problem, and you stumble upon something, like, brilliant. And you're just footing the bill for all this bandwidth? Like, I can't believe I could just Throw a 10 gig

Wes Bos

file on here and have somebody download it. Like, I know that Backblaze is incredibly cheap. I did the math and it's Like, 20¢ per terabyte per day.

Wes Bos

So it's it's relatively cheap, but I can't imagine

Guest 2

If it scales, it's it's probably expensive, isn't it? It turns out it's not that expensive because we only store the files for you for one day, and then the files self destruct.

Guest 2

And we also use peer to peer wherever possible.

Guest 2

So if that person opens the link at the same time, Then, you know, it's gonna use peer to peer streaming with WebRTC and WebTorrent, and the server's, You know, not gonna be used. So so and then the thing we did is you can only you can only download a file at most a 100 times before it also gets self destructed.

Guest 2

So there's like a lot of kind of these Livingston Place, I think the bill is less than 1,000 a month right now. Oh, man.

Guest 2

Really not too much. Do you ever get,

Wes Bos

between WebTorrent and Wormhole, do you ever get, Like movie studios or anyone knocking on your door, trying to point the finger at you for piracy or anything?

Guest 2

It's never happened.

Guest 2

And I think I mean, I've been really, really careful from day 1 with WebTorrent to be very clear that this project is not intended for piracy.

Guest 2

And It's been really squeaky clean from day 1. I mean, there's no we know we don't we never encourage anyone to use it for piracy.

Guest 2

We don't use any examples of piracy.

Guest 2

And in fact, there's I mean, there's so many, like, other cool there's so many cool things you can do with this tech that I almost feel like it's a lack of creativity to focus on piracy use case. Yeah.

Guest 2

You know, just being able to build a peer to peer app is so cool. And, like, the the the idea of it, you know, It's it's such a cool idea, like, you know, decentralizing kind of the web and and and cutting out the middleman.

Guest 2

I know that now a lot of the I feel so weird talking about this because so much of this This kind of discourse has been taken over by, like, the cryptocurrency crowd and, and a lot of the a lot of the I know there are some true believers out there, But I do feel like a lot of the discussion around decentralization and this kind of stuff is actually kind of cynically motivated For these people's get rich quick schemes in some ways. So I I I I don't there were there are a bunch of people who were who were working on this stuff before all that happened that were, you know, Working on this because of, you know, idealism.

Wes Bos

Because decentralization was awesome. Right. That's true. Yeah. You, like, you think about it. Certainly muddied the conversation. Crypto guys ruining everything.

Guest 2

Yeah. And I don't even wanna generalize too much too there because I also feel like, you know, even within crypto Blue currency, there are some people I do feel like, like, the some of the Ethereum core people I mean, I'm not that up to speed on all that stuff, but I do feel like there's some kind of The core of, like, true believers there who are actually doing it for the for the true reasons too? Yeah. Totally. They just have, like, this this giant Giant, giant, giant orbit of, like like, cruft and scammers all around them, basically.

Wes Bos

Yeah. Crypters, scammers. Yeah. Do you have any opinions on, like, what was it? Radical. They're trying to be, like, the distributed GitHub, and I, like, I was like, oh, god. Check this out. Head over to GitHub to download it.

Wes Bos

I don't know anything about this business. It was like a like, when, like, when web 3 was was popping, Everyone's like, radical. Like, they're not gonna be able to take your code down. No one can take your code down. It's it's on the it's on the blockchain. Right? So curious what you think about about decentralized code repositories when there's so much nefarious stuff happening on Centralized ones.

Guest 2

Yeah. I mean, you certainly lose the ability I mean, from a security perspective, you do lose the ability to, like, take things down.

Guest 2

You do have to rely even more on, like, kind of scanning or your own protection, your own kind of out of band reputation system that can tell you whether something's good or not.

Guest 2

That's that's that's the security angle of it. But, I mean, I think these projects are cool. I hope people keep making them. I think that the one thing I will say, and I'm not don't like, I'm not super familiar with Radical. I've definitely seen it before. I think it's a cool idea. I like their Yeah. Website design and stuff. But I, I think one problem with a lot of these, decentralized projects is that they just they get really fixated on, like, How cool it would be if this thing was decentralized.

Guest 2

And and I understand that because, like, I also think it's cool. I like the idea of, like, my computer connecting to all these people and, like, Pulling pieces of the file and combining them together, and, you know, it's like it's super, like, you know, cryptopunk, you know, cypherpunk. It's like super cool. And, like, you know, no one can stop me, man. It's the It's the Internet. You know, like, we're all connected.

