1. 29

    I don’t own any Macs, but I think it is worth considering the flipside of this article - that Linux in 2019 is actually very good at hardware compatibility. I run the Wayland/wlroots window manager Sway on my laptop (a Dell XPS), and recently had cause to connect it to a Samsung TV. I expected to have to poke around with the Sway config and perhaps with drivers to get things working nicely but to my pleasant surprise, the display worked instantly as soon as I plugged it in. I am very grateful to the hard-working devs who have toiled over the subsystems which allow this sort of seamless, stress-free computing. Those of us who use libre software must be cognisant that these sorts of usability victories represent a lot of hard and often thankless work.

    1. 8

      It’s a lot of hard work by a lot of people, including the people who make hardware standards. Moving from everything connecting via serial port and needing low-level device support to things connecting over USB and HDMI has been a big step up. That isn’t a panacea, and it still represents a lot of work done by software developers to support these new hardware standards, but more of the work can be done once, and improved, instead of having to be done multiple times over. (Plus, of course, there’s also the hardware that’s simply died, like Winmodems and Zip drives. Especially Winmodems, which by-and-large never worked on Linux.)

      1. 6

        Especially Winmodems

        I had an Amiga so, not only could I not use a Winmodem, I couldn’t even use an internal modem. True external modems were often twice the price of an internal modem, and three times the price of a Winmodem…it hurt.

      2. 7

        that Linux in 2019 is actually very good at hardware compatibility.

        Within the past year:

        I bought a Lenovo IdeaPad and tried to install Linux on it. It failed with a kernel panic. The ACPI tables in the BIOS were incorrect but in a way that Windows didn’t mind. Disabling ACPI via kernel parameters got the system to boot (though obviously this was not preferable), but then the graphics card was unsupported and I got a side-by-side mirroring effect on the internal display.

        I bought an Acer laptop. Linux didn’t support the sound card.

        I bring these up not to say that Linux sucks but to say that I was genuinely surprised that these things happened. It was the first time in maybe a decade that Linux didn’t support everything out-of-the-box.

        (Except for printers. I have a PoS HP home printer that supposedly has Linux support but it’s hit or miss whether it shows up on the network, can print, will finish a print job, or print the right thing when asked. This is also not a Linux problem: printers have always sucked.)

        1. 8

          IIRC from my conversations with FreeBSD kernel devs: Microsoft has a broken implementation of ACPI, and hardware manufacturers cater to that. Open source projects implement ACPI as defined by the spec, but then run into bugs.

        2. 6

          I had the same experience with the same setup (Sway + XPS), everything worked out of the box with the Dell Adapter and HDMI. Very smooth experience!

          1.  

            I built a Plex server earlier this year and got some sort of no-name Chinese 7” LCD display so I could avoid having to SSH into it all the time if I wanted to do some small tasks. I plugged it in, it worked. The same thing happened with a knockoff TV I have for my guest room that I initially was using with it. I remember fighting with Linux distros for weeks at a time over the dumbest issues when I first got into it (late 90s), but it’s so streamlined now.

          1. 3

            It probably makes sense if the “correct” baseline orientation is considered to be landscape, as in a legacy digital camera.

            I tried to verify this with my iPhone (8 plus) but the “Orientation” parameter is not visible in images taken with it and processed in Adobe Lightroom.

            Edit: there’s no Orientation tag in the images from my Nikon D700 either (and it knows the orientation because it always presents vertical images sideways on the rear screen, as well as showing them correctly vertical after importing the image). Is this a new addition to the Exif spec?

            More edit: this exact behavior is described in this article, recently linked here.

            1. 2

              Worst part is that when you upload an image to a website that uses the CSS

              image-orientation: from-image;

              it rotates the vertical photo sideways!

              1. 5

                I’d argue that images shouldn’t be uploaded unmodified from a camera and onto the public web like this. This problem aside, the GPS data in photos seems like a privacy issue. I don’t know what other fields in the EXIF one may want to keep secret too.

                1. 2

                  There is no GPS data in my photos:

                  Settings > Privacy > Location Services > disable for Camera

                  Furthermore Apple now strips GPS and other EXIF data when you send images on iPhone through different mediums, e.g., iMessage, AirDrop*. I haven’t confirmed if they’re doing it when Safari accesses the Photos app though, but they should.

                  Even when I downsize the photos the EXIF rotation bug remains. It’s a super pain in the butt to get photos from my camera to the internet right now and have them correct.

                  My usual procedure for transferring images is to use the viewExif iOS app to strip all EXIF, save a copy, then upload that one. The image selection modal on iOS has blue text at the bottom of the screen telling you the image size, and you can touch it to open a dialog to choose a different image size.

                  Turns out even when I strip EXIF it seems to be doing the equivalent of ImageMagick’s “-auto-rotate”, which rotates the image to match the EXIF orientation hint, so it keeps screwing up.

                  *there’s a special option for AirDrop to send the original unmodified

                  1. 1

                    Adobe Lightroom allows one to restrict the metadata included in a JPG on publishing. I’m sure other image editing programs do too.

                    Also many popular image hosting sites (like Imgur) strip EXIF down to the bare minimum.

                    1. 1

                      Also I want to point out that lots of people have phones but no real computers so how else will they get the images online if they don’t have the skills or tools to do image editing / manual stripping of EXIF?

                      It’s a sad situation.

                1. 2

                  Pi-hole to the rescue. Outmanoeuvre that Google!

                  Also, part of me believes that things like this will actually, eventually, contribute to ending the reign of Google Chrome.

                  1. 10

                    Outmanoeuvre that Google!

                    I believe YouTube is able to sidestep host-based solutions because they serve ads from their own domain. Also there are crazy hacks like sending ads over a websocket connection, which uBlock somehow is able to defeat.

                    1. 4

                      Resolverless DNS will evade this as the DNS records for 3rd party page assets will be shipped in the HTTP headers.

                      Starting to wonder how long before this happens… and when the outrage from security folks will make news. I guess since they didn’t care about the consequences of DoH they won’t care about this either.

                      1. 1

                        DoH, which I admit does have actual privacy benefits, also happens to help work around the ad-blocker problem for Google.

                      1. 2

                        This seems trickier to me than “it’s broken.” But, maybe I’m missing something. There’s 4 common orientations when taking photos on an iPhone. (I assume most of the modern phones have the lightning port at the bottom, and, when the screen is facing the ceiling, the power button on the right. The camera is on the same side as the power button.)

                        1. (portrait #1): Camera is top-right, lightning connector is facing ground. Power button to the right.
                        2. (portrait #2): Camera is bottom-left, lightning connector is facing sky. Power button to the left.
                        3. (landscape #1): Camera is top-left, lightning connector is to the right. Power button left.
                        4. (landscape #2): Camera is bottom-right, lightning connector is to the left, Power button to the right.

                        Which would you consider “no rotation”? Based on the picture, and how I assume you were holding the phone, “landscape #2” seems like the “no rotation”?

                        1. 2

                          When I take a picture in Portrait #1 the EXIF data turns the image to Landscape #2.

                          Honestly the image should always be encoded to match the way you’re holding your phone. The EXIF orientation should be a hint when you’ve modified the image with the editing tool to rotate it.

                          This was never an issue in previous iPhones. The behavior previously was always correct.

                          edit: a Portrait #1 has the correct orientation on an iPhone XR https://share.icloud.com/photos/0QP7nEX0XQMV-EjZ4XLXe3s5Q

                          1. 1

                            The more and more I think about this, the more I disagree. I think the Orientation should provide the correction which can be applied to the data the sensor supplies. The Medium article that @gerikson posted describes this.

                            Now, I understand your frustration a bit, because applications obviously assume that things are stored “correctly,” for viewing instead of relying on the corrective measure from the EXIF data.

                          2. 1

                            Based on the Medium link I posted in my other comment, the “natural” orientation would be the one where the sensor scans the image from top to bottom, left to right(?) - in any case, the “natural” readout orientation.

                            1. 2

                              Right! Presumably, for an iPhone they’re expecting you to use it in landscape #2, which seems like the natural way to hold the phone for landscape photos.
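Worked example for the two EXIF threads above (the GPS-stripping discussion and the orientation-tag discussion); this is code added here, not any commenter’s. It walks the JPEG marker segments, reads the EXIF Orientation tag, and rebuilds the file with every APP1 segment dropped and a fresh Orientation-only EXIF block re-inserted, so the GPS sub-IFD is gone while viewers that honour the orientation hint still rotate the image. The JPEG bytes are constructed inline (header segments only, no compressed image data).

```python
"""Read EXIF Orientation from a JPEG and strip the rest of the EXIF metadata
(GPS included) while re-inserting an Orientation-only block.  Pure stdlib.
Example code added to this thread; not any commenter's code."""
import struct

SOI, EOI, SOS, APP1 = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFE1
TAG_ORIENTATION, TAG_GPS_IFD = 0x0112, 0x8825          # standard EXIF/TIFF tag numbers
TYPE_BYTE, TYPE_ASCII, TYPE_SHORT, TYPE_LONG = 1, 2, 3, 4


def _entry(tag, typ, count, value):
    """One 12-byte big-endian IFD entry; `value` (<= 4 bytes) is left-justified."""
    return struct.pack(">HHI", tag, typ, count) + value.ljust(4, b"\x00")


def build_exif_app1(orientation, gps_entries=()):
    """Build a complete APP1 segment (marker, length, 'Exif\\0\\0', big-endian TIFF).
    IFD0 carries Orientation and, when gps_entries is given, a GPSInfo sub-IFD pointer."""
    entries = [_entry(TAG_ORIENTATION, TYPE_SHORT, 1, struct.pack(">H", orientation))]
    n_entries = len(entries) + (1 if gps_entries else 0)
    ifd0_len = 2 + 12 * n_entries + 4                  # count + entries + next-IFD offset
    if gps_entries:
        gps_offset = 8 + ifd0_len                      # GPS IFD sits right after IFD0
        entries.append(_entry(TAG_GPS_IFD, TYPE_LONG, 1, struct.pack(">I", gps_offset)))
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8)        # big-endian TIFF header, IFD0 at 8
    tiff += struct.pack(">H", len(entries)) + b"".join(entries) + b"\x00" * 4
    if gps_entries:
        tiff += struct.pack(">H", len(gps_entries)) + b"".join(gps_entries) + b"\x00" * 4
    payload = b"Exif\x00\x00" + tiff
    return struct.pack(">HH", APP1, len(payload) + 2) + payload


def iter_segments(data):
    """Yield (marker, payload, start, end) for each header segment before SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        marker = struct.unpack(">H", data[pos:pos + 2])[0]
        if marker in (EOI, SOS):                       # entropy-coded data follows SOS
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        end = pos + 2 + length                         # length counts itself, not the marker
        yield marker, data[pos + 4:end], pos, end
        pos = end


def exif_summary(data):
    """Return {'orientation': 1..8 or None, 'has_gps': bool} from the first Exif APP1."""
    out = {"orientation": None, "has_gps": False}
    for marker, payload, _, _ in iter_segments(data):
        if marker != APP1 or not payload.startswith(b"Exif\x00\x00"):
            continue
        tiff = payload[6:]
        bo = ">" if tiff[:2] == b"MM" else "<"         # byte order from the TIFF header
        ifd = struct.unpack(bo + "I", tiff[4:8])[0]
        count = struct.unpack(bo + "H", tiff[ifd:ifd + 2])[0]
        for i in range(count):
            e = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
            tag, typ, _n = struct.unpack(bo + "HHI", e[:8])
            if tag == TAG_ORIENTATION and typ == TYPE_SHORT:
                out["orientation"] = struct.unpack(bo + "H", e[8:10])[0]
            elif tag == TAG_GPS_IFD:
                out["has_gps"] = True
        break
    return out


def strip_metadata(data, keep_orientation=True):
    """Drop every APP1 segment (Exif and XMP) and, optionally, re-insert a minimal
    Exif block holding only Orientation so viewers still rotate the image."""
    orientation = exif_summary(data)["orientation"]
    out, last = bytearray(data[:2]), 2
    for marker, _, start, end in iter_segments(data):
        if marker != APP1:
            out += data[start:end]
        last = end
    out += data[last:]                                 # SOS onwards, or EOI, untouched
    if keep_orientation and orientation:
        out[2:2] = build_exif_app1(orientation)
    return bytes(out)


# Constructed sample: SOI, Exif APP1 (Orientation=6 plus a GPS IFD), EOI.
# There is no compressed image data; only the metadata structure is exercised.
GPS_ENTRIES = (
    _entry(0x0000, TYPE_BYTE, 4, bytes([2, 3, 0, 0])),  # GPSVersionID
    _entry(0x0001, TYPE_ASCII, 2, b"N\x00"),            # GPSLatitudeRef
)
SAMPLE_JPEG = b"\xff\xd8" + build_exif_app1(6, GPS_ENTRIES) + b"\xff\xd9"

if __name__ == "__main__":
    print(exif_summary(SAMPLE_JPEG))                    # {'orientation': 6, 'has_gps': True}
    print(exif_summary(strip_metadata(SAMPLE_JPEG)))    # {'orientation': 6, 'has_gps': False}
```

Passing keep_orientation=False gives the fully stripped file the thread describes, which is exactly the case where a viewer that had been auto-rotating from the hint will show the photo sideways.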

                          1. 3

                            I really want to know what their video processing pipeline is like since they generate clips and varying video quality levels for what I assume is every device in existence. There were some nice nuggets here. I didn’t know about the Beacon API or the intersection observer. Seems like a mostly boring stack but considering they’ve been around for about 10 years and the site hasn’t slowed to a crawl on my intentionally crappy test laptop it means they’re doing something right.

                            Did anyone pick up on whether they’re running all of their infra on AWS or just the vertica part? I thought the bandwidth costs would be killer.

                            1. 4

                              Why would they need to generate so many different quality levels? They probably just have 2 or 3 which is enough to cover most devices out there. Using ffmpeg it’s trivial to generate these videos, though you need the infrastructure and processing power behind it.

                              1. 2

                                When you do it live, constantly, on terabytes of data, the infrastructure and processing power become the big problems.

                                Edit: upon rereading it, they actually sound like they put a big emphasis on quality and compatibility too. So their question is, “if we can make this content incrementally better for X market segment, is it worth it?” Start from the biggest X’s and work your way down like any other priority list!

                                1. 2

                                  There’s absolutely no way they’d do live transcoding; these sites usually only have two versions, it’d be much cheaper to simply store both at all times.

                                  It’s actually a very simple thought experiment — you obviously cannot re-create the high-res version from the low-res one, and the low-res one would take so little space in storage compared to high-res one, that spending minutes trying re-create it from the high-res one would simply make very little sense — they’re probably transcoded once on upload, and pretty much forever cached.

                                  BTW, I’d suggest you read the DDIA book, which explains a lot of these things. It has many insights into how actual popular applications are designed nowadays, including the actual Twitter implementation — which answered my own question on why it often takes so long to post a Tweet.

                                  1. 1

                                    They might only have two versions from your perspective (SD and HD), but having worked in video development, it’s likely they have 3-4 x those two versions for compatibility. The web has converged on a few technologies in the last few years, making it less cumbersome, but if they want to cover “most” devices, then I still expect them to have at least 2-3 sets of files.

                                  2. 1

                                    Do you think they do live transcoding? I’m certain they have multiple copies of the media transcoded to different qualities. It’s really not that much processing power when you have things like Ryzen boxes and GPUs which can rip through this in no time.

                                  3. 2

                                    At this point, they almost certainly don’t. But in the not too distant past, they would have had to have a multiplicity of encodings, because of the varying abilities of the various browsers/devices/codecs.

                                  4. 3

                                    This is tangential, but I have really enjoyed learning about how netflix handles encoding and processing their videos.

                                    Although Pornhub must process much more video than Netflix does. I wonder what trade-offs PH makes compared to Netflix’s approach based solely on the amount of content they have.

                                    Here is a brief article from the Netflix Engineering blog about encoding. But I first started thinking about it when I watched this system design video from Gaurav Sen.

                                    1. 2

                                      Although Pornhub must process much more video than netflix does

                                      Are you sure about this? I don’t remember where I read it, but I’m sure at some point I read that one of the adult sites (likely this one) determined that most viewing behaviour is to watch a bit at the beginning, and then skip forward to about 80% of the way through the video. The consumption of Netflix [I’m guessing] would look very different, i.e., watching a film start to finish.

                                      I would have thought that this site could optimise videos for certain behavioural patterns.

                                    2. 3

                                      Self hosted, I’ve seen their servers in the datacenter.

                                      Porn industry giants usually self-host as much as possible.

                                      1. 2

                                        Self-hosted using Level 3 as the network provider per Rusty.

                                      2. 1

                                        Although idk about processing, I do remember that Rusty said in a Reddit AMA that they use Limelight for video CDN.

                                      1. 3

                                        But why would you need Docker to deploy Erlang? OTP releases are better than Docker containers.

                                        1. 1

                                          I suggest reading the Releases and Docker chapters, or at least the introductions. They are not really comparable and I try to explain what a container provides when bundling a release.

                                          1. 3

                                            I know what a container provides, I’ve been running jails since before Linux had any notion of containers.

                                            BEAM does not need cgroups or other types of process isolation. And when you’re deploying with docker, you can’t do hot code upgrades because to upgrade the container you’ll have to destroy the container and deploy a new one, right? So… what do you benefit from except tooling that is far more complicated than rsync and now you have to rely on infrastructure in front of your services for load balancing/failover every time you upgrade vs only when an actual outage occurs.

                                            edit: maybe I’m being fed some incorrect information as well, so I’m curious to hear what you have to say about this

                                            1. 3

                                              I hope it is well covered in the chapters and would be interested to know if it isn’t so I can update them.

                                              Briefly, release upgrades are rare. They should only be used when necessary because of the complexity which often comes with no actual benefit.

                                              Your point about rsync and load balancers in front of a service is unrelated to BEAM. This is true for any language. Cases where you only have 1 node, which you fully control, isn’t what is being covered here. But BEAM isn’t different when it comes to horizontal scaling and the need for infrastructure in front and needing infrastructure for release management. BEAM projects work just as well with whatever infrastructure the organization is already using for deployment, whether it is rsync to nodes or orchestrating containers.

                                              1. 1

                                                Briefly, release upgrades are rare.

                                                Is a “release upgrade” alternatively called “hot code reloading”?

                                                1. 2

                                                  “release upgrade” (http://erlang.org/doc/design_principles/release_handling.html#release-upgrade-file) is a structured form of “hot code loading”, since “hot code loading” could also refer to what people do during development to reload modules in the shell after it’s been recompiled.

                                                  I have worked on one system that did production upgrades outside of release upgrades, by basically doing what a relup would do itself but doing so manually in a script, but it is rarer than even release upgrades.

                                                  1. 1

                                                    Thanks for the clarification!

                                        1. 4

                                          In a potentially far-reaching move […]

                                          There’s nothing “potentially” about it. I don’t know why it would be a good thing for the government to 1) decide what constitutes software accessibility, and 2) force people by threat of legal action to change the way their websites work when there’s no negative externality to not being able to use a website.

                                          1. 12

                                            How is this any different than the government mandating certain architectural/design rules for commercial buildings and public spaces (ADA)?

                                            1. 3

                                              That’s the whole point if I understand the case correctly (and I may not! I’m not a lawyer!).

                                              See here:

                                              First, the Ninth Circuit reaffirmed its position that, to be covered by the ADA, a website or mobile app must have a nexus to a physical place of public accommodation. The court stated that this nexus was “critical” to its analysis in the Domino’s case where the “alleged inaccessibility of Domino’s website and app impedes access to the goods and services of its physical pizza franchises – which are places of public accommodation.” The Ninth Circuit said in a footnote that it was not deciding whether “the ADA covers the websites or apps of a physical place of public accommodation where the inaccessibility does not impede access to the goods and services of a physical location.”

                                              Like, that’s the key thing–the website augments a physical location.

                                            2. 9

                                              there’s no negative externality to not being able to use a website

                                              If an insufficient number of websites include accurate accessibility metadata, browser developers won’t write code to consume it. If nobody uses it, then the effort will never get off the ground, and accessibility tools (and, almost identically, search engines) rely on heuristics instead. The benefit is reaped by the web authors, who don’t have to write the metadata, but is borne by browser and search engine developers, who are not direct parties. Thus, it’s an externality.

                                              1. 2

                                                Allow me to clarify, I’m looking at this in the frame of actions that are legally recognized as externalities; I think the example you point out is a cultural/social consequence of adhering to accessibility standards. Legally, negative externalities are generally effects that directly cause harm to a party not involved (I’m sure there are exceptions, but we’re talking about the rule here). If a website doesn’t work, that is neither endangering the person unable to access the website, nor is it directly inflicting harm on them. That’s why I’m saying the government shouldn’t really be involved in something like this.

                                                1. 2

                                                  In the case of Dominos there was an online-only promotion that was inaccessible, so they literally lost money if they had to phone in an order.

                                                  1. 2

                                                    I think calling it losing money is overzealous. It would be losing money if they had no choice but to order from Dominos. They weren’t forced to order from Dominos. If there’s a coupon for groceries that gets mailed out by a grocery store, we don’t legally pursue the grocery store for being exclusionary if someone that doesn’t have a mailbox didn’t get the coupon (e.g. homeless folks). They didn’t lose money, they just didn’t save some money; those aren’t the same thing.

                                                    1. 1

                                                      Well of course folks who aren’t customers aren’t going to care/lose money, but there was literally an unfair financial advantage in favor of those who could use the website to order pizza vs those who could not use the website to order pizza. Folks who had to use a phone to order pizza literally paid more than those who could use the website. They lost money.

                                              2. 7

                                                In addition to what other posters have raised - IMO ‘no negative externality’ is a defensible claim, but far from a sure one.

                                                The negative externality of impeded access is paid by the carers (usually family), who end up spending their time managing the affairs of someone who would otherwise be able to do so themselves.

                                                1. 5

                                                  I think you’ve misunderstood the ADA. The whole point of creating a private right of action is that the government does not set specific standards. Instead those affected by inaccessible accommodations sue, and a court decides if the place is in fact inaccessible. Accessibility is the standard. Places of business are free to meet that standard in any way that actually meets it.

                                                  1. 2

                                                    You’re right, I did misunderstand it.

                                                  2. 6

                                                    I’ve also tried to make this point but nobody wants to hear it… I don’t think we want the government to get involved in UI/UX design.

                                                  1. 1

                                                    Mike: Saw your comment about this on the hackernews thread: https://news.ycombinator.com/item?id=21186825

                                                    Have you actually done any benchmarks with this and sidekiq?

                                                    1. 1

                                                      I also find it interesting that the BSD license enables this 3rd party company to fork Redis and build closed source commercial software on top of it. One of the trade offs to consider when licensing a project.

                                                      This is the best part of BSD licensed software. Everyone gets a level foundation. They can do what they want with the code. Nobody has an advantage over anyone else.

                                                      1. 2

                                                        It can be the worst part for many. The author loses any leverage to recoup for their labor. You can blame the engineer for picking an inappropriate license but much OSS is written by folks in their 20s: plenty of time for programming, little life experience with law.

                                                        And yes, I’ve talked privately with many people in this exact situation.

                                                        1. 1

                                                          Sorry, but none of the developers in the BSD projects feel this way. We get code back all the time, too.

                                                          1. 2

                                                            Ok, you’ve talked to those who like it. I’ve talked to those who consider it a mistake. Both things can be true.

                                                      2. 1
                                                        $ brew install keydb
                                                        Error: No available formula with the name "keydb"
                                                        

                                                        Nope, I have no idea if it will work and how fast.

                                                        1. 1

                                                          I compiled keydb on my local machine. Testing it out with sidekiq and seems to at least work as expected. As far as any improvement vs vanilla redis, I would have to throw a lot more work at it.

                                                          1. 1

                                                            If you have the Sidekiq repo cloned, you can try bundle exec bin/sidekiqload. It’s a mostly self-contained script that runs 100,000 jobs, takes about 10-20 sec on my laptop, edit lightly as necessary.

                                                            1. 1

                                                              Using ruby 2.5.3p105 and current sidekiq master, five runs of sidekiqload on vanilla redis took an average of 13.0167407516 sec. For KeyDB, average of 5 runs took 12.8944184326 sec, so an improvement but not really a whole lot.

                                                              1. 1

                                                                Not surprising. On Ruby 2.6.3, I still see Redis at 25% CPU and Ruby at 100%. We’d need to run a much larger, multi-process, multi-machine load test to get realistic production results.

                                                      1. 9

                                                        One thing this announcement makes obvious is that Apple marketers see macOS primarily as an application suite. They don’t mention system-wide changes like security improvements until the last quarter of the page — it’s all about the apps.

                                                        1. 9

                                                          Or most users/most of the target audience does not care about OS changes. E.g. my dad is also a macOS user – he probably cares more that iTunes is now split into several apps, or about what changes there are in Photos, than that developers have to do notarization or that macOS supports and will migrate to user-mode drivers.

                                                          Of course, the OS changes will benefit users, but they are harder to explain.

                                                          1. 1

                                                            iTunes is now split in several apps

                                                            LOL what? How can a music player be this complicated?

                                                            1. 4

                                                              iTunes was where Apple used to dump anything iPod related, and it was a bit hairy as a result. Now each function is broken into its own application or folded into Finder.

                                                              1. 2

                                                                There was a point (it may still be true; I don’t use Xcode anymore) where updating Xcode required quitting iTunes because… iTunes had a dependency on Xcode?

                                                                The mind reels.

                                                                1. 1

                                                                  Round and round we go.

                                                                2. 0

                                                                  You have no idea.

                                                                  1. 1

                                                                    I don’t. That’s why I use Linux.

                                                              2. 2

                                                                Users shouldn’t have to think about technical things like security improvements

                                                                1. 4

                                                                  They really should, though.

                                                                  1. 2

                                                                    They should publish it somewhere, but not here. This is not a technical document. This is a marketing piece aimed at non-technical consumers.

                                                                    1. 1

                                                                      Stop dividing users by “technical” and “non-technical”. Also, he’s right - raising security awareness in a gentle yet still informative way should be a top priority for a company which people rely on so heavily.

                                                              1. 52

                                                                Voat is a link aggregation platform, where users can submit text or links to content, comment on existing submissions and vote both links and comments up or down. It’s essentially a Reddit clone, but, due to several bad design decisions, it has become known on the rest of the Internet as a community that promotes intolerance and hate speech.

                                                                What.

                                                                Voat was created in direct response to Reddit’s deplatforming of hate subreddits, and its owners and content moderators explicitly invited those deplatformed trolls with open arms. Voat’s notoriety wasn’t the inadvertent consequence of bad decisions, it was part and parcel of the site from day one.

                                                                1. 21

As far as I remember it wasn’t created as a response[1], it was fairly new at the time a lot of people jumped ship though. It was just created as a news aggregator site with a focus on freedom of speech. Then all the reddit banning happened and a lot of people moved there.

                                                                  [1] https://en.wikipedia.org/wiki/Voat

                                                                  1. 3

                                                                    Yeah, Wikipedia certainly seems to agree with you.

                                                                    1. 2

                                                                      Any platform that focuses on “freedom of speech” is dog whistling for hate speech.

                                                                      Removing hateful garbage off your platform is exercising your freedom of speech in a responsible way.

                                                                      There is a clear line between censorship that is about brainwashing the masses and that which removes things that only exist to hurt/attack people. If you can’t see this line you have a problem.

                                                                      1. 5

                                                                        Any platform that focuses on “freedom of speech” is dog whistling for hate speech.

                                                                        What a world we live in. Wow.

                                                                        1. 3

                                                                          Show me one “free speech” platform that isn’t full of hate speech please. They’re all the same.

                                                                          Freedom of speech does not mean I have to be forced to read or listen to it. Or publish it.

                                                                          1. 5

                                                                            If you asked the maintainers/moderators of Lobsters, reddit or even HN, I’m sure they’d all attach a very high value on free speech. I’m sure you’ll say, “but that’s different because they don’t treat free speech as an absolute value that is prioritized above all else.” But that isn’t what you said.

                                                                            In any case, I’m more or less reacting to how absolutely incredulous your position is. It’s straight out of 1984 doublespeak. Historically, prioritizing free speech has always been understood as an ideal, and that allowing others to say what they want is very much distinct from actually endorsing the message. But we’ve lost that ideal apparently. Absent other evidence, “prioritizing free speech above all else” is at worst naive. Jumping to “they just want a place for a hate speech” is absolutely absurd. And your weaseling “dog whistle” phrasing is doing exactly that.

                                                                          2. 3

                                                                            In one sense, yeah, I feel you, but in another, more pragmatic sense, /u/feld is completely correct, and the world would be a lot better if more people realized it.

                                                                            1. 5

                                                                              Thank you, and this is the last I’ll comment on it. Online. Forever. This is only a discussion worth having in person.

                                                                              I’ve simply had enough of this. People wrapping themselves in the Free Speech flag and spreading hateful crap is leaking everywhere we go on the internet. The problem is that the internet is not a good analogy for real life or a public square. There is no fear or shame for these people.

                                                                              In real life, exercising your right to hate speech looks like this: https://www.instagram.com/p/BX-0YVIlLGz

                                                                              On the internet, it’s more like guerrilla warfare. These cowards do not have to deal with confrontation. They’re allowed to spread their hate with no consequences, shame, or fear; protected by their computer screen separating them from the world.

                                                                              Remember, only one side of the political spectrum is filled with people whose goals are to hurt people.

                                                                              If you really think Free Speech Zones are such a great idea, why not lobby to open Lobsters to the masses instead of having an invite-only membership?

                                                                              Freedom of speech is definitely important. People should be allowed to say whatever they want without fear of criminal punishment. But platform operators are still allowed to control what is published on their platform.

                                                                              1. 4

                                                                                If you really think Free Speech Zones are such a great idea

                                                                                On the Internet, I don’t think they are a good idea at this point in time. I don’t regularly visit any web site that prioritizes free speech above all else. I am myself on the moderation team for official Rust community spaces and have been an advocate for stronger moderation here at Lobsters.

                                                                                So it seems to me like you’ve completely misunderstood my criticism. Which isn’t that surprising, because outrage culture (along with several other things) drives an Us vs. Them mentality. It’s seemingly inconceivable to you that someone can say “I believe in free speech” and actually be sincere about it without also being a surreptitious vehicle for hate speech. I’ve been in online forums for a couple decades at this point, and I personally see web sites that prioritize free speech above all else as bad ideas, but that doesn’t mean there aren’t people out there that see them as good ideas in good faith, or even have ideas on how to fix what makes them so bad. I don’t know how to do that, but there’s a lot I don’t know. And just because I don’t know how to do something doesn’t mean I’m automatically going to assume the worst about people.

                                                                                But if the best we can do is rave about dog whistles, then we’re never going to see the rich nuance that is involved in these issues, and good people are going to get caught in the crosshairs of outrage.

                                                                                1. 3

                                                                                  It’s seemingly inconceivable to you that someone can say “I believe in free speech” and actually be sincere about it without also being a surreptitious vehicle for hate speech.

                                                                                  I appreciate that you interpret what’s being said through the lens of Us-vs-Them extremism and so say things like “seemingly inconceivable” when summarizing someone else’s position. There’s certainly enough evidence in the dialog to support that conclusion. Nevertheless I think you mischaracterize what’s actually being said, or suggested.

                                                                                  It’s not that we think good faith advocates of free speech literally don’t exist. It’s that they are so much in the minority in the spaces and contexts that we’re talking about that they may as well not exist in a statistical sense. And, carrying that point a bit further, that spending more than a statistically insignificant amount of time, energy, or benefit of the doubt addressing those people is (at a minimum) a misallocation of resources, and (at a maximum) actually providing normalizing cover to the bad faith actors in the space. And exploiting that dynamic, exploiting the naïvety of idealists who want to assume good faith and have a discussion purely on the merits, is arguably the principal tool that trolls use to achieve their ends.

                                                                                  I like to think of it in terms of macro vs. micro. I think you are coming at this discussion from a micro- or individual-scale: in any given pairwise interaction between two people, it’s a shame and probably even harmful that we don’t give the benefit of the doubt and engage in good faith. I don’t disagree. But I, and I suspect feld, are coming at it from a macro- or group-scale: we care about the aggregate effect of positions on issues, measured at the societal level. And rational advice or behavior or best practice at one scale is frequently entirely opposite the best practice at the other scale.

                                                                                  1. 3

                                                                                    Yes. I am certainly predisposed to an individualist viewpoint. But I guess that’s the point. I don’t believe in outrage culture as a means to an end, in part because it gets otherwise good people caught in the crosshairs. At a macro pragmatic scale, outrage culture is not limited to very clear cases of Nazis or trolls or fascists or otherwise bad people. It makes leaps of faith based on “dog whistles.” Ultimately, people throwing around phrases like “dog whistles” are not held responsible when they’re wrong, in my experience. It sours all interaction instead of just the interaction with trolls/Nazis/fascists.

                                                                                    I am also in general pretty skeptical of a statistical argument here. I can see how one can perceive statistical significance here, but I’d be very surprised to see hard data supporting that conclusion there because I’m not sure it’s actually available.

                                                                                    As I said, we are on two different wavelengths here.

                                                                              2. 2

                                                                                I don’t agree and based on your other comments, we are definitely on two different wavelengths here. IMO, the rise of the phrase “dog whistle” has allowed for sloppy and lazy thinking. It being used here, in this context, is exactly what outrage culture is built on top of. Hate speech is bad, but so is being outraged when someone says they like free speech. There’s a non-ridiculous position to be had in the middle there.

                                                                            2. 2

                                                                              First of all, I never actually got into the discussion of what “freedom of speech” means, whether it’s worth defending, or whether it’s hate speech in disguise.

                                                                              If you can’t see this line you have a problem.

                                                                              I don’t see why you felt any need to attack me. I merely clarified that it wasn’t created as a response to the reddit bans, it fed from them as it was advertised as a platform for freedom of speech which attracted the kind of people reddit was getting rid of. I don’t think I defended any position anywhere in my post. I just stated some facts about the timeline.

                                                                              Now, after this has been clarified, I mostly agree with you but I still think it’s a slippery slope and one that is worth examining thoroughly.

                                                                              Just as an extra comment, I don’t think someone defending freedom of speech is automatically defending hate speech. There are real freedom of speech problems around the world, and I don’t think this antagonization of the term brings anything positive to the table.

                                                                          3. 18

                                                                            Yeah. There’s neutrality, and then there’s misreporting. This definitely falls into the second category.

                                                                          1. 5

                                                                            Some devs are not very happy with that new notary thing.

                                                                            1. 4

                                                                              It only applies for binaries downloaded with the browser. Anything on a game launcher or similar is already unaffected.

                                                                              1. 1

                                                                                Isn’t it related to every executable (and kext) that is being built by every developer?

                                                                                1. 3

No, it’s only related to binaries marked as quarantined. It’s up to the transferring application to set that extended attribute. Compilers don’t. Browsers do.

                                                                                  Stuff you build for yourself is unaffected. Same goes for whatever pre-built binary brew downloads.

                                                                                  1. 1

                                                                                    Compilers don’t. Browsers do.

                                                                                    The Notary service does it. Not the browser. The browser (well, only Safari AFAIK) leaves a note so that the OS can tell you where a document, file or binary came from. But that is not the notarization process. That happens on Apple’s servers. You have to send your app to the Notarization API and you will get back a binary that has some special signed meta data attached.

                                                                                    If it were as simple as the browser adding this then every piece of malware would be doing that.

                                                                                    Note that this does not cost money. You don’t need a $100 developer subscription. All you need is an Apple ID.

                                                                                    1. 1

                                                                                      I was talking about setting the quarantine xattr. Unless an executable has that flag set, the OS will execute it even when it’s not signed.

                                                                                      Of course notarization has to be done by Apple and not each user individually. That was the main goal of the change.

                                                                                2. 1

                                                                                  I don’t get it, how is downloading a binary with a browser different than a game launcher?

                                                                                  1. 3

A game launcher (e.g., Steam) is verified. It’s now Steam’s job to police the contents of their platform. If they fail Apple can blacklist Steam for everyone at a moment’s notice, so Valve is incentivized to not ship malware through Steam.

                                                                                    1. 2

                                                                                      Browsers set the gatekeeper flag, game launchers don’t. It sounds stupid.

                                                                                      1. 0

                                                                                        Browsers don’t set any flags.

                                                                                        1. 2

                                                                                          http://ix.io/1Y1C

                                                                                          I beg to differ

                                                                                          1. 1

                                                                                            Yes but this is not used by Gatekeeper to decide whether or not to run a binary. This is just for the notification you will see in the Finder when you open the app. Notarization is a signing process. If it were just as simple as adding some meta data to a file then every piece of malware would be doing that.

                                                                                1. 2

                                                                                  Ugh, I want to do this but I hate wiping my phone when I have an SSH key in my Secure Enclave

                                                                                  1. 3

Some of us like our software downloads from unknown entities to be signed. It’s almost like we’re tired of infected/malware-ridden crap.

                                                                                    1. 6

                                                                                      EDNS is important. I don’t know how Cloudflare thinks you’ll get a good experience without it. It will cause odd behavior like an American being sent to an Australian CDN mirror.

                                                                                      I was having this issue at work and then realized it was broken EDNS…

                                                                                      1. 5

                                                                                        I don’t know how Cloudflare thinks you’ll get a good experience without it.

You get a good experience to Cloudflare hosted proxies. Which strengthens their case when they say that your website gets faster if you let them MITM it.

                                                                                        1. 2

Don’t most global DNS/CDN providers rely on anycast + BGP for routing requests to the closest PoP?

                                                                                          1. 1

                                                                                            That’s exactly the thing, isn’t it. CloudFlare, and many of their direct competitors like Fastly, do use anycast routing for their CDN. But that’s expensive, and making it work well is complicated, so Archive Today uses Geo DNS instead.

                                                                                            1. 1

                                                                                              While anycast is complicated it can be done cheaply by those who know how, and for those who don’t, route53 is only marginally more expensive than a well-monitored “geo dns” setup.

                                                                                              “Geo dns” is so dumb, and so extremely error prone, and so very difficult to correctly handle many failure scenarios that are just simply automatic with the anycast approach, that I do not recommend it to anyone.

                                                                                              1. 3

                                                                                                can be done cheaply by those who know how

                                                                                                OK, I’m all ears here!

Anycast is completely inaccessible to the average advanced user. There are some providers which offer anycast service on their own IP space (vr.org/hostvirtual.com — the only provider I’m aware of, showing that there’s not even much competition), and you quickly realise just how inflexible the whole thing is, because IPv4 space has a /24 granularity, meaning, you gotta dedicate a whole /24 to a given anycast group, and every single member of the group is then bound to have anycast presence in every single location from which the anycast is announced.

                                                                                                Got a new PoP? Gotta have every customer onboard for purchasing the computing resources at the new location. Got a spiked load for one specific PoP? Better be using autoscaling! I.e., it’s an all-or-nothing kind of situation. There’s no individual scaling, individual selection of which PoPs you get to have your anycast in etc.

                                                                                                Otherwise, if you do want such control, you gotta have your own /24, and find providers willing to announce it for you. Where exactly can you get such custom services cheaply? I don’t see anything like that in the price lists of most hosting providers which are my go-to for the affordable dedicated servers.

                                                                                                This whole notion and all the arguments provided by Cloudflare and their fans revolve around the fact that they simply don’t care about the hobbyist and grass-roots internet services like archive.today. The writing on the wall being that archive.today is too small to need their own thing, should be a (paying) Cloudflare CDN customer, or just do things differently than is convenient for them in their free service without venture capital, as well as other bigotry justifying why Cloudflare, a 3.5 billion US dollar company playing dirty with their free Cloudflare DNS subsidised by their billion-dollar CDN operation to slow down all the other competing CDNs, is in the right. It’s sad that so many folks applaud these actions — they should not be celebrated. We need internet diversity. Some folks don’t even realise how much of a monopoly and a bully Cloudflare already is. It is hard but possible to do internet without Google. Not so easily without access to Cloudflare.

                                                                                                1. -1

                                                                                                  Anycast is completely inaccessible to the average advanced user.

                                                                                                  Be that as it may, I also think you’re probably less advanced than you think.

                                                                                                  First issue: BGP has no security. Getting an IP and an ASN is just some paperwork, but you still need networks to let you announce.

                                                                                                  I don’t know of any providers that would let you do this with a prepaid debit card you picked up in Walgreens, but once I’ve explained what I’m doing, I’ve found most virtual hosting providers will set things up appropriately. I’ve yet to have someone charge me for this.

Some of the providers I’ve used include Softlayer, Gandi, HopOne, and OVH. Just one Linux instance, and I run gated (or zebra or whatever) on each site.

                                                                                                  If you still can’t figure it out, you can suggest some use cases and maybe I would help you set up an experiment if you have an interesting idea.

                                                                                                  There are a lot of things to get right if you don’t want to piss off other network admins on the Internet so it should not surprise you (or anyone else) that there’s a significant amount of KYC at the gates.

This whole notion and all the arguments provided by Cloudflare and their fans revolve around the fact that they simply don’t care about the hobbyist and grass-roots internet services like archive.today.

                                                                                                  This is uncalled for.

                                                                                                  I’m happy to engage on EDNS (client subnet extension) being a dumb/unnecessary privacy leak, and useless for load balancing or DDoS protection, and anycast being straightforward, but I can’t speak for Cloudflare or its fans. I’ve never used Cloudflare and my experience as a regular internet user would never have me recommend them or their patently silly “DDoS protection” product.

                                                                                          2. -3

                                                                                            It shouldn’t.

                                                                                            If you have anycast dns servers who receive a request from a name server without EDNS support, you can basically assume the POPs nearest your nameserver should be returned.

                                                                                            If you’re not anycast (eg because you’re the sad sort who thinks “Dns geoip load balancing” is a thing) then you should just fix that problem. Route53 is cheap.

                                                                                            1. 3

Yeah, sorry, maybe with all your millions of dollars in venture capital you might think that DNS geoip is not a thing, but if you don’t have that kind of money, it still does the job just fine. (Extra 80ms in latency is nothing compared to the average page load times of several seconds on the modern web anyways.) And EDNS-Client-Subnet isn’t there for nothing, either. And what does AWS Route53 have to do with anycast in the first place? Also — AWS may be convenient, but it sure ain’t cheap, either.

                                                                                              1. 0

                                                                                                with all your millions of dollars in venture capital

                                                                                                Who the fuck do you think you’re talking to?

                                                                                                I don’t have millions of dollars in venture capital.

                                                                                                you might think that DNS geoip is not a thing

Not a thing? It’s something that inexperienced sysadmins do: it’s clearly a thing, just not a good thing.

                                                                                                And EDNS-Client-Subnet isn’t there for nothing, either.

                                                                                                Yes. It really is.

                                                                                                It’s a privacy leak engineered by Google, and there’s no point to it. You can’t trust it, so you must handle fallbacks with it missing instead of diverting traffic to 127/8 e.g. users who have a local resolver running on their laptop which might not know the IP address (or guess wrong). Just assume the web service closest to your nameserver and you’ll immediately be doing better.

The users who foolishly use 8.8.8.8 and etc because they believe it’s faster deserve what they get. They are great tools, and it’s touching how they’re used to subvert censorship and oppression but make no mistake: the only real interests they serve are those of their masters.

                                                                                                AWS may be convenient, but it sure ain’t cheap, either.

                                                                                                Route53 is cheaper than trying to build your own reliable “geoip dns” crap: one of the biggest cost-savings is you don’t need a few dozen monitoring nodes second guessing the answers coming out of your servers. Split paths and partial network outages are extremely common and impossible for your dns servers to detect on their own.
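As an added example that is not part of the thread (the editor's code, not any commenter's), here is the wire format of the EDNS Client Subnet option being argued about (RFC 7871, option code 8), a decoder that rejects malformed options, and the fallback to the resolver's own address that the comment above argues for. The /24 and /56 limits and the documentation-range addresses are assumptions for illustration.

```python
"""Encode/decode the EDNS Client Subnet (ECS) option and pick the prefix a
geo-aware authoritative server should act on. Added example; assumed values
are marked as such."""
import ipaddress
import struct
from typing import Optional

ECS_OPTION_CODE = 8   # EDNS option code for Client Subnet (RFC 7871)
FAMILY_IPV4 = 1       # IANA address family numbers used by ECS
FAMILY_IPV6 = 2
# Assumed policy: never act on more than /24 (IPv4) or /56 (IPv6) of a client
# address, whatever a resolver sends. These are the limits RFC 7871 recommends.
MAX_SOURCE = {FAMILY_IPV4: 24, FAMILY_IPV6: 56}


def encode_ecs(client_ip: str, source_prefix: int, scope_prefix: int = 0) -> bytes:
    """Return a complete ECS option: OPTION-CODE, OPTION-LENGTH, OPTION-DATA.

    OPTION-DATA is FAMILY(2) | SOURCE PREFIX-LENGTH(1) | SCOPE PREFIX-LENGTH(1)
    | ADDRESS, where ADDRESS is truncated to ceil(source_prefix / 8) bytes and
    bits past the prefix length are zeroed, as the RFC requires of the sender.
    This is exactly what a forwarding resolver leaks about the client."""
    ip = ipaddress.ip_address(client_ip)
    family = FAMILY_IPV4 if ip.version == 4 else FAMILY_IPV6
    if not 0 <= source_prefix <= ip.max_prefixlen:
        raise ValueError("source prefix length out of range for address family")
    net = ipaddress.ip_network(f"{ip}/{source_prefix}", strict=False)
    nbytes = (source_prefix + 7) // 8
    data = struct.pack("!HBB", family, source_prefix, scope_prefix)
    data += net.network_address.packed[:nbytes]
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def decode_ecs(option: bytes) -> dict:
    """Parse one ECS option the way an authoritative server should: check the
    declared length, the address family, the address byte count implied by the
    source prefix, and that no bits are set beyond the prefix length."""
    if len(option) < 8:
        raise ValueError("option too short for an ECS header")
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE:
        raise ValueError(f"not an ECS option (code {code})")
    data = option[4:4 + length]
    if len(data) != length:
        raise ValueError("declared option length exceeds available bytes")
    family, source_prefix, scope_prefix = struct.unpack("!HBB", data[:4])
    if family == FAMILY_IPV4:
        full_len = 4
    elif family == FAMILY_IPV6:
        full_len = 16
    else:
        raise ValueError(f"unsupported address family {family}")
    if source_prefix > full_len * 8:
        raise ValueError("source prefix length too long for address family")
    addr = data[4:]
    if len(addr) != (source_prefix + 7) // 8:
        raise ValueError("address length does not match source prefix length")
    # Pad the truncated address back to full width, then require that the
    # sender really zeroed the host bits (strict=True raises otherwise).
    ip = ipaddress.ip_address(addr + bytes(full_len - len(addr)))
    try:
        net = ipaddress.ip_network(f"{ip}/{source_prefix}", strict=True)
    except ValueError as exc:
        raise ValueError("non-zero bits past source prefix length") from exc
    return {"family": family, "source_prefix": source_prefix,
            "scope_prefix": scope_prefix, "subnet": str(net)}


def effective_client_prefix(resolver_ip: str, ecs_option: Optional[bytes] = None) -> str:
    """Decide which network to answer for. With ECS present, use the advertised
    subnet but clamp it to MAX_SOURCE so a misbehaving resolver cannot push
    full client addresses through. Without ECS (or with SOURCE 0, which means
    "no client information"), fall back to the resolver's own address, the
    approach the comment above recommends."""
    if ecs_option is not None:
        ecs = decode_ecs(ecs_option)
        if ecs["source_prefix"] > 0:
            net = ipaddress.ip_network(ecs["subnet"])
            limit = MAX_SOURCE[ecs["family"]]
            if net.prefixlen > limit:
                net = net.supernet(new_prefix=limit)
            return str(net)
    ip = ipaddress.ip_address(resolver_ip)
    limit = MAX_SOURCE[FAMILY_IPV4 if ip.version == 4 else FAMILY_IPV6]
    return str(ipaddress.ip_network(f"{ip}/{limit}", strict=False))


if __name__ == "__main__":
    # Constructed sample: a resolver at 198.51.100.9 forwards /24 of a client
    # in the 203.0.113.0/24 documentation range (both addresses assumed).
    opt = encode_ecs("203.0.113.77", 24)
    print(opt.hex())                                   # 0008000700011800cb0071
    print(decode_ecs(opt))                             # subnet 203.0.113.0/24
    print(effective_client_prefix("198.51.100.9", opt))  # 203.0.113.0/24
    print(effective_client_prefix("198.51.100.9"))       # 198.51.100.0/24
```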

                                                                                              2. 1

                                                                                                We use GeoDNS and anycast. It’s not rocket science and there are some very good reasons to leverage both.

                                                                                                1. 0

                                                                                                  There aren’t. Really.

BGP is a much better/more-complete picture of the network shape, so there’s no reason to do an IP to arbitrary country or lat/lon table built every month by IP2Location (or your favourite vendor here), and given that database is obsolete before you even downloaded it, you might as well “just” use BGP and your health/monitoring network.

                                                                                            1. 33

                                                                                              Completely ignoring the conventions for how software should be updated on macOS (either via signed Sparkle updates, a built-in updater à la Firefox, or via the Mac App Store), Google chose to implement a piece of malware known as GoogleSoftwareUpdate that resides in /Library/Google and ~/Library/Google. It is a specific kind of malware known as an APT (Advanced Persistent Threat), and several articles have been written on this subject (but I can’t find them at the moment via a cursory search).

                                                                                              Sometimes people have “legitimate” reasons to use Google Chrome (e.g. because it supports some piece of DRM you might need which better browsers like Brave choose not to ship with). If you’re one of these users, to prevent Google Chrome from infecting your computer with its malware, you need to perform the following actions:

                                                                                              # remove the folders if they exist (rm -rf DIR/* would leave dotfiles behind), then recreate them empty
                                                                                              $ sudo rm -rf /Library/Google ~/Library/Google
                                                                                              $ sudo mkdir -p /Library/Google ~/Library/Google
                                                                                              # hand the folders to root and strip all group/other permissions so the updater can't write to them
                                                                                              $ sudo chown -R root:wheel /Library/Google ~/Library/Google
                                                                                              $ sudo chmod -R go-rwx /Library/Google ~/Library/Google
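
The manual steps above turned into a repeatable script, as an added example that is not code from the original comment or from Google. It assumes a POSIX sh and the two Keystone folders the comment names; `lock_dir` wipes a folder (dotfiles included), recreates it empty and strips group/other permissions, and `verify_locked` checks that the lock actually held, so the script can be exercised on a scratch directory before it is pointed at the real paths with sudo.

```shell
#!/bin/sh
# Added example, not from the original comment. Turns the manual
# rm/mkdir/chown/chmod steps into a repeatable, verifiable script.
# Assumptions: POSIX sh; the folders to lock are the two Keystone folders
# named in the comment (/Library/Google and ~/Library/Google).
# Usage on macOS:  sudo sh lock-google.sh --apply /Library/Google ~/Library/Google

# lock_dir DIR: wipe DIR (including dotfiles, which "rm -rf DIR/*" would
# miss), recreate it empty and strip group/other permissions. Ownership is
# handed to root:wheel only when already running as root on macOS, so the
# function can be exercised on a scratch directory without privileges.
lock_dir() {
    dir=$1
    rm -rf -- "$dir"
    mkdir -p -- "$dir"
    chmod 700 "$dir"
    if [ "$(id -u)" -eq 0 ] && [ "$(uname)" = "Darwin" ]; then
        chown root:wheel "$dir"
    fi
}

# verify_locked DIR: succeed only if DIR is a directory with mode drwx------.
# ls is parsed instead of stat because stat's flags differ between BSD and GNU.
verify_locked() {
    dir=$1
    [ -d "$dir" ] || return 1
    mode=$(ls -ld "$dir" | cut -c1-10)
    [ "$mode" = "drwx------" ]
}

# Only touch real paths when explicitly asked to; the paths are passed on
# the command line so the caller's shell expands ~ before sudo runs.
if [ "${1:-}" = "--apply" ]; then
    shift
    for d in "$@"; do
        lock_dir "$d"
        verify_locked "$d" || { echo "lock failed: $d" >&2; exit 1; }
        echo "locked: $d"
    done
fi
```

Re-run `verify_locked` after the next Chrome update: if the check fails, the updater has found a way to change the permissions back and the lock is no longer doing anything.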
                                                                                              
                                                                                              1. 10

                                                                                                In what world is this an APT? I deal with threat hunting, APT attack simulation, and TTP recreation on a daily basis, and this is not the first time that I’ve seen a few people who don’t like Google try to pin the term on GoogleSoftwareUpdate. It makes no sense, and you make your argument way weaker by throwing around terms like that and spreading FUD. APTs are acting groups who create payloads for specific targeted purposes, not the payloads themselves. That’s like calling Stuxnet an APT.

                                                                                                1. 11

                                                                                                  I consider it an APT. Even removing Chrome doesn’t remove it, and if you don’t excise it completely it will restore itself. It’s nasty. Really evil stuff on MacOS.

                                                                                                  1. 12

                                                                                                    That’s like calling Stuxnet an APT.

                                                                                                    The Wikipedia page calls Stuxnet an APT. Copied from there:

                                                                                                    The Stuxnet computer worm, which targeted the computer hardware of Iran’s nuclear program, is one example.

                                                                                                    GoogleSoftwareUpdate is an APT because, well, it fits the definition. It runs in the background, without your permission, it phones home to Google, and at any point in time it can modify your computer either directly or with a payload it downloads.

                                                                                                    1. 10

                                                                                                      An Advanced Persistent Threat (APT) is a stealthy computer network threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period

                                                                                                      I don’t mean to be inflammatory, but I honestly don’t even think you read the first sentence of the Wikipedia article you linked. It refers to threat actors specifically. So this would generally be considered a tool used by an APT. Google is the actor, GoogleSoftwareUpdate is their payload/TTP (Tools, Techniques and Procedures). We assign APT names and numbers to groups, not malware families; your description doesn’t fit that definition at all.

                                                                                                      1. 6

                                                                                                        It seems like the Wikipedia entry uses it in multiple ways as well, since it calls Stuxnet an APT, and later refers to its creators.

                                                                                                        If you’re used to hearing the term APT refer to the people behind the code, I can see being confused at the way that I’m using it here. Wikipedia does not use the term consistently, and others have also used the term to refer to the software itself, so I’m not alone in this usage.

                                                                                                        I think confining the term “APT” to the software’s creators can be unnecessarily limiting. In the case of GoogleSoftwareUpdate, it might not be accurate to call Google the APT, since their mechanism (GoogleSoftwareUpdate) can be hijacked by completely unknown entities to infect computers. In a sense, you could also say that GoogleSoftwareUpdate is the entity that’s doing the infecting, and I don’t think that’s an unreasonable expansion of the definition.

                                                                                                        1. 6

                                                                                                          I’m saying that the entire computer security field has seemingly agreed (whether or not the terms are somewhat confused in Wikipedia) that APT refers to specific threat actors, not their tooling, which means when you use those terms in technical groups they are going to misconstrue them, since no one calls TTPs APTs. Whether or not you mean to, you are accidentally leading people away from the in-field terms. I have never once heard a threat hunter call an artifact an APT in my entire career.

                                                                                                          Generally, in the malware and analysis world, GoogleSoftwareUpdate wouldn’t even count as malware; it would be a PUP (Potentially Unwanted Program) that functions in a known way but might do something unwanted. That’s not the same as malware either. Also, if you are referring to the fact that GoogleSoftwareUpdate is installed in a user-writable directory and can be replaced or DLL-hijacked, then you are further purposefully choosing to make that fit into your view. This is a common terrible practice, but can be mitigated by installing Google Chrome Enterprise, which installs system-wide and doesn’t leave GoogleSoftwareUpdate writable by users.

                                                                                                          1. 5

                                                                                                            I’m saying that the entire computer security field has seemingly agreed

                                                                                                            I thought my presence on Hacker News and Lobsters bringing in all the high-assurance and CompSci folk showed that popular security != entire computer security field. The popular ones also built many fewer systems highly-resistant to penetration. They knew nothing of those that did or even denied they existed. When they failed, they doubled down on their ways instead of relenting or admitting the other groups had anything of value. If anything, I’m skeptical when the “computer security field” that most know about make a pronouncement. The skepticism usually pays off.

                                                                                                            Back to this, I see why @itistoday is talking like this. Many security and news pieces I read at the time talked about APT in terms of their methods. They highlighted how different the methods were. Who cares who the source is if the methods are the same things you already blocked. The “APT’s” were different using stealthier techniques that involved getting a foot in, bringing in more, and doing a lot of exfiltration of data under users’ noses. That’s basically Google minus outright hacking. Hence, hyperbole.

                                                                                                            1. 1

                                                                                                              Skepticism is always fair, and I appreciate being called out when I accidentally arbitrate or overly claim authority; that was not my goal and very much not my objective either. Appeal to authority was a failure on my part. I know based on our conversations that I very much have respect for the HA world and the world outside of “pop-security”, but in both of those I have never heard the term get used as a reference to persistence techniques, only (even in the research I read) as a reference to the groups executing real-world attacks. I agree that the term “persistence” is of importance and isn’t represented properly in the original acronym, but I have always heard and read about them in terms of “persistence” in general.

                                                                                                              For the second portion, the corporate world and enterprise land is almost the opposite of what you stated in my experience. They care much more about who, how to block them, and how to detect them than necessarily root cause detection/prevention. I think this is fundamentally flawed (as I bet you do too), but just look at something like the MITRE ATT&CK framework and show me how the Google example fits in. I think that the “outright” hacking and purest of intent is important to separate out threats from potentially unwanted behavior. There is a fundamental difference between a risk and a threat, no?

                                                                                                              1. 2

                                                                                                                “but in both of those I have never heard the term get used as a reference to persistence techniques and only referred (even in the research I read) to as the groups executing real world attacks”

                                                                                                                Thanks for fairly evaluating what’s going on here. It could be the reporting media doing it. Being outside your group, what I was reading was a combination of actors and methods that were supposedly better than everything else. If anything, it looked like media and security companies were making excuses for bad security in general by making hackers look amazing. Hackers whose methods were sending loaded emails and such followed by gradual expansion of access. Not amazing.

                                                                                                                “the corporate world and enterprise land is almost the opposite of what you stated in my experience. They care much more about who, how to block them, and how to detect them than necessarily root cause detection/prevention.”

                                                                                                                I don’t have much experience there past what I read about what they do. I appreciate the insight. They’re often reactive based on whatever is getting a lot of attention. This could be an extension of their habit of wanting to create an easy characterization of something, point blame at it, and have some solution that eliminates it entirely. It doesn’t work with IT security in general. I definitely can see them doing it.

                                                                                                                “ I think that the “outright” hacking and purest of intent is important to seperate out threats from potentially unwanted behavior. There is a fundamental difference between a risk and a threat no?”

                                                                                                                I agree in general. I already said it was likely hyperbole. Thing is, Google is a threat actor of its own sort trying to get as much secret and public information about its users and non-users as possible to sell influence attempts by third parties. Also, getting close with D.C. in a police state with whatever comes with that. And they do their own thing in a sneaky way.

                                                                                                                I agree that the APT term doesn’t fit them in definition of mainstream, security community or news headlines I saw for some reasons. I do see how the sneaky, bring-in-backdoors, exfiltrate-data behavior justifies a comparison with hyperbole, though.

                                                                                                            2. 1

                                                                                                              I didn’t realize the APT Language Police were here, sorry!

                                                                                                              I have heard various people use APT to refer to software. Multiple definitions for the same words often exist. This is how language works. Since you keep banging on about this, I’ll remind you that I’ve linked to one paper that uses “APT” in this way, that sentence from Wikipedia, and here’s another person:

                                                                                                              The Advanced Persistent Threat (APT) has become the watchword for today’s cyber espionage. It frequently involves a piece of malware or group of malware programs that can evade detection

                                                                                                              Re some people not considering it “malware”. Great, we can agree to disagree. I’m with Stallman on this.

                                                                                                              1. 4

                                                                                                                Multiple definitions for the same words often exist.

                                                                                                                Yeah, we have to stop this in computing. We have enough complexity, and enough trouble communicating ideas. We don’t need to overload terms and make this worse.

                                                                                                                Precision is a foundational aspect of why math is a universal language.

                                                                                                                1. 4

                                                                                                                  Yeah, we have to stop this in computing.

                                                                                                                  Great idea, now let’s nominate you to be in charge of the definitions of the words everyone in computing uses. 👍

                                                                                                                  Precision is a foundational aspect of why math is a universal language.

                                                                                                                  And math is definitely not known for overloading the definitions of symbols.

                                                                                                                  1. 2

                                                                                                                    Great idea, now let’s nominate you to be in charge of the definitions of the words everyone in computing uses.

                                                                                                                    Thank you for your kind nomination!

                                                                                                                    And math is definitely not known for overloading the definitions of symbols.

                                                                                                                    There are very few “symbols,” but you can generate new words for your definitions by using the generalized concept of addition (which has axiomatic properties) and basic set theory primitives like subset. Put another way, assuming a function newword(L, N), where L is a tuple, containing production rules for valid words, P, and a set, C, of valid symbols (e.g. characters), I can call newword, to generate valid words contained in L of length N. While I’ll leave the proof as an exercise to the reader, it follows that incrementing N is all that is needed to create additional words in L, provided, that production rules in L are unbounded.

                                                                                                                  2. 2

                                                                                                                    Mathematics is the art of giving the same name to different things. (Henri Poincaré)

                                                                                                                    Math is precise when it comes to the definitions and what a word means in a context, but the keyword here is context.

                                                                                                                  3. 3

                                                                                                                    There is a difference between being the language police and accepting the fact that the common-use terms in the industry itself (I have taken part in IR engagements that discovered named APTs) are not confused in their day-to-day use. I think when you do that you are doing it on purpose to try and craft the narrative in a way that you are the language police and can redefine terms that are not confused inside of a field. It is purposefully trying to confuse people who are not part of the field, and I think that’s just as dangerous.

                                                                                                                    It frequently involves a piece of malware or group of malware programs that can evade detection

                                                                                                                    Again, even in your quote you are ignoring that entire sentence: APTs do use malware to evade detection. That just solidifies my statement.

                                                                                                                    APTs often embed programs in a penetrated system

                                                                                                                    From the first summary sentence in the paper, which btw is describing how GoogleSoftwareUpdate would be a good model for malware used by an APT (not crafting an APT again).

                                                                                                                    EDIT: I’m bailing out of this argument for the sake of the length of the thread. I’ll squat in IRC or messages if you want to have a further discussion after your response to this.

                                                                                                                    1. 4

                                                                                                                      From the first summary sentence in the paper, which btw is describing how GoogleSoftwareUpdate would be a good model for malware used by an APT

                                                                                                                      This is the first sentence:

                                                                                                                      Google’s software update system can serve as a model Advanced Persistent Threat (APT).

                                                                                                                      The thing being called an “APT” in that sentence is “Google’s software update system”.

                                                                                                                      I’m bailing out of this argument for the sake of the length of the thread.

                                                                                                                      Good call. It was fun and I also have work to get done.

                                                                                                          2. 7

                                                                                                            Oh come on, it’s just some hyperbole about Google doing things with similarities to stealthy attackers. It was a warning and joke mixed together to get more attention to the issue. That’s on top of entertaining the Lobsters.

                                                                                                            As far as APTs go, my favorite counter on the term back when it was hot was Luiz Firmino’s comment on Krebs’s blog. It just explained why the media was making a big deal about what was just hacking 101 for any careful party targeting enterprises. Heck, the whole post makes what they were doing look obvious. I threw in 2 cents’ worth of corroboration.

                                                                                                            1. 2

                                                                                                              I’ve read studies that only one out of four lobsters are born with a humerus bone in their body. The rest don the thick skin of an exoskeleton one should naturally expect.

                                                                                                              1. 1

                                                                                                                That’s great lol.

                                                                                                            2. 3

                                                                                                              APTs are acting groups who create payloads for specific targeted purposes, not the payloads themselves.

                                                                                                              Huh, I thought those were “threat actors”. But I’m not very in touch with threat hunting.

                                                                                                              ETA: OK, from the top of Wikipedia:

                                                                                                              An Advanced Persistent Threat (APT) is a stealthy computer network threat actor, typically a nation state or state-sponsored group

                                                                                                            3. 3

                                                                                                              Do you by any chance have the same directions for Windows, too? There were some official instructions that Google would post; I’ve followed all of those when they were still current, and yet sometime afterwards they’ve still broken out of their sandbox, and performed damage to my seldom-used copy of Google Chrome.

                                                                                                              Also, you mention Brave, but Brave doesn’t quite have a way to disable autoupdate, either — unlike Firefox and SeaMonkey.

                                                                                                              1. 2

                                                                                                                I don’t have any direct directions, but Google provides Chrome Enterprise installers that have administrative templates that let you control the vast majority of these settings. They have Mac DMGs too.

                                                                                                                1. 1

                                                                                                                  Do you by any chance have the same directions for Windows, too?

                                                                                                                  I do not, sorry. Maybe someone else knows.

                                                                                                                2. 2

                                                                                                                  Or you can (in this case at least) keep your operating system up to date, and not disable System Integrity Protection.

                                                                                                                  I realize SIP disable is required for 3rd party graphics cards on Macs. And possibly the version of whatever graphics software was required for these machines only run on older versions of MacOS. This raises the question of why they were running (presumably) non-mission critical software (Chrome) on machines that absolutely have to be running…

                                                                                                                  1. 3

                                                                                                                    Maybe they just wanted to use a 3rd-party GPU? I don’t see why the users are suspect because of a completely arbitrary MacOS anti-feature

                                                                                                                    1. 0

                                                                                                                      What anti-feature are you referring to? SIP or that lack thereof, or Google’s Keystone updater software?

                                                                                                                  2. 2

                                                                                                                    Somewhat similarly, on Linux (at least on Ubuntu) Chrome installs itself into /etc/cron.daily, so that even if you notice its existence in your repos and remove it from there, it will re-add itself.
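
An inventory of where these self-restoring pieces live, as an added example that is not code from any of the comments above or from Google. It scans the macOS launchd directories and the Linux /etc/cron.daily hook mentioned in this comment for entries named after Google or Keystone. The comments themselves only name /Library/Google, ~/Library/Google and /etc/cron.daily; the LaunchAgents/LaunchDaemons directories and /etc/apt/sources.list.d are assumed here as the usual persistence locations, and the name-based match ("google" or "keystone") is a heuristic, so treat the output as a list of things to inspect, not a verdict.

```shell
#!/bin/sh
# Added example, not from the original comments. Lists Google/Keystone-named
# files in the places where an updater can make itself persistent.
# Assumptions: the directory list below (only /etc/cron.daily comes from the
# thread; the launchd and APT sources directories are assumed), and that the
# interesting files carry "google" or "keystone" in their names.
# ROOT is prepended to every path: "" (or /) for the system, "$HOME" for a
# user's own launch agents, or a scratch tree when testing.

# audit_google_persistence ROOT: print matching file paths, one per line.
# Always exits 0 so it is safe to call under "set -e".
audit_google_persistence() {
    root=${1:-}
    for rel in \
        Library/LaunchAgents \
        Library/LaunchDaemons \
        etc/cron.daily \
        etc/apt/sources.list.d
    do
        d="$root/$rel"
        [ -d "$d" ] || continue
        find "$d" -maxdepth 1 -type f 2>/dev/null
    done | grep -i -e google -e keystone || true
}

# count_google_persistence ROOT: number of matching files (0 when none).
count_google_persistence() {
    audit_google_persistence "${1:-}" | wc -l | tr -d ' '
}

# Stand-alone use: "sh audit-google.sh --run" checks the system locations
# and the current user's launch agents.
if [ "${1:-}" = "--run" ]; then
    echo "system-wide:"
    audit_google_persistence ""
    echo "user ($HOME):"
    audit_google_persistence "$HOME"
    echo "total: $(( $(count_google_persistence "") + $(count_google_persistence "$HOME") ))"
fi
```

Run it once before installing Chrome and again afterwards (and after the first automatic update); the difference is the list of things the installer added on its own, which is what the folder lock and the cron.daily removal above are trying to keep from coming back.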

                                                                                                                    1. 2

                                                                                                                      you need to perform the following actions

                                                                                                                      Also recommended: KnockKnock, which can tell you what launch agents, etc. are installed:

                                                                                                                      https://objective-see.com/products/knockknock.html

                                                                                                                      And BlockBlock (which I haven’t tried yet), which warns you if software tries to install anything persistent.

                                                                                                                      https://objective-see.com/products/blockblock.html

                                                                                                                      Ignoring completely conventions for how software should be updated on macOS (either via signed Sparkle updates, built-in updater ala Firefox, or via the Mac App Store)

                                                                                                                      Luckily, Microsoft now offers Office in the App Store. Another terrible installer/autoupdater that I hated.

                                                                                                                      1. 1

                                                                                                                        Although I haven’t verified it, using a portable version of Chrome should be a solution, as nothing is installed.

                                                                                                                        1. 1

                                                                                                                          This is funny because I think you’ve heard the term APT and thought persistence meant persisting in memory or on disk, which is important in malware terms. But as far as I’ve known the term (in infosec for a few years) the persistent in APT means persistent in trying to get at you. Interesting that this whole time I never thought of confusing persistence of malware with the persistence in APT, but they are different meanings.

                                                                                                                          APTs are groups, not code, a different approach would be crimeware groups that send out ransomware indiscriminately then take the profits where they can. Calling Google an APT seems hyperbolic since their primary goal is shareholder value not intel/influence/surveillance, a list of APTs and their inconsistent names (aka all infosec vendors come up with their own names) are here: https://medium.com/@cyb3rops/the-newcomers-guide-to-cyber-threat-actor-naming-7428e18ee263

                                                                                                                        1. 6

                                                                                                                          Why does anyone trust Keybase? They’ve been untrustworthy since they originally suggested uploading private GPG keys for convenience.

                                                                                                                          1. 4

                                                                                                                            Exactly! Like hell I’m giving them my private key!

                                                                                                                            IIRC, I created a key pair just for Keybase. Signed it with my key pair. That worked fine since nobody on Keybase checked it that I remember. That just inspires more confidence, right? ;)

                                                                                                                            1. 3

                                                                                                                              It’s the same as uploading an encrypted key to Dropbox, Google drive, etc. Yes, in theory you lose a tiny bit of security, but realistically your attacker needs to break AES to use your key, and such attacker capabilities usually aren’t included in most threat models.

                                                                                                                              1. 1

                                                                                                                                The keys weren’t encrypted with a passphrase for the web stuff to work seamlessly.

                                                                                                                                1. 1

                                                                                                                                  IIRC web stuff connects to keybase service on your computer to work

                                                                                                                                  1. 5

                                                                                                                                    It originally didn’t at the launch of Keybase. You had the option of cli tools (secure, you control the key) or uploading to their web servers for convenience

                                                                                                                                  2. 1

                                                                                                                                    Odd. The web app does scrypt (even says that on the login button) on the password, I’d be surprised if the derived key wasn’t used to encrypt the keys used for messaging.

                                                                                                                                    1. 2

                                                                                                                                      Unless you have a time machine you won’t be able to see what they used to do with uploaded GPG keys

                                                                                                                                      1. 1

                                                                                                                                        Indeed, because the backend is closed source.

                                                                                                                                        1. 2

                                                                                                                                          And even if it was open, because you can’t know that’s what they were actually running. (This is why E2E encryption and an open client is important, and an open backend is a security red-herring.)

                                                                                                                                2. 2

                                                                                                                                  This is one of those situations where if you’re a hardcore crypto-head, and have been managing your own PGP/GPG keys for years? You probably shouldn’t, but then it’s not FOR you.

                                                                                                                                  It’s for people who want a reasonably secure, convenient way to use crypto to send/receive email, store files, and chat.

                                                                                                                                  There’s no requirement that you upload your existing keys to them, you can always have them generate a fresh key and use it that way.

                                                                                                                                  1. 1

                                                                                                                                    Yes true but it is misleading to the non-technical users. Compromise of the Keybase servers meant compromise of their private keys, and as there was no forward secrecy in use…

                                                                                                                                    1. 3

                                                                                                                                      I disagree. I don’t think they ever claimed that users keys wouldn’t be compromised if they (Keybase) were.

                                                                                                                                      This is a perfect example of the perfect being the enemy of the good.

                                                                                                                                1. 1

                                                                                                                                  I’m on vacation right now and away from a keyboard but:

                                                                                                                                  Your help is a nasty list of echoes. Don’t. Instead:

                                                                                                                                  cat << EOF
                                                                                                                                  all your text here
                                                                                                                                  EOF
                                                                                                                                  

                                                                                                                                  Also, there’s a lot of disk info in sysctl. Can you get what you need from there instead? It would be faster than ls

                                                                                                                                  1. 1

                                                                                                                                    Agreed. Latest lsblk.sh uses that now :)

                                                                                                                                    https://github.com/vermaden/scripts/blob/master/lsblk.sh

                                                                                                                                    What info from sysctl are you referring to? The sysctl kern.geom.conftxt maybe?

                                                                                                                                    Regards.

                                                                                                                                    1. 1

                                                                                                                                      Yeah, kern.geom is correct. I can’t look at the output right now but I was hoping it had all the data you needed. There may also be a few crumbs in the output of kenv command

                                                                                                                                  1. 4

                                                                                                                                    You can just put this in your HTML if you have SSI enabled in your webserver…

                                                                                                                                    <!--#echo var="remote_addr"-->
                                                                                                                                    

                                                                                                                                    I use it on my dumb landing page: https://feld.me

                                                                                                                                    1. 2

                                                                                                                                      Great info. VLC is a rare gem.

                                                                                                                                      side note: font on this website is terrible

                                                                                                                                      1. 5

                                                                                                                                        Always interesting to see how networks work in real life. If you just wanted to get rid of a connection on Linux then there’s something not shown in the article. Repair mode, a fairly obscure setsockopt thing, lets you take down and move connections between systems. Here’s an article about it: https://lwn.net/Articles/495304/

                                                                                                                                        “Finally, if a connection is closed while it is in the repair mode, it is simply deleted with no notification to the remote end.”

                                                                                                                                        1. 4

                                                                                                                                          This is great. Ok, I’ll bite.

                                                                                                                                          close(): socket will be lingering in background as usual
                                                                                                                                          shutdown(SHUT_RD): no network side effect, discards read buffer
                                                                                                                                          shutdown(SHUT_WR): equivalent to FIN
                                                                                                                                          SO_LINGER socket - if timeout non-zero blocks until write buffer flushed; if timeout is zero then immediately sends RST

                                                                                                                                          the trick you described: immediately discard a socket with no network side effects.

                                                                                                                                          Then there is the ss --kill command to forcefully close a socket from outside the process. It is done with the netlink SOCK_DESTROY command.
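                                                                                                                                          An added example (not from this thread or its author) in C that builds a TCP pair over the loopback interface and shows what the peer's read() returns for three of the close paths listed above: plain close(), shutdown(SHUT_WR), and close() after setting SO_LINGER with a zero timeout. It assumes a Linux/BSD socket API and a working 127.0.0.1; the port is chosen by the kernel.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Build a connected TCP pair over 127.0.0.1 on an ephemeral port; 0 on success. */
static int loopback_pair(int *a, int *b) {
    struct sockaddr_in sa = {0};
    socklen_t len = sizeof sa;
    int lsn = socket(AF_INET, SOCK_STREAM, 0);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* sin_port 0: kernel picks a port */
    if (lsn < 0 || bind(lsn, (struct sockaddr *)&sa, len) < 0 || listen(lsn, 1) < 0)
        return -1;
    if (getsockname(lsn, (struct sockaddr *)&sa, &len) < 0) return -1;
    *a = socket(AF_INET, SOCK_STREAM, 0);
    if (*a < 0 || connect(*a, (struct sockaddr *)&sa, len) < 0) return -1;
    *b = accept(lsn, NULL, NULL);
    close(lsn);
    return *b < 0 ? -1 : 0;
}
/* mode 0: close()                 -> FIN, peer read() returns 0 (EOF)
 * mode 1: shutdown(SHUT_WR)       -> FIN too, but our descriptor stays open for reading
 * mode 2: SO_LINGER{1,0}, close() -> RST, peer read() fails with ECONNRESET
 * Returns 0 for a clean EOF, the peer's errno on error, -1 if no loopback pair. */
int peer_sees_after_close(int mode) {
    int a, b, result;
    char buf[1];
    ssize_t n;
    if (loopback_pair(&a, &b) < 0) return -1;
    if (mode == 2) {
        /* l_linger == 0: drop any unsent data and abort the connection with RST. */
        struct linger lg = { .l_onoff = 1, .l_linger = 0 };
        setsockopt(a, SOL_SOCKET, SO_LINGER, &lg, sizeof lg);
    }
    if (mode == 1) shutdown(a, SHUT_WR); else close(a);
    n = read(b, buf, sizeof buf);              /* blocks until the FIN or RST arrives */
    result = (n == 0) ? 0 : (n < 0 ? errno : -2);
    if (mode == 1) close(a);
    close(b);
    return result;
}

int main(void) {
    printf("close: %d  shutdown(SHUT_WR): %d  linger0: %d (ECONNRESET=%d)\n",
           peer_sees_after_close(0), peer_sees_after_close(1), peer_sees_after_close(2), ECONNRESET);
    return 0;
}
```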

                                                                                                                                          1. 2

                                                                                                                                            On BSD we have tcpdrop, too