Feross

@feross

Followers
29K
Following
26K
Media
2K
Statuses
27K

⚡️ Founder + CEO @SocketSecurity (https://t.co/7g1opA8rgG) • 🌲 Visiting lecturer @Stanford (https://t.co/yw9prxLQAM) • ❤️ Open source @WebTorrentApp + @StandardJS

Joined August 2008
@feross
Feross
1 month
🔥 LAUNCH WEEK IS HERE! 🔥
We're dropping something new EVERY DAY ahead of BSidesSF + RSAC. Buckle up. 🚀
First out of the gate: Socket now supports .NET 🛡️
Secure your NuGet dependencies from malicious attacks, typosquatting, and dependency confusion—WITHOUT slowing down.
4
6
33
@feross
Feross
5 years
The Nintendo Switch uses my open source code 🤯.
@voxpelli
Pelle Wessman
5 years
@feross Have you seen that the Nintendo Switch uses your safe-buffer? (I for some reason scrolled through their incredibly long license list)
Tweet media one
73
288
6K
@feross
Feross
6 years
Detect pressed keys via microphone audio capture in real-time. Uses training data captured by typing first. Very neat! Based on ideas in this classic traffic analysis paper: Timing Analysis of Keystrokes and Timing Attacks on SSH
39
2K
3K
@feross
Feross
4 years
🤩 Exciting news! I'm ready to share the project I've been working on for the past 2 months. ✨ Wormhole – the fastest way to send files ✨. Wormhole lets you share files with end-to-end encryption and it's super fast. Send a file in just 2 seconds:
130
488
3K
@feross
Feross
2 years
I wish more developers understood the constant stream of malware that is posted to npm, PyPI, and all package managers. Here's just a taste of some crazy malware Socket identified in the past couple weeks. All malware descriptions were FULLY WRITTEN by Socket AI.
43
555
3K
@feross
Feross
7 years
🙌 Just released a CLI tool called `thanks` to help you thank the open source maintainers you depend on! ✨
1. Run 'npx thanks' in your project.
2. See which of your dependencies are seeking donations! 💸
🌟 Open source authors, add yourself to the list:
46
960
2K
@feross
Feross
3 years
“Just use an npm package”. @SocketSecurity
17
380
2K
@feross
Feross
11 years
The Internet of things! [source of pic unknown] http://t.co/eF1HEHdmWZ.
Tweet media one
59
3K
2K
@feross
Feross
1 year
The `xz` package backdoor is just the tip of the iceberg. There's a CONSTANT low-level stream of malware and spyware being uploaded to npm, PyPI, and Go registries. I want to share a few examples from the 20,000+ malicious packages we detected so far:
35
373
2K
@feross
Feross
1 year
🚨 The Express.js repo got swamped with spam PRs thanks to a YouTube tutorial gone wrong. Hundreds of low-effort contributions flooded in, creating chaos for maintainers. Some called it an "attack on open source", as pages of "UTTER GARBAGE" piled up in the Express.js project.
Tweet media one
101
217
2K
@feross
Feross
6 years
How camera lenses change the shape of your face. [Image source unknown]
16
401
1K
@feross
Feross
7 years
"someone transferred ~0.05 BTC (currently ~$900), paying 0.01 BTC in fees (currently ~$180). and the network burned enough electricity for that single transaction to drive a Model S well over 1000km, or power an average house in Germany for about a month". – @dcposch
Tweet media one
44
1K
1K
@feross
Feross
3 years
🚀 Exciting news! I'm ready to share the project I've been working on for the past 7 months!
Introducing ✨ Socket ✨
⚡️ Search millions of open source packages.
🔒 Detect suspicious package updates in real-time.
🛡 Block software supply chain attacks.
67
252
1K
@feross
Feross
2 years
✨ HUGE NEWS! ✨
🤖 Introducing Socket AI – ChatGPT-Powered Threat Analysis
@SocketSecurity is using ChatGPT to examine every npm and PyPI package for security issues!
