1. 10

    Maybe people will reconsider using MiTMflare if we get a few more outages like this.

    1. 7

      Can you suggest some comparable services with better uptime or, failing that, better postmortems?

      1. 6

        What’s the use case you have?

        I just use … “my web host” (which happens to be Dreamhost, which does offer optional Cloudflare integration, but I intentionally leave it off). It has survived all the HN traffic news spikes just fine, as well as spikes from Reddit, lobste.rs, from an O’Reilly newsletter, and from what I think is some weird Google content suggestion thing (based on user agent).

        It has worked fine for 10 years. The system administration seems very competent. I don’t know the details, but they have their own caches.

        I noticed this guy said the same thing about Dreamhost: https://www.roguelazer.com/2020/07/etcd-post-follow-up/ i.e. that it’s worked for 15 years.

        I feel like a lot of people are using Cloudflare for some weird “just in case” moment that never happens. I’m not saying you don’t have that use case, but I think many people talking about and using Cloudflare don’t.

        To me Cloudflare is just another layer of complexity and insecurity. I would consider using something like it if I had a concrete use case, but not until then. Computers are fast and can serve a lot of traffic.

        1. 3

          The use case is free caching, and free bandwidth if you use some services for hosting (like backblaze). Which cuts down a lot of costs depending on the website you’re running.

          1. 3

            Where is the original site hosted? Why does it need caching?

            (I’m not familiar with Backblaze – is it a web host or is it an object store or both?)

            My point is that, depending on the use case, you probably don’t need caching, so it doesn’t matter if it’s free. There is a downside in security and complexity, which is not theoretical (as this outage shows, and as MITM attacks by state actors and others have shown.)

            1. 2

              (I’m not familiar with Backblaze – is it a web host or is it an object store or both?)

              Backblaze has a backup service, as well as a service called “b2” which is basically an s3 like object storage service.

          2. 1

            For the use cases I’ve had, I have (we have) used Fastly, a local Varnish/Apache/Nginx, or Rails middleware. The goals were some combination of a) overriding the backend’s declared cache lifetime b) speeding up page response c) letting the client cache various things even if not cachable by intermediates.

            Cloudflare combines all that with good DDOS protection and good performance globally. I can see how that’s an attractive feature set to many people, and while it’s a shame that VCs haven’t funded three dozen copycats, suggestions like that of @asymptotically that people just shouldn’t use it are stupid. It’s a fine combination of features, and telling people to just not want it, without suggesting alternatives, is IMO offensive and stupid.

          3. 4

            I don’t think so. I think that Cloudflare’s offerings are very good, they got this whole thing fixed in 30 minutes and explained how they’re making sure nothing similar happens again.

            The main problem I have with Cloudflare is their size. What good is a decentralised internet if we just connect through the Cloudflare VPN, resolve a domain via Cloudflare DNS and then get our requests proxied through Cloudflare?

            I also hate the captchas that you are occasionally forced to do.

            1. 3

              the captchas that you are occasionally forced to do

              Or all the time when connecting through Tor. Privacy Pass barely works :/ and it’s really silly that you need captchas to just view public pages! If they want to prevent comment spam and whatnot, why not restrict captchas to non-GET requests by default >_<

            2. 1

              DNS or anti-DDoS? Doesn’t OVH have anti-DDoS servers, for example?

              1. 6

                Cloudflare is a CDN with DDOS features (and has some related products, such as a registrar). It offers quick page access anywhere in the world, excellent support for load spikes, and DDOS protection.

                A lot of ISPs offer anti-DDOS features for their products (which may be a product like Cloudflare’s or a different one, like OVH), but the feature is often one that displeases the victim: Dropping packets to the attacked IP address until the attacker grows bored and goes away. I don’t know what OVH means by anti-DDOS and their description page sounds a little noncommittal to my ears.

                1. 3

                  OVH’s anti-ddos will trigger on legitimate traffic and then people will say your website has been “hugged to death” when it’s just OVH that shut down all incoming connections.

                  1. 2

                    OVH, the service from which 1/3 of my current bot-attacks come.

                    1. 1

                      Okay. Never used their services myself and don’t know how bots affect their anti-ddos or DNS.

                2. 2

                  My impression was BGP problems (specifically BGP leaks, I think) were not just a problem in a CDN like Cloudflare, but also allowed mistakes by small players to cause huge numbers of people to temporarily lose internet access.

                  Is there a difference in what happened here, and if so, is it a difference of scale, or some other kind of difference?

                  1. 3

                    This incident is related to internal BGP, not eBGP, and could’ve happened with any internal routing protocol.

                1. 14

                  This postmortem seems unusually bad by Cloudflare’s standards.

                  They did a BGP change and stuff almost immediately changed. But tracing the outcome back to the change took >20 minutes. That seems strange. How come? Don’t they have a log of actions taken on the routers, that would show that something was done on one of the affected routers a few seconds before the graphs went up to full or down to zero?

                  I’m also surprised that the relevant POPs continued to export the world-facing anycast routes when their success rate dropped to near zero.
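                  The check the comment asks for, as an added example that is not part of the post or of Cloudflare’s tooling: given an audit log of actions taken on routers and a per-POP success-rate series, pair each collapse of the success rate with the changes made on that POP’s routers in the seconds before it. The log format, router names, POP names and timestamps are all constructed for illustration, and the assumption that a router’s name ends in its POP is a hypothetical naming convention.

```python
from collections import namedtuple
from datetime import datetime, timedelta

Change = namedtuple("Change", "ts router pop action")
Sample = namedtuple("Sample", "ts pop success_rate")

# Constructed audit log (hypothetical format): "<ISO timestamp> <router> <action>".
# Router names are assumed to end in the POP they belong to.
AUDIT_LOG = """\
2020-07-17T20:23:10Z rtr1.pop-atl bgp-policy-commit
2020-07-17T20:25:01Z rtr2.pop-ams interface-description-update
2020-07-17T20:25:09Z rtr1.pop-atl bgp-policy-commit
"""

# Constructed per-POP request success-rate samples: "<ISO timestamp> <pop> <rate>".
METRICS = """\
2020-07-17T20:24:00Z pop-atl 0.99
2020-07-17T20:25:00Z pop-atl 0.99
2020-07-17T20:25:15Z pop-atl 0.02
2020-07-17T20:26:00Z pop-atl 0.01
2020-07-17T20:25:15Z pop-ams 0.98
2020-07-17T20:26:00Z pop-ams 0.97
"""


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_audit(text):
    """One Change per audit line; the POP is taken from the router name suffix."""
    changes = []
    for line in text.splitlines():
        ts, router, action = line.split()
        pop = router.split(".", 1)[1]
        changes.append(Change(parse_ts(ts), router, pop, action))
    return changes


def parse_metrics(text):
    samples = []
    for line in text.splitlines():
        ts, pop, rate = line.split()
        samples.append(Sample(parse_ts(ts), pop, float(rate)))
    return samples


def find_anomalies(samples, threshold=0.5):
    """Return the first sample of each run in which a POP's success rate sits below threshold."""
    by_pop = {}
    for s in sorted(samples, key=lambda s: s.ts):
        by_pop.setdefault(s.pop, []).append(s)
    anomalies = []
    for series in by_pop.values():
        healthy = True
        for s in series:
            if s.success_rate < threshold and healthy:
                anomalies.append(s)
            healthy = s.success_rate >= threshold
    return anomalies


def correlate(changes, samples, window_seconds=60, threshold=0.5):
    """Pair each anomaly with the changes made on that POP's routers in the preceding window."""
    paired = []
    for anomaly in find_anomalies(samples, threshold):
        earliest = anomaly.ts - timedelta(seconds=window_seconds)
        suspects = [
            c for c in changes
            if c.pop == anomaly.pop and earliest <= c.ts <= anomaly.ts
        ]
        paired.append((anomaly, suspects))
    return paired


if __name__ == "__main__":
    for anomaly, suspects in correlate(parse_audit(AUDIT_LOG), parse_metrics(METRICS)):
        print(f"{anomaly.pop} success rate fell to {anomaly.success_rate:.2f} at {anomaly.ts:%H:%M:%S}")
        for c in suspects:
            lead = (anomaly.ts - c.ts).total_seconds()
            print(f"  {c.router} {c.action} {lead:.0f}s earlier")
```

                  With the 60-second window only the second commit on rtr1.pop-atl is paired with the collapse at pop-atl; widening the window to five minutes pulls in the earlier commit as well, which is the trade-off between a tight window that misses slow-propagating changes and a loose one that names innocent ones.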

                  1. 4

                    13% seems like a nonissue at first glance; the graphs should tell the same story except with slightly different numbers, right? If you have a signup form, GA should say that 32% come there from A, 68% from B, but the absolute numbers are undercounts and therefore the percentages are a little less precise. If you get 21% of your inbound visitors from site X, leaving out 13% of the browsers when counting should make the “21” less precise, that’s all, so the historical graph’s a little more wiggly but hovers around the same level.

                    But then there’s skew and join. About 50% of linux users disappear from the graphs, 5% of iphone users. If GA data is joined with something else, that skew might be a real problem. If someone facets the actual customer service costs by browser OS and then joins that with skewed GA, the cost of a linux-related customer service issue will appear to be twice as high as it really is. Someone might make a powerpoint slide that says “linux users form 2% of audience, 4% of customer service issues and costs ⇒ let’s drop linux”.

                    There aren’t very many linux users, so this isn’t a big problem. (Except for us linux users, maybe.) But I wonder what other skew might go unreported. I’ve heard that the city I live in has a much higher frequency of adblockers than other comparable cities, although I’m not sure how accurate that is.

                    1. 4

                      I used this some years ago.

                      There are several others like it and IIRC one of the others was drastically faster, but when I needed something like this I picked jpeg2png because its choices are governed by a reasonable mathematical model. No one has complained, which might perhaps mean that jpeg2png is great. YMMV.

                      1. 3

                        Quite a reasonable article. With which I disagree in detail, but detail is detail.

                        I think he’s right, unit testing is overrated, and I think I know why: It’s amazingly good for the things it handles well (“units”). And so people use it for purposes that other kinds of testing would handle better, and some of them notice that it doesn’t work very well, and draw the wrong conclusion.

                        If you try really hard you can call anything a “unit”. See truths 3, 8 and 10.

                        1. 8

                          There are so many kinds of bugs…

                          There are some bugs where I say “ok, if I understand this correctly, then this test should fail…”, add it to the testing framework, and run it, and if it fails, then I think I understand. (Did you know that if you sort countries by timezone, NZ is at the end of the list even if you sort the list the wrong way?)

                          There are some bugs that are much quicker to test mechanically than by spinning up a server and clicking a few buttons, so taking a few minutes to write a test right away is likely to save time while writing the fix if the fix is likely to require more than a few minutes of fixing and testing. (I have that today.)

                          I find many features easier to understand properly if I express the task’s invariants first, i.e. if I write some tests. “What should this new feature really do?” After writing a couple of tests, I may understand the fit between the new need and the existing code better, and write simpler code. As a bonus, when I’ve written some tests I observe that I try to keep the code simple, so as to avoid the need for more tests.

                          The tests that naturally repeat the code, as tedu implies, are a minority for me. Tests repeat the documentation more often than the code.

                          1. 4

                            Other tests grow obsolete because the target platform is retired, but not the test. There’s even less pressure to remove stale tests than useless code. Watch as the workaround for Windows XP is removed from the code, but not the test checking it still works.

                            I don’t see how that works? Or how that is possible?
                            Would not that test fail once its code is removed?
                            That failure would be momentarily inconvenient for whoever is removing it, sure, but when analyzed the test would be removed as unnecessary, no?

                            On the other hand, without tests, you might not even know the workaround is still lingering, long after support for Windows XP is gone. A constant somewhere that lists supported platforms, and a simple test that asserts that constant includes “Windows XP”, would fail when that is removed from official support.

                            Tests can help with removing unused (or no-longer needed) workarounds. In our test suite (at $WORK) we have what we call “sanity tests”, which have a few categories. One category is simply for workarounds, and does things such as assert “Is the version of library foo equal to 4.5.1 or higher?” and has a failure message saying something such as “A workaround in path/to/file is no longer needed. Please go remove it by {{instructions to remove}}.”

                            Beyond that, there are many ways to make test suites useful as they age. We have a dozen or so tests that have comments (or failure messages) such as “If this test fails, take a moment and consider removing it.” because it might have been testing an expected behavior that the author suspected (knew?) might become obsolete at some point.
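                            The two patterns described above (a supported-platform assertion that trips when a platform is dropped, and a library-version assertion that trips once the fixed release is installed), as an added example rather than the commenter’s actual suite. The `SUPPORTED_PLATFORMS` and `INSTALLED_VERSIONS` constants, the library name `foo`, the version threshold and the removal instructions are hypothetical; `path/to/file` is the placeholder the comment itself uses.

```python
import re

# Hypothetical project state: the suite pins these so that a change to either
# constant is what trips the sanity checks below.
SUPPORTED_PLATFORMS = {"Windows XP", "Windows 10", "macOS", "Linux"}
INSTALLED_VERSIONS = {"foo": "4.4.9"}


def parse_version(text):
    """'4.10.1' -> (4, 10, 1). Compare as integers: as strings, '4.10' < '4.9'."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    return parts or (0,)


def version_at_least(installed, minimum):
    return parse_version(installed) >= parse_version(minimum)


def stale_workarounds(installed_versions, supported_platforms):
    """Return one removal message per workaround whose reason has gone away.

    An empty list means every registered workaround is still needed; anything
    else is a test failure whose message tells the developer what to delete.
    """
    messages = []

    # Pattern 1: a workaround for a library bug fixed in a known release.
    # The library, threshold and instructions are placeholders.
    if version_at_least(installed_versions.get("foo", "0"), "4.5.1"):
        messages.append(
            "foo >= 4.5.1 is installed: the workaround in path/to/file is no longer "
            "needed. Remove it by deleting the monkeypatch and its import."
        )

    # Pattern 2: a workaround for a platform that has been dropped from support.
    if "Windows XP" not in supported_platforms:
        messages.append(
            "Windows XP left SUPPORTED_PLATFORMS: remove the XP socket workaround "
            "in path/to/file and the test that exercises it."
        )
    return messages


def test_workarounds_still_needed():
    """The sanity test itself: passes while every workaround is still justified."""
    stale = stale_workarounds(INSTALLED_VERSIONS, SUPPORTED_PLATFORMS)
    assert not stale, "\n".join(stale)


if __name__ == "__main__":
    test_workarounds_still_needed()
    # Simulate the library being upgraded and XP being dropped from support.
    for msg in stale_workarounds({"foo": "4.10.0"}, {"Linux"}):
        print("FAIL:", msg)
```

                            The version comparison is done on integer tuples deliberately: a string comparison would rank “4.10.0” below “4.9.9” and the check would silently never fire.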

                            1. 8

                              The test continues to work because it would fail on Windows XP, and the code is removed just after Windows XP is removed from the set of testing platforms.

                              However. Bugs that prevent users from working are really bad. Bugs that irritate users are also bad, but not quite that bad. Bugs that block CI etc. and thereby block the development team are even less bad. Bugs that block a single developer are even less bad. Bugs that slow down unit testing by a millisecond are at the very end of the scale. Give me a hundred of those and relieve me of a small chance of the first kind, and I’ll still think the swap is a good one for me.

                              1. 1

                                Aha, I misinterpreted an aspect of the example. Thanks.

                            1. 4

                              Bill Shannon was among the half-dozen people who answered most questions about IMAP on Stack Overflow. One can learn something about the people by reading their answers… Bill’s answers are uniformly unopinionated and helpful. You may be able to tell from my answers whether I’d slept well, not so from Bill’s. I thought him professional, but now that he’s dead, I finally understand that the correct adjectives are gentle and helpful. RIP, I suppose. It’s good that the answers stay.

                              1. 39

                                I’ve lived with depression and bipolar to various degrees the majority of my life. 2019 was incredibly hard for me. I’m doing better than I was in 2019, but the feeling of numbness has returned. I’m unable to really feel emotion while in this depressive state. I feel somewhat guilty and ashamed that I can’t be the husband my wife needs me to be right now, which further fuels the depression. I’m seeing a therapist and taking meds, doing what I can to get out of this, but I’m not sure I will be free from this internal oppression.

                                I’m not really looking for sympathy or resolution, but I hope that by opening up publicly, I can help rid stigma and let others know they’re not alone. In the US, our society is okay with saying “I have the flu” but not “I live with mental illness.”

                                1. 15

                                  Here with you: got my bipolar diagnosis this year after a couple of years seeing a therapist but never really having a name to give to my cyclical depression.

                                  The lockdown hit me hard, even though I’ve been WFH for several years now. What little social escape + contact I had outside my family basically stopped cold, and I found myself trying and struggling to redirect all my energy and self-worth into work, feeling dumb + ineffective, and staying in that loop for too long.

                                  By late March it basically boiled over, and I had a breakdown. I was hospitalized briefly and then took several weeks of leave to focus on therapy, rest, and rebuilding some sort of self-care plan and habits. Now I’m back at work, shaken but also trying to just slow down and find time for all the things in moderation. It’s basically just: work, rest, family, chores (not necessarily in that order)…lather, rinse, repeat.

                                  So basically: lockdown sucks, esp. with mental illness; great resources are out there, but it can take an acute crisis for most folks to go after them; you’re brave to speak up like this, and I hope you get to feeling like every day is a little better than the one before (even if the starting point isn’t great).

                                  1. 10

                                    I voluntarily admitted myself early this year to a partial hospitalization program–an intensive outpatient therapy program. I haven’t really dealt with my issues in the most productive ways until this year (part of why 2019 hit me hard.)

                                    I learned a lot of coping skills and tools. I’ve started journaling on a semi-regular basis. My memory is horrible (likely due, at least in part, to depression+bipolar) and it feels nice to have something that I can grep. Literally grep through my life. grep -rnF 'feelings' journal. :-D

                                  2. 7

                                    This may or may not be your thing, but I listened to a couple lecture series (through audible) that I think have really helped me with depressive thoughts and behaviors:

                                    1. Cognitive Behavioral Therapy Great Courses https://a.co/hbhlSPc
                                    2. The Science of Mindfulness Great Courses https://a.co/1AiSnpM

                                    Both provided a wealth of information. I think the second one was more valuable for me, personally. If either of them sound interesting, I highly recommend checking them out!

                                    1. 2

                                      Will do. Thanks for the links!

                                    2. 6

                                      This really bothers me because I really know what you are talking about (I never had this kind of disease though, but I used to know a lot of people in the same situation) and I’d really love to help even if I don’t really know how. Maybe I should take a look at voluntary groups near where I live…

                                      In the US, our society is okay with saying “I have the flu” but not “I live with mental illness.”

                                      Not just in the US and not just with mental illness unfortunately! Look at drugs and AIDS and hemorrhoids and…

                                      1. 1

                                        I’m unable to really feel emotion while in this depressive state.

                                        So you don’t feel lonely, bored or otherwise distracted by emotions?

                                        1. 3

                                          Perhaps it makes sense to you to say: The urges and emotions don’t feel real. They feel weak, like shadows of emotions rather than the real thing.

                                          1. 1

                                            Distracted from what exactly? The things you aren’t currently doing because you don’t feel motivated or interested in anything?

                                            1. 0

                                              I do plenty of things that I’m not interested in, like cleaning the house.

                                        1. 3

                                          The .xyz TLD is fun, small, refreshing, funky, a whole lot cheaper and you don’t support colonialism.

                                          Perhaps, but it still sounds childish and looks like something you’d choose if all other serious options are not available. At least that’s the feel I get and I’m certain a lot of other more casual users do too. .io was kind of lucky that it managed to get into the .com, .net, .co.uk, … group of common domain names.

                                          1. 17

                                            Yeah, good point. It must be my recent interactions with the indieweb, but… The internet is supposed to be fun and perhaps, to some degree, childish. For serious stuff, by all means, avoid .xyz, .wtf, .ooo, use .org, .com, .net, .tech, .news, .computer. There’s so much out there, even more meaningful than “input/output” :)

                                            1. 17

                                              The internet is supposed to be fun and perhaps, to some degree, childish.

                                              I couldn’t agree with this more. People have lost touch with this attitude.

                                              1. 6

                                                People have lost touch with this attitude.

                                                Sorry to be so cynical, but it’s easy to lose touch with the fun internet when even personal blogs are packed with trackers and advertising and trying to monetize everybody.

                                                Except for some relatively obscure corners, the light hearted and fun internet is dead. At this point, I doubt most people ever even experienced that part of it.

                                                1. 4

                                                  I strongly disagree. Let’s say in 1995 there were 10 websites and all of them were fun and childish. In 2000 maybe there were 10,000 websites and 50 of them were fun and childish. In 2020 there are 10 million websites and 10,000 of them are fun and childish. And I see people calling that a bad thing?!

                                                  The internet of the 90s didn’t go away, there’s just more built up around it. You can have that old internet back, just block Facebook and Google and hell even the top million sites. All you have to do is just not visit the sites you don’t like. When I hear people say the old internet is gone what I hear is that they want all websites to be like the old internet. There’s more “old internet” today than there ever has been and it’s easier to find those sites than it ever has been. I don’t go into my favorite ice cream shop and complain about all the fancy new flavors, because I can still buy plain old vanilla. Strawberry shortcake didn’t replace my favorite flavor, it’s all still there. The only difference now is that I have other flavors tempting me, flavors no one is forcing me to buy. Vanilla is still there.

                                                  Complaining that the good sites are stuck to the obscure corners ignores the fact that the 90s web was an obscure corner.

                                                  1. 2

                                                    I think you misunderstood what I was trying to say. I was on the internet in 1995, and while there are things I miss, like the higher signal to noise ratio and less advertising, I don’t have anything against the modern web and I don’t have any interest in making the modern internet more like the internet of the past.

                                                    The point I was making is that the whole mindset of the web has changed, and even if you block millions of sites you’re not going to get the same open and “fun” experience as browsing back in the 90s. The mere fact that you have to put so much effort into it changes the experience.

                                                    It’s like trying to relive the 1870s by driving a horse and buggy in traffic on modern streets - maybe you’re getting some idea for what it was like, but it’s a long ways off from what it was really like back then.

                                                  2. 3

                                                    I didn’t intend for my comment to be a pointed one, or to blame anyone. It was perhaps directed more at the people who run those blogs that are packed with trackers and advertising.

                                                2. 2

                                                  I recall when there was a minor uproar over .xxx … at some point one must do away with childish things, no?

                                                  1. 4

                                                    Why, exactly?

                                                    It’s never too late to have a happy childhood. (That’s a quotation, yes. Fine book.)

                                                    1. 1
                                                      1. 2

                                                        This is actually a verse from the Bible:

                                                        https://biblehub.com/kjv/1_corinthians/13-11.htm

                                                        1. 1

                                                          Is that a film where the man is a thoughtful person or more of a badass? If thoughtful you can make a thoughtful argument. If badass, I suppose there isn’t much of an argument to be made.

                                                  2. 4

                                                    I agree. I own both snazz.xyz (because it’s fun, short, and fits well with the theme of my username) and a more professional website with my CV and academic information at [firstname][lastname].com. I think that owning both serves me well at a lower annual cost than a single .io.

                                                  1. 18

                                                    I applaud Apple’s approach to privacy, http://www.apple.com/privacy I was shocked to learn that coming from one of the largest corporations in the world, they are pushing the correct approach to privacy. Control of the private key.

                                                    Zoom has been caught lying in the past and has very fishy claims and ostensible practices. https://www.schneier.com/blog/archives/2020/04/security_and_pr_1.html So this is not a fair comparison in my opinion, but I do agree with the author’s principles and reasoning.

                                                    1. 10

                                                      The exact problem is that in this case Apple does not give ‘control of the private key’ to the consumer.

                                                      (It’s not clear in this article, but I believe this is specifically limited to iCloud backups of iOS devices, and that it can be resolved by turning that feature off. This is an important issue to me and I’d appreciate more info if anyone has some.)

                                                      1. 5

                                                        I understand, iOS does not give control of the private key to the user, even more, the software used for messaging is highly proprietary and locked down. Thanks for the correction, I was jaded by their slick marketing webpage.

                                                        Does Apple have the ability to decrypt users’ iMessages? Up until now, I was going on the assumption that iMessages were encrypted similarly to Signal.

                                                        1. 7

                                                          Apple has the ability to remotely install any software on your phone that they want, and therefore exfiltrate any data that they want.

                                                          1. 2

                                                            I don’t think that quite follows… Apple has the ability to install a new OS, and it has the ability to install apps, but both have limitations. I’ll deal with each.

                                                            1. OS. If Apple is willing to build a custom version of the new OS and serve that to you when it serves a new OS to other people, then your custom OS can exfiltrate anything. That’s a high bar though.

                                                            2. Apps. Apple can install apps on your device at any time and perhaps silently, but those apps are subject to the security regime enforced by the OS version your phone already runs, which is one that countless researchers have checked as carefully as they can. The installed app won’t have the ability to exfiltrate any and all data belonging to the system or other apps.

                                                            The past is immutable. Apple can write any code, but no one, not even Apple, can travel into the past.

                                                            1. 2

                                                              OS. If Apple is willing to build a custom version of the new OS and serve that to you when it serves a new OS to other people, then your custom OS can exfiltrate anything. That’s a high bar though.

                                                              Why would it have to be a custom version, and why would it have to be timed with the release of some other version?

                                                              Apps. Apple can install apps on your device at any time and perhaps silently, but those apps are subject to the security regime enforced by the OS version your phone already runs, which is one that countless researchers have checked as carefully as they can.

                                                              Which is not carefully at all because they can’t audit the code.

                                                              1. 2

                                                                Apps. Apple can install apps on your device at any time and perhaps silently, but those apps are subject to the security regime enforced by the OS version your phone already runs.

                                                                Security engine works with rules, and those rules on apps are set by Apple. Safari is the only app that has JIT permissions, there is no reason why they couldn’t do that for a rogue app.

                                                                1. 1

                                                                  Are you saying that iOS has a permission that permits apps to read other apps’ data? Or rather that some future version of the OS could hypothetically add such a permission that would, further in the future, enable silently installed apps to read other apps’ data?

                                                                  If the latter, then it’s a special form of the statement “product X is bad, because it could in the future be modified to do bad things”.

                                                                  1. 1

                                                                    Cursory search says that it does exist. Though I’m not an iOS developer by any means.

                                                                    1. 1

                                                                      I’m not either. A friend who is says that capability doesn’t really exist any more. It once did and still has a name, but since deprecation the name is all it has.

                                                                  2. 1

                                                                    And they have done this before. For example, the “Clips” app which is distributed through the AppStore has immediate camera access without prompting the user, I believe, because the app ships with a code sign entitlement that grants unprompted camera access. A regular iOS developer would never get Apple to sign such an entitlement, but as the Uber screen capture entitlement scandal proved, some developers are more equal than others.

                                                              2. 1

                                                                From Apple’s own iCloud security overview page:

                                                                If you have iCloud Backup turned on, your backup includes a copy of the key protecting your Messages.

                                                                Apple has the key to your backups, so they can access the iMessage key, rendering the so-called E2EE useless. If you disable iCloud backups, your messages can still end up in other people’s backups.

                                                              3. 4

                                                                You’re correct. iCloud backups can be retrieved by Apple. Using iTunes for backups is still safe. iCloud Photo Library is not end-to-end encrypted either, but that provides major usability benefits (like being able to see your photos from iCloud.com just like the competitor, Google Photos).

                                                                This is the one major flaw with Apple’s privacy strategy for “average Joe” users. I think that having iCloud Backup on by default is great (losing your phone isn’t such an issue anymore), but it would be great if there were at least an option to encrypt it. Is the idea that people who lost their phone and forgot their password (because they never use their password after setting up their phone) would want access to the backups? That’s my only guess.

                                                                1. 3

                                                                  Why would they? An average customer does not understand what a private key is. If you give out private keys to end-users and they lose them you are going to end up with massive data loss. Apple does the right thing. This is not perfect but it works for most cases. The other end (no unauthorized access to private keys) of this should be guaranteed by the law like in the EU. It is unfortunate that the US has the Patriot Act but it does not mean that you could have a chance against the US gov agencies even in the case of privately stored private keys.

                                                                2. 5

                                                                  I was shocked to learn that coming from one of the largest corporations in the world, they are pushing the correct approach to privacy. Control of the private key.

                                                                  I’m shocked that you trust one of the largest corporations in the world to live up to their promises on this - or any other - issue. That implies you ascribe morals to the corporation, an organisation without morality. In the end it implies you assume Apple corp. would rather go down in flames (i.e. be forced to pay fines even they could not shoulder, being forced to split the company, etc.) than allow a bunch of TLA’s to do some harvesting.

                                                                  It isn’t that I single out Apple here: I don’t think you can trust any of these entities, and you should act accordingly with data you don’t want to get in the wrong hands. For most people this won’t matter but if, say, you’re a dissident writer in Hong Kong or you happen to have proof of what really happened to Epstein it would be foolish to simply trust those data to an iDevice in the assumption that they’re safe from any adversary.

                                                                  1. 3

                                                                    I was shocked to learn that coming from one of the largest corporations in the world, they are pushing the correct approach to privacy. Control of the private key.

                                                                    The reason gigacorps don’t care about privacy is because most of them rely on siphoning your information for profit. Apple don’t, since they sell premium hardware and fashion accessories. That’s why Apple can give users more privacy.

                                                                    1. 1

                                                                      They are still trying to maximize their profits, and data is “the new oil,” so giving users privacy is not a viable path even for Apple. Marketing the idea of privacy on the other hand is a viable strategy.

                                                                      Am I missing some substantive difference between Apple’s privacy policy and that of other tech companies?

                                                                    2. 4

                                                                      This makes so little sense to me, I think I might be parsing it wrong.

                                                                      1. 2

                                                                        Who has control over the private key? Steve has always been a pioneer in taking control away from users. Even if they claim the key resides on the device, this is far from the user controlling the key. The actual correct approach to privacy would have to give real control to users, and Steve could not be farther from this.

                                                                      1. 13

                                                                        I would financially support a fork of Firefox with all the garbage removed. The home page bullshit, Pocket, all the automatic requests made without user action, and more that I probably don’t know of.

                                                                        1. 8

                                                                          At least Firefox does allow us to disable anything we don’t want/need.

                                                                          1. 15

                                                                            Not everything. Try running Wireshark before you open Firefox and see if you can configure it to produce zero requests on startup. I tried that last week and there was a request to firefox.settings.services.mozilla.com that I think there’s no about:config setting to disable.

                                                                            Also, there is the fact that when opening a fresh install of Firefox for the first time you’ll make requests to a bunch of random companies, like Facebook, Google etc. The only way to protect yourself from that is to know it beforehand and disable it via user.js before opening the browser. I don’t think that’s right and I wish I could prevent my browser from telling these companies about me. These things should be opt-in in my view.

                                                                            1. 7

                                                                              If you disable your internet connection before launching Firefox for the first time, would that give you an opportunity to turn everything off without making extra requests first? I agree that it’s crappy that this is even necessary, but maybe this is a simpler workaround than tweaking user.js?

                                                                              1. 1

                                                                                Good idea!

                                                                            2. 9

                                                                              The megabar issue proves the contrary.

                                                                              1. 5

                                                                                https://www.userchrome.org/megabar-styling-firefox-address-bar.html#mbarstyler

                                                                                This is not an acceptable solution, by the way: like many organizations, Mozilla needs to get better at incorporating feedback and reverting bad changes. But you did claim it was impossible to undo the megabar, when it’s actually perfectly doable. I also figure that a lot of people would be interested in knowing this.

                                                                                1. 2

                                                                                  You don’t even need a userChrome for this, there’s an about:config flag (browser.urlbar.update1 I believe).

                                                                                  1. 3

                                                                                    This flag got removed in v77.

                                                                                  2. 1

                                                                                    I did not say it was impossible, but they aim to make changing it as hard as possible. I do not know the reason for Mozilla acting so about such a minute issue.

                                                                                2. 2

                                                                                  This isn’t correct. Look at what’s happening with forced updates, for example. Right now I keep installs performed as Administrator (and run as regular user) so the user can’t update, which results in Firefox throwing up dialogs complaining that it can’t update itself. I think I need to go back to building from source just to remove this garbage, but even building from source is more convoluted than it used to be due to sprawling dependencies.

                                                                                  1. 3

                                                                                    You made me realize that this is why Mozilla has zero interest in making an Electron equivalent with Servo.

                                                                                    A Firefox-like browser without the Firefox corporation would be a huge hit and thus unmonetizable.

                                                                                3. 6

                                                                                  Me too, very much so. Mozilla jumped the shark years back and their attitude does not seem to be improving. Its flagship really deserves a long trip through a detox and weight loss boot camp. It would be a significant effort, though; here are some interesting case studies from Cliqz (RIP) and ungoogled-chromium.

                                                                                  1. 1

                                                                                    I’d really like to see the Tor-browser without Tor. That seems to move in the right direction and they seem to be able to keep Firefox under control somehow.

                                                                                    1. 1

                                                                                      Why RIP? Cliqz seems to still be active.

                                                                                      1. 2

                                                                                        No, it died, the mothership can’t fund it any more. The servers still run, for the time being.

                                                                                        It’s a pity.

                                                                                        1. 1

                                                                                          Holy hell wtf.

                                                                                          Damn.

                                                                                    2. 3

                                                                                      There is IceCat [ https://www.gnu.org/software/gnuzilla/ ], though it’s based on ESR releases.

                                                                                    1. 4

                                                                                      (If you want to have a real shit time, try to use a USB-C video camera (like an Intel Realsense, for example) next to a sensitive GPS receiver or long-range wifi. Not with the PBP, just with anything.)

                                                                                      What would happen? I don’t own a sensitive GPS receiver or long-range wifi :)

                                                                                      1. 4

                                                                                        Unless you had very good quality USB hardware, they would get totally swamped by the radio interference radiating from the USB cable/connector. You know, the way that it’s theoretically not supposed to, in order to pass US FCC regulations. I do wonder how long before it causes a problem for an airplane; it can certainly cause problems for a drone navigating by GPS.

                                                                                        1. 3

                                                                                          When you plug a USB thing into the side of a laptop, the thing is perhaps 10cm away from the CPU and main memory, a drone overhead might be 10m up, and an airplane 10km up.

                                                                                          This means that the CPU and main memory (full of circuits only a few atoms wide) suffer interference that’s about 10000 times as strong as the drone and 10000000000 times as strong as the airplane, and they suffer that permanently. The airplane and drone move, the CPU is fixed, and the USB device must’ve been tested with at least a half-dozen current-day laptops.

                                                                                          CPUs really are amazing. They execute another instruction each time a photon moves 2cm, and contain electric conductors that are only tens of atoms wide. That’s a lot of sensitive parts and even very brief disturbances can last long enough to throw an instruction off the tracks. Testing that USB doesn’t bother such devices isn’t bad testing. Could be better I suppose, but it’s not bad.

                                                                                          1. 6

                                                                                            I was referring to items in the aircraft or mounted on the aircraft, sorry that wasn’t clear.

                                                                                            Also the problem isn’t interference in the CPU, the problem is the antennas for the communication or GPS system.

                                                                                            Citation: https://www.intel.com/content/www/us/en/products/docs/io/universal-serial-bus/usb3-frequency-interference-paper.html . Also I’ve tried to fly a drone with a small computer and USB3 camera attached to it. USB2 camera? Fine. Other sensors that transfer their data over ethernet? Fine, even with gigabit ethernet and unshielded cables. USB3 camera? Drone’s GPS gets swamped with noise and it gets lost, even with expensive “shielded” cables. Can happen with wifi as well; you can find lots of people complaining about it if you search.

                                                                                          2. 1

                                                                                            it can certainly cause problems for a drone navigating by GPS.

                                                                                            At what distance?

                                                                                        1. 1

                                                                                          Depends on how the machine’s random generator works; if it’s tied to time, for example, then possibly you can build a ML that will eventually figure out the upcoming number.

                                                                                          1. 1

                                                                                            I want to define the problem in terms of machine learning, but I am new to this field and cannot figure out what algorithm(s) to use to handle this situation.

                                                                                            1. 2

                                                                                              You’ll need to invent something, and Knuth would rate that invention a solid 50. Pseudorandom number generators nowadays are generally cryptographically secure, which means that the next number cannot be predicted from the past numbers using currently known mathematics or algorithms.
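                                                                                              As an added illustration of the distinction drawn above (this is example code, not something posted in the thread): a toy linear congruential generator whose output leaks its entire internal state, so the next value follows from the previous one without ever knowing the seed, next to the OS CSPRNG that anything security-relevant (session identifiers, reset links) should use instead. The LCG constants are the classic ANSI C ones; the class and function names are constructed for this example.

```python
"""Added example (not from the thread): a non-cryptographic PRNG whose next
output is predictable from the last one, beside the OS CSPRNG from `secrets`.
Constants are the classic ANSI C LCG parameters; names are constructed."""
import secrets

A, C, M = 1103515245, 12345, 2**31


class ToyLCG:
    """Linear congruential generator. Its output *is* its internal state,
    which is exactly why it must never be used for secrets."""

    def __init__(self, seed):
        self.state = seed % M

    def next(self):
        self.state = (A * self.state + C) % M
        return self.state


def predict_next(observed):
    """Given one observed output of ToyLCG, compute the following one.
    No seed is needed: the observed value is the whole generator state."""
    return (A * observed + C) % M


def lcg_is_predictable(seed):
    """Return True when the prediction from one output matches the generator's
    real next output (it always does for this generator)."""
    g = ToyLCG(seed)
    first = g.next()
    return predict_next(first) == g.next()


def csprng_token(nbytes=16):
    """Unguessable tokens come from the OS CSPRNG. There is no per-process
    state to recover from an observed token, so no predict_next() exists."""
    return secrets.token_hex(nbytes)
```

The contrast is the point: for the LCG a single observed value fixes every later value, whereas a token from `secrets` carries no recoverable state, which is what "cannot be predicted from the past numbers" means in practice.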

                                                                                          1. 5

                                                                                            Here’s the list:

                                                                                            1. Ability to assign suffix such as megacorp.com
                                                                                            2. Register hosts in DNS
                                                                                            3. Keep track of what host had what IP at a certain time
                                                                                            4. Image deployment via PXE (think DHCP options)
                                                                                            5. Other DHCP options used for example for WLC
                                                                                            6. Ability to easily swap DNS server in entire network (think Umbrella deployment)
                                                                                            7. Dot1X deployment where you want RADIUS server to see DHCP request
                                                                                            8. Need to support IP phones

                                                                                            1, 4 and 8 seem irrelevant to Android by design.

                                                                                            5 seems useful if one wants to support Cisco’s WLC, which is not a given. AFAICT Aironets work well with devices that don’t support WLC too. I’m curious about what WLC offers.

                                                                                            6 seems like a strange thing to me — remove the DNS caches and replace them with new ones, and expect that to work quickly?

                                                                                            2, 3 and 7 puzzle me, why can’t those be done by observing SLAAC? Is this a matter of “either the server or the clients need to be updated, and the server won’t be so the clients must”? 6 too, to some degree.

                                                                                            1. 5

                                                                                              Replying to myself: I understand it better now. Some people want to control access to their network and a DHCP server is a convenient choke point, but only if ~everyone uses DHCP. And Google’s attitude is that relying on 100% DHCP use is tantamount to relying on 100% RFC 3514 use, and therefore it’s better to not implement DHCPv6, so that the presumably deficient illusion of control is plainly seen to be deficient.

                                                                                            1. 2

                                                                                              BazQux is awesome. I’m disappointed nobody else has mentioned it yet.

                                                                                              1. 3

                                                                                                I also use BazQux and am very happy with it. I previously used a self-hosted version of tt-rss, but gave up when it started to fail too often on valid feeds with parsing errors and because of its obnoxious maintainer.

                                                                                                1. 2

                                                                                                  Also partially written in the rather obscure functional language ur/web https://github.com/bazqux/bazqux-urweb

                                                                                                  1. 1

                                                                                                    More about that in this blog entry and the message it links to.

                                                                                                1. 3

                                                                                                  I’ve a question, which I suppose some people might consider trolling, but I do want to know:

                                                                                                  Why keep blogging alive and thriving? What does that gain?

                                                                                                  I’m not arguing or even implying that it’s not worthwhile. I ask because I’ve heard the sentiment several times in the past years, and I don’t see how it’s related either to the blog posts I’ve written or those I’ve proofread for friends. Each of those has an audience to reach and a message to deliver, but “alive and thriving” doesn’t seem to matter for either audience or message. Some other things do. For example, being indexable by Google and other search engines is very important for the purpose of some postings. But if “alive and thriving” means that there should exist many other blogs with many new postings, then I don’t see how that makes a difference for actual blog postings such as the example mentioned in that audience-and-goal rant. So what does it mean, what benefit does it bring, why is it something to work towards?

                                                                                                  If you want to keep blogging alive and thriving, you should answer, because one of the big advantages of writing is that it clears your mind and improves your own understanding. Understanding the nature of a goal helps understanding how to better work towards the goal.

                                                                                                  EDIT: I want to digress. Writing to gain understanding is IMO a good reason to write some/many blog posts. There aren’t many formats where you can write five hundred words on any subject you want, but your blog is your kingdom.

                                                                                                  1. 2

                                                                                                    One of the main reasons for me is that personal blogs and websites make the web different and more personal too. All Facebook profiles look the same, all Twitter profile likewise. If we all move to them and produce and consume all of our content on those closed platforms, those platforms would be in full control and will be able to decide what happens with the future of the web. Keeping independent places alive and thriving keeps that free spirit and independence of the internet alive and thriving too.

                                                                                                    1. 3

                                                                                                      If I’m allowed some rather unkind phrasing: You’re saying that people who write should do it more on their own blogs and less on big prefab platforms so that readers experience a more diverse and more personal web. If that’s it, then I can see why the central platforms won so much — I could forget about my server’s uptime or about editing my CSS to be suitably mobile-friendly, and the people who suffer by seeing reduced diversity aren’t me. I gain ease of use and perhaps reliability, they lose diversity.

                                                                                                  1. -10

                                                                                                    The author lives in a country where he doesn’t understand the language, and has a problem with not understanding websites? I think he needs to get out more, meet some people.

                                                                                                    1. 17

                                                                                                      The point is, it has nothing to do with the user’s current location. It’s about the user’s preference. The browser has a way to indicate the visitor’s preferred language (e.g., Accept-Language header or navigator.language constant) and the choice should be respected if possible. Relying on the geolocation does not respect that choice.

                                                                                                      I live in France and I am a French native speaker, but my browser is configured to get the “en” version if available. I have my reasons for that, and I don’t want the French version just because my IP address is French.
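                                                                                                      The preference mechanism this comment refers to, as an added example that is not part of the thread: a server-side negotiator that reads Accept-Language (with q-values and a primary-subtag fallback such as en-GB to en) and only falls back to a default, never to the client’s IP location. The list of available languages, the sample headers and the function names are constructed for this example.

```python
"""Added example (not from the thread): pick a page language from the
Accept-Language header rather than from IP geolocation. The available
languages and sample headers are constructed for illustration."""
import re

# Languages the hypothetical site can serve (constructed list).
AVAILABLE = ["en", "fr", "de", "zh-Hant"]
DEFAULT = "en"

# One Accept-Language entry: a language range (or '*') with an optional q-value.
_ENTRY_RE = re.compile(
    r"^\s*([A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*|\*)\s*"
    r"(?:;\s*q\s*=\s*(\d(?:\.\d{0,3})?))?\s*$"
)


def parse_accept_language(header):
    """Return [(range, q)] sorted by descending q, keeping header order for
    equal q. Malformed entries are skipped (never fail the whole request on
    a bad header); entries with q=0 are dropped because the client refuses them."""
    prefs = []
    for position, part in enumerate(header.split(",")):
        m = _ENTRY_RE.match(part)
        if not m:
            continue
        rng, q = m.group(1), m.group(2)
        q = float(q) if q is not None else 1.0
        if q > 0:
            prefs.append((rng, q, position))
    prefs.sort(key=lambda t: (-t[1], t[2]))
    return [(rng, q) for rng, q, _ in prefs]


def negotiate(header, available=AVAILABLE, default=DEFAULT):
    """Choose the best available language for the given header.
    Order of attempts per client range: exact match, primary-subtag fallback
    (en-GB -> en), a more specific available tag (zh -> zh-Hant), then '*'
    which means "anything", so the site default. Geolocation never enters."""
    by_lower = {a.lower(): a for a in available}
    for rng, _q in parse_accept_language(header or ""):
        r = rng.lower()
        if r == "*":
            return default
        if r in by_lower:
            return by_lower[r]
        primary = r.split("-")[0]
        if primary in by_lower:
            return by_lower[primary]
        for low, orig in by_lower.items():
            if low.startswith(r + "-"):
                return orig
    return default
```

A browser set to `en-GB,en;q=0.9` from a French IP address therefore gets the English page, and a client whose header is empty or unparsable gets the site default rather than a guess based on where it connected from.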

                                                                                                      1. 14

                                                                                                        I prefer most web services that are not based in Sweden to be presented in English, simply because they usually have machine-translated Swedish that is awful.

                                                                                                        1. 3

                                                                                                          One of my first gigs was with the team who worked on the site for Familjens Jurist. At the time, the client insisted on using Google Translate instead of conventional internationalisation.

                                                                                                          One of the pages was entitled “Få barn”, which Google decided to translate as “Few children.”

                                                                                                          :’)

                                                                                                          1. 2

                                                                                                            Man, that’s really cheap… it’s not as if people seeking legal advice won’t notice crappy language…

                                                                                                        2. 11

                                                                                                          What a curious sentiment; in almost all locations there’s an expat community where the general language is English, and in many non-English speaking countries many locals speak English fluently enough to hold meaningful conversations. Learning a language fluently enough to actually speak it well takes over a year if you study hard at it, which is why most expats that are in a place for 1-2 years just stick to English.

                                                                                                          1. 2

                                                                                                            And then, consider the places that don’t use Latin script.

                                                                                                            Even without trying most people will learn some of the local language through immersion, and if the characters are generally pronounced the same as your native tongue/English, it’s just a matter of sounding out the word.

                                                                                                            I speak some Thai. I have zero expectation of ever (successfully) reading or writing a single word or even character in Thai script.

                                                                                                          2. 8

                                                                                                            They may have recently arrived, or knew from the start their relocation is short-term/temporary, so there is no point investing in learning the language.

                                                                                                            What’s wrong with pointing out the actual clear, technical issue anyway?

                                                                                                            1. 3

                                                                                                              What is the actual, clear, technical issue? At a guess, site operators optimise to reduce customer service costs, x Germans don’t have their browsers set to German and don’t read much English, and complain when they get English prose, and x is greater than the number of countryhoppers who actually want English.

                                                                                                              1. 9

                                                                                                                The actual issue is the Web server using geotargeting instead of browser language settings, which costs are you even talking about?

                                                                                                                EDIT: OK I would understand how you have a point if you open DW for the first time in your life. Maybe. But not the global internet corps that don’t have any support either way? Bloody Google would happily serve you the landing page in traditional Chinese when you are in .tw, even if they have two decades worth of your personal data and fresh browser cookies on the same machine you used at home.

                                                                                                                1. 6

                                                                                                                  I’ve heard this explanation before and I don’t understand it.

                                                                                                                  If your OS/browser is set to English, how the fuck are you using it without being able to read English?

                                                                                                                  1. 4

                                                                                                                    By using a colleague’s PC. By just having factory reset the phone, and leaving it at default. A lot of people here know enough English to use a browser, even if not enough to know what [insert Fachbegriff here] is called in English.

                                                                                                                    That blog posting reminds me of a comment by James Hague years ago. From memory, “now that I’ve thought about this for a minute, let me explain what’s wrong with your code and design.” The author doesn’t even try to think about what the reasons might be that this “error” has become so common.

                                                                                                                    1. 5
                                                                                                                      • Doesn’t a browser use the OS’s configured language?

                                                                                                                      • Doesn’t resetting a phone ask you for the language to use (it does for iOS!)?

                                                                                                                      • Don’t most users setup or buy their equipment in their native language?

                                                                                                                      Geocoding is done for “whiz bang!” in my experience. It has no backing data other than a few scattered anecdotes. If it turns out that the overwhelming majority of browsers are configured correctly for language support, then the geodetection language is a misfeature by definition.

                                                                                                                      1. 1

                                                                                                                        At the job where I counted this, the number of probably misconfigured browsers outnumbered the number of probably wilfully strange language settings. Both were in the low single percentages.

                                                                                                                        (And at both jobs where I’ve done geocoding, we did it in order to offer the right things. To offer users what we would be able to sell them. (EDIT: Actually I’m not sure about that. I know that that reason was a contributing reason, but I wasn’t at the meetings where it was decided, and there may have been other reasons.))

                                                                                                                  2. 1

                                                                                                                    If you have a VPN or you are in one of the non anglophone countries, try this out: set your language to [en-gb] or [en-au] and go to google.com in a private window. What do you see?

                                                                                                                    The problem is that they cared enough for a shitty solution using an ad-hoc means but not enough for a good solution which does not seem to be any harder (I would say easier because one does not require possibly outdated geo-location databases for this).

                                                                                                              1. 3

                                                                                                                I wish app stores included human-readable summaries of apps’ privacy policies & terms of service [0]. I mostly want to know if the app uses permissions for stuff that doesn’t benefit me (e.g. location services for ad targeting, not just maps), whether it shares any data with third parties, and for what reasons (crash analytics vs ad targeting).

                                                                                                                Details on how this differs with free/paid versions would be valuable, but challenging. This is especially the case with apps that have a single, free app listing with in-app purchases to unlock the premium version.

                                                                                                                [0] Terms of Service: Didn’t Read is a nice attempt at this, but would need to be refined for apps.

                                                                                                                1. 3

                                                                                                                  A decent user agent (phone operating system) would track usage and allow revocation per app and per permissions. But how a permission like location is being used is tricky to infer :/

                                                                                                                  Shameless plug, I implemented permission revocation for Firefox OS. Maybe that made it a less popular platform for app authors? https://frederik-braun.com/revoking-permissions-on-firefox-os.html

                                                                                                                  1. 3

                                                                                                                    Quite possibly yes. Based on my experiences in two quite different jobs:

                                                                                                                    Firefox OS is/was (or is/was seen as) a platform for users who don’t want to do/use something that android/ios forces their users to. This means that ffos refines its audience by selecting those users who’ll act on their dislikes.

                                                                                                                    Marketing something to such an audience is unattractive. Whatever your app does will include something that some set of people dislikes, and the ffos audience will include lots of people who will complain volubly about that. If your app has best-in-class privacy, say, then twitter will be flooded by people who complain about your privacy deficiencies.

                                                                                                                    1. 1

                                                                                                                      Cool, thanks for your work on that. I think they’re important features.

                                                                                                                      I’ve been pretty happy with iOS occasionally checking in with me about app permission usage. I get a lot of “X app has used your location in the background Y times over the past Z days. Allow / restrict to when app is active / Forbid?” It’s very empowering.

                                                                                                                  1. 4

                                                                                                                    Something else to consider: the average age of a registered car is 10.7 years in Europe, and Google quotes 11.8 as the average age in the US. Possibly this is skewed somewhat by people collecting classic cars, but for decades, a new car has offered few advantages over a used one.

                                                                                                                    PCs have reached a similar level of age indifference; today you can buy a 5 year-old used laptop or pc, and expect to get at least another three years of use out of them. When you buy new, you expect to get at least five years, and I see people around me using laptops for over ten years.

                                                                                                                    While there’s a growing market for refurbished phones, all of them seem doomed by the limited number of years Apple and Google will support older models.

                                                                                                                    1. 2

                                                                                                                      I’m using a number of ~10yo (9 and a half, more, but still…) Android phones almost daily, one of them in its original duty as a phone, others for different purposes - remote-controlled media player, trailer camera, etc. Even though the manufacturer - Motorola - never got beyond Android 2.3.6 they’re all running 4.4.4. One of them doesn’t have a screen (it got broken in some distant past), that is the one in use as a trailer camera. The thing is, these older Android phones are still useable for many purposes, from their original gadgety-communications-device role to those things I mentioned and more, due to the free software nature of Android and Linux.

                                                                                                                      With Apple the story is a bit different, they do offer longer support than most Android vendors but once they drop a model it quickly becomes useless. Some devices can be ‘jailbroken’ and with that their useful life can be extended a bit but since the size of the hacking community around Apple devices is nothing compared to that around Android it takes a lot more effort to get things done. Seen as curves the Android ‘usability’ curve starts going down earlier than the Apple one but once Apple drops support their curve quickly sinks below that of Android devices of similar vintage. In both cases it takes a bit of hacking to extend the useful life, more in the case of Apple hardware.

                                                                                                                      1. 1

                                                                                                                        With Apple the story is a bit different, they do offer longer support than most Android vendors but once they drop a model it quickly becomes useless.

                                                                                                                        How did you get to the conclusion that an Apple device is rendered useless after support is dropped?

                                                                                                                        1. 1

                                                                                                                          Depends on your use, I suppose.

                                                                                                                          My ipad quickly became useless for my use because I needed to install or upgrade apps to evaluate [… digression elided], and that quickly started demanding newer ios versions. If your use is to keep running and using the apps you already have, nothing bad will happen, AIUI.

                                                                                                                          1. 1

                                                                                                                            So basically the same as w/ Android? I don’t recall a difference between the two platforms as per the comment bias.

                                                                                                                            1. 1

                                                                                                                              The big difference is that with many Android devices there are AOSP-derived distributions which can be used to keep the device up to date once vendor-supported updates have ceased.

                                                                                                                              1. 1

                                                                                                                                No, not basically the same. The same in principle. The key word is quickly.

                                                                                                                                Apple is good about providing upgrades and coercing users to upgrade, and the flip side is that app developers feel free to drop support for old versions quickly. Being two or three versions behind on an ios device limits your app selection much more than being two or three versions behind on an android device.

                                                                                                                              2. 1

                                                                                                                                The biggest reason that the old iPads are “useless” today is that today’s apps use too much RAM and CPU - something a new OS version isn’t going to solve. When today’s latest iPads are five years old, this is likely going to be less of a problem since performance increases aren’t as huge any longer, but for the first five years or so of iPads this is the biggest limiting factor. IMHO.

                                                                                                                            2. 1

                                                                                                                              I don’t doubt that they’re useful for other purposes, and you’re probably right that we should be making better use of them. But personally I don’t like the idea of using an internet-connected device that’s limited to a seven year-old operating system.

                                                                                                                              1. 1

                                                                                                                                The thing is, they’re not limited to whatever version of Android the device is left with when the vendor ceases to support it. Those AOSP-derived distributions can take it along for the ride more or less until the hardware can no longer support the newest version, e.g. because of the 32/64 bit shift. The Galaxy SIIIneo which I mentioned was left by Samsung at Android 4.4.4, it currently runs Android 9 through LineageOS. It gets weekly OTA updates, the latest was on the 20th of April. As long as these projects support those devices they will stay up to date. They are supported until there is not enough interest from developers, which again depends on the number of users who want to keep those devices in use. There are some hard limits on support like the mentioned 32/64 bit shift, others are a lack of driver support for those platforms which rely on closed-source blobs, hardware capacity limits (memory, GPU, SoC) being exceeded by newer versions of the operating system, etc.

                                                                                                                            3. 2

                                                                                                                              Something else to consider: the average age of a registered car is 10.7 years in Europe, and Google quotes 11.8 as the average age in the US. Possibly this is skewed somewhat by people collecting classic cars, but for decades, a new car has offered few advantages over a used one.

                                                                                                                              Similar to cars, a lot of the advantages are in the realm of safety and security features you don’t want to become important. A 2020 Accord has measurable improvements in structural safety components over a 2010 Accord, and a 2020 iPhone has security features that 2017 iPhones don’t have the silicon to support.