1. 3

    Certainly, but there are costs to not working on one’s skills outside of work. All other things being equal, someone who spends 1,000 hours studying a topic will know it better than someone who spent 100, and less than someone who spent 10,000. If you choose to spend your time not-coding, then you need to accept that someone who decides to spend his time otherwise may be better at coding than you (while perhaps being a worse musician, artist, friend or human being).

    One really key point is that as we progress in our careers, our non-technical skills become more important than our technical skills. It turns out that investing all of our free time in coding is probably not the best use our resources.

    Regardless, choices have consequences.

    1. 4

      They should have used canonical S-expressions instead of JSON: they are simpler to parse & emit; they are better-suited to handing encryption; and they readily handle binary data.

      It’s a matter of taste, but I also think that they’re a lot more attractive:

      (request
       (using ietf.org/rfc/smap-core ietf.org/rfc/smap-mail)
       (method-calls
        (method1 ((arg1 arg1data) (arg2 (arg2data))) "#1")
        (method2 ((arg1 arg1data)) "#2")
        (method3 () "#3")))
      

      vs.:

      {
        "using": [ "ietf.org/rfc/jmap-core", "ietf.org/rfc/jmap-mail" ],
        "methodCalls": [
          ["method1", {"arg1": "arg1data", "arg2": "arg2data"}, "#1"],
          ["method2", {"arg1": "arg1data"}, "#2"],
          ["method3", {}, "#3"]
        ]
      }
      
      1. 2

        Any particular reason not to go for ... (method1 (arg1data arg2data) "#1") ...?

        Then, the attractiveness thing sort of gets lost when you go for actual canonical S-expressions with binary data, doesn’t it? No more looking at the raw expressions in a text editor.

        And is JSON really that hard to parse?

        1. 1

          Any particular reason not to go for ... (method1 (arg1data arg2data) "#1") ...?

          I was just following the original style directly. Certainly a more common way to write that in a Lisp would be the way you indicated.

          Then, the attractiveness thing sort of gets lost when you go for actual canonical S-expressions with binary data, doesn’t it? No more looking at the raw expressions in a text editor.

          I dunno, this looks pretty good to me:

          (cert
               (issuer (hash sha1 |TLCgPLFlGTzgUbcaYLW8kGTEnUk=|))
               (subject (hash sha1 |Ve1L/7MqiJcj+LSa/l10fl3tuTQ=|))
               …
               (not-before "1998-03-01_12:42:17")
               (not-after "2012-01-01_00:00:00"))
          

          The only bits which are binary are the hashes, and the rest of the expression is fine. The whole thing can be edited in a text editor, if necessary.

          And is JSON really that hard to parse?

          No, not really — but it’s still more complex than S-expressions.

      1. 2

        It’s definitely cool-looking. Needs a bit more documentation, particularly with respect to non-paren delimiters (e.g. []/{}): are they just different parens (as in some Scheme), or do they mean something else (as in Clojure)? Reading the source, it looks like the former.

        The syntax or constructor for tables should also be documented. I think maybe it’s ($ …)?

        Definitely cool, though. Although I’m a big fan of Common Lisp, a Lua-semantics Lisp sounds like a really nice environment to program in.

        1. 1

          Interesting project, but I have a question regarding:

          Python is Lisp with syntactic sugar and Lisp is Forth with syntactic sugar.

          Could you elaborate further on this point? I’m guessing it’s not to be taken literally, but although I have heard of the connections between Python and Lisp (map, fliter, lambda, …) I haven’t heard about the second connection. Wasn’t FORTH invented in the 1970’s and LISP in the 1950’s? I’m guessing the order of appearance isn’t strictly necessary, but you don’t often hear about newer programming languages making older ones more “difficult”.

          1. 3

            I’m guessing it’s not to be taken literally, but although I have heard of the connections between Python and Lisp (map, fliter, lambda, …) I haven’t heard about the second connection. Wasn’t FORTH invented in the 1970’s and LISP in the 1950’s?

            I think the idea is that Lisp is a delimited, prefix language (e.g. (foo (bar baz) quux)) while Forth is an undelimited, postfix language (e.g. quux @ baz @ bar foo, where baz & quux are words which put an address on the stack, bar is a word which pops a value from the stack and pushes a value on the stack & foo is a word which pops two values from the stack and does something).

            You can imagine that one could work up to a Lisp from something like OPAREN quux OPAREN baz bar CPAREN foo CPAREN in Forth, where OPAREN & CPAREN are special Forth words which do the obvious thing.

            1. 3

              Its nothing so profound. Just a remark about syntax. Its almost as bargap explained. To go from Lisp to Forth

              (foo (bar baz) quux)
              

              Put the function at the end of the list instead of the beginning so (func arg1 arg2 arg3) becomes (arg1 arg2 arg3 func).

              ((baz bar) quux foo) 
              

              And remove the parenthesis

              baz bar quux foo
              

              This should produce the same output when run in Forth. (Assuming constants are functions with no parameters and return the constant. And adjust for autoquoting and implicit returns.)

              The same goes for the Python to Lisp transfomration. Replace all syntax with calls to their dunder equivalent, put the functions inside the parenthesis and remove the comma separators (func(arg1, arg2, arg3) becomes (func args1 arg2 arg3)) and turn indented blocks into quotes (and put them as the last argument of the block heading).

              1. 2

                I still don’t see the link they’re trying to make with lisp and forth, especially considering their lisp example looks and seems nothing like lisp…

                consider their example

                bind("fib" fun([i]
                               [if(<(i 3) [return(1)])
                                return(+(fib(-(i 1)) fib(-(i 2))))]))
                

                against common lisp

                (defun fib (i)
                 (if (< i 3)
                  1
                  (+ (fib (- i 1)) (fib (- i 2)))))
                
                1. 2

                  To do the reverse transformation:

                  (defun fib (i)
                    (if (< i 3)
                     1
                     (+ (fib (- i 1)) (fib (- i 2)))))
                  

                  Put function names in front of the parenthesis.

                  defun(fib (i)
                   if(<(i 3)
                      1
                      +(fib(-(i 1)) fib(-(i 2)))))
                  

                  Add explicit returns.

                  defun(fib (i)
                   if(<(i 3)
                      return(1)
                      return(+(fib(-(i 1)) fib(-(i 2))))))
                  

                  Put square bracket for quotes to distinguish them from calls.

                  defun(fib [i]
                    if(<(i 3) return(1)
                       return(+(fib(-(i 1)) fib(-(i 2))))))
                  

                  Change which arguments need to be quoted and which ones don’t.

                  defun("fib" [i]
                    [if(<(i 3) [return(1)]
                        return(+(fib(-(i 1)) fib(-(i 2))))]))
                  

                  (Some of these transformations I’ve seen on discussions on possibilities for Lisp syntax.)