🤯 In just 2 days, we confirmed 227 vulnerable and malware packages, all discovered with the help of ChatGPT.
33
219
1K
@feross
Feross
4 years
End the #AppleBrowserBan. Apple: stop holding the web back by banning competing browser engines.
Tweet media one
21
224
1K
@feross
Feross
5 years
I taught a web security course at Stanford. All the course materials, slides, and videos are freely available online. If you want to learn about secure web programming, this course is for you! ✨
📝 Website:
📺 YouTube playlist:
22
245
943
@feross
Feross
3 years
✨ I'm engaged! ✨. Asking @noor_siddiqui_ to marry me was the easiest decision I've ever made! ❤️ If you know Noor, then you know what I mean! I feel lucky that I get to spend my life with her. But planning the proposal wasn't simple. Here's how I asked her to marry me. 1/5
Tweet media one
Tweet media two
Tweet media three
108
12
932
@feross
Feross
6 years
😍😍😍 I'm teaching "CS 253: Web Security" at Stanford this Fall as a Visiting Lecturer.
26
43
858
@feross
Feross
7 years
This video of Steve Jobs introducing Wi-Fi is incredible. He's casually browsing the web, then he suddenly picks up the laptop and everyone in the audience realizes that it's not plugged into anything and they go crazy with cheers and applause! 11 Mbps!
11
178
732
@feross
Feross
6 years
An open source maintainer is a startup founder but with none of the upside.
24
95
697
@feross
Feross
7 years
🌟 Lazy-loading images and iframes are coming to the web platform and I'm excited that this will soon be possible:
<img lazyload='on' src='cool.jpg' />
<iframe lazyload='on' src='cool.html' />
Check the issue on whatwg/html:
7
253
672
@feross
Feross
11 years
Facebook's git repo is 54 GB. http://t.co/zLNSzDlFYF.
Tweet media one
100
2K
648
@feross
Feross
4 years
Now that Apple has willingly built spyware into iOS and macOS, within 10 years this tech will:
(1) be mandated by government in all end-to-end encrypted apps; and
(2) expand to scan for terrorism, disinformation, "misinformation", then eventually political images and memes. 1/5
16
220
614
@feross
Feross
5 years
@dhh Every line of code in that screenshot is explicit and quite understandable. If the alternative is a magical and overly-clever framework, I'll pass.
9
21
612
@feross
Feross
6 years
I’m ending the `npm install funding` experiment I introduced a few days ago. I appreciate the thoughtful discussion and feedback from the community. I shared some thoughts about how the experiment went from my perspective:
36
208
627
@feross
Feross
4 years
Tweet media one
7
83
602
@feross
Feross
2 years
🚀 Huge news! @SocketSecurity has raised $20M Series A funding led by Andreessen Horowitz (@a16z).
⭐️ This funding fuels our mission to make open source safer for everyone!
🚀🚀🚀 We're also announcing 4 new products this week as part of Socket Launch Week! ✨
🧵 1/10
56
69
601
@feross
Feross
6 years
Your regular reminder:
Tweet media one
12
213
593
@feross
Feross
6 years
200,000+ successful flights were completed in a single day, on July 4th, 2018. What impressive engineering, coordination, and human ingenuity!
9
145
577
@feross
Feross
3 years
🎉 Big news!
🚀 I'm excited to announce that Socket has raised a $4.6M Series Seed!
⭐️ Read our blog post announcement:
⭐️ Read the in-depth TechCrunch exclusive:
🧵 Thread ⬇️
48
53
558
@feross
Feross
1 month
We just bought a company. Why? Because vulnerability scanning is fundamentally broken. And I’m tired of pretending it’s fine. We acquired Coana, the best reachability analysis engine on the planet. The whole vuln industry is addicted to quantity over quality. More alerts, more
Tweet media one
63
68
530
@feross
Feross
2 years
Recursive Game of Life 🤯.
11
114
490
@feross
Feross
3 years
I love this so much.