Guest 2

It's so it's it's a cool it's a cool vision and and, but I I think they don't oftentimes, they'll they won't think about, like, What is it actually gonna do for the user? Like, what is does that matter? Because, I mean, there's a limited number of people that think that that's cool. That stuff is cool. It has to be cool For other reasons that that, like, normal people care about. And the the decentralization has to, like, make it Has to be almost invisible or in some way make it better. But what typically happens is the decentralization makes it slightly worse. It's like, oh, it's it's just like GitHub except for it's like It's like broken in these in these 5 ways. Okay. Or, like, it's just like GitHub except for it takes 20 minutes to sign up because you have to generate keys. Or and I'm not picking on Radical because I how they work. But I'm just saying, it's usually these things are usually, like, just like this other thing except for worse. And then you're, like, well, okay, why would anyone use this except for the true believers? And that's the problem. They don't they don't think about that. And they're and it and it's partly, it's not their fault. Because, I mean, the it's harder to build things in a decentralized way. It's like it's like fighting with 1 hand behind your because you do have to, like, work twice as hard to, like, do everything and make it have as good of a user experience, and we learned that on Wormhole. You know? And then encrypting everything makes it harder to, like, You know, show a file preview because you can't see the files. You know? You have to do everything in a different way. And and this is why signal messenger is, like, slightly worse the other messengers in terms of the user experience, because they're doing everything with their hand tied behind their back. And Mhmm. I don't know. It's just it's it's a it's a hard problem. And then, You know, it's so it's not surprising that a lot of people don't make something that's as good as as the centralized stuff. I don't know. That's my thoughts.

Wes Bos

Yeah. I I Yeah. I feel exactly the same way. I we've been a little bit critical on this podcast of it. And not that we don't think it is, but we're just like, Just show me something that is better, you know? And, like, I had a bunch of people send me this, like, decentralized store.

Wes Bos

It's just it's like a decentralized Shopify, essentially.

Wes Bos

And I was like, sounds great. You know, like decentralized Amazon, decentralized. But, like, Why is nobody using it? And, like, why is it not very good? So interesting. You have to start from the from the, like, end user experience

Guest 2

And and then kind of work back, not from, like, the tech and work work forward. Yeah. That's

Wes Bos

I've that's the thing. We have a show, the 1 password Folks are coming on to talk about passkeys, which is like trying to get normal people to care about security.

Wes Bos

You know, I'm I'm sure you have all kinds of thoughts about that. But, like, these normal people don't want an authenticator app on their phone. It's not gonna work. You know? They're not gonna save it. They're not gonna remember their login for that type of thing.

Guest 2

So we need something else other than these Two factor authentication. I need to listen to that episode because I'll be totally honest. Even though I'm, like, usually really up on security stuff, especially web security. You know, like, web Web authentication is like, I have a whole section in the class that I teach about web web security.

Guest 2

You know, or sorry about about authentication, I mean. I actually haven't looked too much into passkeys. I just haven't had time. Been, like, really busy with with socket stuff. So That's ex exactly why we're doing this podcast. We'd I thought, Like, yeah, everybody's talking about passkeys, but I feel like most people don't know

Wes Bos

what they are.

Wes Bos

And spoiler there, it's just public Private keys, but they do it in just a way that nicer you want. IPhone is the public key, you know? Or

Guest 2

Yeah. We'll we'll we'll talk to the folks from 1Password. They are the experts at it. Yeah. I'm not that'll probably be really, really good. Yeah. I I just been saying no whenever those prompts come up so far because I'm like, well, I like that I you know, I have 1 password set up. I have my password there. I have my 2 2 FA code right there in 1 password.

Guest 2

So, like, I don't wanna change I I don't I don't even know what's gonna happen when I say yes to that prompt. I actually Yeah. I just so I just been I just been like, no. I don't no. Don't break it. It's already working. Just go away. You know? That's been my reaction, so I'm really I kind of really wanna know now what, what their Explanation of it is. Alright. Well, let's get into the part of the show where we do our supper club questions. These are the questions that we take and kind of just ask general questions like,

Scott Tolinski

for instance, what text editor theme and font do you prefer? Well, that's a good question.

Guest 2

I think the theme I'm using is the GitHub dark theme, in Versus Code.

Guest 2

And the font I'm using is, I I usually use Source Code Pro, but I think it was having some trouble in, NBS code, so I think I might just be using the default now, which is, I think, Menlo or whatever is in there by default.

Wes Bos

Yeah. When you, NPM, install something, are you using NPM, PNPM, or Yarn? I'm still using NPM.

Guest 2

I Hey. I like the NPM a lot.

Guest 2

Not a not a huge huge fan of Yarn. Mhmm.

Guest 2

Yeah. And and, but But I'm still I still stick with NPM. I don't know. I haven't, you haven't we haven't made the switch over yet in soccer.

