1.  

    All of these Wi-Fi access points just use web interfaces that issue iptables rules. Very few of them block DNS, so you can use tools like iodine to pump TCP-over-DNS to get around captive portals. Be aware, though, that doing this (either via a MAC address change or via iodine) is probably illegal in most jurisdictions.

    Also, if the author is on Linux, I’m sure someone will bring up using ip instead of ifconfig.
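The comment above notes that most captive portals leave DNS open, which is what TCP-over-DNS tools rely on. From the operator's side, the complementary control is to watch the resolver for query patterns that look like a data channel rather than name lookups. The following is an added example, not code from the original thread or from any project mentioned in it: a small heuristic detector run over constructed resolver log lines in a dnsmasq-style `query[TYPE]` layout (the format, the `SAMPLE_LOG` contents, the client addresses and the thresholds are all assumptions). It scores each client on three signals that tunnelled traffic tends to show together: a high share of bulk record types (NULL/TXT), long high-entropy leftmost labels, and many unique subdomains under one zone.

```python
"""Heuristic DNS-tunnelling detector over resolver query logs (illustrative)."""
import math
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in a dnsmasq-style layout: "<client> query[<type>] <qname>".
# The addresses, names and payload-looking labels are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 query[A] www.example.com
10.0.0.5 query[AAAA] www.example.com
10.0.0.5 query[A] static.example.com
10.0.0.5 query[A] cdn.example.net
10.0.0.5 query[TXT] _dmarc.example.com
10.0.0.9 query[NULL] aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.t.tunnel.example
10.0.0.9 query[NULL] c2Vjb25kIGNodW5rIG9mIGRhdGEgaGVyZQ.t.tunnel.example
10.0.0.9 query[TXT] dGhpcmQgY2h1bmsgb2YgZGF0YSBoZXJl.t.tunnel.example
10.0.0.9 query[NULL] Zm91cnRoIGNodW5rIG9mIGRhdGEgaGVyZQ.t.tunnel.example
10.0.0.9 query[NULL] ZmlmdGggY2h1bmsgb2YgZGF0YSBoZXJl.t.tunnel.example
10.0.0.9 query[NULL] c2l4dGggY2h1bmsgb2YgZGF0YSBoZXJl.t.tunnel.example
"""

LINE_RE = re.compile(r"^(?P<client>\S+) query\[(?P<qtype>[A-Z]+)\] (?P<qname>\S+)$")

# Record types that ordinary browsing rarely asks for in volume but that carry
# large payloads, so a high share of them per client is a useful signal.
BULK_TYPES = {"NULL", "TXT", "CNAME", "MX", "SRV"}


@dataclass
class ClientStats:
    total: int = 0
    bulk: int = 0
    label_lengths: List[int] = field(default_factory=list)
    label_entropies: List[float] = field(default_factory=list)
    # zone -> set of distinct full query names seen under it
    subdomains: Dict[str, set] = field(default_factory=lambda: defaultdict(set))

    def rare_type_ratio(self) -> float:
        return self.bulk / self.total if self.total else 0.0

    def avg_label_length(self) -> float:
        return sum(self.label_lengths) / len(self.label_lengths) if self.label_lengths else 0.0

    def avg_label_entropy(self) -> float:
        return sum(self.label_entropies) / len(self.label_entropies) if self.label_entropies else 0.0

    def max_fanout(self) -> int:
        return max((len(s) for s in self.subdomains.values()), default=0)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payloads score high, words score low."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    # Assumption: no public-suffix list; the last two labels are treated as the zone.
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    m = LINE_RE.match(line.strip())
    return (m["client"], m["qtype"], m["qname"]) if m else None


def analyze(log_text: str) -> Dict[str, ClientStats]:
    """Aggregate per-client query statistics from the log text."""
    stats: Dict[str, ClientStats] = defaultdict(ClientStats)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that are not query records
        client, qtype, qname = parsed
        st = stats[client]
        st.total += 1
        if qtype in BULK_TYPES:
            st.bulk += 1
        first = qname.split(".")[0]  # leftmost label is where payload is encoded
        st.label_lengths.append(len(first))
        st.label_entropies.append(shannon_entropy(first))
        st.subdomains[registered_domain(qname)].add(qname)
    return dict(stats)


def flag_clients(log_text: str, min_queries: int = 5, rare_ratio: float = 0.5,
                 label_len: int = 20, entropy_bits: float = 3.0,
                 fanout: int = 5) -> Dict[str, List[str]]:
    """Return {client: [reasons]} for clients exceeding the (assumed) thresholds."""
    flagged: Dict[str, List[str]] = {}
    for client, st in analyze(log_text).items():
        if st.total < min_queries:
            continue  # too few queries to judge
        reasons = []
        if st.rare_type_ratio() >= rare_ratio:
            reasons.append("bulk record types dominate (%.0f%%)" % (100 * st.rare_type_ratio()))
        if st.avg_label_length() >= label_len and st.avg_label_entropy() >= entropy_bits:
            reasons.append("long high-entropy labels (%.1f chars, %.2f bits)"
                           % (st.avg_label_length(), st.avg_label_entropy()))
        if st.max_fanout() >= fanout:
            reasons.append("%d distinct names under one zone" % st.max_fanout())
        if reasons:
            flagged[client] = reasons
    return flagged


if __name__ == "__main__":
    for client, reasons in flag_clients(SAMPLE_LOG).items():
        print(client, "->", "; ".join(reasons))
```

The thresholds are deliberately loose starting points; on a real resolver you would baseline them per network, and a captive portal can additionally redirect DNS from unauthenticated clients to its own resolver so that only the portal's names resolve before login.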

    1. 38

      May Terry rest in peace. Hopefully he found the peace he could not find in his life.

      1. 14

        That could easily have been me. In fact, at one point during the years I spent expecting never to get enough control over my disabilities to escape financial abuse, I had started planning what project I wanted to leave to the world (it would have been a programming language with some novel ideas).

        I’m really impressed by how much of it he got done. I very much hope that this work brought him relief, and that he’s at peace now.

        1.  

          Thank you for saying this. It’s lovely and it means something to me.

        2. 10

          His story reminds me a lot of the folk artist Daniel Johnston, who I got to see perform years ago in Atlanta. Having known others close to me who’ve had to deal with serious mental illness, it’s really neat to see what these people put together and accomplished, as well as how difficult it was for them to live in this world and the world inside their heads. It’s a reminder of how dependent we are on our senses and our perception of reality.

          1.  

            Amen.

          1. 19

            I really wish Microsoft would at least open source EdgeHTML if they go this route. All the old NCSA code has got to be gone by now, and it would at least give developers out there another engine to try to write minimalistic browsers in. Remember Firefox was the trimmed down version of Mozilla. Maybe if they open source the Edge/Titan engine, we could see something similar. Maybe people could even get it to compile and build a UI on it for Linux/Mac and others.

            1. 2

              From what I gather EdgeHTML is largely Trident - the IE renderer - with a bunch of legacy cruft removed and some new bits bolted on. This would make it quite possible for some of the original Spyglass/NCSA code to remain buried somewhere and as such it would be hard to certify the code to be ‘clean’.

            1. 81

              I beg all my fellow crustaceans to please, please use Firefox. Not because you think it’s better, but because it needs our support. Technology only gets better with investment, and if we don’t invest in Firefox, we will lose the web to chrome.

              1. 59

                Not because you think it’s better

                But that certainly helps too. It is a great browser.

                • privacy stuff — the cookie container API for things like Facebook Container, built-in tracker blocker, various anti-fingerprinting things they’re backporting from the Tor Browser
                • honestly just the UI and the visual design! I strongly dislike the latest Chrome redesign >_<
                • nice devtools things — e.g. the CSS Grid inspector
                • more WebExtension APIs (nice example: only on Firefox can Signed Pages actually prevent the page from even loading when the signature check fails)
                • the fastest (IIRC) WASM engine (+ now in Nightly behind a pref: even better codegen backend based on Cranelift)
                • ongoing but already usable Wayland implementation (directly in the official tree now, not as a fork)
                • WebRender!!!

                1. 7

                  On the other hand, WebSocket debugging (mostly frame inspection) is impossible in Firefox without an extension. I try not to install any extensions that I don’t absolutely need and Chrome has been treating me just fine in this regard[1].

                  Whether or not I agree with Google’s direction is now a moot point. I need Chrome to do what I do with extensions.

                  As soon as Firefox supports WebSocket debugging natively, I will be perfectly happy to switch.

                  [1] I mostly oppose extensions because of questionable maintenance cycles. I allow uBlock and aXe because they have large communities backing them.

                  1. 3

                    Axe (https://www.deque.com/axe/) seems amazing. I know it wasn’t the focus of your post – but I somehow missed this when debugging an accessibility issue just recently, I wish I had stumbled onto it. Thanks!

                    1. 1

                      You’re welcome!

                      At $work, we used aXe and NVDA to make our webcomponents AA compliant with WCAG. aXe was invaluable for things like contrast and missing role attributes.

                    2. 3

                      WebSocket debugging (mostly frame inspection) is impossible in Firefox without an extension

                      Is it possible with an extension? I can’t seem to find one.

                      1. 1

                        I have never needed to debug WebSockets and see no reason for that functionality to bloat the basic browser for everybody. Too many extensions might not be a good thing but if you need specific functionality, there’s no reason to hold back. If it really bothers you, run separate profiles for web development and browsing. I have somewhat more than two extensions and haven’t had any problems.

                        1. 1

                          I do understand your sentiment, but the only extension that I see these days is marked “Experimental”.

                          On the other hand, I don’t see how it would “bloat” a browser very much. (Disclaimer: I have never written a browser or contributed to any. I am open to being proved wrong.) I have written a WebSockets library myself, and it’s not a complex protocol. It can’t be too expensive to update a UI element on every (websocket) frame.

                      2. 5

                        Yes! I don’t know about you, but I love the fact that Firefox uses so much less RAM than Chrome.

                        1. 2

                          This was one of the major reasons I stuck with FF for a long time. It is still a pronounced difference.

                        2. 3

                          honestly just the UI and the visual design! I strongly dislike the latest Chrome redesign >_<

                          Yeah, what’s the deal with the latest version of Chrome? All those bubbly menus feel very mid-2000s. Everything old is new again.

                          1. 3

                            I found a way to go back to the old ui from https://www.c0ffee.net/blog/openbsd-on-a-laptop/ (it was posted here a few weeks ago):

                            Also, set the following in chrome://flags:

                            • Smooth Scrolling: (personal preference)
                            • UI Layout for the browser’s top chrome: set to “Normal” to get the classic Chromium look back
                            • Identity consistency between browser and cookie jar: set to “Disabled” to keep Google from hijacking any Google login to sign you into Chrome
                            • SafeSearch URLs reporting: disabled

                            (emphasis mine)

                          2. 1

                            The Wayland implementation is not usable quite yet, though, but it is close. I tried it under Sway, but it was crashy.

                            1. -3

                              Not really. Not to mention Pocket integration and the recent VPN advertisement. Ah, and they have removed RSS support.

                              It’s just another product made by a for-profit corporation.

                              I think the web got over-complicated. There are no usable, truly independent browsers, and there probably never will be. It’s a read-only “open source”.

                              1. 16

                                It’s just another product made by a for-profit corporation.

                                They (Mozilla) are actually a non-profit.

                                1. 2

                                  There is also Mozilla corporation.

                                  1. 12

                                    …which is 100% owned by the Mozilla Foundation, and:

                                    The Mozilla Corporation reinvests all of its profits back into the Mozilla projects.

                                    Forming for-profit corporations is not uncommon for NGOs, because NGOs in many countries are severely legally limited in the amount of commercial activities they’re able to do.

                                    1. 3

                                      Adding to that, funding FOSS software development is not considered 501(c)3-eligible in the US.

                                2. 5

                                  I had the same impression with that over-complication of JS into ES6. CSS is also looking more like a programming language. HTTP/2 is now a binary protocol. So to have a modern web platform, you need to support all of these, and none are trivial anymore. On the other hand, I find it amazing to be able to do networking, audio, video, 3D and highly customizable user interfaces with (relatively) little effort at a pretty good speed. As a platform for creativity and experimentation, it is without equivalent.

                                  1. 2

                                    without equivalent.

                                    Java applets - done right?

                                    1. 3

                                      Or Flash/Shockwave done openly and right?

                                      1. 4

                                        Both Java applets and Flash were actually more like trojan horses. See how Flash (very good scene graph at the time) became Air (i.e. an attempt to take over the Web like Java) and thankfully died because Apple killed it with the iPhone. The intention was to run programs within a walled garden, not to interoperate with the Web at large. At least that’s how I read it.

                                        1. 4

                                          Good point on long-term risk. Do note I said Flash/Shockwave the tech. That was made by Macromedia, not Adobe. Macromedia was a company whose pricey tech was kick-ass but made no attempt to be open or interoperate past maybe Dreamweaver. Catchy name many lay people could spell, too.

                                          I think Adobe acquiring them made me drop some F-bombs, sigh a bit, eye rolls, and so on. I knew there would be short-term improvements before the large company FUBARed its value over time. Apple’s position sealed its fate.

                                          1. 2

                                            Indeed, Macromedia had a much better stewardship than Adobe in this respect. What I find really ironic is that before the acquisition, Adobe was pushing SVG and SVG animations as an alternative to Flash, embracing and pushing the web standards. After the acquisition, everything stalled and it’s only with Apple creating the Canvas API and standardizing it through the newly created WHATWG that we started to catch up and be able to do fast interactive graphics on the Web. What we lost, though, is one of the best tools to create vector animations with programmatic behaviour. One step ahead, two steps back, some might say.

                                        2. 3

                                          I think the difference is that applets and Flash were supposed to extend the web experience; new technologies are replacing it. It’s convenient but dangerous as it promotes monoculture. I don’t know if there is a safe middle ground.

                                          1. 5

                                            There is a lot being lost with the death of Flash. It was amazingly lightweight when it started out. You can take that Homestar Runner e-mail and the original Flash, resize it to 4k, and it will still render correctly and sharply. You can’t do that when you export animation to YouTube at a set resolution. Not to mention all the games that were made in Flash that we’ll lose soon.

                                            Adobe really butchered all the Macromedia stuff when they acquired that company. It’s pretty sad.

                                    2. 2

                                      What does “removes RSS support” mean? Was it possible to use it as a feed reader before?

                                      1. 3

                                        Yeah, it was called “Live Bookmarks” and basically made your RSS feed subs show up in your bookmarks bar (or accessible from a page). It actually looked really neat, but I only found out about it when/because they removed it.

                                        1. 10

                                          “Live Bookmarks” still exist, in Firefox 63.0.3 released on Nov 15th, 2018. I use them. Go to any RSS feed in FF and they will pop up. I use them for multiple Discourse forums.

                                            1. 1

                                              Ah, sad times, thanks for the link!

                                        2. -1

                                          Sure, using live bookmarks and integrated reader. But RSS collided with their new commercial and closed product, namely Pocket.

                                          1. 4

                                            That’s not completely fair. I’m not sure if anything has happened yet, but Mozilla does have plans to open-source Pocket:

                                            As a result of this strategic acquisition, Pocket will become a wholly owned subsidiary of Mozilla Corporation and will become part of the Mozilla open source project.

                                    3. 16

                                      I switched to Firefox last year, and I have to say I don’t miss Chrome in the slightest.

                                      1. 13

                                        And those with a little financial liberty, consider donating to Mozilla. They do a lot of important work for a free and open web.

                                        1. 10

                                          I recently came back to Firefox from Vivaldi. That’s another Chromium/Webkit based browser and it’s closed source to boot.

                                          Firefox has improved greatly in speed as of late and I feel like we’re back in the era of the mid-2000s, asking people to choose Firefox over Chrome this time instead of IE.

                                          1. 2

                                            I’d love to switch from Vivaldi, but it’s simply not an option given the current (terrible) state of vertical tab support in Firefox.

                                            1. 2

                                              How is it terrible? The hiding of the regular tab bar is not an API yet and you have to use CSS for that, sure, but there are some very good tree style tab webextensions.

                                              1. 2

                                                The extensions are all terrible – but what’s more important is that I lost the belief that any kind of vertical tab functionality has any chance of long-term survival. Even if support was added now, it would be a constant battle to keep it and I’m frankly not interested in such fights anymore.

                                                Mozilla is chasing their idealized “average user” and is determined to push everyone into their one-size-fits-all idea of user interface design – anyone not happy with that can screw off, if it were up to Mozilla.

                                                It’s 2018 – I don’t see why I even have to argue for vertical tabs and mouse gestures anymore. I just pick a browser vendor which hasn’t been asleep at the wheel for the last 5 years and ships with these features out of the box.

                                                And if the web in the future ends up as some proprietary API defined by whatever Google Chrome implements, because Firefox went down, Mozilla has only itself to blame.

                                                1. 2

                                                  The extensions are all terrible – but what’s more important is that I lost the belief that any kind of vertical tab functionality has any chance of long-term survival. Even if support was added now, it would be a constant battle to keep it and I’m frankly not interested in such fights anymore. The whole point of moving to WebExtensions was long term support. They couldn’t make significant changes without breaking a lot of the old extensions. The whole point was to unhook extensions from the internals so they can refactor around them and keep supporting them.

                                                  1. 0

                                                    That’s like a car manufacturer removing all electronics from a car – sure it makes the car easier to support … but now the car doesn’t even turn on anymore!

                                                    Considering that cars are usually used for transportation, not for having them sit in the garage, you shouldn’t be surprised that customers buy other cars in the future.

                                                    (And no, blaming “car enthusiasts” for having unrealistic expectations, like it happens in the case of browser users, doesn’t cut it.)

                                                    1. 3

                                                      So you’d rather they didn’t improve it at all? Or would you rather they broke most extensions every release?

                                                      1. 3

                                                        I’m not @soc, but I wish Firefox had delayed their disabling of old-style extensions in Firefox 57 until they had replicated more of the old functionality with the WebExtensions API – mainly functionality related to interface customization, tabs, and sessions.

                                                        Yes, during the time of that delay, old-style extensions would continue to break with each release, but the maintainers of Tree Style Tabs and other powerful extensions had already been keeping up with each release by releasing fixed versions. They probably could have continued updating their extensions until WebExtensions supported their required functionality. And some users might prefer to run slightly-buggy older extensions for a bit instead of switching to the feature-lacking new extensions straight away – they should have that choice.

                                                        1. 1

                                                          What’s the improvement? The new API was so bad that they literally had to pull the plug on the existing API to force extension authors to migrate. That just doesn’t happen in cases where the API is “good”; developers are usually eager to adopt them and migrate their code.

                                                          Let’s not accuse people you disagree with of being “against improvements” – it’s just that the improvements have to actually exist, and in this case the API clearly wasn’t ready. This whole fiasco feels like another instance of CADT-driven development and the failure of management to rein it in.

                                                          1. 3

                                                            The old extension API provided direct access to the JavaScript context of both the chrome and the tab within a single thread, so installing an XUL extension was disabling multiprocess mode. Multiprocess mode seems like an improvement; in old Firefox, a misbehaving piece of JavaScript would lock up the browser for about a second before eventually popping up a dialog offering to kill it, whereas in a multiprocess browser, it should be possible to switch and close tabs no matter what the web page inside does. The fact that nobody notices when it works correctly seems to make it the opposite of Attention-Deficient-Driven-Design; it’s the “focus on quality of implementation, even at the expense of features” design that we should be encouraging.

                                                            The logical alternative to “WebExtension For The Future(tm)” would’ve been to just expose all of the relevant threads of execution directly to the XUL extensions. run-this-in-the-chrome.xul and run-this-in-every-tab.xul and message pass between them. But at that point, we’re talking about having three different extension APIs in Firefox.

                                                            Which isn’t to say that I think you’re against improvement. I am saying that you’re thinking too much like a developer, and not enough like the poor sod who has to do QA and Support triage.

                                                            1. 2

                                                              Improving the actual core of Firefox. They’re basically ripping out and replacing large components every other release. This would break a large number of plugins constantly. Hell, plugins wouldn’t even work in Nightly. I do agree with @roryokane that they should have tried to improve it before cutting support. The new API is definitely missing many things but it was the right decision to make for the long term stability of Firefox.

                                                              1. 1

                                                                They could have made the decision to axe the old API after extension authors adopted it. That adoption failed so hard that they had to force developers to use the new API speaks for itself.

                                                                I’d rather have extensions that I have to fix from time to time than no working extensions at all.

                                                      2. 1

                                                        Why should Mozilla care that much about your niche use case? They already have a ton of stuff to deal with and barely enough funding.

                                                        It’s open source, make your own VerticalTabFox fork :)

                                                        1. 3

                                                          Eh … WAT? Mozilla went the extra mile with their recent extension API changes to make things – that worked before – impossible to implement with a recent Firefox version. The current state of tab extensions is this terrible, because Mozilla explicitly made it this way.

                                                          I used Firefox for more than 15 years – the only thing I wanted was to be left alone.

                                                          It’s open source, make your own VerticalTabFox fork :)

                                                          Feel free to read my comment above to understand why that doesn’t cut it.

                                                          Also, Stuff that works >> open source. Sincerely, a happy Vivaldi user.

                                                          1. 2

                                                            It’s one of the laws of the internet at this point: Every thread about Firefox is always bound to attract someone complaining about WebExtensions not supporting their pet feature that was possible with the awful and insecure old extension system.

                                                            If you care about “non terrible” (whatever that means — Tree Style Tab looks perfect to me) vertical tabs more than anything — sure, use a browser that has them.

                                                            But you seem really convinced that Firefox could “go down” because of not supporting these relatively obscure power user features well?? The “average user” they’re “chasing” is not “idealized”. The actual vast majority of people do not choose browsers based on vertical tabs and mouse gestures. 50% of Firefox users do not have a single extension installed, according to telemetry. The majority of the other 50% probably only have an ad blocker.

                                                            1. 3

                                                              If you care about “non terrible” (whatever that means — Tree Style Tab looks perfect to me) vertical tabs more than anything — sure, use a browser that has them.

                                                              If you compare the current state of the art of vertical tabs extensions, even Mozilla thinks they suck – just compare them to their own Tab Center experiment: https://testpilot.firefox.com/static/images/experiments/tab-center/details/tab-center-1.1957e169.jpg

                                                              Picking just one example: Having the navigation bar at a higher level of the visual hierarchy is just wrong – the tab panel isn’t owned by the navigation bar, the navigation bar belongs to a specific tab! Needless to say, all of the vertical tab extensions are forced to be wrong, because they lack the API to implement the UI correctly.

                                                              This is how my browser currently looks, for comparison: https://i.imgur.com/5dTX8Do.png

                                                              But you seem really convinced that Firefox could “go down” because of not supporting these relatively obscure power user features well?? The “average user” they’re “chasing” is not “idealized”. The actual vast majority of people do not choose browsers based on vertical tabs and mouse gestures. 50% of Firefox users do not have a single extension installed, according to telemetry. The majority of the other 50% probably only have an ad blocker.

                                                              You can only go so far alienating the most loyal users that use Firefox for specific purposes until they stop installing/recommending it to their less technically-inclined friends and relatives.

                                                              Mozilla is so busy chasing after Chrome that it doesn’t even realize that most Chrome users will never switch. They use Chrome because “the internet” (www.google.com) told them so. As long as Mozilla can’t make Google recommend Firefox on their frontpage, this will not change.

                                                              Discarding their most loyal users while trying to get people to adopt Firefox who simply aren’t interested – this is a recipe for disaster.

                                                          2. 1

                                                            and barely enough funding

                                                            Last I checked they pulled in half a billion in revenue (2016). Do you believe this is barely enough?

                                                            1. 2

                                                              For hundreds of millions users?

                                                              Yeah.

                                                        2. 1

                                                          At least with multi-row tabs in CSS you can’t drag-and-drop tabs. That’s about as bad as it gets.

                                                        3. 2

                                                          Are vertical tabs so essential?

                                                          1. 3

                                                            Considering the change in screen ratios over the past ten years (displays get shorter and wider), yes, it absolutely is.

                                                            With vertical tabs I can get almost 30 full-width tabs on screen, with horizontal tabs I can start fishing for the right tab after about 15, as the tab width gets increasingly smaller.

                                                            Additionally, vertical tabs reduce the travel distance substantially when selecting a different tab.

                                                            1. 1

                                                              I still miss them; it didn’t cripple me, but it really hurt. The other thing about Tree (not just vertical) tabs that FF used to have was that the subtree was contextual to the parent tree. So, when you opened a link in a background tab, it was opened in a new tab that was a child of your current tab. For doing things like documentation hunting / research it was amazing and I still haven’t found its peer.

                                                          2. 1

                                                            It’s at least partially open source. They provide tarballs.

                                                            1. 4

                                                              https://help.vivaldi.com/article/is-vivaldi-open-source/

                                                              The chromium part is legally required to be open, the rest of their code is like readable source, don’t get me wrong that’s way better than unreadable source but it’s also very wut.

                                                              1. 2

                                                                Very wut. It’s a weird uneasy mix.

                                                                1. 1

                                                                  that’s way better than unreadable source but it’s also very wut.

                                                                  I wouldn’t be sure of that. It makes it auditable, but has legal ramifications should you want to build something like vivaldi, but free.

                                                            2. 8

                                                              firefox does not get better with investment, it gets worse.

                                                              the real solution is to use netsurf or dillo or mothra, so that webmasters have to come to us and write websites that work with browsers that are simple enough to be independently maintained.

                                                              1. 9

                                                                Good luck getting more than 1‰ adoption 😉

                                                                1. 5

                                                                  good luck achieving independence from Google by using a browser funded by Google

                                                                  1. 1

                                                                    I can achieve independence from Google without using netsurf, dillo, or mothra; to be quite honest, those will never catch on.

                                                                    1. 2

                                                                      can you achieve independence from google in a way that will catch on?

                                                                      1. 1

                                                                        I don’t think we’ll ever get the majority of browser share back into the hands of a (relatively) sane organization like Mozilla—but we can at least get enough people to make supporting alternative browsers a priority. On the other hand, the chances that web devs will ever feel pressured to support the browsers you mentioned are close to nil. (No pun intended.)

                                                                        1. 0

                                                                          what is the value of having an alternative, if that alternative is funded by google and sends data to google by default?

                                                                          1. 1

                                                                            what is the value of having an alternative

                                                                            What would you like me to say, that Firefox’s existence is worthless? This is an absurd thing to insinuate.

                                                                            funded by google

                                                                            No. I’m not sure whether you’re speaking in hyperbole, misunderstood what I was saying, and/or altogether skipped reading what I wrote. But this is just not correct. If Google really had Mozilla by the balls as you suggest, they would coerce them to stop adding privacy features to their browser that, e.g., block Google Analytics on all sites.

                                                                            sends data to google by default

                                                                            Yes, though it seems they’ve been as careful as one could be about this. Also to be fair, if you’re browsing with DNT off, you’re likely to get tracked by Google at some point anyway. But the fact that extensions can’t block this does have me worried.

                                                                            1. 1

                                                                              i’m sorry if i misread something you wrote. i’m just curious what benefit you expect to gain if more people start using firefox. if everyone switched to firefox, google could simply tighten their control over mozilla (continuing the trend of the past 10 years), and they would still have control over how people access the web.

                                                                              1. 1

                                                                                It seems you’re using “control” in a very abstract sense, and I’m having trouble following. Maybe I’m just missing some context, but what concrete actions have Google taken over the past decade to control the whole of Mozilla?

                                                                                1. 1

                                                                                  Google has pushed through complex standards such as HTTP/2 and new rendering behaviors, which Mozilla implements in order to not “fall behind.” They are able to implement and maintain such complexity due to funding they receive from Google, including their deal to make Google the default search engine in Firefox (as I said earlier, I couldn’t find any breakdown of what % of Mozilla’s funding comes from Google).

                                                                                  For evidence of the influence this funding has, compare the existence of Mozilla’s Facebook Container to the non-existence of a Google Container.

                                                                                  1. 1

                                                                                    what % of Mozilla’s funding comes from Google

                                                                                    No word on the exact breakdown. Visit their 2017 report and scroll all the way to the bottom, and you’ll get a couple of helpful links. One of them is to a wiki page that describes exactly what each search engine gets in return for their investment.

                                                                                    I would also like to know the exact breakdown, but I’d expect all those companies would get a little testy if the exact amount were disclosed. And anyway, we know what the lump sum is (around half a billion), and we can assume that most of it comes from Google.

                                                                                    the non-existence of a Google Container

                                                                                    They certainly haven’t made one themselves, but there’s nothing stopping others from forking one off! And anyway, I think it’s more so fear on Mozilla’s part than any concrete warning from Google against doing so.

                                                                                    Perhaps this is naïveté on my part, but I really do think Google just want their search engine to be the default for Firefox. In any case, if they really wanted to exert their dominance over the browser field, they could always just… you know… stop funding Mozilla. Remember: Google is in the “web market” first & the “software market” second. Having browser dominance is just one of many means to the same end. I believe their continued funding of Mozilla attests to that.

                                                                                    1. 2

                                                                                      It doesn’t have to be a direct threat from Google to make a difference. Direct threats are a very narrow way in which power operates and there’s no reason that should be the only type of control we care about.

                                                                                      Yes, Google’s goal of dominating the browser market is secondary to their goal of dominating the web. Then we agree that Google’s funding of Firefox is in keeping with their long-term goal of web dominance.

                                                                                      if they really wanted to exert their dominance over the browser field, they could always just… you know… stop funding Mozilla.

                                                                                      Likewise, if Firefox was a threat to their primary goal of web dominance, they could stop funding Mozilla. So doesn’t it stand to reason that using Firefox is not an effective way to resist Google’s web dominance? At least Google doesn’t think so.

                                                                                      1. 1

                                                                                        Likewise, if Firefox was a threat to their primary goal of web dominance, they could stop funding Mozilla. So doesn’t it stand to reason that using Firefox is not an effective way to resist Google’s web dominance?

                                                                                        You make some good points, but you’re ultimately using the language of a “black or white” argument here. In my view, if Google were to stop funding Mozilla they would still have other sponsors. And that’s not to mention the huge wave this would make in the press—even if most people don’t use Firefox, they’re at least aware of it. In a strange sense, Google cannot afford to stop funding Mozilla. If they do, they lose their influence over the Firefox project and get huge backlash.

                                                                                        I think this is something the Mozilla organization were well aware of when they made the decision to accept search engines as a funding source. They made themselves the center of attention, something to be competed over. And in so doing, they ensured their longevity, even as Google’s influence continued to grow.

                                                                                        Of course this has negative side effects, such as companies like Google having influence over them. But in this day & age, the game is no longer to be free of influence from Google; that’s Round 2. Round 1 is to achieve enough usage to exert influence on what technologies are actually adopted. In that sense, Mozilla is at the discussion table, while netsurf, dillo, and mothra (as much as I’d love to love them) are not and likely never will be.

                                                                  2. 3

                                                                    Just switch to Gopher.

                                                                    1. 5

                                                                      Just switch to Gopher

                                                                      I know you were joking, but I do feel like there is something to be said for the simplicity of systems like gopher. The web is so complicated nowadays that building a fully functional web browser requires software engineering on a grand scale.

                                                                      1. 3

                                                                        yeah. i miss when the web was simpler.

                                                                        1. 1

                                                                          I was partially joking. I know there are new ActivityPub tools like Pleroma that support Gopher and I’ve thought about adding support to generate/serve gopher content for my own blog. I realize it’s still kind of a joke within the community, but you’re right about there being something simple about just having content without all the noise.

                                                                    2. 1

                                                                      Unless more than (rounded) 0% of people use it for Facebook, it won’t make a large enough blip for people to care. Also this is how IE was dominant, because so much only worked for them.

                                                                      1. 1

                                                                        yes, it would require masses of people. and yes it won’t happen, which is why the web is lost.

                                                                    3. 2

                                                                      I’ve relatively recently switched to FF, but still use Chrome for web dev. The dev tools still seem quite more advanced and the browser is much less likely to lock up completely if I have a JS issue that’s chewing CPU.

                                                                      1. 2

                                                                        I tried to use Firefox on my desktop. It was okay, not any better or worse than Chrome for casual browsing apart from private browsing Not Working The Way It Should relative to Chrome (certain cookies didn’t work across tabs in the same Firefox private window). I’d actually want to use Firefox if this was my entire Firefox experience.

                                                                        I tried to use Firefox on my laptop. Site icons from bookmarks don’t sync for whatever reason (I looked up the ticket and it seems to be a policy problem where the perfect is the enemy of the kinda good enough), but it’s just a minor annoyance. The laptop is also pretty old and for that or whatever reason has hardware accelerated video decoding blacklisted in Firefox with no way to turn it back on (it used to work a few years ago with Firefox until it didn’t), so I can’t even play 720p YouTube videos at an acceptable framerate and noise level.

                                                                        I tried to use Firefox on my Android phone. Bookmarks were completely useless with no way to organize them. I couldn’t even organize on a desktop Firefox and sync them over to the phone since they just came out in some random order with no way to sort them alphabetically. There was also something buggy with the history where clearing history didn’t quite clear history (pages didn’t show up in history, but links remained colored as visited if I opened the page again) unless I also exited the app, but I don’t remember the details exactly. At least I could use UBO.

                                                                        This was all within the last month. I used to use Firefox before I used Chrome, but Chrome just works right now.

                                                                        1. 6

                                                                          I definitely understand that Chrome works better for many users and you gave some good examples of where firefox fails. My point was that people need to use and support firefox despite it being worse than chrome in many ways. I’m asking people to make sacrifices by taking a principled position. I also recognize most users might not do that, but certainly, tech people might!? But maybe I’m wrong here, maybe the new kids don’t care about an open internet.

                                                                      1. 10

                                                                        I recently worked for a company who, during the interview process said, “We’ll have some crunch time ahead.” Even though I’ve been working in this field for 18 years, I naively thought that just meant doing a lot of work at the office. We were salary exempt after all.

                                                                        We were never told explicitly to work overtime ever. We were just told “The company will reward you if you put in the work.” We had a regular meeting with the team that wasn’t about any specific task, but just a general, “How are you doing,” meeting. During one of these a co-worker brought up the hours and the manager said, “Let’s take this off-line.” It was a big warning sign and my co-worker and I wouldn’t let him take this offline.

                                                                        They told him during the interview it was a 40 hour a week job, so I guess when both of us started saying “no” they kept him and fired me. An admin I worked with left a few weeks later right after launch. He said at his new gig he always goes home on time. I learned another developer was pissed I was let go.

                                                                        I did work one 13 hour Sunday (paid via a bonus) and two weeks later they asked for another Sunday and I said I couldn’t do it.

                                                                        Two days later an HR person told me that people at the company were expected to put in long hours to meet deadlines. I really wish I had recorded this conversation. I was given no opportunity to adjust to fit what they wanted. I was simply terminated.

                                                                        I’ve worked at one other place with crazy unrealistic expectations like this, but it was years ago and I think I had forgotten all the warning signs.

                                                                        No big loss.

                                                                        1. 2

                                                                          I feel like ActivityPub and OStatus will be the new Atom/RSS… on steroids.

                                                                          1. 5

                                                                            OStatus is built on Atom, because that’s the obvious thing to do and they weren’t suffering from NiH at the time :)

                                                                          1. 17

                                                                            I love Graeber and highly recommend Debt: The First 5,000 Years. I haven’t read this new book, but I have read the original article about Bullshit Jobs with the same title (I think it was originally published in the Sydney Morning Herald; or at least syndicated there).

                                                                            I know this quote is out of context and it seems like he’s interviewing someone else, but just addressing this quote there are a lot of things wrong here. First, most of the big open source components we use today are not made in people’s free time as side projects as they once were, nor are they unfunded. IBM, Intel, Redhat (I guess IBM again now), Google, Facebook all pour tons of money into some OSS projects. The Linux kernel has a ton of contributions from people who are paid full time by the big giants to work on this stuff. Things like React come straight out of Facebook labs.

                                                                            In the 90s/2000s there were a lot of people in the FOSS community that thought we’d see open source overtake end-user applications. There were dreams that Gimp would one day be on par with Photoshop, that Inkscape would be as good as Illustrator and that you’d see at least 3 ~ 5 people in every coffee shop running some type of Linux desktop (with Ubuntu making the biggest strides at the time in improving end user desktop experience).

                                                                            Today this is not the case. Almost all FOSS is middleware. End applications are mostly on the web or in mobile apps, entirely closed yet leveraging a lot of OSS technology. I guess in that sense the duct tape analogies above hold true.

                                                                            Yes, there are still several truly side, labour-of-love OSS projects, funded only by Patreon, Liberapay or not at all. People were surprised that openssl was just one or two people when those bugs came out a few years back. The recent npm issue also has people talking about maintainership.

                                                                            I think the above quote is just one specific aspect of some FOSS, but not all of it and certainly not the majority people use. I wrote my own post on this a while back: https://penguindreams.org/blog/the-philosophy-of-open-source-in-community-and-enterprise-software/

                                                                            1. 6

                                                                              Agree, I like Graeber’s work in general but he seems to have been a little too eager to select open source as a supporting example for his thesis. If what he says in the quote were true we should expect open source quality to decline over time – it seems evident that that is not the overall trend.

                                                                              E.g. If people are willing to write news articles for free, nobody would pay professional journalists

                                                                              My guess is that there are many people who would do journalism for free if they could afford to, but they’re wrapped up in content generation or other tangential jobs that don’t afford them the spare time/money that is available to many programming practitioners. Also, culturally, journalism is one of many professions that promote the idea of “suffer through K years of grunt work and then you can do what you want”, which isn’t as dominant in the younger field of software.

                                                                              1. 3

                                                                                we should expect open source quality to decline over time – it seems evident that that is not the overall trend.

                                                                                Are you a web developer, perchance? I’d argue that that’s exactly what we’re seeing.

                                                                                1. 6

                                                                                  I occasionally do / have-done web development. I’m not sure which timescale you’re thinking of, but open source software has gotten much better in the fifteen years I’ve been developing professionally, in every area I can think of. Sure, there’s plenty of crap out there (more than ever), but there always has been. Where are you seeing a trend of declining quality?

                                                                                  1. 1

                                                                                    This may be a good example of declining quality of open source: it’s a testimony about a dev who created some npm packages that got a lot of dependants and doesn’t want to maintain them any more.

                                                                                    In this thread I reached the GNU philosophy about Selling Free Software. I’m starting to read more about the subject, but I didn’t know that the free part of free software is about freedom, not price.

                                                                                    1. 1

                                                                                      BTW, how to write FOSS and charge for it? I may take some time to get the answer from reading.

                                                                                  2. 5

                                                                                    I’m not sure what I think of this.

                                                                                    In the short time I’ve worked with open source (2012-now), it has changed a lot. Many open source users staunchly support the corporatization of open source, where they insist that only tech by $MEGACORPS should be used. The social side of open source feels like it is trying to overtake the technical side, where it becomes vitally important that one has the correct $CURRENT_POLITICAL_VIEW rather than a good project. Bandwagon-hopping is rewarded over truly novel technical approaches; many ecosystems seem happy to simply ape other ecosystems entirely, all the way down to punning off the name. The proliferation of libraries/frameworks seems to need more software to manage it, and open source is happy to feed this desire for more things instead of questioning why we need more complexity and computational resources to do similar tasks as before. Finally, the culture penalizes stable libraries with lower churn rates because it takes a consumerist view whereby libraries should be updated constantly with shiny new features, rather than just work and stay out of the way.

                                                                                    In short, open source may have won the hearts of mainstream developers now, but it is a Faustian bargain that brings in optimization for local maxima, careerism, and corporatism.

                                                                                    Please tell me if I’m full of it. I’ve enjoyed working in open source for most of this time, I’m uncertain if I want to continue. To clarify, I don’t think it is all bad at all, there is a lot of activity and interest in it now. I’m just not sure if I want to put the time into this side of things anymore; I find it hard to identify with the current zeitgeist and what open source has evolved into.

                                                                                    1. 2

                                                                                      many ecosystems seem happy to simply ape other ecosystems entirely, all the way down to punning off the name

                                                                                      This at least is nothing new. Consider “Groovy on Grails”, or even “GNU’s Not UNIX”.

                                                                                      There are plenty of things wrong with open source development and a lot of things that need to be improved – I think all your points are correct. I just don’t think one can point to unpaid open source development as a cause of poor software quality the way the original quote does.

                                                                                    2. 2

                                                                                      Different values, so different results. Web development in the past 5 years has made more progress on easy-to-code UIs than the previous 20 years. TypeScript got us to gradual typing that “works” in many projects, with the flexibility needed for the kind of projects people are building. I dislike rails, but I see people build stuff in a day in rails that takes the Java people weeks.

                                                                                      Ideally cross-pollination can mean that we can get some rigor into stuff, but it’s obviously tough. Still miles better than “yeah just download this zip file from a random mirror and check it in, also go in and edit 20 flags to get it to work on your machine”.

                                                                                    3. 1

                                                                                      Graeber’s book opened my eyes to the bullshit work that a lot of people do. It’s hard to say that all his arguments are right and his data is consistent, but it is definitely hard to say that bullshit jobs don’t exist.

                                                                                      What I’m starting to think about now is a good framework for work (weird words to put together). You suggested that it’s easier for a programmer (than a journalist) to have spare money and time to program for free; maybe I should invest in it. But if my profession is to program, why should I do it for free?

                                                                                      1. 2

                                                                                        But if my profession is to program, why should I do it for free?

                                                                                        I wasn’t suggesting that anyone should, just noting that they do.

                                                                                        The quote above says people are employed in their day jobs “fixing the damage” done by uncompensated OSS devs, which seems false, but possibly uncompensated OSS work is a sort of pressure-release for creativity and talent untapped by “bullshit jobs”

                                                                                    1. 3

                                                                                      acct:singpolyma@singpolyma.net

                                                                                      Not followable on Mastodon yet, but most other fediverse and indieweb implementations work. Mastodon compatibility is hopefully coming in my 2019 rewrite.

                                                                                      1. 1

                                                                                        That’s awesome to see someone implemented ActivityPub for their own site/blog. Does yours work with Pleroma? What specific challenges are there with Mastodon’s API?

                                                                                        1. 2

                                                                                          It’s not ActivityPub, it’s OStatus, but yeah. I haven’t tested with Pleroma specifically, but I know it works with GNU Social and Friendica for sure. Mastodon has some little quirks, but in this case the biggest one is that they only support Atom feeds and my site intentionally used alternate formats to make sure that worked in implementations at the time. But at this point Mastodon is not planning to ever be fully compatible with protocol specs, and having my site work there is probably more valuable than continuing to be weird on purpose.

                                                                                      1. 6

                                                                                        You can find me @GeoffWozniak@hackers.town and @GeoffWozniak@mastodon.club. I’m migrating to the hackers.town account for most things (Emacs, debugging, old tech books, some Canadian political things) and will use the mastodon.club one less since the site, although happily in Canada, tends to fail a lot and doesn’t get updated.

                                                                                        1. 3

                                                                                          I like hackers.town. One of the admins recently started using my guide to try to re-theme the site:

                                                                                          https://penguindreams.org/blog/using-custom-css-with-mastodon/

                                                                                          I think he posted it on User Styles. I was really happy to see someone use one of my tutorials.

                                                                                        1. 17

                                                                                          I used Mastodon for about six months … Then stopped, because that sort of social networking didn’t make me a happier or better person, regardless of platform or community.

                                                                                          1. 7

                                                                                            You know I hear this a lot.

                                                                                            My Twitter feed isn’t full of trolls, and neither is my Mastodon feed. I find and interact with people who want to have meaningful, interesting and civil discourse on a variety of topics.

                                                                                            Sorry your experience was so different.

                                                                                            1. 6

                                                                                              This is so true. Took me way too long to figure this out. Also, I never follow coworkers — it ruins the relationship for me to get inside their head that much.

                                                                                              1. 2

                                                                                                That’s generally good advice. For me it depends. I can usually draw a bead on the maturity level of the people in question, and I follow the ones I trust.

                                                                                                That may bite me in the posterior someday. Hasn’t yet.

                                                                                                1. 2

                                                                                                  I’m really glad I run my own mastodon instance. The major instances have massive block lists and I’ve found a lot of people on blocked instances to be really cool. There are other people who have mobbed me and they couldn’t even see counter arguments because they came from blocked instances; they were in an echo chamber.

                                                                                                  If you want to use Mastodon, I suggest you start your own instance (or you can PM me if you want an invite to mine).

                                                                                                  I’m at @djsumdog@hitchhiker.social

                                                                                                2. 4

                                                                                                  I think that Twitter, Mastodon, etc. can have ill effects even if you’re only following people you like and no one is harassing you. (And of course, it’s surprisingly difficult sometimes to realize that following a certain person is not bringing you joy and that you should stop following them.) Some people—myself included—get a little twinge of pleasure any time someone likes/favourites/boosts/retweets their stuff, and over time that can make posting feel a little bit like a slot machine. Some people are less prone to that, but for the rest of us it’s not a very healthy dynamic for a social network.

                                                                                                  1. 2

                                                                                                    Except that, if you want to reduce it to the neuro-psych effects of interacting online, what’s so different about this venue? We crave upvotes and standing in the community.

                                                                                                    Admittedly unlike failbook there’s no giant MegaCorp using our data in immoral ways, but that’s the same for Mastodon as well.

                                                                                                    So, basically, I don’t see your point at all. Humans crave social approval. it’s how we’re wired. Companies like Failbook and Twitter leverage this in ways that end up being morally questionable (and in FB’s case just straight up evil) but when you take them out of the equation, your point falters IMO.

                                                                                                    1. 1

                                                                                                      That’s a good point. Perhaps another part of it is that Twitter and Mastodon also encourage (both socially and through their UX design) short, tossed-off posts. Especially back when Twitter only gave you 140 characters, there wasn’t much room for any kind of nuance or subtlety; it was way easier to say something snappy that would garner you a bunch of likes than to engage in a conversation with any level of depth. Lobsters does show your karma up there in the corner, but it also encourages you to write long posts (that are displayed in threads!) and I think that’s an important part of building a discussion-oriented community.

                                                                                                      1. 3

                                                                                                        Ah, there’s the crux of it!

                                                                                                        You cite “building a discussion oriented community”.

                                                                                                        To my mind, things like Mastodon and Twitter for that matter aren’t that at all. They’re more like a crowded cocktail party where people get into a crowded room and chatter. Clumps form and topics are discussed, then disband as another hot topic of interest pulls people in a different direction.

                                                                                                        I like gatherings like that. I feel like they have a lot of value and are a particular type of social intercourse I quite enjoy. If you don’t, that’s totally cool! Nobody says you have to :) But that doesn’t make them bad.

                                                                                                        1. 2

                                                                                                          Makes sense! And to each their own :) It’s unfortunate, of course, that so much of our public discourse has found itself shoehorned into a space designed for a more intimate cocktail party…

                                                                                                      2. 1

                                                                                                        I need to periodically take breaks from lobste.rs because the upvote game is getting me too worked up – don’t you?

                                                                                                        That very rarely happens to me on mastodon, because I hide all notifications except mentions in order to actively prevent getting sucked into a popularity-contest mentality (and disable desktop/push notifications and notification sounds altogether). That’s not the default, but it’s explicitly supported by the settings (while doing the same on twitter as a non-bluecheck requires a browser extension).

                                                                                                        1. 1

                                                                                                          I don’t really get ‘worked up’ around the voting, but I do find myself investing more ego in it than I like.

                                                                                                          Mostly this manifests when I feel like someone has flagged a comment unfairly :)

                                                                                                          1. 3

                                                                                                            I find that over here, I get fixated on checking whether or not posts I think are good are ‘doing well’ – primarily because that information is easily accessible / even visible when I’m not looking for it in some cases. It produces stress I don’t need in my life. If I had an extension that removed upvote counts & karma from lobste.rs posts entirely, I would use it.

                                                                                                    2. 2

                                                                                                      Same here. I think of my twitter/mastodon feed as a kind of soup. I craft it into something enjoyable by being selective about the ingredients that go into it. https://mastodon.xyz/users/donpdonp/

                                                                                                    3. 3

                                                                                                      To expand a little now that I’ve thought about it more… It wasn’t that I didn’t follow good people, as I certainly tried to. It was more that I couldn’t filter by topic, at least not well. This seems like the big difference between “social media”, where you follow people and have to bear whatever they feel like saying, and more “old-school” group communication like Usenet, fora, or their successor Reddit (or Lobste.rs). There’s people out there I really like and enjoy talking to, but I really don’t feel like wading through, say, their stories of Counterstrike triumph to get to the useful and wise things they have to say about software consulting.

                                                                                                      The number of people out there where I honestly want to listen to everything they say is quite small.

                                                                                                    1. 15

                                                                                                      Your thinkpad is shared infrastructure on which you run your editor and forty-seven web sites run their javascripts. Is that a problem for you?

                                                                                                      1. 2

                                                                                                        Mmm what did you mean by this? I didn’t get it.

                                                                                                        1. 13

                                                                                                          In We Need Assurance, Brian Snow summed up much of the difficulty securing computers:

                                                                                                          “The problem is innately difficult because from the beginning (ENIAC, 1944), due to the high cost of components, computers were built to share resources (memory, processors, buses, etc.). If you look for a one-word synopsis of computer design philosophy, it was and is SHARING. In the security realm, the one word synopsis is SEPARATION: keeping the bad guys away from the good guys’ stuff!

                                                                                                          So today, making a computer secure requires imposing a “separation paradigm” on top of an architecture built to share. That is tough! Even when partially successful, the residual problem is going to be covert channels. We really need to focus on making a secure computer, not on making a computer secure – the point of view changes your beginning assumptions and requirements!”

                                                                                                          Although security features were added, the fact that many things are shared and closer together only increased over time to meet market requirements. Then, researchers invented hundreds of ways to secure code and OS kernels. Not only were most ignored, the market shifted to turning browsers into OS’s running malicious code in a harder-to-analyze language whose compiler (JIT) was harder to secure due to timing constraints. Only a handful of projects in high-security, like IBOS and Myreen, even attempted it. So, browsers running malicious code are a security threat in a lot of ways.

                                                                                                          That’s a subset of two, larger problems:

                                                                                                          1. Any code in your system that’s not verified to have specific safety and security properties might be controlled by attackers upon malicious input.

                                                                                                          2. Any shared resource might leak your secrets to a malicious observer via covert channels, storage or timing. Side channels are basically the same concept applied more broadly, like in the physical world. Even the LEDs on your PC might leak internal state of the processor depending on design.

                                                                                                          1. 2

                                                                                                            Hmm. I had a friend yonks ago who worked on BAE’s STOP operating system, that supposedly uses complex layers of buffers to isolate programs. I wonder how it’s stood up against the many CPU vulnerabilities.

                                                                                                            1. 4

                                                                                                              I’ve been talking about STOP for a while but rarely see it. Cool you knew someone that worked on it. Its architecture is summarized here along with GEMSOS’s. I have a detailed one for GEMSOS tomorrow, too, if not previously submitted. On the original implementation (SCOMP), the system also had an IOMMU that integrated with the kernel. That concept was re-discovered some time later.

                                                                                                              Far as your question, I have no idea. These two platforms, along with SNS Server, have had no reported hacks for a long time. You know they have vulnerabilities, though. The main reasons I think the CPU vulnerabilities will affect them are (a) they’re hard to avoid and (b) certification requirements mean they rarely change these systems. They’re probably vulnerable, esp to RAM attacks. Throw network Rowhammer at them. :)

                                                                                                            2. 2

                                                                                                              Thanks, that was really interesting and eye opening on the subject. I never saw it that way! :)

                                                                                                            3. 5

                                                                                                              I think @arnt is saying that website JavaScript can exploit CPU bugs, so by browsing the internet you are “shared infrastructure”.

                                                                                                              1. 6

                                                                                                                Row Hammer for example had a JavaScript implementation, and Firefox (and others) have introduced mitigations to prevent those sorts of attacks. Firefox also introduced mitigations for Meltdown and Spectre because they could be exploited from WASM/JS… so it makes sense to mistrust any site you load on the internet, especially if you have an engine that can JIT (but all engines are suspect; look at how many pwn2own wins are via Safari or the like)

                                                                                                                1. 3

                                                                                                                  If browsers have builtin mitigation for this sort of thing, isn’t this an argument in favor of disabling the OS-level mitigation? Javascript is about the only untrusted code that I run on my machine so if that’s already covered I don’t see a strong reason to take a hit on everything I run.

                                                                                                                  1. 4

                                                                                                                    I think the attack surface is large enough even with simple things like JavaScript that I’d be willing to take the hit, though I can certainly understand certain workloads where you wouldn’t want to, like gaming or scientific computing.

                                                                                                                    For example, JavaScript can be introduced in many locations, like PDFs, Electron, and so on. Also, there are things like Word documents such as this RTF remote code execution for MS Word. Additionally, the mitigations for Browsers are just that, mitigations; things like retpolines and the like work in a larger setting with more “surface area” covered, vs timing mitigations or the like in browsers. It’s kinda like W^X page protections or ASLR: the areas you’d need that are quite small, but it’s harder to find individual applications with exploits and easier to just apply it wholesale to the entire system.

                                                                                                                    Does that make sense?

                                                                                                                    tl;dr: JS is basically everywhere in everything, so it’s harder to just apply those fixes in a single location like a browser, when other things may have JS exposed as well. Furthermore, there are other languages, attack surfaces, and the like I’d be concerned about that it’s just not worth it to only rely on browsers, which can only implement partial mitigations.
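Before deciding whether to keep or drop the OS-level mitigations discussed in this exchange, a practitioner would first look at what the kernel actually reports. The script below is an added example, not code from anyone in this thread: on Linux it reads the per-issue status files the kernel exposes under /sys/devices/system/cpu/vulnerabilities/ (a real interface; the file names and `Mitigation:` / `Vulnerable` / `Not affected` prefixes are what the kernel writes there), and the function names, the `--sample` mode and the sample values are my own constructions so that it also runs where that directory does not exist.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the kernel's reported CPU
# vulnerability status. Linux exposes one file per issue under
# /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v2, ...), each
# holding one line such as "Mitigation: PTI", "Vulnerable" or "Not affected".

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status LINE -> prints mitigated|vulnerable|not_affected|unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_dir DIR -> prints "name status" per file; returns 1 if any entry is
# still vulnerable (so it can gate a scripted check), else 0.
report_dir() {
    dir="$1"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(classify_status "$(cat "$f")")
        printf '%-24s %s\n' "$name" "$status"
        [ "$status" = vulnerable ] && rc=1
    done
    return $rc
}

# make_sample_dir -> a constructed sysfs look-alike, so the example runs
# offline and on non-Linux hosts. Values are illustrative, not from any host.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: Retpolines; IBPB: conditional\n' > "$d/spectre_v2"
    printf 'Vulnerable\n' > "$d/l1tf"
    printf 'Not affected\n' > "$d/tsx_async_abort"
    echo "$d"
}

# Usage:  sh check_mitigations.sh --sample   (constructed data)
#         sh check_mitigations.sh --live     (this host's sysfs, Linux only)
case "${1:-}" in
    --sample) report_dir "$(make_sample_dir)" ;;
    --live)
        if [ -d "$VULN_DIR" ]; then
            report_dir "$VULN_DIR"
        else
            echo "no $VULN_DIR on this host (not Linux?)" >&2
            exit 2
        fi ;;
esac
```

The point of the non-zero return code is that a fleet check can fail loudly when a host still shows `Vulnerable` for an issue (for instance after someone passed `mitigations=off` on the kernel command line), which is exactly the situation the comments above warn about.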

                                                                                                                    1. 1

                                                                                                                      Browsers do run volatile code supplied by others more than most other attack surfaces. You may have an archive of invoices in PDF format, as I have, and those may in principle contain javascript, but those javascripts aren’t going to change all of a sudden, and they all originate from a small set of parties (in my case my scanning software and a single-digit number of vendors). Whereas example.com may well redeploy its website every Tuesday morning, giving you the latest versions of many unaudited third-party scripts, and neither you nor your bank’s web site really trust example.com or its many third-party scripts.

                                                                                                                      IMO that quantitative difference is so large as to be described as qualitative.

                                                                                                                      1. 1

                                                                                                                        The problem is when you bypass those protections you can have things like this NitroPDF exploit, which uses the API to launch malicious JS. I’ve used these sorts of exploits on client systems during assessments, adversarial or otherwise. So relying on one section of your system to protect you against something that is a fundamental CPU design flaw can be problematic; there’s nothing really stopping you from launching rowhammer from PostScript itself, for example. This is why the phrase “defense in depth” is so often mentioned in security circles, since there can be multiple failures throughout a system, but in a layered approach you can catch it at one of the layers.

                                                                                                                        1. 1

                                                                                                                          Oh, I’m not arguing that anyone should leave out everything except browser-based protection. Defense in depth is indisputably good.

                                                                                                                    2. 3

                                                                                                                      There’s also the concept of layers of defense. Let’s say the mitigation fails. Then, you want the running, malicious code to be sandboxed somehow by another layer of defense. You might reduce or prevent damage. The next idea folks had was to mathematically prove the code could never fail. What if a cosmic ray flips a bit that changes that? Uh oh. Your processor is assumed to enable security, you’re building an isolation layer on it, make it extra isolated just in case shared resources have effect, and now only one of Spectre/Meltdown affected you if you’re Muen. Layers of security are still a good idea.

                                                                                                                  2. 2

                                                                                                                    That’s not what I got from it. I perceived it as “You’re not taking good precautions on this low hanging fruit, why are you worried about these hard problems?”

                                                                                                                    I see it constantly, everyone’s always worried about X, and then they just upload everything to an unencrypted cloud.

                                                                                                                    1. 1

                                                                                                                      I actually did mean that when you browse the net, your computer runs code supplied by web site operators you may not trust, and some of those web site operators really are not trustworthy, and your computer is shared infrastructure running code supplied by users who don’t trust each other.

                                                                                                                      Your bank’s site does not trust those other sites you have open in other tabs, so that’s one user who does not trust others.

                                                                                                                      You may not trust them, either. A few hours after I posted that, someone discovered that some npmjs package with millions of downloads has been trying to steal bitcoin wallets, so that’s millions of pageviews that ran malevolent code on real people’s computers. You may not have reason to worry in this case, but you cannot trust sites to not use third-party scripts, so you yourself also are a distrustful user.

                                                                                                                2. 2

                                                                                                                  This might be obvious, but I gotta ask anyway: Is there a real threat to my data when I, let’s say, google for a topic and open the first blog post that seems quite right?

                                                                                                                  • Would my computer be breached immediately (like I finished loading the site and now my computer’s memory is in north korea)?
                                                                                                                  • How much data would be lost, and would the attacker be able to read any useful information from it?
                                                                                                                  • Would I be infected with something?

                                                                                                                  Of course I’m not expecting any precise numbers, I’m just trying to get a feel for how serious it is. Usually I felt safe enough just knowing which domains and topics (like pirated software, torrents, pron of course) to avoid, but is that not enough anymore?

                                                                                                                  1. 5

                                                                                                                    To answer your questions:

                                                                                                                    Would my computer be breached immediately (like I finished loading the site and now my computer’s memory is in north korea)?

                                                                                                                    Meltdown provides read-access to privileged memory (including enclave-memory) at rates of a couple of megabits per second (let’s assume 4). This means that if you have 8GB of ram it is now possible to dump the entire memory of your machine in about 4,5 hours.

                                                                                                                    How much data would be lost, and would the attacker be able to read any useful information from it?

                                                                                                                    This depends on the attacker’s intentions. If they are smart, they just read the process table, figure out where your password-manager or ssh-keys for production are stored in ram and transfer the memory-contents of those processes. If this is automated, it would take mere seconds in theory, in practice it won’t be that fast but it’s certainly less than a minute. If they dump your entire memory, it will probably be all data in all currently running applications and they will certainly be able to use it since it’s basically a core dump of everything that’s currently running.

                                                                                                                    Would I be infected with something?

                                                                                                                    Depends on how much of a target you are and whether or not the attacker has the means to drop something onto your computer with the information gained from what I described above. I think it’s safe to assume that they could though.

                                                                                                                    These attacks are quite advanced and regular hackers will always go for the low-hanging fruit first. However, if you are a front-end developer in some big bank, big corporation or some government institution which could face a threat from competitors and/or economic espionage, the answer is probably yes. You are probably not the true target the attackers are after, but your system is one hell of a springboard towards their real target.

                                                                                                                    It’s up to you to judge how much of a potential target you are, but when it happens, you do not want to be that guy/girl with the “patient zero”-system.

                                                                                                                    Usually I felt safe enough just knowing which domains and topics (like pirated software, torrents, pron of course) to avoid, but is that not enough anymore?

                                                                                                                    Correct. It is not enough anymore, because Rowhammer, Spectre and Meltdown have JavaScript or wasm variants (if they didn’t we wouldn’t need mitigations in browsers). All you need is a suitable payload (the hardest part by far) and one simple website you frequently visit, which runs on an out-of-date application (like WordPress, Drupal or Joomla for example) to get that megabit-memory-reading meltdown-attack onto a system.

                                                                                                                    The attacker still has to know which websites those are, but they could send you a phishing-mail which has a link or some attachment that will be opened in some environment which has support for javascript (or something else) to obtain your browsing history. In that light it’s good to know that some e-mail clients support the execution of javascript in received e-mail messages.

                                                                                                                    If there is one lesson to take home from rowhammer, spectre and meltdown, it’s that there is no such thing as “computer security” anymore and that we cannot rely on the security-mechanisms given to us by the hardware.

                                                                                                                    If you are developing sensitive stuff, do it on a separate machine and avoid frameworks, libraries, web-based tools, other linked in stuff and each and every extra tool like the plague. Using an extra system, abandoning the next convenient tool and extra security precautions are annoying and expensive, but it’s not that expensive if your livelihood depends on it.

                                                                                                                    The central question is: Do you have adversaries or competitors willing to go this far and spend about half a million dollars (my guesstimate of the required budget) willing to pull off an attack like this?

                                                                                                                    1. 1

                                                                                                                      Wow, thanks! Assuming you know what you’re talking about, your response is very useful and informative. And exactly what I was looking for!

                                                                                                                      […] figure out where your password-manager or ssh-keys for production are stored in ram […]

                                                                                                                      That is a vivid picture of the worst thing I could imagine, albeit I would only have to worry about my private|hobby information and deployment.

                                                                                                                      Thanks again!

                                                                                                                      1. 1

                                                                                                                        You’re welcome!

                                                                                                                        I have to admit that what I wrote above is the worst case scenario I could come up with. But it is as the guys from Sonatype (from the Maven Nexus repository) stated it once: “Developers have to become aware of the fact that what their laptops produce at home, could end up as a critical library or program in a space station. They will treat and view their infrastructure, machines, development processes and environments in a fundamentally different way.”

                                                                                                                        Yes, there are Java programs and libraries from Maven Central running in the ISS.

                                                                                                                    2. 1

                                                                                                                      The classic security answer to that is that last year’s theoretical attack is this year’s nation-state attack and next year it can be carried out by anyone who has a midprice GPU. Numbers change, fast. Attacks always get better, never worse.

                                                                                                                      I remember seeing an NSA gadget for $524000 about ten years ago (something to spy on ethernet traffic, so small as to be practically invisible), and recently a modern equivalent for sale for less than $52 on one of the Chinese gadget sites. That’s how attacks change.

                                                                                                                  1. 4

                                                                                                                    What’s wrong with desktop apps? Like real desktop apps, not this Electron, everything has an 80MB download + a 512MB memory footprint bullshit.

                                                                                                                    Not everything needs to run from the browser. Browsers can already sync with your local filesystem using Dropbox/Mega/OneDrive API. This just seems … silly.

                                                                                                                    1. 3

                                                                                                                      They cost more to build and generally aren’t portable. Most users don’t care or notice the memory footprint. Just buy a ton of ram and roll with it.

                                                                                                                      1. 3

                                                                                                                        Good GUIs (generally ones using native UI APIs) are hard to write and not as easily portable, especially when you already have a website you can cram into an electron app.

                                                                                                                        1. 1

                                                                                                                          In a nutshell: worse is better ;)

                                                                                                                          1. 1

                                                                                                                            Also, to your point about DropBox - have you seen the extents to which they go to maintain persistence and access in their macOS desktop app? Benefit-of-the-doubt assuming they need the access their app tries to get, this is still a high-value target in terms of exploiting a personal computer https://techcrunch.com/2016/09/09/dropbox-responds-to-accusations-its-mac-desktop-client-hacks-os-x-security/

                                                                                                                      1. 3

                                                                                                                        The author doesn’t touch on patterns found in GTK or Elixir, where you tend to have data structures and every function takes in a primary data structure as their first argument. This is essentially what OOP does except the data and methods are kept together.

                                                                                                                        One thing that a non-OOP system does, which the author doesn’t touch on at all, is it makes testing a lot easier. You can unit test so much more because you pass in the state of the data within the class! That is pretty powerful.

                                                                                                                        Beyond that though, I don’t think OOP is inherently bad. There are a lot of over-engineered frameworks for sure, but that shouldn’t be a total rejection of OOP by any means.

                                                                                                                        1. 1

                                                                                                                          OOP also builds inheritance on top of that simple and unarguably reasonable idea. That’s where the pain points come in.

                                                                                                                        1. 8

                                                                                                                          I find this article very odd. Who is the target audience? People with their own websites who happen to have an RSS feed they haven’t discovered yet so they need it explained to them? On the other hand they should be able to put some custom HTML there? Maybe I am out of the loop but I’d say either people are aware of and use RSS, then the whole thing could’ve been shortened to two sentences like “Use and promote RSS! It’s good!” or on the other hand the explanation is too technical and the readers will space out anyway.

                                                                                                                          On the other hand I might be biased because I actively stopped reading Aral’s content years ago because of indiephone stuff.

                                                                                                                          1. 12

                                                                                                                            I’ve noticed a trend in (mostly Wordpress?) blogs where there was an RSS or Atom feed, but it was not visibly presented anywhere on the web site. I would have to dig into the HTML sources to find the actual feed (which is usually in the <meta> attributes in the main page’s sources). So I think “people using bad Wordpress themes” is the target audience?

                                                                                                                            1. 4

                                                                                                                              Most feed readers will do that for you if you supply the URL to the site.

                                                                                                                              I think people found the big flashy “RSS” gifs a bit cheesy and removed them.

                                                                                                                              1. 5

                                                                                                                                I miss the thing where Firefox used to display a tiny RSS icon in the address bar when a feed was available.

                                                                                                                                Ah well.

                                                                                                                                1. 1

                                                                                                                                  Then they removed the built in live bookmark/subscription not too long ago. Even though it had fallen out of use, it was still easy to give Firefox a live provider and I think that’s what Feedly/Newsblur/et.al. would do to make subscriptions easier.

                                                                                                                                  1. 1

                                                                                                                                    Yeah, it’s a bit sad - but iirc the usage stats were abysmal, like way below 1% of users - I’ve known the feature for a long time, but I’ve been using dedicated RSS readers for longer than Google Reader existed, so I never used it myself.

                                                                                                                                    1. 1

                                                                                                                                      Live Bookmarks were terrible, because who wants to read their news timeline in a drop-down menu?

                                                                                                                                      Drop-down menus are terrible for reading the news; the font is too small, there’s no pictures, the description is under a time-delayed tooltip, it forces you to keep the mouse in a particular spot to avoid accidentally switching somewhere else, and it violates the conventional meaning of a drop-down menu. Live bookmarks also forced your news sources to be in separate lists, instead of mixed together like lobste.rs, planet, thunderbird, classic reader, and other sensible news aggregators do.

                                                                                                                                      Live Bookmarks didn’t fail because RSS sucked. Live Bookmarks failed because live bookmarks themselves suck.

                                                                                                                              2. 1

                                                                                                                                I can guess this post works with a young crowd of new programmers/techies but I agree with what you say.

                                                                                                                              1. 7

                                                                                                                                Millions of US Government employees succeed at encrypted email every day.

                                                                                                                                1. 6

                                                                                                                                  … as long as they are only emailing each other. True, but completely beside the point.

                                                                                                                                  1. 1

                                                                                                                                    Is it true? Is one in 300 or so Americans working for the government? In a capacity with mandatory encrypted email? Could be, but I gotta ask.

                                                                                                                                    1. 2

                                                                                                                                      Definitely not 1 in 300. Most intra-gov emails are definitely unencrypted. I had interpreted the comment as “some government employees…”

                                                                                                                                      1. 1

                                                                                                                                        There are close to 3 million civilian federal employees. I have no idea how well they deal with PGP though.

                                                                                                                                        1. 7

                                                                                                                                          Not at all. The majority of federal agencies use Exchange, and ~all federal agencies use ID cards with X.509 certs, so many use S/MIME for signed/encrypted emails.

                                                                                                                                          There’s a few important caveats:

                                                                                                                          a) It’s actually relatively rare for people to use this; it’s not on by default. People really only use encryption for sending PII. I’m not sure I ever saw anyone (besides myself) use signing besides that. (Not true, now that I think about it, at DoD signing was pretty common. Nowhere else though.)

                                                                                                                          b) There’s 0 support for cross-agency encrypted emails. Key management is handled through Exchange’s GAL, so there’s no way for someone at the State Department to send someone at the VA an encrypted email on the unclassified networks, period. Cross agency signature verification sometimes works, depending on the vagaries of path building.

                                                                                                                                      2. 1

                                                                                                                                        ZixCorp lets you email others outside the system. They get a link to a secure portal, authenticate with out-of-band credentials, and then get the message. Maybe combine that with Keybase for OOB stuff.

                                                                                                                                      3. 5

                                                                                                                                        Joe Q. Average’s kid sister does not work for the US government, mind you.

                                                                                                                                        1. 3

                                                                                                                          We had encrypted e-mail when I was a staff worker at a University. It involved getting a Comodo client side SSL cert and loading it into the Active Directory GAL. My director accidentally revoked his old cert by requesting a new one. Someone at a conference the next week talked about getting multiple client SSL certs and I said, “You can’t. It revokes your old ones and you can no longer decrypt your old mail.” Other people chimed in experiencing the same thing and we discovered it was a bug together.

                                                                                                                          Other than at that University and one small open source shop that e-mailed us passwords with PGP encrypted emails, I’ve only used encrypted e-mails with one other person.

                                                                                                                                          1. 1

                                                                                                                            The trick is using mail guards/gateways and putting crypto in a usable proxy in front of legacy clients with a similar workflow. Then, IT/ITSEC depts manage it for them. Proven model that isn’t followed by FOSS alternatives.

                                                                                                                                          1. 1

                                                                                                                            I wish more companies I worked at would self-host something like this rather than buying a Slack license.

                                                                                                                                            1. 1

                                                                                                                                              The hosting is not the issue. It’s financially reasonable for companies to not self-host.

                                                                                                                                              But zulip also has a for-pay service which is running well.

                                                                                                                                            1. 3

                                                                                                                                              I’ve had the Little Schemer sitting on my shelf for far too long. I really need to go through it. I wonder if I can go through the book using CHICKEN.

                                                                                                                                              1. 4

                                                                                                                                                CHICKEN happens to provide everything you need by default, but any modern implementation will do. You may need to define a few small procedures as you go if your platform doesn’t already have them – atom?, add1 and sub1 from memory, and possibly others – but recent editions include definitions for these and actually executing the programs is almost beside the point anyway, for the first half of the book at least.
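                                                                                                                                As an added example (not part of this thread), here is the small prelude the comment above describes, written for any R5RS/R7RS Scheme, followed by two of the book’s own early procedures (lat? and member?) and a length function that exercises add1. CHICKEN already exports add1 and sub1 from its base module, so on CHICKEN you would leave those two definitions out; the sample lists at the end are constructed for illustration.

```scheme
;; Added example, not code from the thread or from the book's publisher.
;; Prelude for working through The Little Schemer on a Scheme that lacks
;; atom?, add1 and sub1 (R7RS defines none of them).

;; atom?: anything that is neither a pair nor the empty list,
;; which is the definition the book's preface gives.
(define (atom? x)
  (and (not (pair? x)) (not (null? x))))

;; add1 / sub1: omit these two lines on CHICKEN, which already provides them.
(define (add1 n) (+ n 1))
(define (sub1 n) (- n 1))

;; lat?: is every element of the list an atom? (a "list of atoms")
(define (lat? l)
  (cond
    ((null? l) #t)
    ((atom? (car l)) (lat? (cdr l)))
    (else #f)))

;; member?: does the atom a occur in the lat?
(define (member? a lat)
  (cond
    ((null? lat) #f)
    (else (or (eq? (car lat) a)
              (member? a (cdr lat))))))

;; len: the book's length, built on add1 rather than on the primitive +.
(define (len lat)
  (cond
    ((null? lat) 0)
    (else (add1 (len (cdr lat))))))

;; Constructed sample inputs, in the spirit of the book's examples.
(define breakfast '(bacon and eggs))
(define nested '(bacon (and eggs)))

(display (lat? breakfast)) (newline)
(display (lat? nested)) (newline)
(display (member? 'eggs breakfast)) (newline)
(display (member? 'toast breakfast)) (newline)
(display (len breakfast)) (newline)
(display (sub1 (len breakfast))) (newline)
```

Save it as a file and run it with `csi -s file.scm` on CHICKEN (after dropping the add1/sub1 lines) or load it into any other interpreter’s REPL; the second half of the book needs nothing beyond these plus what the book defines itself.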

                                                                                                                                                1. 2

                                                                                                                                                  Probably, although in my experience every exercise is perfectly doable on paper and gives a welcome break from the screen.

                                                                                                                                                  1. 4

                                                                                                                                                    I also prefer going through those exercises on paper. But like @evhan said, you can use CHICKEN, just like about any other Scheme (with a handful of small extra definitions that are nonstandard; IIRC those are mentioned in the preface).

                                                                                                                                                    1. 1

                                                                                                                                                      Personally I’d love to see a breakdown of what it takes to go through The * Schemer and SICP outside of racket land. I’ll have to give CHICKEN a try!

                                                                                                                                                      1. 2

                                                                                                                                                        I’m not sure what would be needed for SICP or the other schemers, but I’ll keep that in mind.

                                                                                                                                                        As for the little schemer, the book itself provides the definition / implementation for every function as you go, except for a few exceptions, such as quoting and define, but it does tell you how they are called in both scheme and common lisp.

                                                                                                                                                1. 9

                                                                                                                                                  So, uh, what’s better?

                                                                                                                                                  1. 15
                                                                                                                                                    • composable GUIs (like the alto & modern smalltalk environments)
                                                                                                                                                    • notebook interfaces (like jupyter & mathematica)
                                                                                                                                                    • literate programming interfaces (like swyft / the canon cat)
                                                                                                                                                    • plan9
                                                                                                                                                    • menuet
                                                                                                                                                    • NeWS
                                                                                                                                                    • language-based systems like interim
                                                                                                                                                    • modern unix shells like zsh
                                                                                                                                                    • borderline-obscure stuff like zigzag, sometimes

                                                                                                                                                    And, of course, I’ve been working on a prototype of the system I pitched last year.

                                                                                                                                                    The thing about interfaces is, if you put what you’re already accustomed to out of your mind, you start to think of alternatives pretty quickly – and many of them are better for certain tasks than what you already use.

                                                                                                                                                    For my next book I’m planning to write a survey of alternatives to the WIMP paradigm that can be easily run or emulated by readers. Unfortunately, I’m going to need to do plenty of research if I’m to seriously discuss the internals of these systems, since a lot of them are language-based systems built around languages I don’t know very well (like lisp or forth) or at all (like holy c or oberon).

                                                                                                                                                    1. 5

                                                                                                                                                      I’m interested in your research. is there any place where I can keep on track with it?

                                                                                                                                                      1. 4

                                                                                                                                                        I’ve barely started researching for the book in question, so I’m not sure to what extent chapters & other content will be made available before it’s finished.

                                                                                                                                                        The last book was mostly compiled from stuff I had already published on Medium. If you follow me there, you’ll probably get at least some of the material intended for the next one – maybe even rough drafts for chapters. Also, a lot of the chapters from the last book were inspired by or adapted from discussions I’ve had on mastodon or SSB, & this will probably be true of the next one: if you follow me on mastodon, no doubt you’ll get a preview of some of the ideas I’m playing with.

                                                                                                                                                        If there’s enough interest, I might make a point of posting about the systems I’m researching on a more regular basis. Those posts will probably end up on Medium too.

                                                                                                                                                        1. 2

                                                                                                                                                          Also, I’m going to be posting resources here as I find them during my research.

                                                                                                                                                          1. 2

                                                                                                                                                            Thank you for this. I’m going to follow your work on it.

                                                                                                                                                      2. 7

                                                                                                                                                        I’d assume the biggest problem is overlapping windows. I’ve been using tiling window managers since 2012 and I would not go back. If you look at all the newer mobile operating systems (iOS, Android, that failed Windows 8/10 UI thing), they’re all either single app at a time or, at most, split screen.

                                                                                                                        I guess a second thing is steering people away from mouse dependence. Hotkeys should be easily discoverable and easily encouraged. A higher learning curve at first can mean faster operation later on. Great example: Autozone. Watch staff look up a part today. They do a lot of clicking and switching back and forth. The old setup was all terminal based and had the same searching/information. I think the new GUI still has a lot of keyboard shortcuts, but very few people I’ve watched use them.

                                                                                                                                                        1. 5

                                                                                                                                                          Overlapping windows are pretty pointless when they can’t be made to work together in interesting ways. Drag & drop between unrelated applications is the minimum interoperability to justify even supporting overlapping windows in my eyes (and support for that is pretty rare), but I’d be all about overlapping windows if freeform composition with gestures was a standard part of the toolkit. Even then, tiling is preferable on large displays once we’ve settled on an arrangement & interconnections.

                                                                                                                                                          Support for tiling and pseudo-tiling (and quick-switching mechanisms) is something I don’t have a problem with in modern desktops, though. Even Microsoft and Apple have been pretty quick to jump on that bandwagon.

                                                                                                                                                          1. 5

                                                                                                                            Tiling windows seems like a funny point since we’re complaining about UIs treating users as stupid. The first version of Windows was tiling only because users were too stupid to handle overlap and might lose track of a hidden window, but eventually it was decided that users could be trusted with the responsibility of arranging things on their own. Round the circle we go.

                                                                                                                                                            1. 1

                                                                                                                                                              The first version of Windows was tiling not because of contempt of users, but to avoid a lawsuit from Apple (who did get overlapping windows working because they thought the Alto had it when it didn’t really). Also, a tiling window system is easier to write than overlapping.

                                                                                                                                                              1. 1

                                                                                                                                                                Alas, I’m not sure of the reference, but they apparently had the feature, tested it, users were confused, and it was pulled.

                                                                                                                                                            2. 4

                                                                                                                              I think we’re slowly moving away from the mouse-oriented approach, for better or worse. I’d personally wish for a keyboard-oriented desktop UI, but judging by how much Microsoft and Apple are striving to unite all their systems software-wise (eg Windows Phone and Xbox One both running Windows variants, or audioOS etc being iOS-based), we might expect a move towards touchscreen-oriented UI on desktops instead. (Although I guess that goes as far back as GNOME 3 instead.) On the other hand, there exists a minority of mouse-oriented UI advocates, such as Rob Pike and his followers. He argues that the mouse is more intuitive and faster, and the problem lies in bad UI design instead.

                                                                                                                                                              1. 6

                                                                                                                                On the other hand, there exists a minority of mouse-oriented UI advocates, such as Rob Pike and his followers. He argues that the mouse is more intuitive and faster, and the problem lies in bad UI design instead.

                                                                                                                                I still think that acme’s mouse interface for common editing operations is better than keyboard shortcuts (see http://acme.cat-v.org/mouse). The way the mouse is used in most other systems is bad though. The Windows way is nearly unusable with the popup-menu thing, and X11 is only saved by the primary selection insert with the middle mouse button ;)

                                                                                                                                                            3. 4

                                                                                                                                                              Presumably some form of programming-is-first-class system like the Alto, where everything you can click is also explorable (“view source” is built in) and extendable via SmallTalk. On the one hand I’m a bit sceptical and think not many users will really make use of this, on the other hand if you see how far some regular (i.e. non-programmer) users take, say, Excel and VBA scripting, having this programmability available pervasively by default in every application would definitely empower users much more than “closed” systems like the original Mac do.

                                                                                                                                                              I have no idea how many people use AppleScript, which ostensibly brings pervasive programmability to the Mac. It wasn’t part of the original Mac OS and is about programming scripts “on the outside” onto or “against” existing applications rather than full-fledged inspection and modification of internals “inside” those same applications.

                                                                                                                                                              1. 3

                                                                                                                                                                The only “modern” OS I know that makes use of hypertext self-documentation is… TempleOS. It also blurs the line between “using” and “programming”, like the Alto and LispMs. It’s not entirely user-friendly, but I guess it fits the bill.

                                                                                                                                                              2. 8

                                                                                                                                                                Ask not the polemic for what is better; it is merely the shallow well in which the author steeps their discontent.

                                                                                                                                                              1. 8

                                                                                                                                                                I’ve thought about doing a transparency report like this for myself. It’d be great to see a trend in truly open salaries. The taboo against knowing other people’s incomes keeps people from knowing what they’re truly worth and what to ask for.

                                                                                                                                                                1. 4

                                                                                                                                                                  My current employer (Cigna) gives an annual packet to employees that lists out

                                                                                                                                                                  • base pay
                                                                                                                                                                  • bonus (cash and/or stock)
                                                                                                                                                                  • how much I spent on Medical/Dental/Life Insurance/Social Security, contributed to 401k
                                                                                                                                                                  • how much they spent on Medical/Dental/Life Insurance/Social Security, contributed to 401k
                                                                                                                                                                  • Retirement plan projections

                                                                                                                                                                  Just an awesome amount of detail.

                                                                                                                                                                  1. 2

                                                                                                                                                                    It’d be great to see a trend in truly open salaries

                                                                                                                                                                    True. What would also be interesting (and maybe connected to what you wrote) to see is just transitions that others have made. A common question I see coming up every now and then is “where is my career going”.