Exploring JavaScript security and open source - Podcast
Dive into the world of hardened JavaScript, LavaMoat, and JavaScript security with Zbyszek “ZB” Tenerowicz (@naugtur) in episode 4 of Change Mode. From at-home HTML trial-and-error to building inclusive 3D gaming engines, ZB dives into his open-source journey and the incredible projects he continues to work on every day, including his passion for and dedication to organizing and public speaking at international developer events. Let’s get into the episode!
Podcast transcript
Marine: Thank you very much for joining me today. I'm with Zbyszek, also known as ZB for English speakers. Thanks for meeting us today. Could you introduce yourself and tell us a bit about what you do and why you're here?
Zbyszek: Hi, I'm ZB. You might also know me as naugtur from my online activity. I'm here because I do a lot of open source work, particularly in JavaScript security. I've been involved in open source and Node.js for the last eight to ten years. Currently, I'm working on a project called LavaMoat, which is a fully open-source project available under an MIT license.
Marine: Great, thank you. We're going to talk about LavaMoat, but first, I'd like to get to know you better. How did you end up doing open-source work?
Zbyszek: I got into open source through JavaScript. I started learning JavaScript many years ago in primary school. My parents bought a PC, and I learned a bit about how it works. Around the age of 13, I started learning HTML by trial and error. Eventually, I made my first website in pure HTML and got fascinated by JavaScript. Over time, I published various things on GitHub and npm. My first significant contribution was to the XHR package, and since then, I've been involved in various open-source projects.
Marine: That's amazing. How did LavaMoat come to be? Did you join when it was already made, or did you create it?
Zbyszek: LavaMoat was born out of a legitimate fear of malicious npm packages. Aaron, the founder of MetaMask, was concerned about what would happen if one of the dependencies turned malicious. He started working on LavaMoat, and I noticed his work while researching supply chain security. After some discussions, I joined the team to help build LavaMoat further.
Marine: So this is your full-time job now?
Zbyszek: Yes, I work full-time on LavaMoat and other security-related projects at MetaMask. We develop software to prevent attacks and consult with other teams on JavaScript security.
Marine: Can you explain how LavaMoat is made and what it does?
Zbyszek: LavaMoat consists of several tools. The first tool prevents malicious packages from using post-install scripts to attack you. Another tool runs your JavaScript software with a policy that prevents dependencies from doing unexpected things. LavaMoat uses Hardened JavaScript compartments to isolate dependencies, ensuring they cannot perform malicious actions. Hardened JavaScript, also known as SES (Secure ECMAScript), is a concept intended to go into the language itself. It's already implemented and working with minimal trade-offs.
Marine: That's fascinating. How many people are contributing to LavaMoat?
Zbyszek: We have about four people working on LavaMoat directly. We also contribute to Endo, the runtime environment for LavaMoat, which has more contributors.
Marine: What should someone do if they want to contribute to LavaMoat?
Zbyszek: Get in touch with us. We have weekly Zoom calls that are open to anyone who wants to participate. Join the call, see what's going on, and start experimenting. Reporting issues and helping us figure them out is also a great way to contribute.
Marine: You mentioned that you sometimes do demos at conferences. How did you get into speaking in public? Is it because you're passionate about sharing your knowledge?
Zbyszek: I just can't stop. It started out super early. The first local meetup talk I gave was in 2011. The organizers would let me know whenever they were organizing another one, and I kept giving talks. I would look into things just for the purpose of learning enough to give a talk about it. I learned web audio just to give a talk about it because it seemed interesting. It's a continuation of this passion of putting stuff in people's heads. I did a lot of role-playing games as a teenager and enjoyed being the narrator of the game a lot. I think this is a continuation of that. I've been talking about JavaScript stuff and Node.js, especially diagnostics and performance in Node.js. Then I switched to a bit more security and have been focusing on security pretty much ever since.
Marine: That's really cool. I love the role-playing game analogy. I might steal it. I think you also help organize conferences yourself, right?
