1. 3

    youtube-dl is amaze. Having the file local makes seeking much less of a pain.

    1. 3

      I am amazed at just how much non-youtube stuff I’ve managed to download with it.

      1. 1

        It works on p-hub.

    1. 3

      I like LaTeX! At one point during my bachelor’s degree I could take calculus notes in real time with LaTeX, I kinda miss using LaTeX for all my documentation needs.

      Whenever I need to write a paper with “real” citations I go back to LaTeX so I don’t have to manually format everything.

      1. 1

        Same here, though I’ve been using Jekyll Scholar for online things. The Liquid syntax is pretty clunky, but it can parse BibTeX files and generate nice output. I use it for my University home page, with both the most-recent publications list on the main page and the complete publications page being generated from the same .bib file. The BibTeX rendering that it does is sanitised BibTeX, generated from its own data structures, not just a text copy of the source, so it’s a lot cleaner than the cruft I end up pasting in there!

        1. 1

          When I need to write letters I do them in LaTeX, it’s really good for consistent output.

        1. 9

          One of my favorite Vim books is still Drew Neil’s Practical Vim. That book is a great read and it changed how I use Vim. I’ve bought it for a lot of my co-workers.

          1. 7

            Author of screencast here. Cannot agree more about Practical Vim being the best resource out there. I’m such a fan that when he was in town I booked a day of Vim training with him.

            1. 2

              I need to go back to it I think. I am not very smart and forget stuff that I don’t use, but that book was jam packed with handy hints.

              1. 4

                (Author here) The key factor, for me, in improving my Vim ability was to create a dotfiles README where I documented everything I learned and referred back to it again and again until the commands were seared into my fingers.

                1. 3

                  I think this applies to almost everyone; there’s actually a bunch of things in Vim that I know exist, but don’t really use much anyway.

                  For example to select an entire { .. } block you can use va{V, but generally I’ll just manually go to one of the brackets (e.g. with [[, [{, {, or just moving the cursor) and use V%. This is rarely faster, but I got in the habit of doing it like that years ago before I really knew about text objects and such, and now I’m kinda stuck with it 😅

                  I’m mostly okay with this, since I try to optimize for cognitive load rather than absolute speed, and manually moving the cursor tends to be a bit better for that since I don’t need to think so much about what it’s going to select.

                  1. 3

                    I believe one of the greatest aspects of the design of Vim is that you can choose your own tools and level of usage of more ‘advanced’ techniques.

                    Over the years I have slowly added more and more tools to my belt - progressively enhancing, but never needing to, only choosing to when it suited me.

                    For example, it was about ten years before I started using macros. Perhaps another ten before I started moving by searching. Maybe in another ten I’ll use buffers rather than opening an editor for one file, closing it - and opening another later. I use the shell to drive, but I know I can get more of an IDE experience if I ever want to.

                    I don’t think I’d seen the ‘args’ feature before today. When I’ve done multi file edits in the past I’ve passed the names on the command line and done a ‘:n’ to move to the next file at the end of my macro (apologies if that’s wrong - I don’t do it often enough to remember).

              1. 2

                Is it more appropriate/desirable from your experience to have entire articles available in an RSS feed? I just show title, date, description. Not even image…

                1. 5

                  Given that I use newsboat as my feed reader, I do appreciate when the whole article is included in the feed - it saves time more than anything. I’ll open it in a GUI web browser if there are images related to the content, though.

                  1. 1

                    I have too many feeds, and when I’m thinning them down the first ones to go are ones without full articles, or at least a few paragraphs.

                  2. 1

                    I don’t know if it is appropriate/desirable in general to include all content in the feed. I personally prefer feeds that include the full text. It seems that I am not the only one because there are commercial products that generate full text feeds from partial ones.

                    My impression is that partial feeds became more popular with publishers as a way to prevent people from bypassing their paywalls and/or to monetize page views on their main website. If you monetize your website, I would keep partial articles in your feed. If you don’t monetize it, I would suggest including a full feed just to accommodate your readers that might prefer it.

                    1. 1

                      I make everything available in RSS feeds.

                      I read RSS heavily on my phone and love it when full feeds are available. I understand many news sites can’t do that, so in that case I am happy to subscribe for full feed (e.g. Ars Technica) or just click through to open in browser.

                      1. 1

                        Yes, I prefer to read the entire article straight from my feed reader. I find it much less distracting than having to open a web browser, copy the link (I use newsbeuter, so links aren’t clickable) and visit the web site. Of course it doesn’t help that many websites aren’t exactly designed to be pleasant to read, just to look good (or to make money with distracting banners).

                        1. 1

                          Yes, I prefer to read the entire article straight from my feed reader.

                          You and me both! :^)

                          I use newsbeuter […]

                          Ouch! From the very top of the README:

                          ABANDONED! An actively maintained fork is available in newsboat repo

                          […] so links aren’t clickable

                          This is a feature of your $TERM, not feed reader.

                          Of course it doesn’t help that many websites aren’t exactly designed to be pleasant to read, just to look good (or to make money with distracting banners).

                          You can say that again! Unless there’s a really good article, linked from multiple sources, I never visit anything Medium-like.

                          1. 1

                            Yikes, I didn’t know newsbeuter was abandoned. I just installed newsboat and was happy to see that it converted my newsbeuter config automatically. It’s truly a drop-in replacement! Thanks for the tip!

                            This is a feature of your $TERM, not feed reader.

                            Yeah, true. But if I was using a non-terminal based feed reader, it’d likely have clickable links.

                            1. 1

                              But if I was using a non-terminal based feed reader, it’d likely have clickable links.

                              However, you chose a terminal feed reader! If clickable links were a priority, you’d most likely go for a GUI option, no? ;^)

                              Either way, it’s an easy fix :^)

                              1. 1

                                haha, true that. But the point was about how it’s more convenient to read it in the reader anyway. That’s not an easy fix for me, but it is for the site’s author!

                      1. 6

                        Coincidentally I’ve recently read about mailto links not being ideal and I think RSS feeds suffer from a similar problem: links to them are kind of useless beyond signaling their existence. I am much more inclined to plop the website’s URL in the RSS reader than copy the feed URL directly. There used to be the idea of a “feed://” scheme floating around, but I’m not sure if it has caught on.

                        1. 8

                          Coincidentally I’ve recently read about mailto links not being ideal and I think RSS feeds suffer from a similar problem: links to them are kind of useless beyond signaling their existence.

                          In my experience, it’s the opposite - if the feed icon/URL is not featured on the page I have to copy the site address, open the feed reader, paste it, pick the appropriate feed (RSS, Atom, comments, etc.) and finally add. With a direct link, all I need is to click on it and my reader opens automatically.

                          I am much more inclined to plop the website’s URL in the RSS reader than copy the feed URL directly.

                          This is what I’m forced to do because most pages don’t feature direct feed URLs.

                          The problem is even worse when it comes to podcasts - one can find links to all sorts of iTunes, Google Play, Stitcher, Spotify, etc. but don’t have any desire to use any of it and frequently have to ask for a direct feed URL.

                          1. 3

                            if the feed icon/URL is not featured on the page I have to copy the site address, open the feed reader, paste it, pick the appropriate feed (RSS, Atom, comments, etc.) and finally add

                            This bugs me every time I have to do it. Plus, there’s a ~20% chance that the site doesn’t expose any type of feed, so I have to go to a workaround like politepol to follow the site :(

                            1. 6

                              This bugs me every time I have to do it. Plus, there’s a ~20% chance that the site doesn’t expose any type of feed, so I have to go to a workaround like politepol to follow the site :(

                              Don’t get me started about sites** without any type of feed.

                              So, you post stuff every so often and would, presumably, like someone else to read it.

                              Sure.

                              Are you expecting me to visit every n days/weeks/months or script it?

                              Yeah, why not?

                              Thanks, but no thanks.

                              ** like with everything in life, there are, of course, exceptions :^)

                            2. 2

                              With a direct link, all I need is to click on it and my reader opens automatically.

                              Ah, that’s cool! Does it work with any old https:// link to a feed?

                              1. 2

                                Does it work with any old https:// link to a feed?

                                Sure, as long as it is being served with the correct media type.

                                1. 2

                                  Huh, on macOS I get three different behaviors in three different browsers for a MIME type of application/rss+xml:

                                  • Firefox offers to download the file, or open it with… Sublime Text
                                  • Safari invokes the RSS reader (NetNewsWire)
                                  • Chrome loads the feed as plain text

                                  Since I use FF day to day, this behavior might have colored my impression of RSS feed URLs.

                                  It would be interesting to see how https:// vs. feed://, text/xml vs application/rss+xml behave in the year 2020, and which version (or combination) offers the broadest convenience.

                                  1. 2

                                    You can change the file type’s associated program in FF’s Preferences.

                              2. 2

                                My experience chimes with this. I always copy and paste the feed URL. I even use this extension to show me feed links like Firefox used to.
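
                                Since the thread keeps coming back to finding the feed URL behind a page, here is feed autodiscovery in code: the `<link rel="alternate" type="application/rss+xml">` lookup that browsers used to do to show a feed button. This is an added example, not code from the comment or from any extension mentioned above; the sample page, base URL and feed titles are constructed for the example.

```python
"""Feed autodiscovery: find subscribable feeds declared in a page's <head>.

Added example; the HTML, base URL and titles below are made up.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Media types a reader can subscribe to: RSS, Atom and JSON Feed.
FEED_TYPES = {"application/rss+xml", "application/atom+xml", "application/feed+json"}

# Constructed sample page: two real feeds, a stylesheet, a javascript: href
# that must never reach a reader, and a feed link in <body> that
# autodiscovery should ignore (only <head> counts).
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="/style.css">
<link rel="alternate" type="application/rss+xml" title="Posts" href="/feed.xml">
<link rel="alternate" type="application/atom+xml; charset=utf-8" title="Comments" href="https://example.com/comments.atom">
<link rel="alternate" type="application/rss+xml" title="Bad" href="javascript:alert(1)">
</head><body>
<link rel="alternate" type="application/rss+xml" href="/not-in-head.xml">
</body></html>"""


class FeedLinkParser(HTMLParser):
    """Collects <link rel="alternate"> entries with a feed media type."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.feeds = []
        self.in_head = True

    def handle_starttag(self, tag, attrs):
        # html.parser gives None for valueless attributes; normalise to ""
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "base" and attrs.get("href"):
            # <base href> changes how relative hrefs resolve
            self.base_url = urljoin(self.base_url, attrs["href"])
            return
        if tag == "body":
            self.in_head = False
        if tag != "link" or not self.in_head:
            return
        href = attrs.get("href")
        if not href:
            return
        rel = attrs.get("rel", "").lower().split()
        # strip parameters such as "; charset=utf-8" before comparing
        media_type = attrs.get("type", "").lower().split(";")[0].strip()
        if "alternate" not in rel or media_type not in FEED_TYPES:
            return
        url = urljoin(self.base_url, href)
        if urlparse(url).scheme not in ("http", "https"):
            return  # never hand javascript:/data:/file: URLs to a reader
        self.feeds.append({"title": attrs.get("title", ""), "type": media_type, "url": url})


def discover_feeds(html, base_url):
    """Return the feeds declared in the page's <head>, in document order."""
    parser = FeedLinkParser(base_url)
    parser.feed(html)
    parser.close()
    return parser.feeds


if __name__ == "__main__":
    for feed in discover_feeds(SAMPLE_HTML, "https://example.com/blog/"):
        print(feed["type"], feed["url"], feed["title"])
```

                                Relative hrefs are resolved against the page URL (or a `<base>` tag), and anything that is not http(s) is dropped before it could be passed to a reader.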

                              3. 1

                                Coincidentally I’ve recently read about mailto links not being ideal

                                That was a fascinating insight into the average user. In every desktop browser I’ve used, right-clicking on a mailto link gives an option of copying the address (often it includes the mailto: prefix, but that’s easy to trim after you paste). I’d never have thought about trying to copy the text because that requires accurately hitting the start and end, whereas right-clicking requires me to hit somewhere in the link. A copy button is potentially a good idea, but I am quite reluctant to encourage untrusted web sites to be able to write things to my clipboard. As far as I know, there are Chrome and Firefox plugins that will allow you to forward mailto links to a webmail client and it surprises me that people who use webmail wouldn’t set these up - I remember this being a problem 20 years ago but largely a solved issue 15 years ago. Does Chrome really not integrate with Gmail?

                                The article asks why browsers removed the RSS button. I know why this happened in Safari because Apple talked about it publicly. The user experience for RSS depends on being able to see new things easily. That doesn’t work well when you read feeds on multiple devices unless you have some mechanism for syncing the ‘read’ state across devices. Apple didn’t have that and didn’t want a core feature of the browser to depend on iCloud. The popular RSS readers were all server-side things that kept track of what you’d read centrally. These could ship a browser plugin that detected the RSS feeds and let you add it to your list, so this didn’t need to be core browser functionality. A quick look in the Chrome store implies that only feeder.co actually does this.

                              1. 1

                                I actually use an extension to just blindly accept cookies etc. Then I use Firefox temporary containers to wipe it all away when I close the tab.

                                1. 1

                                  I prefer the self-destructing cookies extension (there’s an attempt to rewrite it for Chrome, but it’s missing the point slightly). This extension makes cookies ephemeral by default, but provides an undo button. If you discover that you actually want the functionality that cookies provide on a site (e.g. remembering preferences) then you can hit the undo button to undelete them - they’re not actually deleted initially, they’re just moved aside where the browser won’t see them. I wish browsers would make this the default behaviour.

                                1. 2

                                  This might not be a popular opinion but as someone who spends most of their day on the phone, I strongly dislike mechanical keyboards and the culture that has recently sprung up around them. I’m a consultant and my normal interactions with customers are over the phone. I can usually tell within 24 hours on a project who I have to mute by default on any new project. Especially with remote meeting software that emphasizes “call using my computer”. The sound of someone taking notes with a loud mechanical keyboard has disrupted my meetings so often that I can’t even count the occurrences. For clients I know very well, I’ll usually start the call saying “Hey [name], if you have something to say, make sure you unmute yourself” because I start the call with that person muted.

                                  I know there are mechanical keyboards that are quieter, but there are also a lot that are so loud no one can hear the conversation over the sound of the person taking notes on the call. Please be aware of the sound of your keyboard if you’re on a conference call.

                                  1. 13

                                    I find it incredibly odd that “push-to-talk” isn’t the cultural default almost anywhere. It’s so much nicer for every participant at so little cost to the individual.

                                    1. 6

                                      Yeah this is more of a broken software than anything else. I wish more systems were like mumble. Super low latency, crystal clear, push to talk. Instead we’re trying to cram 30 pointless video streams onto everyone’s screen.

                                      1. 5

                                        Your comment could just as well have been written by myself. Not only are these 30 pointless video streams crammed onto everyone’s screen – they’re also choking everyone’s network connection, causing further latencies in the audio, meaning conversations require explicit handoff to other people.

                                        I really wish I could convince my company to switch to something like Mumble. The low latency, crystal clear audio would make conversations flow so much more naturally and feel less forced. But no. We have to look at each others badly lit outlines of faces. That’s worth so much more than fluent communication.

                                        1. 4

                                          It’s madness. In the pandemic it has shown itself to be a deeply irritating technology. In 99% of cases the sole purpose of the video feed is to see what people’s houses look like.

                                          Mumble cracked the ‘how do we do natural conversation’ issue 15 years ago. Everything I have used since then feels like a step backwards.

                                        2. 3

                                          Mumble is especially good with RNNoise, that seems to “learn” filtering out sounds such as keyboard or clicking noises, improving over time. I have a not-so-quiet keyboard and a friend of mine has a more-loud-than-not mechanical keyboard and unless you’re typing and speaking, nobody notices either of us.

                                          Sadly it has to be enabled, as it’s not turned on by default.

                                          1. 1

                                            Wow, that was really cool!

                                      2. 9

                                        Back when folks were in the office, I didn’t mind using my mechanical keyboard around others. If they get to talk loudly on the phone, wandering around with wireless headsets, oftentimes about topics that aren’t even vaguely work-related, then they get to listen to my clacking. Seems fair.

                                        1. 7

                                          If everyone thought like that then there would be no peace in the world. Well, maybe there isn’t… but still, I don’t think others acting poorly means you should too.

                                          1. 1

                                            MX Blues might be an exception but I can hear people typing on our work-supplied Logitech keyboards just as well on a mechanical one.

                                            I think it’s more the people who refuse to use headsets but use their laptop mic that grabs every sound in the room…

                                        2. 3

                                          I’m a fan of mechanical keyboards, my first one was a Sun UNIX style buckling spring model with the command and caps lock key functions swapped (so that CTRL is on the home row where it should be for programmers). Still, I think you’re undoubtedly right that they are best for people who work in private offices and non-collaborative work environments instead of open plan offices and people who do a lot of conferencing.

                                          1. 9

                                            Not to be facetious. But that sounds like a problem for management.

                                            If you want to stick me in an open office and then complain that my work is too loud; that’s on you. (Yeah, I know keyboards are a preference but so is working in an open landscape)

                                            1. 5

                                              (Note: writing this comment turned out more aggressive than it ought to be. Rest assured that I have no quarrel with you, I just hate open plans, to the point I’d consider turning down offers over them.)

                                              private offices and non-collaborative work environments instead of open plan offices

                                              I’m not sure I agree with the implication that anything “not open plan” is not collaborative. Like many people here I suddenly started to work remotely these last few months, and the amount of practical collaboration within my own team doesn’t seem to have significantly decreased, despite the higher friction of instant messaging with microphones compared to our shared office. I’ve also worked in an actual open plan office, with over 50 people on the same floor. We collaborated all right, but boy, the noise.

                                              Let’s not kid ourselves, what is so often sold as a way to increase collaboration is mostly cost cutting, surveillance, and showing off. Discovered that last one pretty recently: open plan offices are great at showing the sheer mass of people buzzing & working together to executives and clients. Lots of people at their desk doing whatever hermetic magic technical people do, a couple of groups here and there on a Scrum meeting, or just discussing obscure schematics on a whiteboard, honestly it’s beautiful.

                                              Me, I yearn for a cubicle. I don’t even require a full wall, I just want less noise, less visual distraction, and a wall behind my back. Seriously, leaving your back open to a room full of people you barely know, some of which you may even dislike a little? Nobody wants that. Why do you think the higher ups end up near the corners of the open floor? Why do you think the last hire, juniors, or interns, end up with the one office with their back to the door?

                                              Cubicles however are horrible to show. Everyone looks isolated. You don’t hear as much buzzing activity, the floor is now closer to an oppressive maze than a green field, you don’t see as many faces…

                                              I tried to put up walls on my desk. 90cm tall, some foam to dampen the sound, all around my desk (80cm deep, 180cm wide). Very effective at attenuating the sound, much less distractions. Despite prior authorization to try it out by one of the higher-ups, the first higher-up to actually see it instantly vetoed it. And here’s the thing: one thing they worried about was that everyone would do something similar, and the whole office would start looking like a slum. So they knew on some level that many people might want this. But they were reluctant to give it to them because it wouldn’t look nearly as good.

                                              Lesson learned: outwards appearances are more important than internal well being.

                                          1. 3

                                            I can’t say I get much spam at all, looking at my inbox now I’ve not had any in two weeks. Perhaps I am tempting fate.

                                            I use migadu, their spam filter was too harsh so I had to turn it down.

                                            I know they do greylisting, perhaps that helps with spam.

                                            1. 2

                                              Greylisting stops about 50% of spam for me. Of the spam that gets through, about 75% is directed towards my registrar-specific email address [1].

                                              [1] I used to not bother with the “privacy” tax of my registrar. Now that privacy for registrants email addresses is mandatory, I should change the address I use.

                                            1. 3

                                              This “service” just sends you an email with a calendar event on the day your cert expires. I’m not sure how useful that is. For someone with an already-packed inbox and calendar, I don’t need another thing to have to go and manually check up on.

                                              If we assume that everyone is using automated certificate generating and signing, then I think it would make more sense if this service checked for certificates past a certain age (or a certain number of days before expiration) and emailed only on erroneous conditions. For example, I rotate my certs every 60 days but the certs are valid for 90 days. I would like to get an email for any cert still active at 65 days old, for example.

                                              Actually, I think LE might already do this to some extent.
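
                                              The “alert only on the erroneous condition” check described above, as an added example that is not part of the comment or of any service or CA it mentions. It reads the `notBefore=`/`notAfter=` lines that `openssl x509 -noout -dates -in cert.pem` prints and flags a cert that is still live past the age at which automation should have replaced it. The sample dates are constructed; the 90-day validity, 60-day rotation and 65-day alert threshold are the assumptions stated in the comment.

```python
"""Certificate age/expiry check driven by `openssl x509 -noout -dates` output.

Added example; the dates and thresholds below are constructed to match the
90-day-validity / 60-day-rotation / alert-at-65-days scenario in the comment.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample of `openssl x509 -noout -dates` output for a 90-day cert.
SAMPLE_DATES = """notBefore=Jun  1 00:00:00 2020 GMT
notAfter=Aug 30 00:00:00 2020 GMT
"""

OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"  # e.g. "Jun  1 00:00:00 2020 GMT"


def utc(year, month, day):
    """Small helper so callers can build aware UTC instants."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_openssl_dates(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    fields = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        # openssl prints GMT; strptime accepts it but yields a naive datetime
        parsed = datetime.strptime(value.strip(), OPENSSL_DATE_FMT)
        fields[key.strip()] = parsed.replace(tzinfo=timezone.utc)
    return fields["notBefore"], fields["notAfter"]


def classify(not_before, not_after, now, max_age_days=65, warn_days=7):
    """Decide whether a certificate deserves an alert.

    'expired'          now is past notAfter.
    'rotation-overdue' older than max_age_days: the renewal automation that
                       should already have replaced it has not run.
    'expiring-soon'    fewer than warn_days left (only reached when the age
                       bound is not the tighter one, e.g. short-lived certs).
    'ok'               nothing to report; the only state that should be silent.

    notBefore is not exactly the issuance time: some CAs backdate it a little
    to absorb clock skew, so keep some slack in max_age_days.
    """
    if now >= not_after:
        return "expired"
    age = now - not_before
    remaining = not_after - now
    if age > timedelta(days=max_age_days):
        return "rotation-overdue"
    if remaining < timedelta(days=warn_days):
        return "expiring-soon"
    return "ok"


def check_openssl_output(text, now, **thresholds):
    """Parse openssl's date lines and classify them against `now`."""
    not_before, not_after = parse_openssl_dates(text)
    return classify(not_before, not_after, now, **thresholds)


if __name__ == "__main__":
    for when in (utc(2020, 7, 1), utc(2020, 8, 6), utc(2020, 9, 1)):
        print(when.date(), check_openssl_output(SAMPLE_DATES, when))
```

                                              Run it from cron against each cert you serve and send mail only when the result is not `ok`; with a 90-day cert the age bound trips at 66 days, well before the CA’s own expiry reminder would.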

                                              1. 2

                                                I’m not sure why you quote the word service. It’s a service with a reasonable fee for a reasonable price. If I dabbled in writing this, I’d have a hard time saving money if my time was paid for years.

                                                If the model doesn’t fit, you could reasonably quickly write a probe for your favourite monitoring service if you missed one (I know people that have a nagios probe for all their services and all their third-party services). But this assumes you have a monitoring service at hand.

                                                This is a classic service that makes sense in a small- to midrange setting, possibly in areas where you don’t have full control.

                                                1. 1

                                                  Yeah they email you within a window of expiry, and then every few days until expiry.

                                                  Also, LE’s certbot now sets up a cronjob for you.

                                                  1. 1

                                                    With Let’s Encrypt, I get emails from them a few days out for certs that are going to expire. It’s helpful because if you set up automation to renew every 30 days (for example), then you really only get those emails from LE when the automation has broken for some reason.

                                                  1. 3

                                                    If you like simplicity and open source software, I like GoatCounter

                                                    1. 4

                                                      I run an IRC bouncer as well for me. What’s quite neat is that there is the Palaver app on iOS (costs a bit, but worth it) which has a ZNC module on GitHub that you can load and it gives you push notifications on your phone! I think that’s super neat.

                                                      1. 3

                                                        That’s a clever way to deal with notifications.

                                                        I use znc-push, which does a similar thing but it’s not integrated with an app, so you need a push service to go with it. I use gotify for loads of stuff for this purpose, but not everyone would want this.

                                                      1. 2

                                                        Hopefully this will lead to pfSense integration soon. I know they have been working on it.

                                                        1. 2

                                                          IIRC, pfSense is based on FreeBSD, just utilizing OpenBSD’s pf(4), which has been supported on FreeBSD for quite some time. That to say, I think there is still a fair bit of work to do before you’ll see WireGuard in pfSense.

                                                            1. 2

                                                              Cool, didn’t know that FreeBSD was working on it as well. Thank you for the links!

                                                          1. 4

                                                            The other problem with any devices that use lithium ion batteries (particularly ones that are regularly close to your face like wireless earbuds or headphones), is the potential for the battery to explode. While uncommon, it still happens from time to time. I hope battery tech for a less volatile alternative to lithium ion becomes viable soon.

                                                            Part of the reason I hate wireless stuff is the lack of visibility into what’s going on. I wish there was an easy way to get debug info and statistics on Linux for the WiFi protocol – I can never tell how many frames I’m dropping due to interference or what scans are happening at any point in time. Signal strength is a very poor proxy for any of that information.

                                                            I’ve heard a bunch of bad things about Bluetooth’s complexity too. I’m always suspicious (both for security and freedom) of protocols that aren’t easy to implement without a team of developers and the funding of a large organization.

                                                            1. 6

                                                              To add to your point about batteries, they are environmentally pretty unsound. Slapping them into devices where a wire would work fine (headphones…) is not a trend I want to get behind.

                                                            1. 2

                                                              Not directly related but anyone knows a list of awesome RSS feeds? A bit like the other “awesome” lists.

                                                              1. 13

                                                                I find myself using RSS rather for the non-awesome feeds. The awesome stuff reaches me via lobsters or other aggregator. RSS is necessary for feeds I care for but which are not mainstream enough to be on an awesome list.

                                                                1. 3

                                                                  This is what I have realized as well. In this way, I have 100s of feeds which I don’t even see in a month. But, when I want to narrow my sources to something specific I am working on, then I could just go back to the mountain of feeds with relevant information.

                                                                  1. 1

                                                                    Good idea. Thanks!

                                                                  2. 3

                                                                    RSS is probably too personal, but there is this website where people have added their own personal sites.

                                                                    1. 3

                                                                      https://github.com/learn-anything/blogs contains lots of blogs that have RSS feeds

                                                                      1. 3

                                                                        One good source I recently found on hn is https://reddit.com/r/hnblogs/. You can append .rss to this URL as well: https://www.reddit.com/r/hnblogs.rss

                                                                        1. 2

                                                                          For all the (mostly warranted) excitement around static site generators, this is a bit of a downside: RSS tends to be left out.

                                                                          1. 6

                                                                            Really?! That’s disappointing.

                                                                            I mean, if your SSG is generating a generic site, that’s fine I guess, but in my experience most people want to use them as blogs, and a blog without RSS/Atom is a travesty of the term, in my arrogant opinion.

                                                                            1. 2

                                                                              Not so arrogant, I agree. Or maybe that means we both are.

                                                                              1. 9

                                                                                I’m prepared to die on the hill that a blog without syndication is not a blog.

                                                                                1. 2

                                                                                  Right beside you, brother. 💪🏾

                                                                              2. 2

                                                                                The default template for Jekyll has an RSS feed, if it’s any help.

                                                                          1. 4

                                                                            I’m still a big XMPP+OMEMO fan but I feel like the writing’s on the wall for it sadly.

                                                                            1. 1

                                                                              XMPP + OMEMO is great, but the problem is that many of the XMPP clients are not stable enough and do not support E2EE on by default for private conversations. XMPP clients do not use E2EE for VOIP related features either.

                                                                              1. 3

                                                                                Yeah you are right.

                                                                                The problem with Riot/Matrix for me is that the mobile app absolutely kills battery life, whereas Conversations is great on that front. Again, that will likely be solved, striking another blow to XMPP.

                                                                                1. 1

                                                                                  Conversations is the exception, however when it’s solved there will be little purpose for XMPP.

                                                                            1. 32

                                                                              There’s a reason reddit can’t seem to kill old.reddit.com - it’s a better version of the site imho.

                                                                              1. 19

                                                                                “Better”, if anything, wildly understates the degree to which the new reddit is an unusable hash. Like some sort of greatest hits list of all the terrible ideas professional web nerds have had since reddit’s original interface was designed.

                                                                                1. 5

                                                                                  Every now and then I bounce back to it to see if it’s any good, and it seems to get worse. It is borderline unusable.

                                                                              1. 27

                                                                                It’s worth linking to A&A’s (a British ISP) response to this: https://www.aa.net.uk/etc/news/bgp-and-rpki/

                                                                                1. 16

                                                                                  Our (Cloudflare’s) director of networking responded to that on Twitter: https://twitter.com/Jerome_UZ/status/1251511454403969026

                                                                                  there’s a lot of nonsense in this post. First, blocking our route statically to avoid receiving inquiries from customers is a terrible approach to the problem. Secondly, using the pandemic as an excuse to do nothing, when precisely the Internet needs to be more secure than ever. And finally, saying it’s too complicated when a much larger network than them like GTT is deploying RPKI on their customers sessions as we speak. I’m baffled.

                                                                                  (And a long heated debate followed that.)

                                                                                  A&A’s response on the one hand made sense - they might have fewer staff available - but on the other hand RPKI isn’t new and Cloudflare has been pushing carriers towards it for over a year, and route leaks still happen.

                                                                                  Personally as an A&A customer I was disappointed by their response, and even more so by their GM and the official Twitter account “liking” some very inflammatory remarks (“cloudflare are knobs” was one, I believe). Very unprofessional.

                                                                                  1. 15

                                                                                    Hmm… I do appreciate the point that route signing means a court can order routes to be shut down, in a way that wouldn’t have been as easy to enforce without RPKI.

                                                                                    I think it’s essentially true that this is CloudFlare pushing its own solution, which may not be the best. I admire the strategy of making a grassroots appeal, but I wonder how many people participating in it realize that it’s coming from a corporation which cannot be called a neutral party?

                                                                                    I very much believe that some form of security enhancement to BGP is necessary, but I worry a lot about a trend I see towards the Internet becoming fragmented by country, and I’m not sure it’s in the best interests of humanity to build a technology that accelerates that trend. I would like to understand more about RPKI, what it implies for those concerns, and what alternatives might be possible. Something this important should be a matter of public debate; it shouldn’t just be decided by one company aggressively pushing its solution.

                                                                                    1. 4

                                                                                      This has been my problem with a few other instances of corporate messaging. Cloudflare and Google are giant players that control vast swathes of the internet, and they should be looked at with some suspicion when they pose as simply supporting consumers.

                                                                                      1. 2

                                                                                        Yes. That is correct: trust needs to be earned. During the years I worked on privacy at Google, I liked to remind my colleagues of this. It’s easy to forget it when you’re inside an organization like that, and surrounded by people who share not only your background knowledge but also your biases.

                                                                                    2. 9

                                                                                      While the timing might not have been the best, I would overall be on Cloudflare’s side on this. When would the right time to release this be? If Cloudflare had waited another 6-12 months, I would expect them to release a pretty much identical response then as well. And I seriously doubt that their actual actions and their associated risks would actually be different.

                                                                                      And as ISPs keep showing over and over, statements like “we do plan to implement RPKI, with caution, but have no ETA yet” all too often mean that nothing will ever happen without efforts like what Cloudflare is doing here.


                                                                                      Additionally,

                                                                                      If we simply filtered invalid routes that we get from transit it is too late and the route is blocked. This is marginally better than routing to somewhere else (some attacker) but it still means a black hole in the Internet. So we need our transit providers sending only valid routes, and if they are doing that we suddenly need to do very little.

                                                                                      Is some really suspicious reasoning to me. I would say that black hole routing the bogus networks is in every instance significantly rather than marginally better than just hoping that someone reports it to them so that they can then resolve it manually.

                                                                                      Their transit providers should certainly be better at this, but that doesn’t remove any responsibility from the ISPs. Mistakes will always happen, which is why we need defense in depth.

                                                                                      1. 6

                                                                                        Their argument is a bit weak in my personal opinion. The reason in isolation makes sense: We want to uphold network reliability during a time when folks need internet access the most. I don’t think anyone can argue with that; we all want that!

                                                                                        However they use it to excuse not doing anything, where they are actually in a situation where not implementing RPKI and implementing RPKI can both reduce network reliability.

                                                                                        If you DO NOT implement RPKI, you allow route leaks to continue happening and reduce the reliability of other networks and maybe yours.

                                                                                        If you DO implement RPKI, sure there is a risk that something goes wrong during the change/rollout of RPKI and network reliability suffers.

                                                                                        So, with all things being equal, I would choose to implement RPKI, because at least with that option I would have greater control over whether or not the network will be reliable. Whereas in the situation of NOT implementing, you’re just subject to everyone else’s misconfigured routers.

                                                                                        Disclosure: Current Cloudflare employee/engineer, but opinions are my own, not my employer’s; also not a network engineer, hopefully my comment does not have any glaring ignorance.

                                                                                        1. 4

                                                                                          Agreed. A&A does have a point regarding Cloudflare’s argumentum in terrorem, especially the name and shame “strategy” via their website as well as twitter. Personally, I think it is a dick move. This is the kind of stuff you get as a result:

                                                                                          This website shows that @VodafoneUK are still using a very old routing method called Border Gateway Protocol (BGP). Possible many other ISP’s in the UK are doing the same.

                                                                                          1. 1

                                                                                            I’m sure the team would be happy to take feedback on better wording.

                                                                                            The website is open sourced: https://github.com/cloudflare/isbgpsafeyet.com

                                                                                            1. 1

                                                                                              The website is open sourced: […]

                                                                                              There’s no open source license in sight so no, it is not open sourced. You, like many other people, confuse and/or conflate anything being made available on GitHub as being open source. This is not the case - without an associated license (and please don’t use a viral one - we’ve got enough of that already!), the code posted there doesn’t automatically become public domain. As it stands, we can see the code, and that’s that!

                                                                                              1. 7

                                                                                                There’s no open source license in sight so no, it is not open sourced.

                                                                                                This is probably a genuine mistake. We never make projects open until they’ve been vetted and appropriately licensed. I’ll raise that internally.

                                                                                                You, like many other people confuse and/or conflate anything being made available on GitHub as being open source.

                                                                                                You are aggressively assuming malice or stupidity. Please don’t do that. I am quite sure this is just a mistake; nevertheless, I will ask internally.

                                                                                                1. 1

                                                                                                  There’s no open source license in sight so no, it is not open sourced.

                                                                                                  This is probably a genuine mistake. We never make projects open until they’ve been vetted and appropriately licensed.

                                                                                                  I don’t care either way - not everything has to be open source everywhere, i.e. a website. I was merely stating a fact - nothing else.

                                                                                                  You are aggressively […]

                                                                                                  Not sure why you would assume that.

                                                                                                  […] assuming malice or stupidity.

                                                                                                  Neither - ignorance at most. Again, this is purely a statement of a fact - no more, no less. Most people know very little about open source and/or nothing about licenses. Otherwise, GitHub would not have bothered creating https://choosealicense.com/ - which itself doesn’t help the situation much.

                                                                                                2. 1

                                                                                                  It’s true that there’s no license so it’s not technically open-source. That being said I think @jamesog’s overall point is still valid: they do seem to be accepting pull requests, so they may well be happy to take feedback on the wording.

                                                                                                  Edit: actually, it looks like they list the license as MIT in their package.json. Although given that there’s also a CloudFlare copyright embedded in the index.html, I’m not quite sure what to make of it.

                                                                                                  1. -1

                                                                                                    If part of your (dis)service is to publicly name and shame ISPs, then I very much doubt it.

                                                                                          2. 2

                                                                                            While I think that this is ultimately a shit response, I’d like to see a more well-wrought criticism about the centralized signing authority that they mentioned briefly in this article. I’m trying to find more, but I’m not entirely sure of the best places to look given my relative naïveté of BGP.

                                                                                            1. 4

                                                                                              So as a short recap, IANA is the top level organization that oversees the assignment of e.g. IP addresses. IANA then delegates large IP blocks to the five Regional Internet Registries, AFRINIC, APNIC, ARIN, LACNIC, and RIPE NCC. These RIRs then further assign IP blocks to LIRs, which in most cases are the “end users” of those IP blocks.

                                                                                              Each of those RIRs maintains an RPKI root certificate. These root certificates are then used to issue certificates to LIRs that specify which IPs and ASNs that LIR is allowed to manage routes for. Those LIR certificates are then used to sign statements that specify which ASNs are allowed to announce routes for the IPs that the LIR manages.

                                                                                              So their stated worry is then that the government in the country in which the RIR is based might order the RIR to revoke a LIR’s RPKI certificate.


                                                                                              This might be a valid concern, but if it is actually plausible, wouldn’t that same government already be using the same strategy to get the RIR to just revoke the IP block assignment for the LIR, and then compel the relevant ISPs to black hole route it?

                                                                                              And if anything this feels even more likely to happen, and be more legally viable, since it could target a specific IP assignment, whereas revoking the RPKI certificate would make the ROAs of all of the LIR’s IP blocks invalid.
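The signed statements described in the recap above are Route Origin Authorizations (ROAs), and the “filtering invalid routes” that A&A’s quoted reasoning discusses further up the thread is Route Origin Validation as specified in RFC 6811. The following is an added example (not code from the thread, from Cloudflare, or from A&A) that implements that classification over a small constructed ROA set: an announcement is “not-found” when no ROA covers it, “valid” when a covering ROA names the announced origin AS and permits that prefix length, and “invalid” otherwise. The prefixes and ASNs are documentation ranges (RFC 5737, RFC 3849, RFC 5398), so nothing here refers to a real network; the `accept` policy is the common one of dropping only invalids, which is what lets a more-specific hijack or a wrong-origin leak be filtered without blackholing space that simply has no ROA yet.

```python
"""Route Origin Validation (RFC 6811) over a constructed set of ROAs.

Added example, not part of the thread. The prefixes and ASNs below are
documentation ranges (RFC 5737, RFC 3849, RFC 5398), not real networks.
"""
from dataclasses import dataclass
from ipaddress import ip_network, IPv4Network, IPv6Network
from typing import Iterable, List, Optional, Union

Net = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: 'asn may originate prefix, down to max_length'."""
    prefix: Net
    max_length: int
    asn: int


def make_roa(prefix: str, asn: int, max_length: Optional[int] = None) -> ROA:
    """Build a ROA; max_length defaults to the prefix length (no more-specifics allowed)."""
    net = ip_network(prefix)
    return ROA(net, net.prefixlen if max_length is None else max_length, asn)


def validate(prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Classify an announcement as 'valid', 'invalid' or 'not-found' (RFC 6811 section 2)."""
    net = ip_network(prefix)
    # A ROA "covers" the announcement when its prefix contains the announced prefix.
    covering = [r for r in roas
                if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return "not-found"          # no ROA says anything about this address space
    for r in covering:
        # A match needs the right origin AS *and* a prefix no longer than maxLength.
        if r.asn == origin_asn and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"                # covered, but wrong origin or too specific


def accept(prefix: str, origin_asn: int, roas: Iterable[ROA]) -> bool:
    """The usual filter policy: drop 'invalid', accept 'valid' and 'not-found'."""
    return validate(prefix, origin_asn, roas) != "invalid"


# Constructed ROAs, standing in for what an RIR's trust anchor would yield.
ROAS: List[ROA] = [
    make_roa("192.0.2.0/24", 64496),                     # exact prefix only
    make_roa("198.51.100.0/24", 64497, max_length=25),   # /24 or /25 allowed
    make_roa("2001:db8::/32", 64496, max_length=48),
]

if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                     ("192.0.2.0/24", 64500), ("203.0.113.0/24", 64496),
                     ("198.51.100.128/25", 64497), ("2001:db8:1::/48", 64496)]:
        print(f"{pfx:>20} AS{asn}: {validate(pfx, asn, ROAS)}")
```

The `192.0.2.0/25` case is the one worth noticing: the origin AS is correct, but the ROA’s maxLength is 24, so the more-specific announcement is invalid. That is the leak-by-more-specific pattern RPKI is meant to catch, and it is also why operators are told to keep maxLength tight rather than authorising a wide range of lengths.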

                                                                                              1. 1

                                                                                                Thanks for the explanation! That helps a ton to clear things up for me, and I see how it’s not so much a valid concern.

                                                                                            2. 1

                                                                                              I get a ‘success’ message using AAISP - did something change?

                                                                                              1. 1

                                                                                                They are explicitly dropping the Cloudflare route that is being checked.

                                                                                            1. 17

                                                                                              I find the name “static site generator” kind of subconsciously promotes the idea of this just being all about some static files that move from here to there. What they usually come with though is a super complicated, fragile, and regularly updating toolchain that puts at risk your ability to generate the static part that was supposed to be simple. We have a couple “static” sites that are almost impossible to update now because the tooling that generates them is no longer being maintained, so it’s harder and harder to run that tooling successfully. They don’t feel like “static” sites very much anymore.

                                                                                              1. 5

                                                                                                I agree with you on this, but surely these issues can happen to any CMS.

                                                                                                1. 1

                                                                                                  If the generation code is exercised on every web page visit it’s likely to degrade much more slowly than if it’s only exercised when there’s new content.

                                                                                                2. 3

                                                                                                  You’re not the first person I’ve heard say that. I know a few people who spend an inordinate amount of time administering issues on their static sites.

                                                                                                  1. 1

                                                                                                    so it’s harder and harder to run that tooling successfully.

                                                                                                    This gets easier if your tooling isn’t on a platform that gets old.

                                                                                                    My static site generator is written in Clojure. Last commit, 2015. Going strong, no changes necessary to run it today.

                                                                                                  1. 1

                                                                                                    I love this sort of thing. Well done!

                                                                                                    1. 2

                                                                                                      Perhaps I’m missing something, but I don’t like doing TOTP on the same device that my passwords are stored on.

                                                                                                      1. 2

                                                                                                        You can also do this on another device, e.g. a RPi whose only job is to generate TOTP tokens.

                                                                                                        1. 1

                                                                                                          I know some people think it defeats the purpose, but I consider the threat level of “someone can access arbitrary content in my password manager” higher than “someone can access any account I use TOTP on”.

                                                                                                          What it does prevent is someone on the network and/or on the other end from sniffing all of the credentials (it would also be the case if the system used a digest-based authentication method).

                                                                                                          Also, my phone is much easier to steal or hack into than any device I have a copy of my (encrypted) password store on.
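The two comments above turn on where the TOTP secret lives, and on what a TOTP code does and does not protect against. The following is an added example (not from the thread) of RFC 4226 HOTP and RFC 6238 TOTP with a verifier that accepts a bounded time window; the secret is the RFC test-vector key, used only so the output can be checked against the RFC tables. Two things fall out of reading it: whichever device holds `secret` can compute every future code, which is the whole of the “same device as the password manager” question, and a code captured off the wire is only accepted while the server’s step index stays within `window` of the step it was minted for, which is the replay-limiting property the second comment describes.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP with a windowed verifier.

Added example, not part of the thread. RFC_SECRET is the shared test-vector
key from both RFCs, used here so results can be checked against the RFC tables.
"""
import hashlib
import hmac
import struct
import time
from typing import Callable


def hotp(secret: bytes, counter: int, digits: int = 6,
         algo: Callable = hashlib.sha1) -> str:
    """HOTP(K, C): HMAC over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6,
         algo: Callable = hashlib.sha1) -> str:
    """TOTP is HOTP with the counter derived from Unix time: T = floor(at / step)."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, candidate: str, at: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept a code for the current step or up to `window` steps either side.

    compare_digest keeps the string comparison constant-time. The window is what
    bounds replay: a code minted for step T is refused once the verifier's own
    step index is more than `window` past T.
    """
    candidate = candidate.strip()
    for k in range(-window, window + 1):
        expected = totp(secret, at + k * step, step, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


RFC_SECRET = b"12345678901234567890"  # test-vector key shared by RFC 4226 and RFC 6238

if __name__ == "__main__":
    now = int(time.time())
    print("code for now:", totp(RFC_SECRET, now))
    print("RFC 6238 vector, T=59, 8 digits:", totp(RFC_SECRET, 59, digits=8))
```

A production verifier adds one thing this block leaves out: it remembers the last step index it accepted for the account and refuses a second use of the same or an earlier step, so a code observed in transit cannot be replayed even inside the window.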