@MaartenvSmeden
Maarten van Smeden
4 years
This is why programming is an acquired skill
4
57
471
@feross
Feross
7 years
Sweet! When you run `npm publish`, the latest npm 6.0.0 shows which files are included in the package as well as total package size! ✨
Should help prevent sensitive or huge files from getting included by accident. This is a great change. 💪
Shrink those packages!
Tweet media one
7
125
460
@feross
Feross
5 years
I just built a site to help you make a friend in 2 minutes! My goal is to help people stuck indoors because of COVID-19 (or police curfews) to make meaningful connections with strangers. Hope you love it!
35
89
443
@feross
Feross
7 years
🗣 Big news! Today I'm launching a Patreon! ✨
I need your help to continue making free software like WebTorrent ❤️ and Standard 🌟
If you use any of my 100+ open source projects, please support my ongoing work by becoming a patron. 😇
Tweet media one
13
186
432
@feross
Feross
1 year
This is the result of treating OSS contribution as a quick FAANG job ticket. Reminder: Open Source isn't a free job fair or mentorship program. It's about solving real problems and contributing to the community. Don't be that person who adds noise instead of value.
Tweet media one
25
21
412
@feross
Feross
7 years
Big news! ✨ I’m going for my CS master’s degree at Stanford. 🎓 One of my goals is to teach a class on Web Apps – we’ll see how that goes!
12
12
412
@feross
Feross
7 years
This is brilliant. Make public transit free ➡️ increased public transit usage (obviously) ➡️ decreased congestion, fewer travel delays ➡️ increased economic activity, more eating out, better quality of life ➡️ more tax revenue to fund the free transit. ✨ 🇪🇪 ✨
13
193
400
@feross
Feross
8 years
There are more books for sale on Amazon from the 1880’s than the 1980’s. The missing books are out-of-print but still copyrighted. Insane!
Tweet media one
15
417
383
@feross
Feross
4 years
What open source library have you discovered recently that was shockingly good?.
62
82
401
@feross
Feross
8 years
Open source is this fantastic trap where we all guilt ourselves into coding for free so private companies can make millions off our neurosis
11
122
377
@feross
Feross
7 years
Progressive Web Apps going mainstream as Twitter makes its mobile site the main one. This is great! 💪
5
121
402
@feross
Feross
8 years
This Thanksgiving, I'm thinking of the open source maintainers who make all my work possible. Linux, BSD, GNU, Git, nginx, Node.js, Chromium, Firefox, and literally thousands of npm packages. I stand on the shoulders of giants.
3
112
393
@feross
Feross
7 years
💥 Want to find out if the compromised ESLint dependency is on your machine?
⚡️ Just run this:
cd ~/code
find . -type d -name "eslint-scope" -print0 | xargs -n 1 -0 -I % sh -c "(cat %/package.json | npx json version) && echo '(at %)'"
Look for "3.7.2" in the output ☠️
12
163
355
@feross
Feross
9 years
Top way to become a better programmer: BE LESS CLEVER. Your cleverness is just going to cause you (and probably me) pain later.
8
144
332
@feross
Feross
3 years
Get the JavaScript Source Code CD Professional Series for only $2.99. Almost 800 ready-to-use JavaScripts that you can cut & paste into your own HTML documents!
Tweet media one
Tweet media two
16
39
331
@feross
Feross
4 years
I've been testing #GitHubCopilot in Alpha for the past two weeks. Some of the code suggestions it comes up with are eerily good. Here's a thread with some examples that I found surprising. Will update with new examples over time.
4
88
330
@feross
Feross
5 years
It's time to do an annual backup of your data from online accounts. Here are the links you need:
- Google:
- Apple:
- Twitter:
- Facebook:
- Microsoft:
2
113
321
@feross
Feross
4 years
This one-line change on @Wormhole_App reduced GPU utilization by up to 60% 🤯. Now you can send files in silence!