Zbyszek: Yes. This local meetup kind of escalated. At some point, I switched from being the regular speaker to organizing. So I stopped speaking at the local meetup every time and instead started getting other people to speak. I was organizing the local meetup. The meetup family actually grew to multiple cities. At some point, they needed a new coordinator. So I took the role of coordinator. I can't say I did a great job, because it's impossible to coordinate this thing, but yeah, I've been trying. The Meetup family was actually running a conference every year, and we were looking for someone who dares to organize a conference. We don't have a legal entity, we don't have anything, we're just a bunch of enthusiasts around Poland in different cities organizing Meetups. So we tried to convince someone every year to organize a conference that would get people to go into one place and meet across cities. I did the 2014, 2018, and 2022, and helped a bit with a few other ones. It's a lot of fun, especially on the day of the conference, putting out fires, running around, emceeing is also great. I don't know, I'm doing it for fun. But we also managed to get some money out of it. But as I said, we don't even have a legal entity. So what do we do about money? The answer was simple, we give it away. These are charity conferences, and whenever we organize one, we just find a charity organization to work with, and they get all of the money that we have left from organizing the conference. Sometimes it's even some leftovers from what we get from sponsors, if we didn't spend it all, but it's mostly the money we get from tickets. Our tickets are very inexpensive, but if you organize a conference for 500 people, it's still a bit. I kind of specialize in making it low budget, but work for the community. Being able to say, hey, we're doing this for charity helps when negotiating stuff. 
We can negotiate a discount on food in exchange for a mention of the catering company that's providing it. I don't have the update for this year handy, but I think it was similar. In 2018 and 2022, we gave the charity a bit more than we spent organizing the event.
Marine: That's amazing. Wow.
Zbyszek: That was fun. Oh, and by the way, the organization is called MeetJS.
Marine: Yes.
Zbyszek: If you're ever in Poland, look for a meetup or try to get to our conference. It's in English. We want to create an international conference-style experience for our community, because this is not just for the participants. We also try to give the stage to our community. So a lot of people showing up as speakers are also new speakers or people who don't go abroad talking at larger conferences a lot. This is sometimes their first attempt to perform in front of an audience of a few hundred people. These are people from our local meetups that gave great talks. We obviously try to also bring some people from the outside. We have some folks that like to visit us. There's a little friend of the conference who always gets a slot, and he gives talks whenever available about JavaScript security, because I'm organizing, so I shouldn't. He comes from Israel, and he always makes sure that we don't have to pay for his flight, because the money goes to charity. He always expenses the flight not with us. So that's a nice arrangement. I got to say, I really enjoy doing that. But as you noticed, I do it every four years, because that's how long it takes to rest from organizing one.
Marine: I know what you mean. Organizing events is a lot of work. It's good that you have a team that you can take turns and still have the event. So that's great. You really like community. I'm guessing open source is also about community for you, not only code and sharing stuff, right?
Zbyszek: Yeah, I got to say, I mentioned Jake, and I explicitly said he was the first person I met through open source and then in person after a few years. This is something that happens a lot nowadays. I meet a lot of people from open source, and then we get to see each other in person at events like NodeConf EU. NodeConf EU is like a holiday for open source people. We gather together and we spend time with each other. We even pay attention to talks, but I dare say these are not the most important bits of the conference. NodeConf EU this year and last year was a great four-night, three-day event. The four-night thing is kind of significant there.
Marine: Nice. What would be a dream project for you, professionally or within the realm of open source, something that would be exciting for you to work on? Unless this is what LavaMoat is already. I mean, could be.
Zbyszek: Well, yeah, that was my thought going into all this. I can't even believe this is possible. Now I get to participate in it. These people tell me that the thing I'm supposed to be working on for the next two months is actually possible. I'm eager to try it. So, yeah, this is definitely my attitude to LavaMoat and Hardened JavaScript. I would love for it to become something with major adoption. My dream project would be to work on LavaMoat in a bunch of years from now when we already have ESM support and Bundler support finalized and major adoption. At that point, we're working on super interesting security quirks and improving the way we define policy so that even the most sophisticated threats out there in the NPM ecosystem can get it.
Marine: That is great. You are working on your dream. Congrats. OK, I have a few silly questions for you.
Zbyszek: These are the best.
Marine: If you could get the permission to do anything for a day, what would you do?
Zbyszek: Sleep.
Marine: Come on. Really?
Zbyszek: Yeah, I'm a parent. I just moved to a different city recently. I would probably sleep. But I know what you mean. You mean open source.
Marine: No, no. I mean anything. If anything was allowed. No, but I get it.
Zbyszek: Resting is involved. I have a bunch of project ideas. If you gave me a month, not a day, I might finish my 3D game engine that I once started. The interesting quirk that makes it, you know, because building a 3D game engine is kind of pointless nowadays with everything available in open source already. But the quirk is my 3D game engine that I started working on renders to sound and sound only. So it's like a game, but it's a podcast.
Marine: Oh, wow. Now you got me interested.
