1. 8

    As a European, I don’t quite get it: Americans seem to be concerned with net neutrality, meanwhile not protesting huge monopolistic corporations (the gatekeepers) removing some controversial users on their own judgement and with no way to appeal. Are individuals excluded from net neutrality?

    1. 16

      I’m not very familiar with the legal details, but I assume the distinction is general access to the internet being considered a utility, while access to platforms being considered something like a privilege. E.g. roads shouldn’t discriminate based on destination, but that doesn’t mean the destination has to let you in.

      edit: As to why Americans don’t seem as concerned with it (which I realize I didn’t address): I think most people see it as a place, like a restaurant. You can be kicked out if you are violating policies or otherwise disrupting their business, which can include making other patrons uncomfortable. Of course there are limits, which is why we have anti-discrimination laws.

      1. 1

        Well, they’re also private, for-profit companies that legally own and sell the lines. So, there’s another political angle where people might vote against the regulations under the theory that government shouldn’t dictate how you run your business or use your property, esp. if it costs you money. Under the theory of benefiting owners and shareholders, these companies are legal entities specifically created to generate as much profit from those lines as possible. If you don’t like it, build and sell your own lines. That’s what they’d say.

        They don’t realize how hard it is to deploy an ISP on a shoe-string budget to areas where existing players already paid off the expensive part of the investment, can undercut you into bankruptcy, and (per people claiming to be ISP founders on Hacker News) will even cut competitors’ lines “accidentally” so their own customers leave them. In the last case, it’s hard to file and win a lawsuit if you just lost all your revenue and opponent has over a billion in the bank. They all just quit.

        1. 1

          Do you have the source for these claims regarding ISPs?

          1. 1

            Which ones?

            1. 2

              …existing players … (per people claiming to be ISP founders on Hacker News) will even cut competitors’ lines “accidentally” so their own customers leave them.

              1. 2

                One of them described a situation with a contracted construction crew where the guy doing the digging didn’t speak English well. They were supposedly digging for the incumbent but dug through his line. He said he pointed out that it was clearly marked with paint or something. The operator claimed he thought that meant there wasn’t a line there.

                That’s a crew that does stuff in that area for a living not knowing what a line mark means. So, he figured they did it on purpose. He folded since he couldn’t afford to sue them. Another mentioned them unplugging their lines in exchanges or something that made their service appear unreliable. Like the rest, they’d have to spend money they didn’t have on lawyers who’d have to prove (a) it happened and/or (b) it was intentional.

      2. 11

        The landmark case in the United States is throttling of Netflix by Comcast. Essentially, Comcast held Netflix customers hostage until Netflix paid (which they did).

        It’s important to understand that many providers (Comcast, AT&T) also own the channels (NBC, CNN, respectively). They have an interest in charging less for their own and their partners’ content, and more for their competitors’ content, while colluding to raise prices across the board (which they have done in the past with television and telephone service).

        Collectively, they all have an interest in preventing new entrants to the market. The fear is that big players (Google, Amazon) will be able to negotiate deals (though they’d probably prefer not to), and new or free technologies (like PeerTube) will get choked out.

        Net neutrality is somewhere where the American attitude towards corporations being able to do whatever to their customers conflicts with the American attitude that new companies and services must be able to compete in the marketplace.

        You’re right to observe that individuals don’t really enter into it, except that lots of companies are pushing media campaigns to sway public opinion towards their own interests. You’re seeing those media campaigns leaking out.
        Switching to the individual perspective.

        I just don’t want to pay more for the same service. In living memory Americans have seen their gigantic monopolistic telecommunications company get broken up, and seen prices for services drop 100 fold; more or less as a direct consequence of that action.

        As other posts have noted, the ISP situation in the US is already pretty dire unless you’re a business. Internet providers charge whatever they can get away with and have done an efficient job of ensuring customers don’t have alternatives. Telephone service got regulated, but internet service did not.

        Re-reading your post after diving on this one… We’re not really concerned about the same gatekeepers. I don’t think any American would be overly upset to see players like Amazon, Facebook, Google, Twitter, and Netflix go away and I wouldn’t be surprised to see one or more of those guys implode as long as they don’t get access to too much of the infrastructure.

        1. 4

          Right-leaning US Citizen here. I’ll attempt to answer this as best as I can.

          Net neutrality is being pushed by the media because it “fights discrimination”, and they blame the “fascist, nazi right” for its repeal (and they’re correct, except for the “fascist, nazi” bit). But without net neutrality, the ISPs still have an incentive to provide equal service, because otherwise they’ll lose customers (for obvious reasons).

          I can’t speak to why open-source advocates are also pushing for net neutrality, because (in my opinion) the government shouldn’t be involved in how much internet costs. I do remember this article was moderately interesting, saying that the majority of root DNS servers are run by US companies. But, that doesn’t really faze me. As soon as people start censoring, they get backlash whether the media covers it or not.

          Side note, the reason you don’t see the protests against the “gatekeepers” is that most of the mainstream media isn’t accurately covering the reaction of the people to the censorship. I bet you didn’t know that InfoWars was the #1 news app with 5 stars on the Apple app store within a couple of weeks of them getting banned from Facebook, etc. I don’t really have any opinion about Alex Jones (lots of people on the right don’t agree with him), but you can bet I downloaded his app when I found out he got banned.

          P.S. I assumed that InfoWars was what you were referring to when you said “removing some controversial users”.

          P.P.S. I just checked the app store again, and it’s down to #20 in news, but still has 5 stars.

          1. 34

            But without net neutrality, the ISPs still have an incentive to provide equal service, because otherwise they’ll lose customers (for obvious reasons).

            I think this is too optimistic. I live in Chicago, the third biggest city in the country and arguably the tech hub of the midwest. In my building I get to choose between AT&T and Comcast. I’m considered lucky: most of my friends in the city get one option, period. If their ISP starts doing anything shady they don’t have an option to switch, because there’s nobody they can switch to.

            1. 16

              I think this is too optimistic. I live in Chicago, the third biggest city in the country and arguably the tech hub of the midwest. In my building I get to choose between AT&T and Comcast. I’m considered lucky: most of my friends in the city get one option, period. If their ISP starts doing anything shady they don’t have an option to switch, because there’s nobody they can switch to.

              It’s interesting to contrast this to New Zealand, where I live in a town of 50,000 people and have at least 5 ISPs I can choose from. I currently pay $100 NZ a month for an unlimited gigabit fibre connection, and can hit ~600 mbit from my laptop on a speed test. The NZ government has intervened heavily in the market, effectively forcing the former monopolist (Telecom) to split into separate infrastructure (Chorus) and services (Telecom) companies, and spending a lot of taxpayer money to roll out a nationwide fibre network. The ISPs compete on the infrastructure owned by Chorus. There isn’t drastic competition on prices: most plans are within $10-15 of each other, on a per month basis, but since fibre rolled out plans seem to have come down from around $135 per month to now around $100.

              I was lucky to have decent internet through a local ISP when I lived in one of Oakland’s handful of apartment buildings, but most people wouldn’t have had that option. I think the ISP picture is a lot better in NZ. Also, net neutrality is a non-issue, as far as I know. We have it, no-one seems to be trying to take it away.

              1. 14

                I’m always irritated that there are policies decried in the United States as “impossible” when there are demonstrable implementations of it elsewhere.

                I can see it being argued that the United States’s way is better or something, but there are these hyperbolic attacks on universal health care, net neutrality, workers’ rights, secure elections, etc that imply that they are simply impossible to implement when there are literally dozens of counterexamples…

                1. 5

                  At the risk of getting far too far off topic.

                  One of the members of the board at AT&T was the CEO of an insurance company, someone sits on the boards of both Comcast/NBC and American Beverages. The head of the FCC was high up at Verizon.

                  These are some obvious, verifiable, connections based in personal interest. Not implying that it’s wrong or any of those individuals are doing anything which is wrong, you’ve just gotta take these ‘hyperbolic attacks’ with a grain of salt.

                    1. 2
                  1. 4

                    Oh yeah, it’s infuriating. It helps to hit them with examples. Tell them the media doesn’t talk about them since they’re all pushing something. We all know that broad statement is true. Then, briefly tell them the problems that we’re trying to solve with some goals we’re balancing. Make sure it’s their problems and goals. Then, mention the solution that worked elsewhere which might work here. If it might not fit everyone, point out that we can deploy it in such a way where its specifics are tailored more to each group. Even if it can’t work totally, maybe point out that it has more cost-benefit than the current situation. Emphasize that it gets us closer to the goal until someone can figure out how to close the remaining gap. Add that it might even take totally different solutions to address other issues like solving big city vs rural Internet. If it worked and has better cost-benefit, then we should totally vote for it to do better than we’re doing. Depending on audience, you can add that we can’t have (country here) doing better than us since “This is America!” to foster some competitive, patriotic spirit.

                    That’s what I’ve been doing as part of my research talking to people and bouncing messages off them. I’m not any good at mass marketing, outreach or anything. I’ve just found that method works really well. You can even be honest since the other side is more full of shit than us on a lot of these issues. I mean, them saying it can’t exist vs working implementations should be an advantage for us. Should. ;)

                    1. 3

                      Beautifully said.

                      My family’s been in this country since the Mayflower. I love it dearly.

                      Loving something means making it better and fixing its flaws, not ignoring them.

                      1. 2

                        Thanks and yes. I did think about leaving for a place maybe more like my views. That last thing you said is why I’m still here. If we fix it, America won’t be “great again:” it would be fucking awesome. If not for us, then for the young people we’re wanting to be able to experience that. That’s why I’m still here.

                2. 5

                  arguably the tech hub of the midwest.

                  Only if you can’t find Austin on a map… ;)

                  1. 11

                    Native Texan/Austinite here. Texas is the South, Southwest, or just Texas. All the rest of y’all are just Yankees. ;)

                  2. 1

                    But if their ISP starts doing anything shady, they’ll surely get some backlash, even if they can’t switch they can complain.

                    1. 9

                      They’ve been complaining for decades. Nothing happens most of the time. The ISPs have many lobbyists and lawyers to insulate them from that. The big ones are all doing the same abusive practices, too. So, you can’t switch to get away from it.

                      Busting up AT&T’s monopoly got results in lower costs, better service, better speeds, etc. Net neutrality got more results. I support more regulation of these companies and/or socialized investment to replace them like the gigabit for $350/mo in Chattanooga, TN. It’s 10Gbps now I think but I don’t know what price.

                      Actually, I go further due to their constant abuses and bribing politicians: I’m for having a court seize their assets, converting them to nonprofits, and putting new management in charge. If at all possible. It would send a message to other companies that think they can do damage to consumers and mislead regulators with immunity to consequences.

                        1. 6

                          What incentive does the ISP have to change? Unless you can complain to some higher authority (FCC, perhaps) then there is no reason for the ISP to make any changes even with backlash. I’d be more incentivized to complain if there was at least some competition.

                      1. 30

                        Net neutrality is being pushed by the media because it “fights discrimination”, and they blame the “fascist, nazi right” for it’s repeal

                        Nobody says this. It’s being pushed because it prevents large corporations from locking out smaller players. The Internet is a great economic equalizer: I can start a business and put a website up and I’m just as visible and accessible as Microsoft.

                        We don’t want Microsoft to be able to pay AT&T to slow traffic to my website but not theirs. It breaks the free market by allowing collusion that can’t be easily overcome. It’s like the telephone network; I can’t go run wires to everyone’s house, but I want my customers to be able to call me. I don’t want my competitors to pay AT&T to make it harder to call me than to call them.

                        But without net neutrality, the ISPs still have an incentive to provide equal service, because otherwise they’ll lose customers (for obvious reasons).

                        That assumes people have a choice. They very often don’t. Internet service has a massively high barrier to entry, similar to a public utility. Most markets in the United States have at most two providers (both major corporations opposed to net neutrality). Very, very rarely is there a third.

                        More importantly, there are only five tier-1 networks in the United States. Five. It doesn’t matter how many local ISPs there are; without Net Neutrality, five corporations effectively control what can and can’t be transmitted. If those five decide something should be slowed down or forbidden, there is nothing I can do. Changing to a different provider won’t do a thing.

                        (And of those five, all of them donate significantly more to one major political party than the other, and the former Associate General Counsel of one of them is currently chairman of the FCC…)

                        I can’t speak to why open-source advocates are also pushing for net neutrality, because (in my opinion) the government shouldn’t be involved in how much internet costs.

                        Net neutrality says nothing about how much it costs. It just says you can’t charge different amounts based on content. It would be like television stations charging more money to Republican candidates to run ads than to Democratic candidates. They’re free to charge whatever they want; they’re not free to charge different people different amounts based on the content of the message.

                        Democracy requires communication. It does no good to say “freedom!” if the major corporations can effectively silence whoever they want. “At least it’s not the government” is not a good defense of stifling public debate.

                        And there’s a difference between a newspaper and a television/radio station/internet service. I can buy a printing press and make a newspaper and refuse to carry whatever I want. There are no practical limits to the number of printing presses in the country.

                        There is a limited electromagnetic spectrum. Not just anyone can broadcast a TV signal. There is a limit to how many cables can be run on utility poles or buried underground. Therefore, discourse carried over those media is required to operate more in the public trust than others. As they become more essential to a healthy democracy, that only becomes more important. It’s silly to say “you still have freedom of speech” if you’re blocked from television, radio, the Internet, and so on. Those are the public forums of our day. That a corporation is doing the blocking doesn’t make it any better than if the government were to do it.

                        Side note, the reason you don’t see the protests against the “gatekeepers” is that most of the mainstream media isn’t accurately covering the reaction of the people to the censorship.

                        There’s a big difference between Twitter not wanting to carry Alex Jones and net neutrality. Jones is still free to go start up a website that carries his message; with Net Neutrality not only could he be blocked from Twitter, but the network itself could make his website inaccessible.

                        There is no alternative with Net Neutrality. You can’t build your own Internet. Without mandating equal treatment of traffic, we hand the Internet over solely to the big players. Preventing monopolistic and oligarchic control of public discourse is a valid use of government power. It’s not censorship, it’s the exact opposite.

                        1. 7

                          That assumes people have a choice. They very often don’t.

                          This was also brought up by @hwayne, @caleb and @friendlysock, and is not something that occurred to me. I appreciate all who are mentioning this.

                          More importantly, there are only five tier-1 networks in the United States.

                          Wow, I did not know that. I can see that as a legitimate reason to want net neutrality. But, I also think that they’ll piss off a lot of people if they can stream CNN but not InfoWars.

                          It just says you can’t charge different amounts based on content.

                          I understood it to also mean that you also couldn’t charge customers differently because of who they are. Also, don’t things like Tor mitigate things like that?

                          “At least it’s not the government” is not a good defense of stifling public debate.

                          I completely agree. But in the US we have a free market (at least, we used to) and that means that the government is supposed to stay out of it as much as possible.

                          Preventing monopolistic and oligarchic control of public discourse is a valid use of government power.

                          I also agree. But these corporations (the tier-1 ISPs) haven’t done anything noticeable to me to limit my enjoyment of conservative content, and I’m pretty sure that they would’ve by now if they wanted to.

                          The reason I oppose net neutrality is more because I don’t think that the government should control it, any more than I think AT&T and others should.

                          not only could he be blocked from Twitter, but the network itself could make his website inaccessible.

                          But they haven’t.

                          edit: how -> who

                        2. 6

                          Even though I’m favoring net neutrality, I appreciate you braving the conservative position on this here on Lobsters. I did listen to a lot of them. What I found is most had reasonable arguments but had no idea about what ISPs did, are doing, are themselves paying Tier 1s, etc. Their media sources’ bias (all have bias) favoring ISPs for some reason didn’t tell them any of it. So, even if they’d have agreed with us (maybe, maybe not), they’d have never reached those conclusions since they were missing crucial information to reflect on when choosing to regulate or not regulate.

                          An example is one telling me companies like Netflix should pay more to Comcast per GB or whatever since they used more. The guy didn’t know Comcast refuses to do that when paying Tier 1s, negotiating transit agreements instead that work entirely differently. He didn’t know AT&T refused to give telephones or data lines to rural areas even if they were willing to pay what others did. He didn’t know they could roll out gigabit today for the same prices but intentionally kept his service slow to increase profit, knowing he couldn’t switch for speed. He wasn’t aware of most of the abuses they were doing. He still stayed with his position since that guy in particular went heavily with his favorite media folks. However, he didn’t like any of that stuff, which his outlets never even told him about. Even if he disagrees, I think he should disagree based on an informed decision if possible, since there are plenty of smart conservatives out there who might even favor net neutrality if there’s no better alternative. I gave him a chance to do that.

                          So, I’m going to give you this comment by @lorddimwit quickly showing how they ignored the demand to maximize profit, this comment by @dotmacro showing some abuses they do with their market control, and this article that gives a nice history of what the free market did with each communications medium with the damage that resulted. Also note that the Internet itself was an open, free-if-you-have-a-wire system that competed with the proprietary, charge-per-use, lock-them-in-forever-if-possible systems the private sector was offering. It smashed them so hard you might have even never heard of them or forgotten a lot about them depending on your age. It also democratized more goods than about anything other than maybe transportation. Probably should stick with the principles that made that happen to keep innovation rolling. Net neutrality was one of them that was practiced informally at first, then put into law as the private sector got too much power and was abusing it. We should keep doing what worked instead of the practices ISPs want that didn’t work but will increase their profits at our expense for nothing in return. That is what they want: give us less or as little improvement in every way over time while charging us more. It’s what they’re already doing.

                          1. 2

                            I read the comments, and I read most of the freecodecamp article.

                            I like the ideal of the internet being a public utility, but I don’t really want the government to have that much control.

                            I think the real problem I have with government control of the internet is that I don’t want the US to end up like China with large swaths of the internet completely blocked.

                            I don’t really know how to solve our current problems. But, like @jfb said elsewhere in this thread, I don’t think that net neutrality is the best possible solution.

                            1. 2

                              Also note that the Internet itself was an open, free-if-you-have-a-wire system that competed with the proprietary, charge-per-use, lock-them-in-forever-if-possible systems the private sector was offering. It smashed them so hard you might have even never heard of them or forgotten a lot about them depending on your age.

                              I might recognize a name, but I probably wasn’t even around yet.

                              So, I’m going to give you…

                              Thanks for the info, I’ll read it and possibly form a new opinion.

                            2. 5

                              But without net neutrality, the ISPs still have an incentive to provide equal service, because otherwise they’ll lose customers (for obvious reasons).

                              What obvious reasons? Because customers will switch providers if they don’t treat all traffic equally? That would require (a) users are able to tell if a provider prioritizes certain traffic, and (b) that there is a viable alternative to switch to. I have no confidence in either.

                              1. 1

                                I don’t personally care if they prioritize certain websites, but I sure as hell care if they block something.

                                As far as I’m concerned, they can slow down Youtube by 10% for conservative channels and I wouldn’t give a damn even though I watch and enjoy some. What really bothers me is when they “erase” somebody or block people from getting to them.

                                1. 4

                                  well you did say they have an incentive to provide “equal service” so i guess you meant something else. net neutrality supporters like me aren’t satisfied with “nobody gets blocked,” because throttling certain addresses gives big corporations more tools to control media consumption, and throttling has similar effects to blocking in the long term. i’m quite surprised that you’d be fine with your ISP slowing down content you like by 10%… that would adversely affect their popularity compared to the competitors that your ISP deems acceptable, and certain channels would go from struggling to broke and be forced to close down.

                                  1. 1

                                    Well, I have pretty fast internet, so 10% wouldn’t be terrible for me. However, I can see how some people would take issue with such a slowdown.

                                    I was using a bit of an extreme example to illustrate my point. What I was trying to say was that they can’t really stop people from watching the content that they want to watch.

                                    1. 3

                                      I recall, but didn’t review, a study saying half of web site users wanted the page loaded in 2 seconds. Specific numbers aside, I’ve been reading that kind of claim from many people for a long time: a new site taking too long to load, being sluggish, etc. makes them miss lots of revenue. Many will even close down. So, the provider of your favorite content being throttled for even two seconds might kill half their sales since Internet users expect everything to work instantly. Can they operate with a 50% cut in revenue? Or maybe they’re bootstrapping up a business with a few hundred or a few grand but can’t afford to pay for no artificial delays. Can they even become the content provider you liked if having to pay hundreds or thousands extra on just extra profit? I say extra profit since ISPs already paid for networks capable of carrying it out of your monthly fee.

                                      1. 2

                                        yeah, the shaping of public media consumption would happen in cases where people don’t know what they want to watch or don’t find out about something that they would want to watch

                                        anti-democratic institutions already shape media consumption and discourse to a large extent, but giving them more tools will hurt the situation. maybe it won’t affect you or me directly, but sadly we live in a society so it will come around to us in the form of changes in the world

                                2. 5

                                  But without net neutrality, the ISPs still have an incentive to provide equal service, because otherwise they’ll lose customers (for obvious reasons).

                                  Most customers have exceedingly limited options in their area, and they’re not going to switch houses because of their ISP. Especially in apartment complexes, you see cases where, say, Comcast has the lockdown on an entire population and there really isn’t a reasonable alternative.

                                  In a truly free market, maybe I’d agree with you, but the regulatory environment and natural monopolistic characteristics of telecom just don’t support the case.

                                  1. 1

                                    Most customers have exceedingly limited options in their area, and they’re not going to switch houses because of their ISP.

                                    That’s a witty way of putting it.

                                    But yeah, @lorddimwit mentioned the small number of tier-1 ISPs. I didn’t realize there were so few, but I still think that net neutrality is overreaching, even if it’s less than I originally thought.

                                    1. 3

                                      Personally, I feel that net neutrality, such as it is, would prevent certain problems that could be better addressed in other, more fundamental ways. For instance, why does the US allow the companies that own the copper to also own the ISPs?

                                  2. 3

                                    But without net neutrality, the ISPs still have an incentive to provide equal service, because otherwise they’ll lose customers (for obvious reasons).

                                    Awkward political jabs aside, most of your statements imply that you believe customers are free to choose who they get their internet from, which is just plain incorrect. Whatever arguments you want to make against net neutrality, there is one indisputable fact that you cannot just ignore or paper over:

                                    ISPs do not operate in a free market.

                                    In the vast majority of the US, cable and telephone companies are granted local monopolies in the areas they operate. That is why they must be regulated. As the Mozilla blog said, they have both the incentive and means to abuse their customers and they’ve already been caught doing it on multiple occasions.

                                    1. 1

                                      most of your statements imply that you believe customers are free to choose who they get their internet from, which is just plain incorrect

                                      I think you’re a bit late to the party, I’ve conceded that fact already.

                                    2. 3

                                      All of that is gibberish. Net Neutrality is being pushed because it creates a more competitive marketplace. None of it has anything to do with professional liar Alex Jones.

                                      But without net neutrality, the ISPs still have an incentive to provide equal service, because otherwise they’ll lose customers (for obvious reasons).

                                      That’s not how markets work. And it’s not how the technology or permit process for ISPs works. There is very little competition among ISPs in the US market.

                                      1. 1

                                        Hey, here’s a great example from HN of the crap they pull without net neutrality. They advertised “unlimited,” throttled it secretly, admitted it, and forced them to pay extra to get actual unlimited.

                                        @lorddimwit add this to your collection. Throttling and fake unlimited have been going on a long time, but they could’ve got people killed doing it to first responders. I’d have not seen that coming just for PR reasons or avoiding local govt regulation if nothing else.

                                        1. 1

                                          I can’t speak to why open-source advocates are also pushing for net neutrality, because (in my opinion) the government shouldn’t be involved in how much internet costs.

                                          It’s not about how much internet costs, it’s about protecting freedom of access to information, and blocking things like zero-rated traffic that encourage monopolies and discourage competition. If I pay for a certain amount of traffic, ISPs shouldn’t be allowed to turn to Google and say “want me to prioritize YouTube traffic over Netflix traffic? Pay me!”

                                          1. 1

                                            Net neutrality is being pushed by the media because it “fights discrimination”, and they blame the “fascist, nazi right” for its repeal (and they’re correct, except for the “fascist, nazi” bit).

                                            Where on earth did you hear that? I sure hope you’re not making it up—you’ll find this site doesn’t take too kindly to that.

                                            1. 1

                                              I might’ve been conflating two different political issues, but I have heard “fascist” and “nazi” used to describe the entire right wing.

                                              A quick google search for “net neutrality fascism” turned this up https://motherboard.vice.com/en_us/article/kbye4z/heres-why-net-neutrality-is-essential-in-trumps-america

                                              “With the rise of Trump and other neo-fascist regimes around the world, net neutrality will be the cornerstone that activists use to strengthen social movements and build organized resistance,” Wong told Motherboard in a phone interview. “Knowledge is power.”

                                              1. 2

                                                You assume that net neutrality is a left-wing issue, which it’s not. It actually has bipartisan support. The politicians who oppose it have very little in common, aside from receiving a large sum of donations from telecom corporations.

                                                As far as terms like “fascist” or “Nazi” are concerned—I think they have been introduced into this debate solely to ratchet up the passions. It’s not surprising that adding these terms to a search yields results that conflate the issues.

                                                1. 2

                                                  I’ll add on your first point that conservatives who are pro-market are almost always pro-competition. They expect the market will involve competition driving what’s offered up, its cost down, and so on. Both the broadband mandate and net neutrality achieved that with an explosion of businesses and FOSS offering about anything one can think of.

                                                  The situation still involves 1-3 companies available for most consumers that, like a cartel, work together to not compete on lowering prices, increasing service, and so on. Net neutrality reduced some predatory behavior the cartel market was doing. They still made about $25 billion in profit between just a few companies due to anti-competitive behavior. Repealing net neutrality for an anti-competitive market will have no positives for consumers but will benefit roughly 3 or so companies by letting them charge more for the same or less service.

                                                  Bad for conservatives’ goals of market competition and benefiting conservative voters.

                                          2. 2

                                            One part of it is that we already have net neutrality, and it’s easier to try to hang on to a regulation than to create a new one.

                                          1. 17

                                            An interesting aspect of this: their employees’ credentials were compromised by intercepting two-factor authentication that used SMS. Security folks have been complaining about SMS-based 2FA for a while, but it’s still a common configuration on big cloud providers.

                                            1. 11

                                              What’s especially bugging me is platforms like twitter that do provide alternatives to SMS for 2FA, but still require SMS to be enabled even if you want to use safer means. The moment you remove your phone number from twitter, all of 2FA is disabled.

                                              The problem is that if SMS is an option, that’s going to be what an attacker uses. It doesn’t matter that I myself always use a Yubikey.

                                              But the worst are services that also use that 2FA phone number they got for password recovery. Forgot your password? No problem. Just type the code we just sent you via SMS.

                                              This effectively reduces the strength of your overall account security to the ability of your phone company to resist social engineering. Your phone company who has trained their call center agents to handle „customer“ requests as quickly and efficiently as possible.

                                              update: I just noticed that twitter has fixed this and you can now disable SMS while keeping TOTP and U2F enabled.

                                              1. 2

                                                But the worst are services that also use that 2FA phone number they got for password recovery. Forgot your password? No problem. Just type the code we just sent you via SMS.

                                                I get why they do this from a convenience perspective, but it bugs me to call the result 2FA. If you can change the password through the SMS recovery method, password and SMS aren’t two separate authentication factors, it’s just 1FA!
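A small model of the point made in this comment and in the one it quotes, added here as an example and not taken from the thread: enumerate an account’s login and recovery paths and find the fewest factors an attacker must control. The factor names and the two account configurations are constructed for illustration.

```python
"""Find the weakest way into an account given its login and recovery rules.

Constructed example: when "forgot password" only asks for an SMS code, the
password stops being an independent factor and the account is protected by
SMS alone, whatever the login screen nominally requires.
"""


def access_paths(login_alternatives, recovery_methods):
    """Enumerate every set of factors sufficient to get into the account.

    login_alternatives: list of sets; each is one combination of factors the
                        login screen accepts (e.g. password+SMS, password+TOTP).
    recovery_methods:   list of (required, granted) pairs. Proving control of
                        `required` lets the user (or an attacker) reset or
                        bypass `granted`, e.g. an SMS code grants a new password.
    Recovery is modelled as a single step; chaining one recovery into another
    is not considered here.
    """
    paths = {frozenset(alt) for alt in login_alternatives}
    for required, granted in recovery_methods:
        for alt in login_alternatives:
            # After recovery the attacker holds `granted`; whatever the login
            # alternative still demands beyond that must also be compromised.
            paths.add(frozenset(required) | (frozenset(alt) - frozenset(granted)))
    return paths


def weakest_paths(login_alternatives, recovery_methods):
    """Smallest factor sets that unlock the account, sorted for stable output."""
    paths = access_paths(login_alternatives, recovery_methods)
    fewest = min(len(p) for p in paths)
    return sorted(tuple(sorted(p)) for p in paths if len(p) == fewest)


def effective_factors(login_alternatives, recovery_methods):
    """Number of distinct factors an attacker needs on the weakest path."""
    return len(weakest_paths(login_alternatives, recovery_methods)[0])


# Constructed configuration 1: the pattern criticised above. Login accepts
# password+SMS or password+TOTP, but password recovery only needs an SMS code.
SMS_RECOVERY_ACCOUNT = (
    [{"password", "sms"}, {"password", "totp"}],
    [({"sms"}, {"password"})],
)

# Constructed configuration 2: SMS removed entirely; recovery needs a printed
# backup code together with the still-enrolled TOTP device.
HARDENED_ACCOUNT = (
    [{"password", "totp"}, {"password", "u2f"}],
    [({"backup_code", "totp"}, {"password"})],
)

if __name__ == "__main__":
    for name, cfg in (("sms recovery", SMS_RECOVERY_ACCOUNT), ("hardened", HARDENED_ACCOUNT)):
        print(f"{name}: {effective_factors(*cfg)} factor(s) -> {weakest_paths(*cfg)}")
```

With SMS-only recovery the weakest path is the single factor `sms`; the hardened configuration never drops below two factors.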

                                                1. 1

                                                  Have sites been keeping SMS given the cost of supporting locked out users? Lost phones are a frequent occurrence. I wonder if sites have thought about implementing really slow, but automated recovery processes to avoid this issue. Going through support with Google after losing your phone is painful, but smaller sites don’t have a support staff at all, so they are likely to keep allowing SMS since your mobile phone number is pretty recoverable.

                                                  1. 1

                                                    In case of many accounts that are now de-facto protected by nothing but a single easily hackable SMS I’d much rather lose access to it than risk somebody else getting access.

                                                    If there was a way to tell these services and my phone company that I absolutely never want to recover my account, I would do that in a heartbeat.

                                                  2. 1

                                                    This effectively reduces the strength of your overall account security to the ability of your phone company to resist social engineering. Your phone company who has trained their call center agents to handle „customer“ requests as quickly and efficiently as possible.

                                                    True. Also, if you have the target’s phone number, you can skip the social engineering, and go directly for SS7 hacks.

                                                  3. 1

                                                    I don’t remember the details but there is a specific carrier (T-Mobile I think?) that is extremely susceptible to SMS interception and it’s people on their network that have been getting targeted for attacks like this.

                                                    1. 4

                                                      Your mobile phone number can relatively easily be stolen (more specifically: ported out to another network by an attacker). This happened to me on T-Mobile, but I believe it is possible on other networks too. In my case my phone number was used to set up Zelle and transfer money out of my bank account.

                                                      This article actually provides more detail on the method attackers have used to port your number: https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin

                                                      1. 1

                                                        T-Mobile sent a text message blast to all customers many months ago urging users to set up a security code on their account to prevent this. Did you do it?

                                                        Feb 1, 2018: “T-Mobile Alert: We have identified an industry-wide phone number port out scam and encourage you to add account security. Learn more: t-mo.co/secure”

                                                        1. 1

                                                          Yeah I did after recovering my number. Sadly this action was taken in response to myself and others having been attacked already :)

                                                  1. 5

                                                    Kinda surprised that reddit - a site which hosts rougher parts of the internet - has not had a Head of Security until 2.5 months ago?

                                                    1. 8

                                                      Their headcount has always been kinda small I think? You need to hit a certain size before carving out a specific position.

                                                      1. 7

                                                        “Kinda small” is ~250 people. They have data of 330 Million users.

                                                        I wouldn’t attach the headcount to the position directly, the question is how much a security need you have.

                                                        1. 2

                                                          They seemed to have done pretty well for a long time without having one though.

                                                          1. 1

                                                            Did they? How do you know there weren’t previous leaks/breaches that simply went undetected?

                                                            1. 2

                                                              That’s probably not a good way to measure it, but maybe the number of posts like this? But that’s true.

                                                              1. 3

                                                                My point is, they could have been regularly infiltrated for years and they only noticed now thanks to new talent in house. There’s only so much a jack of all trades team can do while fire fighting all the needs.

                                                                1. 1

                                                                  I’ll add to mulander’s hypothetical that this happened in all kinds of big companies with significant investments in security. They were breached for years without knowing they were compromised. They started calling them “APTs” as a PR move to reduce humiliation. It was often vanilla attacks or combos of those with some methods to bypass monitoring that companies either didn’t have or really under-invested in. Reddit could be one if they had little invested in security or especially intrusion detection/response.

                                                        2. 3

                                                          Because reddit is not hosting financial data or (for the most part) deeply personal data that is not already out in the open, I would assume that they are not that interesting a target for hackers looking for financial gain, but more interesting for script kiddies who are looking to DOX or harass other users.

                                                          1. 5

                                                            Many subreddits host content and discussions that people don’t want to be attached to. The post even appreciates that and recommends deletion of those posts.

                                                            I find it telling that you go out of your way pushing people interested in gaining personal data in the script kiddie corner. Yes, SMS based attacks are in the range of “a script kiddie could do that”, which makes it even worse.

                                                            1. 2

                                                              Criminals are using this type of information for targeted extortions and other activities. The general view that this is mostly the realm of “script kiddies” detracts from the seriousness and provides good cover for their activities.

                                                              1. 1

                                                                I made an assumption, but reading your reply and that of @skade you are right that there are lots of uses for the data from a criminal perspective, especially for a site the size of reddit.

                                                          1. 7

                                                            The .NET stack never existed as a viable platform for the popular/consumer startups. That said, there have been many “startups” in industries aligned with the enterprise that have been very successful with .NET. You just don’t hear about them because their value proposition was very different, and they weren’t a startup in the same way. Azure and modern .NET are trying to change things, but I think the former makes the biggest difference.

                                                            1. 2

                                                              Yes, those types of “startups” are usually started by insiders in some vertical industry and exist in the funding, sales, and recruiting ecosystem for that industry. They never really touch the Silicon Valley / Tech startup funding and recruiting ecosystem.

                                                            1. 3

                                                              My main project will be finishing up plans for a cycling vacation in the Netherlands and Belgium. My wife and I sometimes have different ideas about what we want to see and the pace. She tends to leave the planning to me though. I’ve been trying to get our ideas into a Google Map so that we can discuss the itinerary based on how many overnight stops we want to make and the proximity to interesting places.

                                                              This has me thinking about what my ideal travel planning tool would look like. I tend to think of trips as a graph with a start and end point that I select first. I then need to fill in a path with interesting things. The itineraries at the front of Lonely Planet tend to be useful, but I’d like to have a site where I can find and fork itineraries, and have people suggest other places by just picking them from a map. I feel like the last year has been relatively fallow in terms of personal tech projects as my energy has been elsewhere, so I figure sharing it might help motivate me a little more.

                                                              I’ve signed up for my first 10-miler in Annapolis, Maryland so I need to sit down and plan the last month of training. It has been very ad hoc so far, but I’ve gone from only running 5k regularly in March to 6-7 miles now with great encouragement from my sister-in-law.

                                                              1. 7

                                                                I jumped on the K8s train moderately early, and have since jumped right back off owing to the rapidly accelerating unnecessary extra complexity.

                                                                I’m sympathetic to the idea that enterprise requires a sometimes bewildering array of configuration options, and that the usual array of systems-screwer-uppers (e.g., Red Hat, IBM) were naturally going to show up to the party to try to increase consultant billing time, but man did that thing get messy and confused in a hurry. It almost makes you sympathize with the go development philosophy.

                                                                1. 3

                                                                  It feels like the K8s train replaced the OpenStack train.

                                                                  1. 2

                                                                    Now consider that there are organizations that deploy OpenStack on a hypervisor, then Kubernetes on that OpenStack :)

                                                                  2. 2

                                                                    LOL I couldn’t agree more. “systems-screwer-uppers” I hadn’t heard that before. beautiful turn of phrase!

                                                                  1. 2

                                                                    Why do we even tolerate a closed-source, proprietary text editor in the XXI century?

                                                                    1. 10

                                                                      Nobody’s holding a sword to your throat and forcing you to use it.

                                                                      1. 7

                                                                        You might want that intolerance looked at, it sounds like it’s reducing your quality of life.

                                                                        1. 3

                                                                          Could you elaborate? I wouldn’t say most ST users are tolerating anything. They are in fact enjoying the experience with the editor, perhaps more than an open source editor. Unless you are one of the small minority who are forced to use an extremely esoteric development setup you have some degree of choice in how you work, which might even include using a proprietary editor if that’s what you prefer. FWIW I think ST has actually jump-started some of the wider interest and innovation in text editors in recent years.

                                                                          My personal favourite closed-source editor is EmEditor (https://www.emeditor.com/). If I need to work in a Windows environment, it’s the first software I install, but it’s not the editor that I spend most of my time coding in. I often have to deal with huge CSV and other text files which the developer specializes in handling. They added features for opening CSV files in an Excel-like way which is a huge boon if you need that. It can open Visual Studio solutions and is extremely fast. It lacks all of the useful plug-ins that editors I prefer to code with have, but it really knows its niche. Perhaps there are equivalent capabilities with other open source products, but it doesn’t seem a problem that these proprietary products exist and innovate.

                                                                          1. 3

                                                                            The dude might need money.

                                                                            1. 4

                                                                              Being paid to program? gasps Only I’m allowed to do that.

                                                                          1. 1

                                                                            I’m going to PyCon US next week. It’s now much bigger than my first in 2008, but I’ve always gotten a lot from it. I’ve even got some PyCon friends from around the world and we only meet there. A while ago the conference made the headlines for some of the wrong reasons, but it is generally a very well run conference with a team who try to make everyone feel welcome.

                                                                            Last October I attended PyGotham in New York. As @srbaker noted elsewhere in this thread, small conferences of 100-300 attendees are a sweet spot for learning. I found this to be the case with PyGotham, although the costs of travel and nights in NYC can be expensive.

                                                                            Most of my conference attendance has been something I’ve paid for. As a contractor, I never wanted something to be held over me, but it forced me to be picky and try out a number of different types and sizes of conferences. Over my career I’ve gotten more out of conferences that cost under $700 per ticket.

                                                                            The quality of sessions, and to some degree the hallway conversations, at the $1500+ conferences has been so variable that I don’t feel like they are worth attending. Plus, these are often happening right in the middle of the week which is inconvenient if work isn’t supporting you. It also allows time for a little sightseeing around the conference when it runs up to a weekend.

                                                                            My wife spoke very highly of Strange Loop, so I might give that a go soon. The cost and the days of the week for the event are aligned with what I prefer too.

                                                                            Does anyone know of smaller security conferences?

                                                                            1. 24

                                                                              “There are a lot of CAs and therefore there is no security in the TLS CA model” is such a worn out trope.

                                                                              The Mozilla and Google CA teams work tirelessly to improve standards for CAs and expand technical enforcement. We remove CAs determined to be negligent and raise the bar for the rest. There seems to be an underlying implication that there are trusted CAs who will happily issue you a google.com certificate: NO. Any CA discovered to be doing something like this gets removed with incredible haste.

                                                                              If they’re really concerned about the CA ecosystem, requiring Signed Certificate Timestamps (part of the Certificate Transparency ecosystem) for TLS connections provides evidence that the certificate is publicly auditable, making it possible to detect attacks.

                                                                              Finally, TLS provides good defense in depth against things like CVE-2016-1252.

                                                                              1. 13

                                                                                Any CA discovered to be doing something like this gets removed with incredible haste.

                                                                                WoSign got dropped by Mozilla and Google last year after it came to light that they were issuing fraudulent certificates, but afaict there was a gap of unknown duration between when they started allowing fraudulent certs to be issued and when it was discovered that they were doing so. And it still took over six months before the certificate was phased out; I wouldn’t call that “incredible haste”.

                                                                                1. 2

                                                                                  I’m not sure where the process is, but if certificate transparency becomes more standard, I think that would help with this problem.

                                                                                2. 5

                                                                                  TLS provides good defense in depth against things like CVE-2016-1252.

                                                                                  Defense in depth can do more harm than good if it blurs where the actual security boundaries are. It might be better to distribute packages in a way that makes it very clear they’re untrusted than to additionally verify the packages if that additional verification doesn’t actually form a hard security boundary (e.g. rsync mirrors also exist and while rsync hosts might use some kind of certification, it’s unlikely to follow the same standards as HTTPS. So a developer who assumed that packages fed into apt had already been validated by the TLS CA ecosystem would be dangerously misled.)

                                                                                  1. 5

                                                                                    This is partly why browsers are trying to move from https being labeled “secure” to http being labeled “insecure” and displaying no specific indicators for https.

                                                                                    1. 1

                                                                                      e.g. rsync mirrors also exist and while rsync hosts might use some kind of certification, it’s unlikely to follow the same standards as HTTPS

                                                                                      If you have this additional complexity in the supply chain then you are going to need additional measures. At the same time, does this functionality provide enough value to the whole ecosystem to exist by default?

                                                                                      1. 5

                                                                                        If you have this additional complexity in the supply chain then you are going to need additional measures.

                                                                                        Only if you need the measures at all. Does GPG signing provide an adequate guarantee of package integrity on its own? IMO it does, and our efforts would be better spent on improving the existing security boundary (e.g. by auditing all the apt code that happens before signature verification) than trying to introduce “defence in depth”.

                                                                                        At the same time, does this functionality provide enough value to the whole ecosystem to exist by default?

                                                                                        Some kind of alternative to HTTPS for obtaining packages is vital, given how easy it is to break your TLS libraries on a Linux system through relatively minor sysadmin mistakes.

                                                                                  1. 1

                                                                                    Sendgrid have offers with at least one cloud provider (https://azuremarketplace.microsoft.com/en-us/marketplace/apps/SendGrid.SendGrid?tab=PlansAndPrice) that might cover your requirements. You didn’t say how many emails you need to send.

                                                                                    1. 12

                                                                                      As a Linux user, I don’t really care, because I’ve lived with the knowledge that my screen locker (whatever the local DE’s substitute for xscreensaver is) has been totally busted(*) for years without it really bothering me.

                                                                                      (* by which I mean, multiple times it has manifested security vulns wherein mashing randomly on the keyboard for a bit would crash the screen locker and unlock the screen)

                                                                                      Something something if you have access to the hardware you can just futz with it anyway.

                                                                                      1. 5

                                                                                        Something something if you have access to the hardware you can just futz with it anyway.

                                                                                        A critical difference here is that “you can futz with the hardware” is something you’d need at least some knowledge and some equipment to do, not necessarily much of each, but you need to know what you’re doing.

                                                                                        You can fit the instructions for this exploit in a single tweet.

                                                                                        1. 2

                                                                                          Very much this, but:

                                                                                          You can fit the instructions for this exploit in a single tweet.

                                                                                          That has also been the case for many other exploits of that kind, independent of operating system, with or without a graphical shell.

                                                                                          Screen locking seems to be a surprisingly nasty problem, even all smartphone platforms have had similar issues.

                                                                                        2. 4

                                                                                          This one is accessible remotely.

                                                                                          1. 3

                                                                                            Oh, it is? The exploit described here sounds like you need local access. This is interesting.

                                                                                            Is it exploitable via RDP or VNC or something if you have screen sharing turned on, and if so do you need to log in as an ordinary user account first?

                                                                                            1. 3

                                                                                              Screen sharing is indeed the remote exploit vector, [1] [2]. You don’t need to log in as an ordinary user account first.

                                                                                              1. 3

                                                                                                Does Remote Login allow SSH’ing in as root? I’m not familiar with the default macOS config.

                                                                                                1. 2

                                                                                                  I don’t know, but you could enable it pretty trivially.

                                                                                                  1. 1

                                                                                                    I did try after enabling SSH to “All Users” and it didn’t allow me to log in as root.

                                                                                                  2. 2

                                                                                                    Thank you for elaborating. Yeah that’s genuinely scary. Good reason to leave screen sharing turned off I guess. :x

                                                                                              2. 3

                                                                                                Another reason to consider a Wayland compositor? I’ve got Wayland and Weston with xwayland compatibility running on my media PC right now. Seems to work pretty well.

                                                                                                1. 2

                                                                                                  Yeah I’m hoping Wayland fixes this properly by using a protocol for screen locking that is not intrinsically silly like X11’s is. I assume it does (why would Wayland devs bother to copy such an obvious misfeature of X11?), but I haven’t checked.

                                                                                                2. 1

                                                                                                  You’re perhaps referring to gnome-screensaver https://www.jwz.org/blog/2015/04/i-told-you-so-again/ ?

                                                                                                  How is light-locker’s track-record? KDE’s thing?

                                                                                                  I still use xscreensaver on Xubuntu 17.10. I have a feeling jwz has a better track-record than all of the above, but it’s probably not perfect either …

                                                                                                  1. 3

                                                                                                    Yes. I don’t know about the others’ record but I’d be surprised if it was perfect. xscreensaver can’t do a perfect job here either because it, like any process, could be arbitrarily killed by something like an OOM killer or a hardware bug causing SIGBUS to be emitted in it.

                                                                                                    The underlying problem is that X11’s protocol for screen lockers is silly: the screen unlocks when the locker quits for any reason at all. jwz asserts that gnome-screensaver ought to take more care about crash proofing in light of that, which I can’t dispute. Solving the root problem is going to be much more robust anyway though.

                                                                                                    The 2004 article on this is much better BTW: https://www.jwz.org/xscreensaver/toolkits.html

                                                                                                1. 14

                                                                                                  Lacking a bachelor’s degree affects your career in development in at least one significant way: limiting your salary and promotion potential. Outside “competent” tech companies, Big Dumb Corp (i.e. the rest of the Fortune 500) HR will always use lack of a BS degree (or only an Associate’s) as a reason to offer less salary up front, lower raises once you’re on staff, and to deny promotion. It’s a check box incompetents use because they can’t tell who actually contributes. Some of the best developers I’ve worked with have had no degrees and have been self-taught. It’s not right, but it’s what I’ve seen wherever I’ve worked.

                                                                                                  1. 6

                                                                                                    Another unfortunate but real side effect is many people may be less than thrilled to “work under” you if they have degrees (i.e. self-taught engineer in charge of multiple PhDs).

                                                                                                    The only exception is if you are some god authority figure like Linus Torvalds where no one dares to challenge your expertise.

                                                                                                    1. 4

                                                                                                      That’s a bias too. There is nothing to say that an engineer without a degree cannot do a good job managing a highly credentialed staff. As long as they have humility, know their limits, and are thinking about how to get the best out of someone it should be possible. Lots of research-based organisations don’t have this occurring a lot because the needs of the job (not the people management) require the PhD, but in the tech industry there are lots of PhDs being managed by less credentialed individuals.

                                                                                                      1. 1

                                                                                                        I agree. The thing is it’s common enough that you will not be able to consistently escape it.

                                                                                                    2. 3

                                                                                                      True, startups and most tech companies don’t care. Fortune 500, consultancies etc will be harder.

                                                                                                      1. 1

                                                                                                        I think that is less of a problem outside of the US (and maybe the UK?). I’m not in those countries and have not been to university. I’m doing ok as a developer. I think you just need other ways to show your skills, such as a website/blog/github/experience. Once you get your first job (it’s probably not going to be stellar), all the companies after that will mainly be looking at your experience in the workforce.

                                                                                                      1. 1

                                                                                                        Is this actually a good idea from a security perspective? Simply searching for “SVG parser security” results in some “interesting” results… Although, to be fair, this is more something that a browser implementer should worry about, but this was my reason for not using SVG (anymore) for logos.

                                                                                                        1. 2

                                                                                                          The browser support and therefore (security) bugs would exist irrespective of whether developers actually use SVG, or not. Similar issues could exist with font handling if a problem exists with that code.

                                                                                                        1. 10

                                                                                                          We use LaunchDarkly for feature flagging so we can do contained rollouts and testing of new beta features

                                                                                                          We use Optimizely for A/B testing

                                                                                                          Surely there are libraries for many languages and web frameworks for doing that? For example

                                                                                                          I can understand using Pusher (even though there’s a lot of open source self-hosted solutions for that as well), but A/B testing and feature rollout? Why are these things even offered as-a-Service?

                                                                                                          I don’t understand this “use 3rd party services for everything” mentality. Downloading a library is easier than creating another goddamn account.

                                                                                                          1. 4

                                                                                                            They are offered as a service because you have the library wrapping your feature, but can inevitably end up with lots of supporting infrastructure. By supporting infrastructure, I mean things like feature group management, automating roll out of the feature to a larger cohort etc. If your support team needs to replicate a customer issue they might need to be able to report on users that have a feature flag, and ensure they see the exact same feature set too. In many cases you don’t need all this, but some people do.

                                                                                                            For others though, having it as a service can be an easy way to adopt feature flags, although in practice they could probably have achieved the same result as your approach. The founders of LaunchDarkly and CircleCI produce a podcast (https://www.heavybit.com/library/podcasts/to-be-continuous/), so it’s unsurprising that they use each other’s products.

                                                                                                            1. 2

                                                                                                              I can understand using Pusher (even though there’s a lot of open source self-hosted solutions for that as well), but A/B testing and feature rollout? Why are these things even offered as-a-Service?

                                                                                                              Different companies have differing amounts of engineering resources, different patterns to their revenue (e.g. to hire more engineers… or not), and different levels of legacy cruft in their products. Stemming from these differences, and especially for anything infrastructure- or process-related, the “build vs buy” conversation will also differ greatly between companies.

                                                                                                              I have had this same conversation with people regarding Heroku and SendGrid. That is, I know people who cannot fathom why anyone would need (or want) to pay for that category of PaaS in that way. Meanwhile, I shudder to imagine how much more difficult my company would have had it without them.

                                                                                                              1. 1

                                                                                                                It’s more “download vs buy” here. For trivial stuff like A/B testing and feature flags, integrating a 3rd party service isn’t significantly easier than adding a library.

                                                                                                                Heroku and SendGrid

                                                                                                                That’s why I said “I can understand using Pusher”. That kind of stuff is actual infrastructure that needs maintenance, yeah.

                                                                                                                1. 2

                                                                                                                  Curious: What library are you referring to when you mention A/B testing, and what does it provide?

                                                                                                                  Followup: Have you used Optimizely? I am not currently a customer, but when I was, I found it impressive. I would not be able to implement the same level of tooling, WYSIWYG DOM editing, analytics integrations and reporting for less money (the cost of my time) than their subscription costs. Not that simpler needs could not be met with a simpler solution, but if you need what they offer, Optimizely is not a service without its value.

                                                                                                                  1. 1

                                                                                                                    I linked to https://github.com/ankane/field_test in the original comment, of course there are lots more for different web frameworks and stuff.

                                                                                                                    WYSIWYG DOM editing

                                                                                                                    That sounds horrifying.

                                                                                                                    1. 2

                                                                                                                      Quick edit: First off, thanks for pointing out the link!

                                                                                                                      That sounds horrifying.

                                                                                                                      I thought so too, at first, but it’s not.
                                                                                                                      Not entirely, anyway. I of course then thought “but what if you’re using some SPA framework?” and, to my surprise, there was an answer for that, and it wasn’t a bad one. I’m speaking beyond my minor experience, but I suspect it messes with load times a bit, and might not be something to layer on top of, say, a Rails app that already struggles with bad load times. But if you’ve already got a snappy site, Optimizely probably isn’t going to hurt, and might make a marketing team feel like they have freakin’ super powers.

                                                                                                                      I have seen things like Optimizely and Infusionsoft give marketing teams amazing productivity boosts that the company’s product engineering team would be hard-pressed to match, and arguably shouldn’t try to match. Especially if it would distract them from their central product and serving their primary/external users’ needs better.

                                                                                                                      Through quirks of the current labor market, software engineers command higher salaries than rank-and-file-but-sophisticated digital marketers (though at the top-of-the-top they even out). This leads software engineers, myself included, to assume that our higher pay means we are more important to a company’s goals in some absolute sense. This is not true, and if a company happens to have an engineering team of 5, and a marketing team of 20, distracting those 5 engineers to have them build and maintain a tertiary A/B-testing framework that can match Optimizely, versus enabling those 20 marketers to do more in less time, can make the latter look very appealing.

                                                                                                              2. 1

                                                                                                                Feature flagging seems a bit extreme to me.

                                                                                                              1. 4

                                                                                                                So, here’s the thing - I posted a comment around this at the original site / post but it looks as if it’s been deleted.

                                                                                                                The author basically is taking a big old poop all over CircleCI because of token / javascript bleed. Fine, that’s a reasonable potshot to make - BUT what’s not clear to me, and what I asked in my question - is has the author actually done the work to compare and contrast against another hosted CI provider?

                                                                                                                This feels like a lazy smear to me. There are trade offs to be made when you choose to trust your sources to a hosted provider like this, and I am not convinced that CircleCI is doing anything at all untoward here other than needing to do a better job of communicating its dependencies to its users.

                                                                                                                1. 3

                                                                                                                  I tend to agree, but in a way you have to question the judgement of the developers when they include so many trackers. I don’t think it’s surprising that someone has latched onto this issue and it can be raised with many products that have a business model that doesn’t rely on advertising. Launch Darkly might actually be functional compared to the others listed by the author. I see Facebook references blocked by EFF’s Privacy Badger when I log into the product.

                                                                                                                  I wonder if these trackers are toggled off when I use a paid version of their product? I think that’s a possible trade-off since they are letting you test the product for free. Toggling these off might result in a loss of analytics data that they wouldn’t want, so there is a vicious circle.

                                                                                                                  1. 3

                                                                                                                    I used CircleCI in a past job, and it does something pretty unique among SaaS CI vendors - it lets you use an arbitrary number of VMs to run your unit tests.

                                                                                                                    So, we were able to halve the amount of time it took our unit tests to run by increasing the number of simultaneous servers running them. When you’re an org dealing with a legacy code base where the test corpus is taking HOURS and HOURS to run, that is some serious bottom line ROI right there.

                                                                                                                    They just need to update their comms to VERY CAREFULLY indicate what’s happening and everybody can choose to use them or not. What bugs me about the original post is the slapdash nature of the accusations levied and the lack of any kind of even handedness.

                                                                                                                    Also, when I posted my question to the original article, my comment was deleted. Their bat and ball, their rules, but if we’re gonna question judgement or motivation I think we can point the flying fickle finger of fate at this post’s author as well.

                                                                                                                    1. 4

                                                                                                                      the slapdash nature of the accusations levied and the lack of any kind of even handedness.

                                                                                                                      I don’t understand this. What was I supposed to do differently to be “even-handed”? Companies imbue CircleCI with an enormous amount of trust, and they do an incredibly risky thing with that trust. “If I am going to pay you thousands of dollars a month, please don’t build a dashboard where my source code gets stolen if someone hacks Quora.js” seems like a reasonable request. I suppose I could have said “By loading third party Javascript in a secure environment, CircleCI is picking up pennies in front of a steamroller, but in fairness, they do have the pennies.”

                                                                                                                      I posted my question to the original article, my comment was deleted.

                                                                                                                      I didn’t delete your comment; I manually approve all comments that appear on my website, there should have been a notice above the post that said “Comments are heavily moderated.”

                                                                                                                      I haven’t looked at your comment and couldn’t say, but generally I get low quality comments on posts and approving them isn’t really a priority for me.

                                                                                                                      1. 0

                                                                                                                        Thanks for the clarification. Have you considered simply disabling comments for your blog in that case? Offering them but leaving them in limbo seems like a questionable practice. Your bat and ball, etc.

                                                                                                                        1. 2

                                                                                                                          Thanks. Occasionally I get a good comment, one that does not describe hours of research and writing as a “lazy smear,” for that reason I like having the option to approve them.

                                                                                                                          1. 0

                                                                                                                            Would you disagree that calling a particular vendor out for particular problems might warrant citing similar issues with other vendors in the name of even handedness?

                                                                                                                            1. 5

                                                                                                                              You called my article a “lazy smear” because there are, supposedly, other CI companies that let arbitrary third party Javascript run in a trusted environment and access CSRF tokens/create API tokens that could result in data compromise, but you’ve provided zero evidence that such companies exist. I can, however, cite many CI tools that do not let arbitrary 3rd party Javascript run in a trusted environment, as Circle does: Phabricator, Jenkins, Gitlab, Travis.

                                                                                                                              Even if they did exist, no, I am under no obligation to cite them. The fact that many people drive drunk is not an excuse for your own decision to drink and drive. You are welcome to do your own research and post your own findings about other companies.

                                                                                                                              1. 3

                                                                                                                                I would disagree. Someone pointed out problems, why should we demand extra work? We should be thankful that someone has pointed out problems.

                                                                                                                      2. 1

                                                                                                                        I wonder if these trackers are toggled off when I use a paid version of their product?

                                                                                                                        No, they are not, everyone gets them, even if you pay them thousands of dollars per month. You can collect analytics data on the server side, and there’s no way a compromise of your server side analytics provider affects the security of my source code.

                                                                                                                      3. 3

                                                                                                                        This is like complaining that arresting someone for drunk driving is unfair because other people also drive drunk and did not get caught. Across the entire industry companies don’t care enough about third party javascript that runs on secure pages (dashboards, credit card input forms, API token creation, more). It’s a dangerous situation and consumers should demand better. I understand there are tradeoffs to be made letting a third party run CI, but I don’t think that “outsource my company’s source code security to Quora.js” is a reasonable one. I also think those companies overstate the benefit compared to the risks, the benefits are small and immediate, the risks are larger and unquantifiable.

                                                                                                                        There are steps they could take to secure important fields - for example, use a different domain for marketing/dashboards, require an HMAC token that the third party Javascripts don’t have access to, but they did not take those steps.

                                                                                                                      1. 20

                                                                                                                        MVPs are too M and almost never V.

                                                                                                                        Then it’s not an MVP.

                                                                                                                        1. 5

                                                                                                                          Indeed. And the author’s experience is clearly the opposite of my own at a medium sized company where “MVP”s are usually not at all minimal.

                                                                                                                          1. 4

                                                                                                                            Yeah, in my experience there’s no shortage of people who look at the original MVP spec and say “but surely we can’t show it to people without XYZ?” and by the time they’re through, you end up with triple the requirements, but no additional time budgeted :)

                                                                                                                            1. 1

                                                                                                              It’s hard to get an idea of what “not minimal” is for a medium-sized company. My observation is that you can get into problems once you start making micro-adjustments based on A/B tests, or have to cater for negative impacts to other parts of your product. This happens in larger organizations, but I can see any size of organization getting caught up in their own metrics and approach. Features get cut into smaller and smaller pieces and/or don’t get fully fleshed out later once the original A/B test completes. The feature is of less value to the user, but the team feel like they are doing the right thing for the product, and no one may be minding the overall product.

                                                                                                                              1. 2

                                                                                                                                Sure. But I’m talking about things like defining your ideal feature set, selecting half of that and calling it minimal, even if the core functionality is 1/10th of the ideal feature set. My general rule is that if your MVP has a settings or configuration screen, it’s not minimal enough. :-)

                                                                                                                          1. 5

                                                                                                                            I have thought of going back to school at various points in my career, but I’ve never done it. My degree is in a softer category and not well-respected for hardcore programming type jobs, but I have a good amount of real experience that balances it out a bit.

                                                                                                                            I honestly think college is greatly over-valued for most jobs. You already have a job, you already have experience. Why burden yourself with something that may never pay for itself? School is increasingly expensive. Are you going to ever get THAT much more money to justify it?

                                                                                                                            I also have the issue of three children who will be looking to start college within the next 8-12 years. Maybe not all will go, but at least one will I’m sure. Why add to that inevitable debt or cause undue stress just for a slip of paper?

                                                                                                                            1. 7

                                                                                                                              I think if I were in your situation (BA degree + kids) I would do exactly the same thing. Unfortunately, I think there’s quite an advantage to having any degree over none. This may play into people’s unconscious biases, but I won’t get into that.

                                                                                                                              1. 6

                                                                                                                                I would definitely not go back for a second bachelor’s if you already have a bachelor’s. If I went for anything it’d be a masters. You don’t typically need a CS BSc to do a CS MSc, just evidence that you have enough CS background to be able to handle the courses. If you’ve worked in a tech job that’s probably enough evidence; mostly schools just want to make sure they aren’t admitting people who know nothing at all about computing (e.g. don’t know how to program), since a MSc isn’t going to start from Intro to Programming. Masters courses are also more likely to offer flexible evening/weekend schedules, and some larger tech companies will even cover the tuition.

                                                                                                                                1. 4

                                                                                                                                  I’m not sure if other universities in the US are doing this, but the University of Pennsylvania have a programme called MCIT. The “IT” in the title may be a negative signal to some people, but this is a pretty heavy-duty CS course. My wife found it to be very rigorous and the approach was helpful for someone without programming experience. In the UK, it was fairly common (circa 2004) to find various MSc programmes that were termed “conversion courses” intended for individuals without a CS undergraduate degree.

                                                                                                                              1. 1

                                                                                                                                Many years ago when we implemented our CMS, we decided to use URLs like example.com/aaaa/bbbb/cccc/dddd (content is structured like a tree). This was a terrible idea (obviously). After we let the users in, not only were they easily creating structures ten levels deep, but also constantly moving and renaming items.

                                                                                                                                At first we tried some clever tricks to navigate users where necessary even after items were moved/renamed, but it was still a terrible pain and had to be rewritten.

                                                                                                                                Now the content is still a tree, but URLs are like example.com/language-code/id-name where only the id is important (similar to SO); the name can be whatever (but we redirect you to the proper one if it is not present/wrong). This has worked very well for many years.
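One way to implement the id-only URL scheme described above, as an added example in Python (not the commenter's CMS code): the language code and id are validated, the name segment is never used for lookup, and a missing or wrong name redirects to the canonical path built from server-side data. The content table, language list and path regex are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample content table: id -> canonical slug and language.
# The tree structure is kept elsewhere for organising items; URLs depend only on id.
CONTENT = {
    42: {"slug": "getting-started", "lang": "en"},
    43: {"slug": "erste-schritte", "lang": "de"},
}
SUPPORTED_LANGS = {"en", "de"}  # assumed allowlist of language codes

# /<language-code>/<id>-<name>; the name part is optional and untrusted.
PATH_RE = re.compile(r"^/(?P<lang>[a-z]{2})/(?P<id>\d{1,9})(?:-(?P<name>[a-z0-9-]*))?$")


@dataclass
class Resolution:
    status: int                      # 200 serve, 301 redirect to canonical, 404 not found
    item_id: Optional[int] = None
    location: Optional[str] = None   # redirect target for 301


def canonical_path(item_id: int) -> str:
    item = CONTENT[item_id]
    return f"/{item['lang']}/{item_id}-{item['slug']}"


def resolve(path: str) -> Resolution:
    m = PATH_RE.match(path)
    # Anything outside the strict shape (path traversal, unknown language) is a 404,
    # not an attempt to guess what the client meant.
    if not m or m.group("lang") not in SUPPORTED_LANGS:
        return Resolution(404)
    item_id = int(m.group("id"))
    if item_id not in CONTENT:
        return Resolution(404)
    canon = canonical_path(item_id)
    if path != canon:
        # The redirect target comes from our own data, never from the request,
        # so a crafted name segment cannot turn this into an open redirect.
        return Resolution(301, item_id, canon)
    return Resolution(200, item_id)
```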

                                                                                                                                1. 1

                                                                                                                                  The tree structure is nice, but it definitely has limits. Could your system have handled that issue by tracking URL changes so that users could be automatically redirected?

                                                                                                                                  1. 2

                                                                                                                                    Probably could, but as I said people went crazy with moving and renaming items. Tracking all these changes wouldn’t be impossible, but still at least tedious. The main issue was still super long URLs with like ten levels. Actually I was ashamed when sending a link to someone :) We kept the tree structure, but it is mainly for organizing items now.

                                                                                                                                1. 2

                                                                                                                                  Was this a response to Discourse in any way? It seems to hit on a few pain points with Discourse such as the boring deployment. For a non-Rails dev, how hard is it to add a custom authentication provider to Thredded so that users from another site don’t need to have a separate logon?

                                                                                                                                  1. 3

                                                                                                                                    Was this a response to Discourse in any way?

                                                                                                                                    Yes. :)

                                                                                                                                    For a non-Rails dev, how hard is it to add a custom authentication provider to Thredded so that users from another site don’t need to have a separate logon?

                                                                                                                                    That depends. Integrating it with Thredded is very easy (you only need to provide a current_user method) but writing it might not be.

                                                                                                                                  1. 1

                                                                                                                                    Are you planning a feedback mechanism in the site to flag items that are good, or bad? I guess I can skip to the next item, but it’d be nice to leave you some feedback.

                                                                                                                                    1. 1

                                                                                                                                      I was thinking about something like the kudos button here https://dcurt.is/iphone-introduction-and-my-moment-of-awe but I’m not sure for now