              1. 6

                we don’t hire junior developers because we can’t afford to have our senior developers mentor them

                That’s not why we don’t do it: our issue is that junior developers simply aren’t productive enough to warrant the expense.

                1. 16

                  The other consideration is; expend resources (ie seniors time) training entry level, only to see them leave in a year or two for large pay raises. It’s nearly impossible for business leaders to understand that 100% pay increases are required after a couple of years in this field.

                  1. 4

                    So how does one break the cycle? Junior developers will have to learn somewhere. Are we in a situation similar to the video game industry, where we actually have too many programmers on the market?

                    You can certainly learn a lot outside of work, but there are a lot of things that are best learned on a job.

                    1. 4

                      where we actually have too many programmers on the market?

                      Yes. Absolutely. And every programmer is a special snowflake which makes it impossible for anyone except another programmer to read their CV.

                      1. 0

                        The fact that pay is high is probably an indicator that that isn’t true.

                        1. 2

                          Pay is high in some areas. It’s crap in others. It’s mediocre in others. I think it says more about the practices of businesses in a given industry and geographical area than anything else.

                          1. 2

                            Adjusted for that it’s nearly double the median wage. I would say there are not too many developers.

                            1. 2

                              Depends on the area. In the Mid-South, there’s plenty of IT people, including programmers, making $12-15 an hour. Minimum wage is just over $7. We obviously have many move from this area but steady stream to fill those positions from colleges. Things that vary this much by area I usually talk about in terms of the area. Otherwise, the generalizations can be meaningless.

                              Except for when you say there aren’t too many developers. I agree with that if we factor in skill or tech they know about. There’s just not so many companies wanting to invest in junior ones or pay senior ones well.

                              1. 5

                                As a southerner I can anecdotally say that’s caused by a lack of labor organization and not a glut of programmers. Low willingness to pay is because they’re hoping to pick up someone who is willing to work for peanuts, not because there are too many developers. In fact they frequently take on business impact because of unfilled positions.

                                1. 1

                                  That makes sense to me as well (having worked in those sorts of jobs during college in the south and southeast)

                                  1. 1

                                    That sounds about right. You bet I call them out for it, too, if they get high and mighty with the politics. ;)

                    1. 2

                      A link has one or more targets, represented by a permanent address combined with an optional start offset and length (in bytes).

                      In a UTF-8 world, shouldn’t this be characters rather than bytes?

                      1. 1

                        PNG and any binaries is not exactly UTF-8 (I assume you still want to access images via hyperlinks).

                        1. 1

                          True, but does it make sense to link to a byte position within an image or binary? In the latter case, perhaps — but might it not also make more sense to link to a character within the display version of the binary?

                      1. 8

                        These kinds of posts tend to take one out of two stances on ‘network transparency’ depending on what the author actually wants to attack, and if there is a reference to the “standup over substance” Daniel Stone talk on X11 vs Wayland - you can be sure it will be the ‘haha, X isn’t actually transparent’ one, followed by perplexed users saying that it is actually very useful to them. The reddit thread referencing this article is one such example.

                        The first camp talking about the drawing primitives and commands as such and saying that the actual drawing commands should be sent and treated locally in the same way as they are treated remotely and since the toolkits have all made data type and parameters opaque pixmaps, opaque transfers are needed.

                        The ‘my use experience’ camp talks about the convenience in just saying ‘run graphics program’ from a remote shell and it seem to appear on the local machine similarly enough to how it would behave had it actually been run locally. That’s the meaning of transparency to them.

                        The later perspective is, in my opinion, more interesting since it can be improved on in many more ways than just switching compression schemes. Incidentally, I might just have something for that in the works…

                        1. 3

                          Most basic applications work fine with X11 forwarding. Stone’s talk stating X isn’t transparent is really referring to specific use cases (direct rendering and opengl), which, of course, isn’t going to work over the network.

                          I agree with his talk that we need to move forward from X, but you can’t just hand wave away a lot of features that people currently use. Usability matters. It took Pulseaudio a long time to get to a usable state where it’s not the first thing I try to disable (I think it works pretty well now, especially with bluetooth devices). Systemd is still terrible in terms of its usability with its terrible CLI interface.

                          1. 4

                            tone’s talk stating X isn’t transparent is really referring to specific use cases (direct rendering and opengl), which, of course, isn’t going to work over the network.

                            Gaming over the network has been around for some time. Some products were around before the cloud became a thing. These days, some are doing gaming desktops and rendering workstations with cloud VM’s. Probably more like X is an outdated design being made to do things in totally different context it can’t handle.

                            1. 2

                              specific use cases (direct rendering and opengl), which, of course, isn’t going to work over the network.

                              Couldn’t OpenGL, at least, be made to work over a network? It’s just commands which have larger effects; I’d think some sort of binary protocol could transmit it fairly effectively.

                          1. 10

                            I don’t think it’s fair to judge a 30 year old graphics system against today’s applications. X’s network transparency worked well for the low resolution displays and simpler applications that existed in 1987.

                            Just because it’s not useful any more doesn’t mean it was never useful and an overall failure.

                            1. 3

                              I agree entirely. I relied on remote X sessions with all kind of graphical stuff from web browsers to TCL/TK programs exported back to my client right up to 2000.

                              This article is ill-considered.

                              1. 2

                                I don’t think it’s fair to judge a 30 year old graphics system against today’s applications.

                                Why not? We fairly judge 90s crypto by modern standards.

                                I think that while X may have been well-designed by the standard of its day, it was indeed a failure because it ended up optimising for the wrong things.

                                That doesn’t mean that X is unusable or not the best alternative — just that as a protocol it has failed to live up to its fundamental goals.

                                1. 2

                                  I think it’s fair to ask whether X meets today’s requirements or not, but it shouldn’t be called a success or failure judging solely by today’s standards.

                                  X is outdated, but it was still a successful project.

                              1. 3

                                My passwords regularly end up in my $HISTFILE, both by accident and when connecting to certain services, it would be good to not store that in a central repository. Not sure how you would tackle this issue…

                                1. 3

                                  Store the hash and blacklist content in the $HISTFILE based on the hash. If you get that one in a quadrillion false positive then you just accept that you lost some data for the sake of security.

                                  1. 1

                                    Yeah I like that….

                                  2. 2

                                    Aside from the shared secret security, it would be easy to add a blacklist file to the code (checking it’s an 0400 file). I could implement this if you want.

                                    1. 1

                                      Some encryption would be required - am pondering whether this should be SSL or a simpler scheme using the shared key.

                                      1. 3

                                        If you think about it, there’s not actually a need for the central server to read the logs: it just needs to store & serve them to authorised clients.