Scott Tolinski

Yeah. And, ultimately, they'll kind of are the same at the end of the day. I mean, there there's in in terms of for the most part I mean, we use PMPM for the workspaces and stuff. It's nice. But, hey, everybody kinda

Guest 2

Gets the features. Part of the reason too is that our safe NPM, feature only works with NPM right now. So I wanna have that in place. Obviously, it would be really embarrassing if I, if I might I got compromised.

Scott Tolinski

Oh, yeah. Yeah. Yeah. Right. Yeah. Yeah. Working on something. What was the That guy who had the billboard that was, like, shapelock or something, their Social Security number on the billboard, and he he still got hacked? Yeah. That's embarrassing.

Scott Tolinski

Oh, man. What do you what do you do to stay up up to date on web tech? You seem to,

Guest 2

you know, know a lot of the newer APIs. Yeah. So I actually do this mostly because I have a kind of a security hacker mindset, and I always wanna break things. And it turns out that, Knowing the newest APIs is a great way to, like, discover things that are aren't haven't been hammered on as much, and so have, like, potentially have a lot of Laws or or or or ways they can be used that people haven't thought, like, thought of thought of all the ways they could they could be used yet. So, what's really good for that is is, just looking at the at the browser change Angelog posts that they do. Like, I think Chrome has a good one where every time a new, you know, version comes out, they'll just they'll just put in, you know, all the All the new APIs that they're shipping, and I just I usually just follow that.

Guest 2

There's also an amazing page called, project Fugu, which is also very Chrome specific.

Guest 2

I'll send the I'll post the link here. And project Fugu is basically Google's effort to, like, make the Web have all the capabilities of native apps.

Guest 2

And, if you go there, there's, a great kind of, like, overview page where you can see, on their Fugu tracker, like, all these crazy web APIs that are, like, very have very powerful capabilities That, they are hoping to ship in future Chrome versions and ones that they've already shipped. And so if you just follow this page, you can see kind of all kinds of, You know, crazy app ideas that you would not think could work on the web that that might now be possible. So it's a really fun page to look through, because you can get a lot of ideas For, like, you know, things you never would have thought of before. But when you see you just you just can see an API, and then it's like, oh, just that 1 API can give you, like, 5 or 10 app ideas, You know? Yeah. New new types of apps. You know what? I went down,

Wes Bos

the other the other day at lunch. The rabbit hole is, the there's a new serial port API, and you know what runs on serial port is receipt printers.

Wes Bos

And I was just thinking, like, man, how old would it be to print a receipt on, like, a thermal paper directly From the browser. And there's a couple, there's there's there's even a React API for rendering receipts And, like, converting it to whatever receipt printers need. It's like a special syntax, but I don't think there's anything that will directly Like, I've control I control the drone from the browser once, but I had to use a a server in the middle. And now I'm thinking, like, You still can't do it. It's it was TCP, like you talked about. That's some cool stuff there.

Guest 2

Yeah. Yeah. That's super cool. Yeah. I know. I love I love this type of stuff because, you know, again, it's So what was I love surprising people with, like, what, you know, with whatever you build, you know, that that getting that reaction on their face of, like, oh my gosh. Like, that I didn't think that was possible. Like, that's the thing that I love the most. Yeah. So so, like, these APIs are a great way to do that because you can shock people with, like, you know, wow, Torrance in the browser, like, that didn't seem possible. You know? That that that reaction is the best. One thing that, you can do to or, like, one thing that's that that I did with this, like, API, knowledge is I built a site that tried to basically use all of the APIs at once.

Guest 2

So, like, You could, just try to build the most, like, annoying website. So I don't know if you guys have seen this, but I'll post the link there. And I don't recommend actually, Visiting it unless you're, in a in an alternative browser because you might need to push quit your browser. Don't do you're doing it right Yeah. Yeah. Don't do it. You block Or Jennifer, you blocked me from loading it. Oh. Did you know? So, yeah, we got listed on yeah. We got listed by ublock and and Twitter.

Guest 2

So you actually can't Share the link on Twitter now. It's I I promise you it's not malware.

Guest 2

I promise you I promise you it's just an it's just annoying JavaScript. There's nothing, you know, malicious about it. It's I promise you, it's totally safe. The source code is on my GitHub. If you wanna look at the source for it, or you can just view the source. All it does is it just Opens up, like, as many pop ups as possible. It moves them around your screen. It, it it it, downloads files into your downloads folder automatically.

Guest 2

It it basically does it's like what what does the web let you do, and what if you just did all those APIs at once? Just just make it obnoxious page. And that's kind of what it is. So It's kind of the, it's the reason why people I opened it. Uh-oh.

Guest 2

What's happening?