Tweet media one
19
31
336
@feross
Feross
6 years
"This man has been editing a Wikipedia article every four minutes for 13 years. He is insane, and he has had a huge impact on what you and I read every day when we need more information about literally anything"
14
106
325
@feross
Feross
8 years
Safari's domination continues with the **NEW MODERN VERSION** of JavaScript, ECMAScript 5. FIVE!
20
123
326
@feross
Feross
6 years
Good summary of JSON hijacking, if you're not familiar. Why Facebook's API starts with a for loop
Tweet media one
2
77
317
@feross
Feross
7 years
🤯 Just read a fascinating paper called "The Surprising Creativity of Digital Evolution". 🤣 It's a bunch of HILARIOUS anecdotes showing how Artificial Life systems often produce SUPER surprising and SHOCKINGLY ridiculous results. 😲. 👇 THREAD
6
119
295
@feross
Feross
6 years
Do you use my open source software at work? I now offer an open source support contract.
- 4 hours of consulting (development, bug fixes, etc.) per month.
- Email support.
- Company logo on readmes + website (~180K views/mo).
- Priority GitHub issues. 🌟
4
81
297
@feross
Feross
7 months
🚀 Big news! @SocketSecurity just raised a $40M Series B round to combat next-gen software supply chain security attacks and defend open source. The round was led by @AbstractVC, with @eladgil, @a16z, and top angels. We have big plans for the $$$ – see thread ⬇️. 🧵 1/10
Tweet media one
39
46
307
@feross
Feross
4 years
I added some improvements to The Annoying Site.
- Change theme-color in a loop (Safari 15).
- Picture-in-picture in all browsers.
- Block close window better.
- Animate URL with emojis.
- Pointer lock.
- Request MIDI, bluetooth, USB, serial, HID.
⚠️ Warning ⚠️
12
84
297
@feross
Feross
4 years
Safari isn't protecting the web, it's killing it.
Tweet media one
13
87
302
@feross
Feross
6 years
Forgot your password? No problem. Windows 95's got your back!
8
49
291
@feross
Feross
1 month
🚨 The CVE program is about to go dark. MITRE just confirmed their funding to run CVE and CWE expires tomorrow. That’s the main database the world relies on to track known vulnerabilities in software. Yes, the CVE. The backbone of the entire vuln ecosystem. No CVEs = no shared
Tweet media one
Tweet media two
18
112
299
@feross
Feross
6 years
☠️ Passwords ☠️
- Average user has ~100 accounts.
- Creates 50 passwords per year.
- High rate of password re-use (75% of users).
- Frequent password sharing with others (40% of users).
- Huge number of password resets (40%-60% reset every 3 months).
Source: Nikola Blanchard.
9
94
280
@feross
Feross
8 years
1/ Ryan Dahl (creator of Node.js) wrote an epic rant and then quit writing software for a while. I want to repost it here now.
10
118
272
@feross
Feross
5 years
My friend has a @1Password Family subscription and let the credit card lapse. She didn't notice the emails asking to update the card. 1Password completely deleted her account and logged her out on all devices. Now she can't access her 100+ passwords and 2FA tokens. WTF.
26
54
272
@feross
Feross
8 years
🙌 Retweet if you use ExpressJS 🌟 and are grateful to @blipsofadoug for his excellent and tireless work maintaining it over the years. 🏆
11
271
264
@feross
Feross
6 years
Stop what you're doing and turn on "Auto-delete your Web & App Activity" in your Google account: Set it to the minimum "Keep for 3 months". Once you've done that, also turn off as many tracking options as you can here: ✌️
7
77
257
@feross
Feross
7 years
If you have a website, definitely check out your site's Chrome UX Report. It's a bit tricky to set up (watch the embedded video), but when you're done you get an automatically updating dashboard with real user experience numbers! Cool! h/t @_developit
Tweet media one
1
49
251
@feross
Feross
2 years
In 2020, I was grinding away as an open source maintainer, fueled by donations and a dream. Today, @SocketSecurity is shining bright on a Times Square billboard. Never give up.