                                        You could have a single key shared by the clients, with SHA256(key || ‘client-server key’) being the client-server connexion key and SHA256(key || nonce) being the line-encryption key. Then the clients have simple configuration and the server cannot read the records, but all clients can read any client’s records.

                                        More complex schemes are possible, but this should be good enough for what I think you want to do.

                                        1. 1

                                          ssh tunnel?

                                          1. 1

                                            Am keen to keep it as simple as possible - re-using the secret key seems like the shortest path (but I may be missing a technique).

                                    1. 1

                                      What is the current state of Plan 9 development?

                                      1. 7

                                        9front is actively developed.

                                        1. 1

                                          Is 9front usable on desktop? By usable, I mean that there’s some mail client (I don’t mind CLI, I use Mutt anyway), some audio / video player (mpv is just fine) and some browser that understands modern websites (yeah, I hate JS too, but it’s inavoidable). I guess the last part is the worst :)

                                          1. 9

                                            The last part is indeed the worst. For web browsing, there’s mothra and that’s about it. Mothra does not support JavaScript. Here is the relevant bit of the FQA.

                                            Russ Cox described his motivation for creating Plan 9 from User Space like this:

                                            I ran Plan 9 from Bell Labs as my day to day work environment until around 2002. By then two facts were painfully clear. First, the Internet was here to stay; and second, Plan 9 had no hope of keeping up with web browsers. Porting Mozilla to Plan 9 was far too much work, so instead I ported almost all the Plan 9 user level software to FreeBSD, Linux, and OS X.

                                            1. 2

                                              Yes there’s a mail client, playing videos depends on the format, modern browser…no, by design mostly.

                                              1. 3

                                                there is no support for video playback at all.

                                                1. 2

                                                  What can you use 9front for? I don’t mean playing in VirtualBox or whatever VM software you use, but for serious usage. I’ve always wanted to play with it more, but playing just for the sake of playing with it makes me isn’t interesting for me :)

                                                  1. 11

                                                    The system excels at manipulating text. It can playback most popular audio formats, and it can display many popular image and document formats. It does not (currently) have any support for video playback. There is no modern web browser (the native browser, mothra(1), ignores CSS, js, and many HTML tags). The system includes a PC emulator called vmx(1) that is capable of hosting Linux or OpenBSD, but currently the guest’s framebuffer is emulated entirely in software, so performance is pretty awful, and programs like web browsers are barely usable.

                                                    1. 1

                                                      Now, that is something, thanks!

                                                      What about use as a server? Since this is Plan9-derivative, I assume all Plan9 servers (CPU, Auth, 9P etc. are available). I can also see the included HTTP server. Can it use TLS? What about others protocols (like XMPP, DNS authoritative server etc.)?

                                                      I see there’s a port of OpenSSH, but it’s at version 4.7, which can’t do ED25510 :/ Is there any other SSH client (I mean, one written for 9front)?

                                                      I hope you don’t get angry by my questions, I just want to know what I can use 9front for. You kind of made me again interested in it, so I’ll install 9front on a spare PC.

                                                      1. 6

                                                        I’m the admin for basically all of the 9front official websites, and the cat-v.org sites, all hosted on 9front for several years. TLS is supported, but there is no support for SNI, so the end result is most current mobile browsers will refuse the self-signed/wrong-domain-name certificate. I also host all my DNS on 9front, pushing updates automatically to slaves at dns.he.net.

                                                        You didn’t ask about mail, but all the 9front mailing lists are also hosted on 9front, with upas(1) and a rather primitive mailing list manager called ml(1). I also host my personal e-mail with upas(1).

                                                        The system includes a native SSH2 client called ssh(1).

                                                        http://fqa.9front.org is probably the best overall resource for information about the system. It includes links and pointers to most other relevant sources. Unfortunately it tends to lag behind the current state of the system at times, mainly because of time comstraints.

                                                    2. 3

                                                      The Introduction To Plan 9 from the 9front FQA might interest you.

                                                      1. 1

                                                        I read it, I used 9front for a few hours some time ago, so I’m not a complete newcomer.

                                                        What I miss is some overview of available software. I can see that there is https://bitbucket.org/mveety/9front-ports, but it doesn’t seem official.

                                                        EDIT: Nvm, just found https://code.9front.org/hg/ports/

                                                          1. 1

                                                            Thanks, that’s what I was asking for.

                                                      2. 1

                                                        I’d really like to get around to porting emacs to Plan 9. That might be the sort of work I could actually do. I’d love to port Firefox to Plan 9, but … that just isn’t going to happen.

                                                        It’s a pity, because emacs & a web browser are the only things that Plan 9 is really missing.

                                                        1. 3

                                                          I think it really needs a hardware accelerated graphics stack. Things would improve dramatically after that.

                                                          I would love it if the plumber can talk to my phone. An Android/iOS app that reads a web link from plumb and display it on the phone would solve the browser problem.

                                                          As to the editor… just use acme.

                                                          1. 3

                                                            it’s trivial to plumb a link to a script that opens ssh to a remote host and runs a command.

                                                            1. 1

                                                              I would love it if the plumber can talk to my phone. An Android/iOS app that reads a web link from plumb and display it on the phone would solve the browser problem.

                                                              I’d think that could easily be doable with a small Android app to listen for GCM messages.

                                                              As to the editor… just use acme.

                                                              But that wouldn’t be emacs, and emacs is what I want to use:-)

                                                            2. 2

                                                              emacs has been ported to plan 9 more than once.

                                                              1. 1

                                                                Really? I did a quick googling, but no joy. Is it in the main emacs tree?

                                                                1. 2

                                                                  looks like i’m not able to reply from mothra.

                                                                  there were a couple of (old) ports on sources, which i think is permanently down. there exists a mirror at http://9p.io.

                                                  1. 1

                                                    Search only stinks online.

                                                    I’ve started using notmuch for my email, and this is so true! I’d gotten used to how slow online search was with Inbox & Gmail — but with notmuch it’s effectively instantaneous. It’s a strong reminder of how powerful client applications can be.

                                                    1. 11

                                                      Finally a proper use of the caps lock key:

                                                      Press caps lock to switch to a command line interface; here’s the debug screen.

                                                      1. 8

                                                        Well, I’d rather use it for Control. But maybe if keyboards would put Control where it belongs, next to Space (it should go Super Alt Control Space Control Alt Super), then it wouldn’t be necessary to have Control where most keyboards have Caps Lock.

                                                        1. 5

                                                          I always map Caps Locks to Ctrl, so whenever I’m on someone else’s laptop I keep flipping into caps when I mean to copy/paste/break/etc.

                                                          1. 3

                                                            it should go Super Alt Control Space Control Alt Super

                                                            What’s the premise for “should” here?