Wes Bos

Oh, I forced quit it. Good. Wow. That's that's I don't recommend that. That is awful.

Wes Bos

Sorry. Go ahead.

Guest 2

Yeah. So it's it's one of the reasons why some people say that, you know, Chrome and these are you know, there's, like, kind of 2 visions for the web. Right? Like, Add more functionality in. And there's other people who just say it should be a document viewer, you know. And, like, I don't really think anyone really argues for that anymore. But, like, you know, This is kind of an example of what happens when you you know, one of the downsides, I guess, of making the web so powerful is that, you know, you do visit of untrusted sites, and you do run untrusted code all the time from these random URLs you go to. And but, yeah, the browser does a pretty good job. I mean, at the end of the day, this annoying site Can't really compromise you, so it's really just annoying.

Guest 2

It's just not.

Scott Tolinski

Oh, that's great. Cool.

Wes Bos

Thing we have here is,

Guest 2

a sick pick and a shameless plug. So my sick pick is the Harry Potter audiobooks.

Guest 2

I've been listening to the I've been relistening to the Harry Potter audiobooks by Jim Dale, and he's the best voice actor. He He just he does all the voices himself, and I think he set the Guinness Book of World Records for the most voices acted by a single voice actor in a in an audiobook Production.

Guest 2

And, it's just really good. And, and and I just also will give a shout out to audiobooks in general As as a person who spends all day on the computer screen looking at stuff and using my eyes, I I really love being able to just Rest my eyes.

Scott Tolinski

And What's your preferred, app for consuming audiobooks?

Guest 2

WebTorrent.

Guest 2

You know No. You should not use web chart for piracy. Do not use that web chart for piracy.

Guest 2

They They tend to use audible like everybody else. And, yeah, that's that's kind of the market leader.

Guest 2

You They're probably a monopoly at this point. I mean, everybody uses Audible, I feel like. What is there something else I should consider that's not audible? Actually,

Wes Bos

Spotify just rolled out,

Scott Tolinski

Yeah, they did. Like a 170,000 audiobooks, which I don't know if that's a lot or not. It seems like a lot. So and if you pay for Spotify, you have access To the mall, apparently. I haven't checked checked it out yet, though. Yeah. There's some weirdness too when you try to do it. You you can't buy it through the app even though you're not buying it, so you have to, like, do it on the website and then Really? Listen on the app. I yeah. There's some wonkiness, at least in the states. Interesting.

Wes Bos

Can I do an can I do one more pick? Yeah. As many as you want. You could beat Darcy. Darcy hit, like, 7.

Guest 2

Oh, wow.

Guest 2

I'll do another pick for chat g p t.

Guest 2

I know everybody's, like, already aware of this and using it. But I just I I noticed when I watch, like, my friends or other people in my family using, just using a computer. There's all these tasks that they're not using JAD GPT for that they could be. Mhmm. And I I would recommend people if they wanna understand, like, What can this technology do? Just decide you're gonna use it for everything.

Guest 2

Like, don't write a single email Ever again, like, just for a whole week, just decide, like, I'm not gonna I'm not gonna do anything except through chat GPC. And it'll really give you a bunch of ideas for, like, things that can be Used for that, you might not have thought of, and and that's been pretty pretty cool and inform like, pretty eye opening for me to just to just do that and and see. And I and I use it for a bunch of stuff. Hell, yeah. Awesome. Yeah. And then, Seamus plug? I mean, use socket.

Guest 2

Go install socket. It's a it's It's a free install from the GitHub marketplace. That's probably the easiest way to get started.

Guest 2

Go to socket.dev, Click install and, like, literally 2 or 3 clicks to get it, to get it on all your repos. And and, if you're at a big company or, you know, you wanna use it at at work, get in touch with us. You can schedule a demo and, you know, either I or somebody on our team will will, demo it for you. And, And we have a lot of cool customers now using us. You can see some of them on our website.

Guest 2

Companies like Figma, companies like Vercel, They're all customers of Socket and, and and and and so, you know, it it is really being used by some of the best teams now, and it's really exciting to see that. So, if you wanna use it at work and you don't you like it you like a tool that's built for developers and not, not, annoying Or noisy to use like some of the other security tools you might be familiar with, then give it a shot. Or or tell your security team to come talk to us, and we'll we'll explain to them why it's Awesome. And why they should why they should consider using it. Awesome. Thank you so much for your time. Appreciate it. Yeah. It's awesome. Yeah. Yeah. This is really fun. This is a cool conversation, guys. Thanks for having me. You're welcome.

Scott Tolinski

Please.

Scott Tolinski

Please.

Scott Tolinski

Head on over to syntax.fm for a full archive of all of our shows, And don't forget to subscribe in your podcast player or drop a review if you like this show.