15
20
257
@feross
Feross
11 years
WebTorrent now works in the browser, end-to-end! Check out an example app: http://t.co/VLUMSIBMlp.
26
226
234
@feross
Feross
7 years
It gets worse! Someone found a bug in the try-before-you-buy demo page. You could type in any U.S. phone number and get the phone’s real-time location *without any text to the user for permission*. 200 million people exposed! What. The. Hell.
@feross
Feross
7 years
US cell carriers are selling access to your real-time phone location data 😯 There's even a try-before-you-buy page where you can track the location of your own phone:
Tweet media one
Tweet media two
4
231
242
@feross
Feross
8 years
It Takes Just $1,000 to Track Someone's Location With Mobile Ads
Tweet media one
6
146
215
@feross
Feross
6 years
Some of the most innovative open source software within the JavaScript ecosystem has been produced by eccentric, independent individuals who write open source because they love it, not because some megacorp pays them to do it while representing the company's interests. 1/2.
3
45
228
@feross
Feross
7 months
🚀 Big news!
We’re thrilled to introduce Socket Optimize ✨—a powerful CLI tool that overrides your open-source dependencies with tested, optimized packages, with just one command. 💪
Say hello to:
🧹 Cleaner
⚡️ Faster
🔒 More secure
dependencies!
Tweet media one
10
34
230
@feross
Feross
2 years
Just got the news that I've been selected as a #GitHubStar for 2023 and I couldn't be more thrilled! Looking forward to continuing to help other developers and to contribute to the open source community 🚀🌟. ❤️ @GitHub @SocketSecurity
Tweet media one
7
9
228
@feross
Feross
4 years
This is not a drill. Police are already misusing location data gathered for COVID contact tracing even though everyone SWORE it wouldn't be used for anything by health purposes. Once the data and tools exist, governments can’t help themselves – it’s just too tempting. 2/5.
8
52
213
@feross
Feross
4 years
🚀 BIG NEWS 🚀
Wormhole now has ✨ QR Codes ✨
✅ Send files from desktop to mobile with *one click*.
✅ End-to-end encryption keeps your files private.
✅ Works on all platforms – iOS, Android, Mac, Windows, Linux, Chromebook – anything!
Try it out now!
8
36
213
@feross
Feross
7 years
🗺 Google Map's Moat – How far ahead of Apple Maps is Google Maps?. One of the best tech articles I've read in a while. Not kidding – Google's work on Maps is awe inspiring. It's hard to imagine the scale that they're operating at.
Tweet media one
0
84
212
@feross
Feross
1 year
🤯 Socket figured out that an attacker's base64 encoded PowerShell / bash command is actually creating a reverse shell. LLMs are pretty incredible 🌟
Tweet media one
Tweet media two
@npm_malware
npm malware
1 year
⚠️ Malware removed from npm: ts-patch-mongoos@1.0.0 ⚠️. The code is likely intended to create a reverse shell connection to a remote server, allowing unauthorized access to the system. The use of obfuscation and system-level commands targeting specifi.
7
31
225
@feross
Feross
7 years
I published `bg-sound` to npm, a Web Component to emulate the old-school <bgsound> HTML element
6
28
218
@feross
Feross
6 years
Pay maintainers or do the work yourself.
3
54
212
@feross
Feross
6 years
What a stunning aerial image of New York City
Tweet media one
1
45
210
@feross
Feross
8 years
Introducing Nile.js: A Peer-to-Peer Live Video Streaming Library built on WebTorrent
Tweet media one
4
70
208
@feross
Feross
5 years
Tweet media one
5
47
210
@feross
Feross
4 years
Ran into a spectacularly awful Safari bug in the latest Safari (14.1.1 on macOS and iOS 14.6). Opening an IndexedDB database fails 100% of the time on the first try. 😩 If you refresh, it starts working. Bug report: cc @webkit @chris_dumez @Apple
6
41
207
@feross
Feross
5 years
@dhh Also, you're comparing apples to oranges. Express is low-level and un-opinionated. It's not trying to solve the same problems as Rails.