                                                            1. 1

                                                              Because of the frequency of use. Control is used almost all the time, in Windows, Linux & emacs. As such, it should go into the easiest-to-strike location, right next to the spacebar where the thumb can strike it in conjunction with other keys.

                                                              Alt/Meta is used less often, so it should receive the less-convenient spot. Alt should be used for less-frequently used functionality, and to modify Control (e.g. C-f moves forward one character; C-M-f moves forward one word).

                                                              Super should be used least of the three, and ideally would be reserved for OS-, desktop-environment– or window-manager–specific tasks, e.g. for switching windows are accessing an app chooser. Since it’s used less than either Alt or Control, it belongs in the least-convenient spot, far from the spacebar.

                                                              If we were really going to do things right, there’d be a pair of Hyper keys outboard of super, reserved for individual user assignment. But we don’t live in a perfect world.

                                                          2. 4

                                                            as a vi user, i would have said “use escape” but then remembered my caps-lock key is remapped to escape.

                                                          1. 7

                                                            I‘m not convinced that the current trend to put authentication info in local storage is entirely driven by the thought of being able to bypass the EU cookie banner thing. I think it‘s more related to the fact that a lot of people are jumping on the JWT bandwagon and that you need to send that JWT over an Authorization header rather than the cookie header.

                                                            Also, often, the domain serving the API isn‘t the domain the user connects to (nor even a single service in many cases), so you might not even have access to a cookie to send to the API.

                                                            However, I totally agree with the article that storing security sensitive things in local storage is a very bad idea and that httponly cookies would be a better idea. But current architecture best-practice (stateless JWT tokens, microservices across domains) make them impractical.

                                                            1. 4

                                                              Hey! You are correct in that this isn’t the main reason people are doing this – but I’ve spoken to numerous people who are doing this as a workaround because of the legislation which is why I wrote the article =/

                                                              I think one way of solving the issue you mention (cross-domain style stuff) is to use redirect based cookie auth. I’ve recently put together a talk which covers this in more details, but have yet to write up a proper article about it. It’s on my todo list: https://speakerdeck.com/rdegges/jwts-suck-and-are-stupid

                                                              1. 2

                                                                Ha! I absolutely agree with that slide deck of yours. It’s very hard to convince people though.

                                                                One more for your list: having JWTs valid for a relatively short amount of time but also provide a way to refresh them (like what you’d do with an oauth refresh token) is tricky to do and practically requires a blacklist on the server, reintroducing state and defeating the one single advantage of JWTs (their statelessnes, though of course you can have that with cookies too)

                                                                JWTs to me feel like an overarchitectured solution to an already solved problem.

                                                                1. 1

                                                                  There’s a third use case: services that are behind an authentication gateway (like Kong) and whenever a user is doing an authenticated request then the JWT is injected by the gateway into the request headers and passed forward to the corresponding service.

                                                                  But yes, a lot of people are using $TECHNOLOGY just because it’s the latest trend and discard “older” approaches just because they are no longer new which is quite interesting because we today see a resurgence of functional languages which are quite old, but I digress.

                                                                2. 2

                                                                  you need to send that JWT over an Authorization header rather than the cookie header.

                                                                  Well, you don’t need to, but many systems require you to. It’s completely possible — although it breaks certain HTTP expectations — to use cookies for auth² is after all quite an old technique.

                                                                  1. 1

                                                                    This is true – you could definitely store it in a cookie – but there’s basically no incentive to do so. EG: Instead just use a cryptographically signed session ID and get the same benefits with less overhead.

                                                                    The other issue w/ storing JWTs in cookies is that cookies are limited to 4kb of data, and JWTs often exceed that by their stateless nature (trying to shove as much data into the token as possible to remove state).

                                                                  2. 1

                                                                    Could you point me to some sort of explanation of why using localStorage is bad for security? Last time I looked at it, it seemed that there was no clear advantage to cookie based storage: http://blog.portswigger.net/2016/05/web-storage-lesser-evil-for-session.html

                                                                    1. 2

                                                                      Just as the article says: if you mark the session cookie as http only, then an XSS vulnerability will not allow the token to be exfiltrated by injected script code.

                                                                      1. 1

                                                                        Are we reading the same article? What I see is:

                                                                        • “The HttpOnly flag is an almost useless XSS mitigation.”
                                                                        • “[Web storage] conveys a huge security benefit, because it means the session tokens don’t act as an ambient authority”
                                                                        • “This post is intended to argue that Web Storage is often a viable and secure alternative to cookies”

                                                                        Anyway, I was just wondering if you have another source with a different conclusion, but if not, it’s OK.

                                                                        1. 3

                                                                          I disagree with the author of that article linked above. I’m currently typing out a full article to explain in more depth – far too long for comments.

                                                                          The gist of it is: HttpOnly works fine at preventing XSS. The risk of storing session data in a cookie is far less than storing it in local storage. The attack surface is greater there. There are a number of smaller reasons as well.

                                                                          1. 1

                                                                            Great, I would appreciate a link (or a Lobsters submission) when you’ve written it.

                                                                  1. 15

                                                                    I’ll add my voice to those which disagree with you. I think that a single message in a mailing list can be an excellent place to dive into an issue — far better than an article or blog post, because the entire mailing list history is right there (unlike in an article or blog post, where the author will likely only link to other instances which support his points).

                                                                    I do think that discussions about tone & style are generally off-topic to technical discussions. Someone who says, ‘water is composed of hydrogen & oxygen, jerk!’ is correct regardless of his rudeness, while someone who says, ‘pardon me, but in my opinion snails grow up to be geese’ is incorrect regardless of his politeness.

                                                                    1. 10

                                                                      I agree with you et. al. too. I think there has been meaningful discussion around such posts. People often quote before/after e-mails in the thread; talk about stuff that came up years ago, etc. I mean there might not be enough context in one e-mail, but it can be a good starting point.

                                                                      When Meltdown came out, a lot of people were asking where the BSD community stood. For a while, the only official statement for OpenBSD came from their mailing list. I think for DragonFly, it was their changelog.

                                                                    1. -1

                                                                      [Title] /proc/<pid>/stat is broken

                                                                      This sounds serious! Is the content of the pseudo-file associating incorrect PIDs or parent PIDs to processes?

                                                                      Let’s continue…

                                                                      Documentation (as in, man proc) tells us to parse this file using the scanf family, even providing the proper escape codes - which are subtly wrong.

                                                                      So it’s a documentation issue…

                                                                      When including a space character in the executable name, the %s escape will not read all of the executable name, breaking all subsequent reads

                                                                      I have literally never encountered an executable with a space in the name, although it’s perfectly legal from a file name perspective. (I’ve been a Linux user since 1998).

                                                                      The only reasonable way to do this with the current layout of the stats file would be to read all of the file and scan it from the end […]

                                                                      So… let’s do this instead?

