1. 1

    Ambiguous parsing, undocumented escaping. Hidden complexity. My favorite topics and (imho) the shared root cause for various security bugs.

    1. 1

      An opinion in good company.

      1. 1
    1. 4

      Why does every vulnerability come with its own catchy acronym and slick webpage now?

      1. 8

        Generally easier to remember, identify, and communicate than CVE IDs.

        Are we vulnerable to ALPACA?

        versus

        Are we vulnerable to CVE-2021-31971?

        1. 6

          At least they’re getting more adorable over time!

          1. 6

            Why does every vuln with a name get at least one person asking this exact question?

            1. 3

              Why does every vuln with a name get at least one person asking the question of why every vuln with a name gets at least one person asking why every vuln needs a name now?

            2. 3

              A Bug With A Logo? It worked the first time…

              In fact, thinking back, this trick still worked for POODLE, in the sense of management-level people caring enough to ask about it and organising statements that “we’re now protected against POODLE” or “we’re unaffected by POODLE” etc. But no branded vuln since has had any real boost from its marketing, as far as I recall – nobody cares, just the way everyone discussing this aspect of Heartbleed could foresee right from the start. The marketing has just become this motion you go through because it’s what everyone does.

              1. 2

                Crypto bros are a very weird crowd worried a lot about publicity and street cred.

              1. 14

                When this popped up in my RSS reader I thought I’d have to comment on it at some point. While I enjoy Rachel’s work, I can’t say I agree with this one, being at the centre of it.

                freenode, and now Libera, are fundamentally for and by the foss community. Every one of our staff has roots in some - often many - projects, and these roots are what allowed us to give confidence to projects during the split.

                Something I’ve seen a bunch is that when deciding what to do, projects have said “well, they’ve taken good care of us so far - the people are more important than the name” and followed us to Libera. I’m not sure that would be true if this was only a changing of the guard at a distant, faceless organisation that weren’t first and foremost also users.

                1. 5

                  I agree. There’s a useful notion here but I don’t think Rachel really manages to get at it. The divide is more along the lines of something like maybe channel politics vs network policy. But even just that is getting a bit too abstract for easy application while at the same time still being overly prescriptive.

                  1. 3

                    Yes. Power is formally dual to responsibility, and there’s nothing like dogfooding to keep the powerful aware of their responsibilities. Additionally, the responsible need to understand what they’re doing and why they’re doing it, which is hard to do at a distance.

                    1. 2

                      So I’ll pose a question then: How would you know if you didn’t hear the community’s voice? Aren’t you naturally biased by whom you consider to be the community? Moreover, as far as Libera is concerned, before the Bylaws were put in place, there wasn’t even a formal definition of what the “community” meant. In other words, if someone disagrees, how would you know?

                      1. 4

                        Drawing staff from communities means they can tell us when their community seems unhappy.

                        That does leave a tilt in favour of “communities from which we draw staff”, but we’re aware of this and try to mitigate it: every project or community registered with us on Libera has at least 1 group contact, and they are invited (and strongly encouraged) to join #libera-communities, which is where they can make support requests (such as cloak requests, help in dealing with abuse, etc), where we seek broader feedback, and where they can tell us outright what’s good and bad. It’s ~150 people in there from across our communities right now.

                        We also have #libera , our open access support channel, which is again the best place to tell staff how things are going right or wrong.

                        To sum up: 1) we try to ensure staff is a sample of the community, 2) we seek broader community feedback from formally delegated representatives of projects and communities, 3) the entire userbase is welcome to let us know their thoughts in a public discussion channel.

                    1. 7

                      It’s a shame JavaScriptCore, the WebKit JavaScript engine, doesn’t get more attention. They have a four-tier system that’s really nicely designed:

                      • Tier 1 is a bytecode interpreter. This is hand-written macro assembly, which is carefully designed to fit into the L1 instruction cache on most machines, which makes it very fast to run. This stage records various bits of profiling information.
                      • Tier 2 is the baseline JIT. This mostly uses the same code as tier 1, but either inlines the assembly implementing the bytecodes or inserts a call to a routine implementing complex bytecodes, avoiding any of the interpreter jump-threading overhead. This uses exactly the same stack-frame layout as tier 1, so on-stack replacement is trivial: if you’re in a loop in tier 1 and discover it’s being executed a load of times, you can quickly JIT the loop and continue.
                      • Tier 3 is the DFG JIT. This is a continuation-passing-style IR that takes the profiling information (particularly type information) from tiers 1 and 2 and can compile larger functions from traces through a JavaScript program.
                      • Tier 4 takes the output from the DFG JIT, converts it to SSA form, does a few more optimisations on it, and then runs it through a more expensive register allocator. Originally this was LLVM (which led to the fun acronym FTL for Fourth-Tier LLVM) but is now a lighter-weight Bare-Bones Backend (B3) because it was only benefitting from a tiny subset of LLVM.
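
                      To make the tier-up idea concrete, here’s a toy sketch of the general mechanism (illustrative Python, not JSC’s actual code): run everything in the cheapest tier first, count executions, and promote hot functions to a compiled version.

                      HOT_THRESHOLD = 1000  # arbitrary; real engines tune this per tier

                      class TieredFunction:
                          def __init__(self, interpret):
                              self.interpret = interpret  # tier 1: interpreter, gathers profiles
                              self.compiled = None        # set once the function tiers up
                              self.call_count = 0

                          def __call__(self, *args):
                              if self.compiled is not None:
                                  return self.compiled(*args)       # fast path: JITted code
                              self.call_count += 1
                              if self.call_count >= HOT_THRESHOLD:  # hot enough: promote
                                  self.compiled = jit_compile(self.interpret)
                              return self.interpret(*args)

                      def jit_compile(fn):
                          # Stand-in for a real JIT; an engine would emit machine code here.
                          return fn
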
                      1. 1

                        DFG […] can compile larger functions from traces through a JavaScript program.

                        Do you mean it can compile loops down to straight-line code across function boundaries? Put another way – does TraceMonkey’s spirit live on? 🙂 If so – cool!

                        1. 1

                          I can’t remember if it’s actually a trace-based JIT or whether it just does inlining of hot paths. The effect is pretty similar either way: hot code paths are inlined into the unit that is compiled as a single ‘function’ in the back end.

                      1. 8

                        I’m wondering where the gain is. Surely a move like this was bound to be a bad idea and scare people away. So after the takeover, the new operator started scaring people away almost immediately. This will end with everyone gone, and then what? What’s the use of operating an IRC network that’s empty?

                        1. 12

                          I’ve been wondering about this too. I would honestly have expected Freenode staff to lay low for a while, let the dust settle, present more of their bullshit about how it’s actually the fault of the old Freenode staff who were bad, and let their sheer size carry them through it. They would be left with a network that’s smaller than the old Freenode, but with quite a lot of concurrent users. I bet some of the projects who decided to leave would’ve come back, seeing as a lot of their community was left in the Freenode channel. Other projects would’ve decided to have a split community, with both the Libera and the Freenode channels as their “official” channels. A lot of projects were in a “wait and see” mode where they would basically decide to stick with Freenode at least for a while and see how it turned out; if nothing happened for a while, those would’ve stayed as well.

                          In the end, Lee would’ve ended up in charge of one of the biggest IRC networks. He could then have started monetizing the users, or felt good about being the king of IRC or whatever he’s LARPing as. But instead he decided to burn it all down. Why? Is he just a sad narcissist who went mad from the idea that people weren’t worshiping him? Or is it some scheme to make money? Is there a way to “bet against” the continued existence of Freenode and make money off of everyone who thought it wouldn’t go down in flames? Or does he actually have no idea how IRC works and genuinely thought that forcibly taking control over channels and preventing people from mentioning Libera in their topic was the best way to keep projects at Freenode?

                          1. 16

                            It’s fascinating, and it’s why I’m obsessively following this drama for pure entertainment purposes.

                            I think Lee is not as practiced a businessman as he’s making himself out to be. Such a person would dispassionately have surveyed the situation and realized that time and inertia were on their side. The mass of users would be on Freenode, and they could advocate, passively or otherwise, for staying where they were. Libera could presumably flare up, sputter, and then fade away.

                            Instead Lee reacted as an IRC op. He saw the loss of channels and users as a personal affront and as an immediate threat, and moved to stop it. (I honestly believe that the mass-takeover of 700+ channels was a mistake - but it’s a mistake that’s easy to make under stress). Coupled with an obvious internalization of the current culture war outlook, he could easily convince himself that the other side was the enemy, employing all sorts of dirty tricks, and feel that his reaction was justified.

                            Like I mentioned, the small channel I was part of was not interested in moving, even though I knew most of the members were personally against the kind of network Lee was creating, and the ops he was inviting. But having our access forcibly removed sure made the decision easier for everyone.

                            1. 6

                              Considering the reported attempts to bribe existing staff with the ability to k-line their “enemies”, I think Lee just has a very poor understanding of people who are unlike himself, and no ability to read them or empathise with them. If you read the chat logs, it’s evident that he thought they would all jump at the chance – in fact exactly zero of them did, as evidenced by the unanimity of the staff’s mass resignation.

                          1. 1

                            Any database has a limit on the size of data that can be sorted in memory to ensure the stability of the database server. [… T]hese values are typically less than 10MB. Because of this, to sort a large data set the database creates a temporary file to sort small chunks one at a time and merge them together later.

                            The article already suggests picking values from some indexed unique-valued column, and it seems like a lazy but effective way to address the memory limit issue would be to just use that to limit the amount of data loaded:

                            SELECT * FROM repositories WHERE id IN (
                              SELECT id FROM repositories ORDER BY RANDOM() LIMIT 3
                            )
                            

                            This will be slower on very small tables but should be able to avoid hitting even the default memory limit until the table grows very large, even under a dumb query plan (per @dpercy’s comment), and should only degrade slowly even after that. This avoids all the distribution issues of alternative schemes as discussed both in the article itself (!) and by @Forty-Bot and @ianthehenry here.

                            1. 23

                              Short version: compile SQLite using emscripten, turn the page size way down (4KB -> 1KB) and use the VFS layer to request only the necessary bits of the DB. Very clever, worth the read.
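
                              For a sense of what “request only the necessary bits” means on the wire, here’s a minimal sketch (hypothetical URL, Python stdlib only) of the underlying primitive – fetching a single 1 KiB page with an HTTP Range request:

                              import urllib.request

                              DB_URL = "https://example.com/data.sqlite3"  # hypothetical static file
                              PAGE_SIZE = 1024  # matches the reduced SQLite page size

                              def read_page(page_number):
                                  # SQLite numbers pages from 1; page N starts at (N - 1) * PAGE_SIZE.
                                  start = (page_number - 1) * PAGE_SIZE
                                  req = urllib.request.Request(
                                      DB_URL,
                                      headers={"Range": "bytes=%d-%d" % (start, start + PAGE_SIZE - 1)},
                                  )
                                  # The server must support Range requests (206 Partial Content).
                                  with urllib.request.urlopen(req) as resp:
                                      return resp.read()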

                              1. 2

                                Not sure what the impact on latency is of turning the page size from 4K down to 1K. The HTTP and TLS overhead would be much bigger, and I assume a few kilobytes don’t introduce significant load. I did something similar by accessing a sqlite db over fuse/http. It’s less cool than the author’s approach, but more useful in non-web applications.

                                The ultimate solution could be adding vfs-curl to sqlite itself, so we don’t need to hack our own copy.

                                1. 6

                                  Not sure what the impact on latency is of turning the page size from 4K down to 1K.

                                  Already addressed in the implementation and the article:

                                  I implemented a pre-fetching system that tries to detect access patterns through three separate virtual read heads and exponentially increases the request size for sequential reads. This means that index scans or table scans reading more than a few KiB of data will only cause a number of requests that is logarithmic in the total byte length of the scan.

                              1. 10

                                I’m on the side of the people who consider this a misdirected overreaction out of spite. I’d like to see a mass revert… of the actual bogus commits. The would-be researchers state in their methodology description that they consciously chose to submit their patches under non-UMN email addresses, so using @umn.edu as a revert criterion has a 100% miss rate for the bogus commits, and with no other criterion in play, 0% of them get caught. So I don’t know if this is a case of “something must be done; this is something” or something else, but I can’t find a way to frame it as a rational reaction.

                                (Of the would-be researchers and what they did, I won’t even speak.)

                                1. 12

                                  I think blatant violations of ethics in research deserve to be dealt with harshly, and making it the university’s problem is absolutely the right move because it is the university’s job to police its researchers. Reputation is a very hard currency for universities: it drives grants, it drives student applications, it drives where prestigious researchers want to work. Making a big dramatic stink about this threatens UMN’s reputation in the computer science field, which helps ensure the problem gets taken seriously.

                                  1. 3

                                    Greg is what we call a high-performer. Publicly shaming a university for their “research” was probably a couple hours of work at most for him. And if you can do it, why not? It will likely prevent future “experimentation” from other “research groups dedicated to improving the linux kernel”.

                                  1. 2

                                    What’s wrong with “$foo”?

                                    1. 2

                                      The value of $foo will be interpolated within the double quotes.

                                      1. 2

                                        And if that’s what you want what’s wrong with it?

                                        1. 1

                                          Nothing.

                                          But in most cases, $foo and "$foo" produce the same result, except the latter is slightly wasteful and slightly uglier. And in the fewer cases where they do differ, "$foo" produces the wrong result 99.9% of the time. So if it’s what you want then there’s nothing wrong with it, it’s just exceedingly rare that you do want it.

                                          And because of that, I find that writing it as "$foo" doesn’t sufficiently emphasise that I specifically wanted that, so I write those cases as something like '' . $foo so that it will be absolutely clear that the code was written that way deliberately. So actually, I do in fact never write "$foo".

                                          So that’s what is wrong with it after all: nothing from the computer’s perspective, but it communicates intent poorly to the next programmer.

                                    1. 2

                                      What happens if you are at the receiving end of this Cellebrite software, and your phone is one of the phones that has these completely unrelated files on it?

                                      Maybe your “interviewer” won’t find it as funny. Maybe it’s still better than the alternative? If they’re actually doing it, that is.

                                      1. 5

                                        If you are being “interviewed” by a government that does not have guarantees around civil rights and rule of law, a cheeky exploit likely won’t matter: the presence of Signal may be enough to convict you in the eyes of the state, let alone anything else found on your phone.

                                        If the state does respect rights and the rule of law, I think the presence of an exploit targeting forensic gathering tools that you didn’t install yourself could arguably introduce enough doubt into the process to exclude anything identified in the search.

                                        1. 4

                                          If the state does respect rights and the rule of law

                                          Show me a state whose spooks and counterterrorism apparatus respect rights and rules of law and I’ll show you a bridge you can buy for 5 bucks.

                                          1. 3

                                            Some governments have been known to torture and imprison people on the basis of owning a Casio watch: https://www.theguardian.com/world/2011/apr/25/guantanamo-files-casio-wristwatch-alqaida

                                            Having Signal or WhatsApp on your phone is sure to be excuse enough if the government you’re dealing with doesn’t guarantee civil rights or the rule of law.

                                          2. 3

                                            Your interviewer won’t find it, that’s the point. Your interviewer’s software will parse the file, and the file triggers a remote code execution. But why would that remote code execution make itself visible to the interviewer?

                                            But as it happens, I sort of know someone who works with this. His employer will be angry at Cellebrite, and the contract will soon say “all CVEs must be applied, or else they pay damages”. Moxie will not have overlooked this aspect.

                                            1. 3

                                              Not knowing more than what’s presented in the article, I imagined for example that the interviewer could have old reports open, or visible in a file browser, and then the exploit would modify them all. That could be one way to notice that something just happened.

                                              Like when I change some file from underneath my text editor, and it goes “the file changed on disk, what do you want to do?”

                                              1. 2

                                                A common fallacy of general computing.

                                                When you can program a computer to do anything, that includes any imaginable bad thing. Just choose a meaning of “bad”, and general computing includes an instance of it. The fallacy is to transfer the badness to general computing, or to the developer who can choose freely what code to write and run.

                                                A program such as Signal can run any code on a Cellebrite computer, including code which is bad for the Signal user. That doesn’t make Signal bad, or imply that the Signal developers would act against their user’s interest, or even that they might. Just that they could.

                                                1. 1

                                                  Modifying past and future reports is not something I came up with. It’s right there in the article.

                                                  1. 1

                                                    Yes, because it’s a good threat.

                                                    Cellebrite has two main customer groups, one of which involves prosecution. That statement tells prosecutors that the reports they use aren’t reliable. Those prosecutors need reliability and will tell their Cellebrite salescritters that, so it’s an excellent way to threaten Cellebrite’s income.

                                          1. 3

                                            This is a good description of the bare basics of a build system. Where things get messy, though — even in simple projects — is when the source files have dependencies on each other, which are described within those files. In C terms, when a .c or .h file #includes .h files. Then changing a .h file requires recompiling all the .c files transitively dependent upon it.

                                            No problem, make can do that! Except (unless make has changed a lot since I last used it) those dependencies have to be described explicitly in the makefile. Now you’ve got a very nasty case of repeating yourself: it’s so easy and common to add an #include to a source file during development. But if you ever forget to add the equivalent dependency to the makefile, you’ve broken your build. And it can break in really nefarious ways that only manifest as runtime errors or crashes that are extremely hard to debug. This in turn leads to voodoo behaviors like “I dunno why it crashed, let’s delete all the .o files and build from scratch and hope it goes away.”

                                            So now you need a tool that scans your source files, discovers dependencies, and updates your makefile. This is why CMake exists, basically. But it adds more complexity. This is a big part of why C/C++ are such a mess.

                                            (Or you could just use an IDE, of course. Frankly the only reason I have to deal with crap like makefiles is because not everyone who uses my code has Xcode…)

                                            1. 6

                                              None of this is necessary. It’s perfectly normal in make-based C/C++ projects to have a build rule which uses the compiler to generate the dependencies during the first build and then include those dependencies in the Makefile for subsequent incremental builds.

                                              There’s no need to keep track of the dependencies for C/C++ files by hand.

                                              (For reasons which are not entirely clear to me, Google’s Bazel does not appear to do this. Meson does though, if you want a nice modern build tool.)

                                              1. 2

                                                Maybe recursive make is where it breaks down. I have fond memories of hardcoding dependencies between libraries in the top level makefile – an activity reserved for special occasions when someone had tracked down an obscure stale rebuild issue.

                                                (I think recursive make, at least done the obvious top-down way, is flawed.)

                                                1. 1

                                                  Yeah, you never want to be calling make from within make.

                                                2. 2

                                                  I imagine the reason is that Bazel requires a static dependency graph, including for all autogenerated intermediate files. I’m not sure why the graph is encoded directly in files instead of maintained in a parallel index though.

                                                  There’s internal tooling at Google to automatically update dependencies in BUILD files from source files, but it’s apparently not open sourced.

                                                3. 4

                                                  You can’t add dependencies on the fly in Make, unfortunately. You can get a list of dependencies of a file in Makefile format with gcc using -MD and -MF, but that complicates things a lot. Ninja on the other hand has native support for these rules, but from what I’ve heard Ninja is mostly made to be used by higher-level build tools rather than directly. (I mean you can manually write your ninja file and use ninja just like that, but it’s not as pleasant to write and read as Makefiles.)

                                                  1. 5

                                                    from what I’ve heard Ninja is mostly made to be used by higher-level build tools rather than directly. (I mean you can manually write your ninja file and use ninja just like that, but it’s not as pleasant to write and read as Makefiles.)

                                                    That’s an explicit design goal of Ninja. Make is not a good language to write by hand, but it’s just good enough that people do it. Ninja follows the UNIX philosophy. It does one thing: it checks dependencies and runs commands very, very quickly. It is intended to be the target for higher-level languages and by removing the requirement from the high-level languages that they have to be able to run the build quickly, you can more easily optimise them for usability.

                                                    Unfortunately, the best tool for generating Ninja files is CMake, whose main selling point is that it’s not as bad as autoconf. It’s still a string-based macro processor pretending to be a programming language though. I keep wishing someone would pick up Jon Anderson’s Fabriquer (a strongly typed language where actions, files and lists are first-class types, with a module system for composition, intended for generating Ninja files) and finish it.

                                                    1. 1

                                                      The best tool for generating Ninja files is Meson :P

                                                      Admittedly not the most flexible one, if you have very fancy auto-generators and other very unusual parts of the build you might struggle to integrate them, but for any typical unixy project Meson is an absolute no-brainer. It’s the new de-facto standard among all the unix desktop infrastructure at least.

                                                      1. 1

                                                        I’ve not used Meson, but it appears to have a dependency on Python, which is a deal breaker for me in a build system.

                                                      2. 1

                                                        CMake, whose main selling point is that it’s not as bad as autoconf. It’s still a string-based macro processor pretending to be a programming language though.

                                                        It’s kind of amazing how wretched a programming language someone can create, when they don’t realize ahead of time that they’re creating a programming language. “It’s just a {configuration file / build system / Personal Home Page templater}” … and then a few revisions later it’s metastasized into a Turing-complete Frankenstein. Sigh. CMake would be so much better if it were, say, a Python package instead of a language.

                                                        I recall Ierusalimschy saying that Lua was created in part to counter this, with a syntax simple enough to use for a static config file, but able to contain logic using a syntax that was well thought-out in advance.

                                                      3. 5

                                                        You can’t add dependencies on the fly in Make, unfortunately.

                                                        The usual way to handle this is to write the Makefile to -include $(DEPFILES) or something similar, and generate all of the dependency make fragments (stored in DEPFILES, of course) with the -MMD/-MF flags on the initial compile.

                                                        1. 2

                                                          You can definitely do this, here’s an excerpt from one of my makefiles:

                                                          build/%.o: src/%.c | $(BUILDDIR)
                                                          	$(CC) -o "$@" -c "$<" $(CFLAGS) -MMD -MP -MF $(@:%.o=%.d)
                                                          
                                                          -include $(OBJFILES:%.o=%.d)
                                                          

                                                          Not the most elegant solution, but it definitely works! You just need to ensure you output to the right file; I wouldn’t call it particularly complicated, it’s a two-line change.

                                                          1. 2

                                                            You didn’t mention the reason this truly works, which is that if there is a rule for a file the Makefile includes, Make is clever enough to check the dependencies for that rule and rebuild the file as needed before including it! That means your dynamically generated dependencies are always up to date – you don’t have a two-step process of running Make to update the generated dependencies and then re-running it to build the project, you can just run it to build the project and Make will perform both steps if both are needed.

                                                      1. 8

                                                        My own philosophy is that blogs don’t need comments. If you want to respond you can contact me or write your own blog post or tweet or tiktok about it - whatever it may be. I don’t want to assume responsibility for moderating and/or curating somebody else’s words that will show up alongside my own.

                                                        1. 2

                                                          Personally, I’m often disappointed to find that a blog post doesn’t have a comments section. Writing an e-mail just to express your gratitude feels weirder than leaving a comment.

                                                          1. 3

                                                            I appreciate gratitude expressed by email way more than that expressed by comment.

                                                            I also feel a comment section is meant to serve other readers of the article at least as much as its author, so in fact I feel expressions of gratitude about the article are misplaced in the comments.

                                                            1. 1

                                                              I also feel a comment section is meant to serve other readers of the article at least as much as its author

                                                              That’s a good point, and I agree!

                                                              What I dislike about writing e-mails is the ceremony involved. I need to explain what article I’m referring to, why I’m writing, say hello and goodbye and so forth. In a comments section, all of those things are implied. (That’s not to say I dislike writing e-mails in general, just as a replacement for comments.)

                                                              1. 1

                                                                Indeed. That is why I appreciate emailed expressions of gratitude so much more – here I have someone so compelled to say thanks that all the trouble they had to go through didn’t deter them. It just hits differently.

                                                                (Doesn’t mean a graceful and sincere response necessarily comes naturally, so sometimes I have taken a long time to reply and in a handful of cases I never did – but don’t let fear of shouting into a void discourage you. I promise, if the author does see your message (which spam filters unfortunately do make uncertain), it will almost certainly be gladly received, even if you never hear back.)

                                                            2. 1

                                                              I make a point of writing emails to express gratitude. Maybe it’s a little weird, but it’s almost always appreciated.

                                                            3. 1

                                                              I wonder how many (if any) tiktoks exist that are replies to blog posts.

                                                            1. 1

                                                              Anyone have any numbers for the size of 100 SVG files vs. an icon font with the same glyphs? I imagine it’s a pretty big difference. SVG is XML, which is the least efficient way to encode a Bézier path I can think of. Whereas web fonts are TrueType, which, having been designed circa 1989, goes to great pains to keep path data compact.

                                                              Plus, isn’t the browser making 100 HTTP requests to fetch those 100 SVGs?

                                                              I do understand the accessibility reasons against web fonts. I just don’t think this article took into account their size benefits.

                                                              1. 6

                                                                You can put multiple icons in the same SVG file, define a <view> with its own id and viewBox for each of them, and address that id with a fragment on the SVG URL to limit the view to just that icon. You can use such URLs in background-image and then use background-size to scale the icon as needed.

                                                                Works in all browsers, all the way back to IE 9 (!) if you want to.

                                                                And unlike with icon fonts (where you have to juggle meaningless codepoint numbers or cryptic Unicode characters in the CSS or markup) and PNG sprites (where you have to juggle meaningless pixel coordinates in the CSS), these SVG sprites also lead to completely readable and maintainable CSS, assuming you assign meaningful names to the IDs (e.g. “background-image: url(toggle.svg#enabled);” or such).
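
                                                                To make that concrete, here’s a minimal sketch of what such a sprite file could look like (a hypothetical toggle.svg holding two stacked 16×16 icons, each exposed through a named view):

                                                                <svg xmlns="http://www.w3.org/2000/svg" width="16" height="32">
                                                                  <!-- named views, addressed as toggle.svg#enabled / toggle.svg#disabled -->
                                                                  <view id="enabled" viewBox="0 0 16 16"/>
                                                                  <view id="disabled" viewBox="0 16 16 16"/>
                                                                  <circle cx="8" cy="8" r="6" fill="green"/>  <!-- the "enabled" icon -->
                                                                  <circle cx="8" cy="24" r="6" fill="grey"/>  <!-- the "disabled" icon -->
                                                                </svg>

                                                                Each fragment then behaves like a standalone 16×16 image that background-size can scale freely.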

                                                                1. 3

                                                                  You can put multiple icons in the same SVG file,

                                                                  And then you gzip it and compress away most of the redundancy.

                                                                  1. 1

                                                                    This is pretty close to how the sprite in Feather works. Google Material Icons also used to have a sprite sheet, but the set got bloated and they did a structural overhaul in 4.0 that left it out.

                                                                1. 1

                                                                  I do wish nation states would report exploits to get them fixed instead of hoarding them to attack other nation states.

                                                                  1. 1

                                                                    Imagine if all of them had a publicly funded version of Project Zero.

                                                                    1. 2

                                                                      I had to make a URL shortener at a previous job. One of the requests for it was that any query parameters passed to the short URL would be passed along to the long URL. So a request to sho.rt/xyz?foo=bar would redirect to example.com/?page_id=123&foo=bar. The main reason for this was that the short URLs would be posted on Facebook for campaigns, and if you then promote a post (buy advertising) Facebook would add extra query parameters onto the URL in the post. So passing on these parameters would allow people to know how many clicks came through organically and how many were through the paid advertisement.

                                                                      Thinking about this again, it seems like a silly use case for a URL shortener, but it might be that people wanted the ability to change what the short URL pointed at after it was posted; I can’t recall.
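
                                                                      The forwarding logic itself was tiny, by the way – something along these lines (a reconstructed sketch using Python’s standard library, not the actual code):

                                                                      from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

                                                                      def expand(long_url, incoming_query):
                                                                          # Keep the long URL's own parameters first, then append whatever
                                                                          # extras (e.g. Facebook's tracking parameters) arrived on the short URL.
                                                                          parts = urlparse(long_url)
                                                                          merged = parse_qsl(parts.query) + parse_qsl(incoming_query)
                                                                          return urlunparse(parts._replace(query=urlencode(merged)))

                                                                      # expand("https://example.com/?page_id=123", "foo=bar")
                                                                      #   -> "https://example.com/?page_id=123&foo=bar"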

                                                                      1. 1

                                                                        Link shorteners were created in the first place mainly because of sites with huge query strings with lots of junk in them. Their effect has instead been to normalise the wrapping of links with extra tracking layers. The fact that this has gone so far as to mean adding query strings with junk to “shortened” URLs is so deep in unintended consequences territory as to end up sunk in the irony swamplands.

                                                                      1. 1

                                                                        @tedu: You followed “be liberal in what you accept”, but that’s only half the law, and I don’t see where you can credibly claim to have followed “be conservative in what you emit”. It’s a useful set of observations that if you are liberal in what you accept then testing against yourself is insufficient to ensure that you are also conservative in what you emit; that therefore you may be aspiring to Postel but actually failing; and that a failed aspiration to Postel may be costlier than no aspiration at all. But to call this observation a rebuttal of the law is overstretching it. Which actually does it injustice; it does not need to have that grand an implication to be worthwhile.

                                                                        1. 6

                                                                          Seems like web ads are becoming worse and worse for publishers and viewers over time.

                                                                          1. 1

                                                                            Pray I don’t alter it any further.

                                                                          1. 1

                                                                            Aren’t there some people, somewhere, who work in reasonably well defined and unchanging environments? Isn’t it at least theoretically possible to engineer out a whole bunch of these soft variables? How does NASA do things these days?

                                                                            1. 4

                                                                              NASA (and ESA, and Roskosmos, and JAXA…) constantly miss their ETAs and run over budget. And since the house-building analogy is even more true for them, that’s not surprising.

                                                                              1. 4

                                                                                NASA isn’t unusual for its ability to deliver on time and on budget; it’s unusual for its ability to create computing systems reliable enough to put in spacecraft. They can achieve this because they can absorb a level of development cost that (for better or for worse) no business would tolerate.

                                                                                In the context of the article linked here, NASA is not a relevant example.

                                                                              1. 2

                                                                                I still feel that this is an American issue and isn’t such a big issue in Europe, where in ‘most’ countries you can trust your ISP to do the right thing. Another issue I have with forcing DoH is that the system DNS settings are no longer respected, and now all your DNS requests are going to be collected by Cloudflare.

                                                                                1. 1

                                                                                  collected by Cloudflare.

                                                                                  Instead of speculating, see: https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/

                                                                                  • Cloudflare will not retain any personal data / personally identifiable information, including information about the client IP and client port.
                                                                                  • Cloudflare will retain only limited transaction data for legitimate operational and research purposes, but in no case will such transaction data be retained by Cloudflare for more than 24 hours.

                                                                                  And this is audited:

                                                                                  And we wanted to put our money where our mouth was, so we committed to retaining KPMG, the well-respected auditing firm, to audit our practices annually and publish a public report confirming we’re doing what we said we would.

                                                                                  1. 3

                                                                                    Turning “trust us” into “we paid consultants a lot of money, so trust us” doesn’t change anything fundamental about the proposition. Even if Cloudflare want to do the right thing, they are set to be a single point of snoopage in terms of the network. Even if Cloudflare are doing the right thing, it may not matter – the NSA didn’t exactly tell Google or Yahoo when they tapped their infrastructure.

                                                                                    Of course, your DNS requests always go somewhere, so there is always a trust relationship. You have to make an informed decision here about whether Cloudflare is a bigger risk than wherever you would normally get your DNS service from.