Cray Customer Service – Memories (2021) (cray-history.net)

Sharing screen is really scary today with all PIIs and secrets sprawling around your screen, so I built Entropy, a small Chrome extension that spots API keys, tokens, emails, and throws a blur overlay on them in real time.

The goal is to make screen-sharing feel safe again without adding steps to a demo.

Everything runs locally—regex + entropy heuristics compiled to WASM—and the extra CPU cost averages ~1 ms per mutation on my M1.

Custom rules can be added with a JSON file for teams that have proprietary token formats.

visit https://entropysec.io

Feedback please <3

Comments (26)

pinkmuffinere · 1d ago

Congrats! Launching is hard. Feedback:

- I can't tell what this is until I scroll "below the fold" (ie, below the first visible screen). I think your tagline just needs to be clearer. Even your first sentence in the post here could be a decent description ("Entropy, a small Chrome extension that spots API keys, tokens, emails, and throws a blur overlay on them in real time")

- I'm not very comp-sec minded. I've never in my life worried about leaking API keys, tokens, email addresses, etc via screen share. I have worried about leaking bookmarks, sensitive email drafts, slack messages, etc. But I also don't think I care enough to pay for something that blocks those. Hopefully there are people that do care enough to pay

- An idea for a possible pivot: Ad agencies sometimes want to show how much money or traffic they bring in for clients. Made up data isn't convincing to close a sale, but real pages can have sensitive data like company names, logos, ad spend, etc. With a slight pivot, you might be able to provide them something to obscure that info. I only have second-hand knowledge of this problem, so you'd need to verify that they care enough about this -- don't take my word for it.

mattbessey · 1d ago

I would recommend doing more than gaussian blurring. Blurring makes it harder but not impossible to recover, especially if you know the exact font and font size in an image (which is easily recovered when the attacker can visit the website to work it out!).

pockybum522 · 23h ago

https://youtu.be/acKYYwcxpGk here's a citation for that being possible, in case anyone's interested. Also has some of the methods posted on github from what I remember.

pushcx · 21h ago

Yep: https://github.com/bishopfox/unredacter

randomtoast · 23h ago

We would need actual black bars.

kevincox · 21h ago

Or if you want it to look "authentic" replaced it with blurred random text.

But personally I like solid bars as it makes it obvious what is happening and that it is secure.

phoronixrly · 1d ago

Soo... No source? Requires access to 'Read and change all your data on all websites'? Pinky-promises not to send data to a server?

On top of that it uses blur to hide secrets when it has been proven that blurring leaks enough information for the obscured data to be reconstructed.

On top of that it's a $4/mo subscription service for what in your words amounts to regex + entropy heuristics + some enshittification (you're not allowed to have custom regex unless you pay subscription)...

Xss3 · 23h ago

What, you don't trust strangers with all your web browsers data? Don't be so paranoid.

dinfinity · 13h ago

Agreed. Flagged the article. Borderline malware advertisement.

pinkmuffinere · 10h ago

They built a new thing and shared it. Hn is news for “hackers”, and sharing early products like this is one of the intended use cases. Sure it lacks polish, but flagging seems extreme

phoronixrly · 1h ago

I mean, drumming up a chrome extension on HN to get a userbase, then abusing it or selling it off to be abused shouldn't be the sort of entrepreneurial/hacking mindset HN appreciates.

owebmaster · 23h ago

Now developers have to give their source code for free and can also not monetize subscription. Is it some kind of modern slavery?

castillar76 · 18h ago

The only place I'm insistent about source-code is things like this that need access to a ton of my data at all times. An app that only has access to the data I choose to share with it, I'm more willing to give-and-take on the show-me-the-code front.

As far as subscriptions go, a lot of devs have moved to a subscription-train model, which I really like: you pay for the subscription (which funds development and pays for support), but at any time you can _stop_ paying the subscription cost and keep the version you're currently running without further updates. That's a good trade-off to me, since I can choose to end my subscription without it becoming a catastrophic migration event that has to be carefully planned and executed fully before opting to stop paying.

phoronixrly · 21h ago

No source - no pay. Even if source, in case the licensing scheme is subscription-based, there better be some service rendered that has recurring expenses, otherwise -- still no pay.

owebmaster · 12h ago

yes source - still no pay. What is the benefit in satisfying your demands? Code it yourself and make it open source.

mouse_ · 21h ago

Dude, just install the closed source screen reader that tries to find PII/credit cards/social security numbers on your computer. It's for Cyber Security!

ttoinou · 20h ago

Feature idea for another product based on the exact same stack tech : replace private information that are less private than secret keys but still not for public release (filepath files folders names in file system, user accounts names etc.) so that developer can easily make product screen recording / screenshot to showcase their product to the public. Then replace those strings by dummy strings generated by AI. You could sell it for more. I need this.

keepamovin · 23h ago

This is a great example of a product that doesn't really need to exist in a super completed state but that "gracefully degrades" to the customer tiers that come in. Like technically the features in the tiers are not complex or difficult (not disparagement to the effort and design, instead respect) - but the natural "peak solution" (using LLM to detect secrets) is advertised and achievable.

Well done!

ajb · 20h ago

In security, whitelisting is preferable to blacklisting. However given that people can already whitelist by only sharing one window (which is what I, and I guess most security conscious people, always do) I'm not sure there's a business here.

castillar76 · 18h ago

I was puzzled by that, too: I'm always mystified when people share their entire screen on a Zoom call instead of just the one window they need to show me. Zoom even makes it easy to change out what you're sharing (add / subtract) any time.

Having seen a giant work meltdown stemming from a colleague's Slack DM accidentally broadcast over a Zoom call, I'm always paranoid about it.

CommenterPerson · 21h ago

A Google Chrome extension to hide your secrets? Wouldn't that be self contradicting?

bitbasher · 17h ago

Sharing secrets is scary. Instead we share your screen and secrets to third party LLM providers!

nssnsjsjsjs · 22h ago

Nice line of defence! Ofc. people should avoid a situation where a secret on screen is worth something. Use MFA, VPN, key vault, JWT, OTP etc. etc.

sureglymop · 1d ago

A very cool idea but I think instead of blurring, you should just put a black bar over the recognized secrets. I mean think about it: you're going all the way when it comes to detection but only halfway when it comes to actually obscuring.

cheschire · 22h ago

Or make it customizable! Maybe I want to cover my secrets with daisies. Or fig leaves.

stephantul · 23h ago

“Colleagues”, the first prompt on the main page, is misspelled as “collegues”