                                                                      The proper fix (aside from introducing the above function) however should probably be to either sanitize the executable name before exposing it to /proc//stat […]

                                                                      Sounds reasonable to me.

                                                                      […], or move it to be the last parameter in the file.

                                                                      Thus breaking all existing implementations that rely on the documentation in man proc. But I guess it can be done in some backwardly compatible way?

                                                                      This problem could potentially be used to feed process-controlled data to all tools relying on reading /proc//stat

                                                                      I can’t really parse this. Do you mean “affect” instead of “used”?

                                                                      In conclusion: I can’t see any evidence of the functionality of this proc pseudo-file being “broken”. You have encountered an edge case (an executable name with a whitespace character in it). You’ve even suggested a workaround (scan from the end). If you had formulated this post as “here’s a workaround for this edge case” I believe you would have made a stronger case.

                                                                      1. 5

                                                                        I have literally never encountered an executable with a space in the name

                                                                        Well, tmux does this, for example. But my primary concern is not has it ever happened to me but, if it happens, what will my code do?. As this is a silent failure (as in, the recommended method fails in a non-obvious way without indicating failure), no action is taken by most implementations to guard against this. That, in my mind, counts as broken, and the least thing to do is to fix the documentation. Or expose single parameters in files instead of a huge conglomeration with parsing issues. Or… see above.

                                                                        So… let’s do this instead?

                                                                        I do, but only after I got sceptical while reading the documentation, ran some tests and had my hunch confirmed. Then I checked to see others making that very mistake.

                                                                        Thus breaking all existing implementations that rely on the documentation in man proc. But I guess it can be done in some backwardly compatible way?

                                                                        No, I don’t think so - except for introducing single-value files (and leaving /proc/<pid>/stats be as it is).

                                                                        This problem could potentially be used to feed process-controlled data to all tools relying on reading /proc//stat

                                                                        I can’t really parse this. Do you mean “affect” instead of “used”?

                                                                        Admittedly, English is not my first language, I do however think that sentence parses just fine. The discussed problem (which is present in several implementations based on the documentation), can potentially be used to inject data (controlled by the process, instead of the kernel) into third-party software.

                                                                        In conclusion: I can’t see any evidence of the functionality of this proc pseudo-file being “broken”.

                                                                        That depends on your view of broken - if erroneous documentation affecting close to all software relying on it with a silent failure does not sound broken to you, I guess it is not.

                                                                        You have encountered an edge case (an executable name with a whitespace character in it).

                                                                        I actually did not encounter it per se, I just noticed the possibility for it. But it is an undocumented edge case.

                                                                        You’ve even suggested a workaround (scan from the end).

                                                                        I believe that is good form.

                                                                        If you had formulated this post as “here’s a workaround for this edge case” I believe you would have made a stronger case.

                                                                        Maybe, but as we can see by the examples of recent vulnerabilities, you’ll need a catchy name and a logo to really get attention, so in my book I’m OK.

                                                                        1. 1

                                                                          Thanks for taking the time to answer the questions I have raised.

                                                                          The discussed problem (which is present in several implementations based on the documentation), can potentially be used to inject data (controlled by the process, instead of the kernel) into third-party software.

                                                                          Much clearer, thanks.

                                                                          On the use of “broken”

                                                                          I’m maybe extra sensitive to this as I work in supporting a commercial software application. For both legal and SLA[1] we require our customers to be precise in their communication about the issues they face.

                                                                          [1] Service level agreement

                                                                          1. 1

                                                                            Followup: can you give a specific example of how tmux does this? I checked the running instances of that application on my machine and only found the single word tmux in the output of stat files of the PIDs returned by pgrep.

                                                                            1. 2

                                                                              On my Debian 9 machine, when starting a tmux host session, the corresponding /proc/<pid>/stat file contains:

                                                                              2972 (tmux: client) S 2964 2972 2964 […]

                                                                        2. 3

                                                                          “Thus breaking all existing implementations that rely on the documentation in man proc. But I guess it can be done in some backwardly compatible way?”

                                                                          I will never get the 100ms it took to read this sentence back….

                                                                          1. 1

                                                                            I dunno, maybe just duplicate the information at the end of the current format, in the author’s preferred format, and delimited by some character not otherwise part of the spec.

                                                                            It’s not trivial, though.

                                                                            That was my point.

                                                                          2. 1

                                                                            this was clearly overlooked when the api was designed, nobody is parsing that file from the end and nobody is supposed to

                                                                            1. -1

                                                                              What was overlooked? That executables can have whitespace in their names?

                                                                              I can agree that this section of the manpage can be wrong (http://man7.org/linux/man-pages/man5/proc.5.html, search for stat):

                                                                              (2) comm  %s
                                                                                  The filename of the executable, in parentheses.
                                                                                  This is visible whether or not the executable is
                                                                                  swapped out.
                                                                              

                                                                              From the manpage of scanf:

                                                                              s: Matches a sequence of non-white-space characters; the next
                                                                                  pointer must be a pointer to the initial element of a
                                                                                  character array that is long enough to hold the input sequence
                                                                                  and the terminating null byte ('\0'), which is added
                                                                                  automatically.  The input string stops at white space or at
                                                                                  the maximum field width, whichever occurs first.
                                                                              

                                                                              So it’s clear no provision was made for executables having whitespace in them.

                                                                              This issue can be simply avoided by not allowing whitespace in executable names, and by reporting such occurrences as a bug.

                                                                              1. 8

                                                                                This issue can be simply avoided by not allowing whitespace in executable names, and by reporting such occurrences as a bug

                                                                                Ahhh, the Systemd approach to input validation!

                                                                                Seriously, if the system allows running executables with whitespace in their names, and your program is meant to work with such a system, then it needs to work with executables with whitespace in their names.

                                                                                I agree somewhat with the OP - the interface is badly thought out. But it’s a general problem: trying to pass structured data between kernel and userspace in plain-text format is, IMO, a bad idea. (I’d rather a binary format. You have the length of the string encoded in 4 bytes, then the string itself. Simple, easy to deal with. No weird corner cases).

                                                                                1. 1

                                                                                  I agree it’s a bug.

                                                                                  However, there’s a strong convention that executables do not have whitespace in them, at least in Linux/Unix.[1]

                                                                                  If you don’t adhere to this convention, and you stumble across a consequence to this, does this mean that a format that’s been around as long as the proc system is literally broken? That’s where I reacted.

                                                                                  As far as I know, nothing crashes when you start an executable with whitespace in it. The proc filesystem isn’t corrupted.

                                                                                  One part of it is slightly harder to parse using C.

                                                                                  That’s my take, I’m happy to be enlightened further.