3
1
199
@feross
Feross
4 years
I'm quoted in @FastCompany about why some developers are avoiding app store headaches by going web-only. “We want to be an example of what a modern, fast web app can do,” he says. “And we want to blow a few minds while we’re at it.”
Tweet media one
5
22
202
@feross
Feross
4 years
I'm incredibly disappointed that this was approved and built by @Apple. The short-sightedness is staggering. How can they think governments won't demand to expand this? Before today, I believed that Apple genuinely cared about my privacy. But no more. This is a disaster. 5/5
Tweet media one
7
34
203
@feross
Feross
6 years
Real Mac bug for 10+ years: "In some cases the audio balance may unexpectedly drift towards the left or right channel. This can happen if you rapidly press the volume up or down keys while the computer's microprocessor is under heavy load". Still not fixed
18
38
199
@feross
Feross
1 year
Want to contribute to open source the right way? Start with real issues, not spam PRs. Make yourself useful, not a burden. Read the full story:
4
19
206
@feross
Feross
4 years
The company I started – Socket Inc – has a snazzy new home on the web: If you want to work with me and help build cool software like @Wormhole_App, please get in touch! My DMs are open.
12
17
202
@feross
Feross
2 years
This code is using curl to send the contents of the file '/etc/passwd' to a remote server. This is a highly suspicious and potentially malicious behavior as it could cause sensitive data to be sent to an attacker's server.
Tweet media one
2
13
196
@feross
Feross
8 years
WordPress ditches React, and just like that *poof*. 25% of sites on the internet don't use React anymore.
11
118
189
@feross
Feross
7 years
🙌 HUGE THANKS to @Brave who just announced they are supporting @WebTorrentApp for the next 12 months as a 🌟 Platinum Sponsor! 🦁 Brave is a browser with your interests at heart — 🤩 Thanks to the awesome people at Brave for supporting open source! ✨
Tweet media one
5
41
193
@feross
Feross
8 years
Want to be a top programmer? This is THE talk to watch. You must know the difference between "easy" and "simple".
Tweet media one
1
45
187
@feross
Feross
8 years
React is Considered Harmful™, as far as I'm concerned. Will not use on new projects. The license is weaponized & very harmful to users.
9
83
188
@feross
Feross
4 years
Happy to announce that the Wormhole cryptography code is now open source!
✅ MIT License.
✅ $1,000 bounty for finding a security issue.
Check it out here:
6
34
183
@feross
Feross
6 years
Incredibly informative tutorial on how synthesizers work. Powerful web audio demo, too. What a blast!
3
38
180
@feross
Feross
8 years
WebRTC is FINALLY supported in Safari. Coming to iOS 11 and macOS 10.11, 10.12, & 10.13!
7
75
172
@feross
Feross
6 years
If these creative and brilliant folks could make a decent living writing open source software to benefit the commons instead of seeking private contracts writing proprietary code for a single company, we'd all have more innovative open source software to use. Everyone wins. 2/2
11
13
177
@feross
Feross
4 years
Chakra UI is the best frontend component library, hands down. If you haven't used it, you're missing:
- Components are beautiful by default.
- Accessible HTML.
- Responsive maintainers.
- Active community.
- Thoughtful and delightful API design.
I'm a huge, huge fan.
@thesegunadebayo
Sage ⚡️
4 years
Made with Chakra UI 🤩🤩.
6
17
184
@feross
Feross
4 years
@Apple This @EFF write-up explains why this backdoor is a disaster: "To say that we are disappointed by Apple’s plans is an understatement." "It is a shocking about-face for users who have relied on the company’s leadership in privacy and security".
3
52
174
@feross
Feross
8 years
We replaced require('mod') and `module.exports` which are simple and beautiful with this over-engineered nonsense
Tweet media one
12
66
175