Zbyszek: It's a genre. It used to be called games for the blind sometimes, but it's actually for everyone. And it's a genre that's just a bit more inclusive. I stumbled upon a web forum where people with various disabilities were discussing games, but also making games. There were no great tools for that that were easy to use. You have to really do a lot yourself. They were not super experienced game developers. They were doing interesting experiments. That motivated me to come up with this idea. Life happened, work happened. I ended up coding just a bit of it and really struggling with a bunch of things in there. I would love to finish that. The idea was for you to be able to almost entirely declaratively define the whole scene to create an audio experience with collisions and everything. The fun part about this project to me was that the rendering medium of sound means that I don't have to be good at doing any of it. Create this engine myself because 3D audio is already there in the browser. You can just use it. Positional audio has an API. So all of the difficult math is already done. It's finding a good way to organize this stuff into something that makes sense. My favorite fact about rendering to audio is that you can make all collisions, you can implement all collisions as if they were collisions between spheres and no one's going to notice.
Marine: I believe you on that. Wow. That's amazing. I did not expect such a deep answer. I love the focus on accessibility. Kudos to you. OK. So other silly question. If you could invent a new permission, like if you could change modes, blah, blah, blah, something, what would your new permission do? Anything in the world. Not just in computers.
Zbyszek: It's probably going to be very boring, but my new permission would be like, you know, we have "use strict" in JavaScript. I would want the new permission to be "use lockdown" that just does whatever lockdown from Hardened JavaScript is doing. That's the boring answer. The more interesting answer is I would introduce something that just takes away all of the powerful references you have available from all of the code out there. You could only give them to anything that wants to use them top down. Like if you have a program that wants to read a file, make changes to it, and write it back, like a linter for your code, that linter, when it runs, has access to your entire system just like the user, you, because you're running it as your own user. I would like for it to be simple. That's a big challenge. I would like for this to be simple to actually run this program with no permissions whatsoever, except the ones that are directly given to it. Like you have access to these files, you can read them, and then you can write to them. That's all you can do. Nothing else is available to you, as if it didn't exist. I would love that to be the case. There's even this prize from Foresight Institute. It's called the Norm Hardy Prize. It's in memory of Norm Hardy, who kind of pioneered this idea a lot, where they're looking for new research on how to allow users to decide how they're going to agree to certain policies with a user experience that doesn't make it easy to trick them. This is my very unsophisticated explanation of this. Do look it up. It's super interesting as a topic, because we have created a situation where our software is insecurable. It's theoretically possible, and there are people working on that. Hardened JavaScript is one of the attempts, by the way. People are working on making software paradigms where it doesn't have the insecurity that's normal everywhere else. It's the same mistake we're making over and over again, mixing commands with input.
We don't have separate memory for programs and for data, which means if you confuse your C program or your CPU just a little bit, it's going to start executing something that was supposed to be data. This is one of the manifestations of this, but in hardware. The idea here is to create this situation where everything, every permission, is denied until you get it. That means we need to come up with human-computer interactions that are going to make that kind of behavior usable for the humans, because an average app that you use, actually, it's not just the 15 things you agreed to when installing the app that it's using. It's using a ton of capabilities that are given to it by default. If we wanted to make it more and more specific, we would need to come up with interactions where users would not only be able to give it permissions for specific things, but also be able to comprehend what they're doing and not be easily tricked into giving permissions they didn't intend. While most software is okay working that way for now, this is a problem that's really important whenever you get into super secure systems or cryptography or electronic money. The whole crypto thing, with all the weird stuff that happens around it, has actually prompted a lot of interesting developments in security, because you can no longer deal with it with existing security. You need to start going beyond that.
Marine: Answered like a true security person, right? You're talking about basically accessible defensive programming. That's super interesting. Well, thank you so much for your time. It was super interesting for me to understand a bit more about LavaMoat and what you're doing. I hope you'll get some new contributors. And I'll be super excited to see you on stage soon, I hope.
Zbyszek: Oh, that reminds me, I need to do some CFP submissions. I don't have anything lined up for next year yet.
Marine: See? Time to get on it.
Zbyszek: Yeah. Thank you. I really hope people will try our Webpack plugin and report back with any issues. If you're interested in this stuff and you happen to have a project that builds its front end with Webpack, that's the best place to start.
Marine: We'll share all the links. Thank you very much.
Zbyszek: Shout out to MetaMask for sponsoring the whole project.
Marine: Sure. You're right. Open source can only go so far. It's great that companies actually give time and money for that. I agree with you.