                                                                                  I also agree that exposing these kind of structures as plain text is arguably … optimistic, and prone to edge cases. (By the way, isn’t one of the criticisms of systemd that it has an internal binary format?).

                                                                                  [1] note I’m just going from personal observation here, it’s possible there’s a subset of Linux applications that are perfectly fine with whitespace in the executable name.

                                                                                  1. 3

                                                                                    I agree with most of what you just said, but I myself didn’t take “broken” to mean anything beyond “has a problem due to lack of forethought”. Maybe I’m just getting used to people exaggerating complaints (heck I’m surely guilty of it myself from time to time).

                                                                                    It’s true that we basically never see executables with a space (or various other characters) in their names, but it can be pretty frustrating when tools stop working or don’t work properly when something slightly unusual happens. I could easily see a new-to-linux person creating just such an executable because they “didn’t know better” and suffering as a result because other programs on their system don’t correctly handle it. In the worst case, this sort of problem (though not necessarily this exact problem) can lead to security issues.

                                                                                    Yes, it’s possible to correctly handle /proc/xxx/stat in the presence of executables with spaces in the name, but it’s almost certain that some programs are going to come into existence which don’t do so correctly. The format actually lends itself to this mistake - and that’s what’s “broken” about it. That’s my take, anyway.

                                                                                    1. 2

                                                                                      Thanks for this thoughtful response. I believe you and I are in agreement.

                                                                                      Looking at this from a slightly more usual perspective, how does the Linux system handle executables with (non-whitespace) Unicode characters?

                                                                                      1. 3

                                                                                        Well, I’m no expert on unicode, but I believe for the most part Linux (the kernel) treats filenames as strings of bytes, not strings of characters. The difference is subtle - unless you happen to be writing text in a language that uses characters not found in the ASCII range. However, UTF-8 encoding will (I think) never cause any bytes in the ASCII range (0-127) to appear as part of a multi-byte encoded character, so you can’t get spurious spaces or newlines or other control characters even if you treat UTF-8 encoded text as ASCII. For that reason, it poses less of a problem for things like /proc/xxx/stat and the like.

                                                                                        Of course filenames being byte sequences comes with its own set of problems, including that it’s hard to know encoding should be used to display filenames (I believe many command line tools use the locale’s default encoding, and that’s nearly always UTF-8 these days) and that a filename potentially contains an invalid encoding. Then of course there’s the fact that unicode has multiple ways of encoding the exact same text and so in theory you could get two “identical” filenames in one directory (different byte sequences, same character sequence, or at least same visible representation). Unicode seems like a big mess to me, but I guess the problem it’s trying to solve is not an easy one.

                                                                                        (minor edit: UTF-8 doesn’t allow 0-127 as part of a multi-byte encoded character. Of course they can appear as regular characters, equivalent to the ASCII).

                                                                                        1. 1
                                                                                          ~ ❯ cd .local/bin
                                                                                          ~/.l/bin ❯ cat > ą << EOF
                                                                                          > #/usr/bin/env sh
                                                                                          > echo ą
                                                                                          > EOF
                                                                                          ~/.l/bin ❯ chmod +x ą 
                                                                                          ~/.l/bin ❯ ./ą
                                                                                          ą
                                                                                          
                                                                                      2. 2

                                                                                        If you don’t adhere to this convention, and you stumble across a consequence to this, does this mean that a format that’s been around as long as the proc system is literally broken?

                                                                                        Yes; the proc system’s format has been broken (well, misleadingly-documented) the whole time.

                                                                                        As you note, using pure text to represent this is a problem. I don’t recommend an internal, poorly-documented binary format either: canonical S-expressions have a textual representation but can still contain binary data:

                                                                                        (this is a canonical s-expression)
                                                                                        (so "is this")
                                                                                        (and so |aXMgdGhpcw==|)
                                                                                        

                                                                                        An example stat might be:

                                                                                        (stat
                                                                                          (pid 123456)
                                                                                          (command "evil\nls")
                                                                                          (state running)
                                                                                          (ppid 123455)
                                                                                          (pgrp 6)
                                                                                          (session 1)
                                                                                          (tty 2 3)
                                                                                          (flags 4567)
                                                                                          (min-fault 16)
                                                                                          …)
                                                                                        

                                                                                        Or, if you really cared about concision:

                                                                                        (12345 "evil\nls" R 123455 6 1 16361 4567 16 …)
                                                                                        
                                                                                    2. 3

                                                                                      nobody is parsing that file from the end

                                                                                      As an example the Python Prometheus client library uses this file, and allows for this.

                                                                                1. 6

                                                                                  I really like the idea behind the theme and the general feel.

                                                                                  For my personal taste, as a text editor theme, the background is a little too light and the comments are barely visible. And I say that as someone who uses Solarized.

                                                                                  These things are highly subjective of course, and also depend on what room you’re in, what time of day, and what display.

                                                                                  1. 2

                                                                                    For my personal taste, as a text editor theme, the background is a little too light and the comments are barely visible.

                                                                                    The emacs theme deals with this by adding nord-comment-brightness.

                                                                                    I think I’m finally going to replace Zenburn (my previous all-time favourite theme)!

                                                                                    1. 1

                                                                                      Personally, I’ve tweaked my nofrils-like theme for emacs using these colors.

                                                                                  1. 12

                                                                                    Why oh why does this article require JavaScript to display images? HTML has a perfectly useful tag for that: img.

                                                                                    Pages like this are breaking the Web.

                                                                                    1. 4

                                                                                      Interestingly it seems to work if you have JS fully disabled, just not when you block scripts from loading via addons. For each image it has:

                                                                                      <noscript><img src="[...]"  /></noscript>
                                                                                      
                                                                                    1. 9

                                                                                      Longtime user of StumpWM here. I really enjoy using it; it’s very nice to be able to easily extend my window manager while it’s running, and to have a complete Common Lisp environment always available. Highly recommended.

                                                                                      1. 2

                                                                                        I’ve been using i3 for years but recently came back to StumpWM because Common Lisp is my favorite language. Going from i3 to StumpWM is a small step (there’s some advantages in both of them compared to the other) and I haven’t run into major issues the last couple of weeks. It is also stable.

                                                                                        So, recommended as well!

                                                                                        1. 1

                                                                                          I switched from Ratpoison to StumpWM just to get Xrandr multihead support. My only problem is that it only supports bitmap fonts, which sucks on HiDPI, but it doesn’t matter that much. I’m planning to switch to EXWM after Christmas…

                                                                                          1. 2

                                                                                            My only problem is that [StumpWM] only supports bitmap fonts …

                                                                                            Luckily, that’s not true. I’m using TrueType with StumpWM just fine.

                                                                                            Just get ttf-fonts & then throw this at the top of your config:

                                                                                            (ql:quickload '(#:clx-truetype #:ttf-fonts))
                                                                                            (set-font (make-instance 'xft:font
                                                                                                                     :family "Source Code Pro Semibold"
                                                                                                                     :subfamily "regular"
                                                                                                                     :size 12))
                                                                                            

                                                                                            (changing the args as you like — I find that Source Code Pro is an awesome font)

                                                                                            1. 1

                                                                                              Duh, I’m way too lazy nowadays. Thanks!

                                                                                        1. 7

                                                                                          “Compiled languages are always faster.”

                                                                                          This link seems to indicate problems in one of most overly-complicated languages designed (C++) rather than evidence of that bullet point. Plus, the comparisons rarely use a profile-guided optimizer for the AOT compiler when comparing to JIT’s which are essentially that on bytecode. That the AOT has more time to optimize with even more information than the JIT means it should always produce faster code in theory. The only exception I can recall is for code whose runtime patterns change a lot. Even then there could be an AOT-style solution combined with JIT that periodically recompiles the code or loadbalances in a heterogenous way matching workloads to ideal AOT-compiled processes. I haven’t seen one I don’t think.

                                                                                          1. 9

                                                                                            “Compiled languages are always faster”

                                                                                            But Java has a compiler.

                                                                                            We’re left trying to interpret what the author meant. Does “compiled languages” mean “AOT compiles to native code” vs. “JIT compiles to native code” as you reasonably assume based on the linked Forbes article? Or is it about interpreters, as I’ve suffered this debate before? Who knows!

                                                                                            Gas on the fire.

                                                                                            1. 1

                                                                                              That’s true in general but these are supposed to be memes. So, the meme would be an AOT compiler for a mainstream language vs one doing JIT. Author gave C++ vs Java as very common example. I always knock that down as apples vs oranges with one not allowed profiling even though it’s possible for AOT.

                                                                                            2. 6

                                                                                              I’ll add a misconception to the list: “The term ‘compiled language’ is a useful concept”.

                                                                                              You don’t have languages that are compiled[1]; you can have a language for which a compiled implementation exists, or a language for which no compiled implementation exists, or a language for which the primary implementation is compiled but not always, etc. And even that is not a very useful category, because the performance implications of a compiler that targets machine code can be very different from one that compiles to bytecode.

                                                                                              I think most people mean “a language which is typically AOT-compiled directly to machine code” when they say this, but I can’t be sure because the terminology is so vague.

                                                                                              1 - OK, so technically there are languages like Forth where the compiler is part of the language spec, but A) these are very unusual and B) no one who uses the term “compiled language” is actually talking about this.

                                                                                              1. 2

                                                                                                Of note, it is possible for a language to be uncompilable[0] — c.f. some of the reflective-tower languages of the 1980s (Lisp in Small Pieces has an example of an uncompilable language).

                                                                                                [0] Really, it’s not so much that they’re uncompilable as that compilation has no real utility as applied to them.

                                                                                              2. 2

                                                                                                It also depends on your definition of “faster”. Generally, higher level representations of software are more compact - source is smaller[*] than bytecode which is smaller than machine code. If your performance is constrained by transferring your program representation (for example over a slow network, from slow storage medium) or if your interpreter + bytecode can fit in cache better than a compiled representation then compiled code may be slower.

                                                                                                [*] At least once gzipped or converted to a minimal representation.

                                                                                                1. 1

                                                                                                  On that note, the Juice project that substituted Oberon for Java had about that effect I think. They wanted fast compilation and small transfers over dial-up more than ultra-optimized result. Their innovation was sending app as compressed AST’s so compiler still had more info to work with versus bytecodes.

                                                                                                  I wonder about that last part, though. How often is it a problem that AOT-compiled code is worse at caching than interpreted/JIT’d bytecode?

                                                                                                2. 1

                                                                                                  But it’s interpreters all the way down, and some interpreters are faster than others.

                                                                                                  1. 1

                                                                                                    Yeah, the fully-analog ones are still kicking the rest of them’s asses. People are just too picky about accurate results. ;)

                                                                                                1. 5

                                                                                                  Ugh… terrible arguments.

                                                                                                  For those of us in the US (I’m going to ignore everyone else because I’m unfamiliar with the state of things in other countries) our First Amendment rights protect us from the government making any laws abridging freedom of speech. It’s a restraint on government, not on individuals or corporations. Individuals are free to discriminate based on speech.

                                                                                                  Suppose you write a book, in the book your have some things that I find offensive. I’m free to not read your book or write bad reviews about your book because of my dislike for it. Anything less would be an infringement on my First Amendment rights. Now suppose I’m also a bookseller. My store is small but I sell many books. It’s my shop and I decide what to sell. Since I do not like your book I do not carry it. You may be upset with my decision to not carry your book as it will cause you to sell fewer copies. But it’s my store and I may do as I please. You may think my customers would object to me not carry your book, but most do not as they prefer my store because of the selection of books they I know I carry. It’s part of my competitive advantage against larger book stores. I’m still an individual, and choosing what I sell in my store is my First Amendment right, even though it affects my customers.

                                                                                                  Net Neutrality is an important issue we need to talk about it. But Net Neutrality is not a free speech issue. It’s not. Period.

                                                                                                  Facebook, Google, and Twitter have done far more to manipulate information and censor views they disagree with. Facebook is constantly manipulating our news feeds so we only see a select portion of the posts our friends make. Every month we learn of someone who was banned from Twitter because @Jack and friends decided the users tweets were offensive or hateful. What have ISPs done? Inject a few ads into web pages? Throttle some Netflix? That’s nothing.

                                                                                                  1. 12

                                                                                                    What have ISPs done?

                                                                                                    1. 5

                                                                                                      First Amendment rights protect us from the government making any laws abridging freedom of speech. It’s a restraint on government, not on individuals or corporations. Individuals are free to discriminate based on speech.

                                                                                                      The First Amendment is a restraint on government AND any individual or business acting on behalf of the government.

                                                                                                      A private business that has a mutually beneficial commercial arrangement with the government is acting on behalf of the government.

                                                                                                      The federal government aims to provide all universal access to telecommunications and internet services. To this end, the Federal Government created the Universal Service Fund in 1996 to provide telecommunications and internet to all consumers (including schools, libraries, and individuals in rural, low-income, and high-cost regions) at reasonable non-discriminatory prices. This fund is paid for by individual consumers via the “Universal Service Fund” fee/tax on their monthly internet/phone bills. This fee/tax is then distributed from the Federal Government back to the ISPs through Lifeline and other programs.

                                                                                                      In other words, ISPs are collecting a tax on behalf of the government, and then using the funds from that tax to, on behalf of the government, provide a service. One can clearly argue this pulls ISPs under the authority of the First Amendment.

                                                                                                      1. 3

                                                                                                        Ill add to your excellent list my experience when Comcast et al were talking capped plans versus unlimited. The cap was originally way too small. The bigger problem was the system that counted usage was counting mine when nothing was connected. They were either glitching or forging usage data to attempt to force me into buying unlimited plan.

                                                                                                        That went into the FCC complaint.

                                                                                                        1. 4

                                                                                                          Comcast says their trackers were accurate…. but many others had similar complaints about wildly inaccurate readings (e.g. 300GB/day), and being offered the unlimited plan in lieu of an outrageous (inaccurate) bill.

                                                                                                        2. 1

                                                                                                          All of that predates the FCC’s net neutrality regulations of 2015, so presumably all of that would still be resolved as it was prior to 2015.

                                                                                                          1. 6

                                                                                                            In the 90s and early 00s, internet went over the phone lines which were considered Title II common carriers. Nascent broadband was considered an “information service” with more lax rules.

                                                                                                            In 2005, ISPs argued that DSL should be considered an “information service” like broadband, instead of “common carrier” like phone lines. The FCC reclassified DSL and simultaneously laid out four voluntary principles of net neutrality.

                                                                                                            That gets us to the hypothetical you’re talking about:

                                                                                                            presumably all of that would still be resolved as it was prior to 2015

                                                                                                            From 2005-2010, the FCC attempted to enforce net neutrality on the ISPs, which were classified as “information services”.

                                                                                                            Comcast had a drawn-out legal battle over suppressing the Bittorrent protocol, and in 2008 the FCC ruled that Comcast had illegally inhibited Bittorrent activity. Comcast appealed the decision, and the court of appeals struck down the FCC’s ruling, arguing that the rules of net neutrality were not formal enough.

                                                                                                            In 2010, the FCC formalized net neutrality by creating the Open Internet Order of 2010. This was immediately challenged by the ISPs, and Verizon filed suit in 2011. In 2014, the courts ruled in favor of Verizon, stating that the OIO rules could only be applied to Title II common carriers. So the FCC did the next logical step and reclassified broadband ISPs as Title II common carriers in 2015.

                                                                                                            Now Ajit Pai is rolling that back, reclassifying broadband as an information service and completely nullifying any guarantees of net neutrality.

                                                                                                            We can’t just go back to the way things were in 2005, because of the legal precedents which have occurred since then. Since 2014, the FCC cannot enforce net neutrality unless ISPs are considered common carriers.

                                                                                                            1. 2

                                                                                                              Yes exactly. This all happened before FCC’s “Title II” vote in 2015, making it an example of what ISPs do without net neutrality.

                                                                                                              (Perhaps I misunderstand your comment?)

                                                                                                          2. 6

                                                                                                            What have ISPs done? Inject a few ads into web pages? Throttle some Netflix? That’s nothing.

                                                                                                            Only because they haven’t been able to get away with much until now.

                                                                                                            The thing is, I don’t want ISPs to be like a bookstore, with editorial discretion over what they allow you to connect to. ISPs ought to be dumb pipes. Especially with so little competition in a given region.

                                                                                                            I do agree that mega-websites have more power than ISPs, and I’m all ears if you have suggestions on how to address that. But it doesn’t mean we should relent on net neutrality.

                                                                                                            1. 2

                                                                                                              I don’t think anybody is disagreeing that net neutrality is incredibly important. But it’s not a First Amendment issue. First Amendment-wise, ISPs are completely free to provide access to any selection of content they want.

                                                                                                            2. 3

                                                                                                              The book store is a good place to start thinking about this issue, as you’re absolutely right when talking about a small shop like that (because there are many other small shops), but that’s not what these ISPs are. These ISPs are giant mega-corporations whose customers number not in the hundreds but in the millions, whose customers often only have one ISP to choose from, and whose actions affect billions. The larger their influence, the greater the damage from them censoring speech, and the more government-like they become.

                                                                                                              If you think killing free speech online is going to help your Facebook, Google and Twitter problems (and not make them 10 times worse), well, you are welcome to kill it and see what happens.

                                                                                                              1. 4

                                                                                                                You don’t foster competition with mega corporations by making the market harder to compete in. You foster competition by lowering the barrier to entry in the market. Primarily by reducing regulations since the overhead of complying with regulation disproportionately effects smaller businesses. With reduced regulations startups can easily differentiate themselves from the big players by offering novel services the big players don’t. Think about how cell phone plans have improved over the years. Data is cheaper than ever, even though it’s much more difficult to deliver data to mobile devices than homes. Carriers are free to differentiate their offerings by pitching things such as free data for music streaming from online services. It’s a net plus for the consumer.

                                                                                                                I don’t like mega-corporations anymore than anyone else, but don’t forget Facebook, Google, and Twitter support Net Neutraility, and they control more of what we see online than any ISPs:

                                                                                                                Largest ISPs by number of customers:

                                                                                                                • Comcast: 25 million
                                                                                                                • Charter: 23 million
                                                                                                                • AT&T: 15 million

                                                                                                                Web services by monthly US users:

                                                                                                                • Facebook: 214 million
                                                                                                                • Google: Wasn’t able to find stats online, Most likely higher than FB
                                                                                                                • Twitter: 69 million

                                                                                                                Now of course each ISP customer represents probably 3-4 users. Even with that factored in FB, Google, and Twitter still have more influence than the top three ISPs. And that’s excluding others like YouTube and Yahoo.

                                                                                                                If you think killing free speech online is going to help your Facebook, Google and Twitter problems (and not make them 10 times worse), well, you are welcome to kill it and see what happens.

                                                                                                                It doesn’t sound like you want to have an honest discussion about this important issue. I’m not going to be responding to any more comments on this thread. Good day.

                                                                                                                sources:

                                                                                                                1. 3

                                                                                                                  Data is cheaper than ever, even though it’s much more difficult to delivery data to mobile devices than homes.

                                                                                                                  Is it, though? Last-mile wire installation is notoriously problematic. In contrast a wireless tower can cover a large area.

                                                                                                                  I’m very excited for satellite internet. Should only be a few more years until it’s widely available…

                                                                                                                  1. 2

                                                                                                                    Satellite internet access has been sporadically available for decades. It’s super expensive to deploy or repair (hah!) the equipment. Lots of money burned up so far. The latency is awful, and there’s not much to do about it unless you can change the speed of light. Only makes sense in remote areas with low population density. Even there, you’re better off with point-to-point long-distance wifi.

                                                                                                                    1. 2

                                                                                                                      Yeah the latency with geosynchronous satellites is pretty awful. What I’m looking forward to is low-earth-orbit satellite internet by OneWeb and SpaceX. “OneWeb’s 50Mbps Internet with 30ms latency could hit remotest areas by 2019.”