1. 14

    You can use science tag instead.

    1. 6

      I second this suggestion. Also avoids adding tags for biology, chemistry, etc.

      (Though I noticed that the following tags already exist: math, compsci, philosophy, cogsci)

    1. 2

      isn’t that what meta is for?

      1. 1

        There is meta, but I want to read other meta posts, so meta is not good for me.

      1. 1

        But whyyyyyy

        1. 2

          I’ve heard a great deal of buzz and praise for this editor. I’ve got a couple decades’ experience with my current editor – is it good enough to warrant considering a switch?

          1. 3

            What do you love about your current editor?

            What do you dislike about it?

            What are the things your editor needs to provide that you aren’t willing to compromise on?

            1. 2

It probably isn’t, but it’s maybe worth playing around with, just to see how it compares. It’s definitely the best behaved Electron app I’ve ever seen. It doesn’t compete with the Emacs operating system configurations, but it does compete for things like Textmate, Sublime, and the other smaller code-editors. It has VI bindings (via a plugin) that are actually pretty good (and can use neovim under the hood!). I still don’t understand Microsoft’s motivation for writing this thing, but it’s nice that they dedicate a talented team to it.

              It’s very much still a work in progress, but it’s definitely usable.

              1. 3

Here’s the story of how it was created[1]. It’s a nice, technical interview. However, the most important thing about this editor is that it marked an interesting shift in Microsoft’s culture. It appears that it is the single most widely used open source product originating from MS.

                https://changelog.com/podcast/277

                1. 1

                  Thanks for linking that show up.

              2. 2

                It’s worth a try. It’s pretty good. I went from vim to vscode mostly due to windows support issues. I often switch between operating systems, so having a portable editor matters.

                1. 1

It’s a pretty decent editor to try out. I’ve personally given up because it’s just too slow :| The only scenario in which I tolerate slowness is a heavy-weight IDE (e.g., IntelliJ family). For simple editing I’d rather check out Sublime (it’s not gratis, but it’s pretty fast).

                  1. 1

It doesn’t have to be a hard switch; I for example switch between vim and vs-code depending on the language and task. And if there is some Java or Kotlin to code then I will use IntelliJ IDEA, simply because it feels like the best tool for the job. See your text editors more like a tool in your toolbelt: you won’t drive in a screw with a hammer, will you? I see the text editors I use more like a tool in my toolbelt.

                    1. 1

                      I do a similar thing. I’ve found emacs unbearable for java (the best solution I’ve seen is eclim which literally runs eclipse in the background), so I use intellij for that.

                      For python, emacs isn’t quite as bad as it is with java, but I’ve found pycharm to be much better.

                      Emacs really wins out with pretty much anything else, especially C/++ and lisps.

                      1. 1

                        VS Code has a very nice python module (i.e. good autocomplete and debugger), the author of which has been hired by MS to work on it full time. Not quite PyCharm-level yet but worth checking out if you’re using Code for other stuff.

                  1. 30

                    How do I phrase this without sounding like a horrible show-off? I’ll try to make my job sound not meaningful and meaningful and you’ll find some truth in both and have to judge for yourself.

                    Modern, JavaScript-capable Web Browsers: An experiment to download untrusted code from the web and run it on your computer, without allowing the code to take over your computer. Still trying.

Most, if not all other relevant web browsers exist purely to support a business model, strengthen vendor lock-in, get user data beyond search or generate revenue for shareholders. I’m working for the alternative web browser, which answers to no one but its users. We’re competing with the biggest and most valuable corporations in the world and I think we’re doing rather OK. I help this product be a secure choice for hundreds of millions of people.

                    1. 11

                      I just want to pipe in and say thanks for working on the development of Firefox. I have been a long time advocate and never really jumped onto the Chrome (or Chromium) bandwagon. As a web developer, FF has always been a much better platform to debug in (starting with Firebug and then its integration into the default FF inspector and dev tools), and new HTML/CSS/JS features always seemed to hit Aurora instantly. That statement always seems to start interesting debates with Chrome-jockeys where they tend to show me things I already have in FF.

                      I see by your hat you’re on the security team, but I thank you nonetheless.

                      1. 2

                        Ditto. I get tired of watching people take pot shots at Firefox because it’s a big target. From where I sit it is the last best hope for a truly open web browser that has anything like mass market penetration, and that’s important in all caps, bold and with flames erupting from every letter.

                      2. 9

                        I tried to answer the “is your work meaningful” question.

                        What I’d find more interesting: Do you find your own work meaningful (personal view in contrast to assuming objectivity) and what aspect makes it meaningful to you.

                        1. 1

                          I think that’s a fair update to the question!

                      1. 3

                        Work: Thinking about implementing an XSS Sanitizer and exposing it to all web pages, a bit like DOMPurify. The road to writing web standards and IDL is…bumpy. (Well in fact, my focus should be on code reviews and meeting preparations this week :))

Fun: Trying to build a music player for my toddler that is toddler friendly and doesn’t require any kind of reading. Idea: NFC cards with colorful stickers that allow the selection of songs / albums / playlists. Based on a Raspberry Pi and an RC522.

                        1. 2

                          It should work, though not the “Google Meet” version you have to use with corporate Google accounts. See https://www.reddit.com/r/firefox/comments/7l3h0i/google_hangouts_finally_supports_firefox/

                          1. 24

                            If you want to take it to the extreme, you can build a website that fits in a single TCP packet.

                            Source: https://github.com/diracdeltas/FastestWebsiteEver

                            Demo: http://packet.city/

                            1. 12

                              “Get in touch today to hear about our 120-byte ad sponsorship opportunities!”

                              Amazing :D

                              1. 4

                                Ok, that’s totally awesome. Tops my idea by far!

                                1. 2

                                  Of course there’s sound on that page too. BBS advertising at its best.

                                1. 3

This is a review of a great albeit old paper (2007). Sadly it’s a bit detached from my real world experience securing big, complex software products with the ability to run untrusted (JavaScript) code. But then, browsers are an atypical thing to compare against, I’m sure.

                                  For a sufficiently complex system, mitigations are a greater benefit than trying to minimize code. The best suggestion for sure is to provide an (internal) API that makes writing insecure code significantly harder than writing secure code. That certainly helped us in the past.

                                  1. 3

If talking browsers, then you might want to look at secure browsing architectures that followed high-assurance security principles that included minimizing trusted code. A few were OP1 and OP2 with OP1 inspiring Chrome’s model, Gazelle, Illinois Browser Operating System, and Quark Browser Kernel. The high-assurance security industry just went with isolating existing browsers in VMs on separation kernels but with middleware to host security-sensitive components in low-TCB protection domains. Nizza from CompSci illustrates what commercial players were doing better than their often BS marketing. Perseus is very similar, deployed in commercial desktops and other products.

So, the best route is to do what worked as far back as the 1970s in using small, modular, layered, and highly-analyzed code for anything trusted plus minimize trust/privileges everywhere possible. That’s what the above architectures do. It stopped NSA pentesters in the past. Same techniques reduce hacks today. The main difference is we have things like Rust, SPARK, TLA+, AFL, and so on to do lots of analyses without expensive experts with rare expertise. You can bet culture and maybe some market reasons, not tech, are the only thing that stopped well-funded companies from doing similarly-secure browsers given those above delivered working prototypes with small teams on non-Google/Microsoft/Mozilla budgets reusing existing components where possible with more secure isolation and integration. They just… didn’t want to do it.

                                  1. 2

                                    I’m biased, but I have high hopes of WebAuthentication killing phishing on the web.

                                    1. 3

Wow, I can see how coloring variables differently makes reviewing and understanding someone else’s code much easier. Nifty.

                                      1. 1

Most interesting are their attempts to get certs despite disallowing CAA records: https://github.com/quirins/caa-test/blob/master/README.md

                                        1. 3

                                          I’m very inexperienced and new to Rust, but the times I tried to do something I too found it painful that the good stuff is rust-nightly only.

                                          1. 2

                                            What things do you run into?

                                            1. 2

                                              One example: Clippy requires nightly. I noticed I could run clippy+nightly on my codebase that aims at stable, but it’s still odd :-)

                                              Also, tokio

                                              1. 4

                                                Cool, thanks!

                                                Yeah, developer tools are still on nightly. rustfmt will be on stable as of the next release, with the rls following closely, and clippy at some point.

                                                Tokio is in a weird spot; it doesn’t require nightly, but some nightly features make it more ergonomic; impl Trait is almost here!

                                                Thanks again for taking the time.

                                                1. 3

                                                  Clippy is a tool, so it’s kinda been low priority. Using it doesn’t force your library to use nightly, it just means you have to locally use nightly when running clippy. But we’re working on making it stable!

                                                  tokio is pretty new and experimental and some of the stuff relies on experimental new features in the compiler built for tokio (i.e. generators). It’s getting there.

                                                  There will always be new shiny stuff on nightly :)

                                            1. 3

Firefox 59 (current Nightly) has a global off switch per permission that allows whitelisting specific websites. But what I found most amazing about this is that it was contributed by a volunteer.

                                              The internet is made of people, after all :)

                                              1. 2

That global way of switching off all push notifications is very welcome.

                                              1. 8

Unfortunately, this article focuses on various use cases, whereas I’d find the implementation details more interesting. Its project README file explains that it works by patching system calls.

                                                1. 2

                                                  The implementation is mentioned briefly at the end of the post.

                                                1. 4

                                                  I thought Moxie’s response on HN (technically responding to the wired article, but I don’t think he would say anything substantially different about the blog post) was really good. The conclusion of which is

                                                  To me, this article reads as a better example of the problems with the security industry and the way security research is done today, because I think the lesson to anyone watching is clear: don’t build security into your products, because that makes you a target for researchers, even if you make the right decisions, and regardless of whether their research is practically important or not. It’s much more effective to be Telegram: just leave cryptography out of everything, except for your marketing.

                                                  1. 2

                                                    Nonsense. If you build an end-to-end encrypted thing you inherently call the server your adversary. Hence, don’t handle key management in the server.

                                                    1. 1

                                                      I think this accurately highlights a real problem with how security and privacy are talked about in popular culture and even in many technical outlets: they are seen as something you either have or don’t. In reality, of course, all technology has to balance security with other concerns, such as usability, cost of building and maintaining the product, technical feasibility, etc. There is no such thing as completely secure software, only software which is secure enough for a certain purpose. Signal says that their service is designed to combat passive surveillance, and I think you could make a case that what this article is describing is more of an active/targeted attack. Which, of course, is not an argument against plugging the hole in Signal’s model if possible.

                                                      Signal has done a pretty good job of maximizing security while providing a nice user interface. It is probably worth pointing out that it is still a better option than many of the alternatives in articles like this one.

                                                    1. 3

Thanks for this submission. My hunch is that an architecture which makes e.g. caching and speculative execution an observable part of the API is the better approach. AFAIU MIPS does something similar and compilers learned to deal with it.

                                                      1. 1

                                                        My own hunch is that we should be avoiding impure operations like getting the current time.

                                                        This post seems to be talking about trusting high-assurance languages for critical/sensitive tasks, and how those guarantees can be undermined if we run arbitrary machine code. That problem seems too difficult to me: surely a better langsec approach would be for the arbitrary code to be in a high-assurance language, with the only machine code we execute coming from trusted critical/sensitive programs?

I would think a langsec approach to e.g. preventing timing attacks in JavaScript is to make JavaScript (the language) incapable of timing. Or, at least, providing a logical clock (also used for the interleaving of concurrent event handlers) rather than allowing access to the actual time.
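The logical-clock idea above, as an added illustration that is not part of the thread: a tiny deterministic event loop whose only clock is the number of events dispatched so far. The class and function names are this example's own, not from any browser. Handlers scheduled on it can observe ordering and interleaving, but an elapsed-"time" measurement comes out the same whether or not the measured work burned wall-clock time.

```javascript
// Added example (not from the thread): a scheduler exposing only a logical clock.
class LogicalScheduler {
  constructor() {
    this.queue = []; // pending handlers, dispatched in FIFO order
    this.tick = 0;   // logical clock: number of events dispatched so far
  }

  // The only notion of "time" a handler can read.
  now() {
    return this.tick;
  }

  schedule(fn) {
    this.queue.push(fn);
  }

  // Drain the queue; every dispatched event advances the clock by exactly one.
  run() {
    while (this.queue.length > 0) {
      const fn = this.queue.shift();
      this.tick += 1;
      fn(this);
    }
    return this.tick;
  }
}

// Wall-clock busy loop, used here only to show that it leaves no trace in
// the logical clock (it is the kind of work a timing probe would try to measure).
function busyWaitMs(ms) {
  const end = Date.now() + ms;
  let spins = 0;
  while (Date.now() < end) spins += 1;
  return spins;
}

// Runs `work` inside one handler, then schedules `interleavedEvents` no-op
// handlers and finally a handler that records the logical time elapsed since
// the start. The result depends only on the interleaving, never on `work`.
function measureLogical(sched, work, interleavedEvents) {
  let elapsed = null;
  sched.schedule((s) => {
    const start = s.now();
    work();
    for (let i = 0; i < interleavedEvents; i += 1) s.schedule(() => {});
    s.schedule((s2) => {
      elapsed = s2.now() - start;
    });
  });
  sched.run();
  return elapsed; // interleavedEvents no-ops plus the final handler
}
```

Both `measureLogical(new LogicalScheduler(), () => {}, 3)` and `measureLogical(new LogicalScheduler(), () => busyWaitMs(20), 3)` return 4: the measured handler cannot distinguish a 20 ms busy loop from no work at all, which is exactly the property the comment asks a language-level clock to have.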

                                                        1. 2

                                                          For the vast majority of uses of a computer at some point the application will need to know what time it is. Avoiding impure operations is throwing up your hands on general computing as a useful tool. I don’t think this is quite what you meant to say though. Can you clarify?

                                                          1. 2

                                                            The clock is a sensor and needs to be treated as such with permissions and similar. Many applications don’t have a need for the clock.

                                                        1. 3

                                                          There are a lot of great blog posts written by ‘recursers’. Those posts are usually spread out on different blogs though. Does anyone know if they are aggregated somewhere?

                                                          1. 6

                                                            There’s an internal tool that we (recursers) use that aggregates them, but unfortunately it’s not public. Perhaps someday someone will write a public view for it. (hint hint to current recursers)

                                                            1. 7

                                                              FYI, other projects call this their planet. See http://planet.mozilla.org/ or http://planet.debian.org/ or http://planet.ubuntu.com/

                                                              1. 1

                                                                Thanks, that’s a cool term I hadn’t heard before.

                                                              2. 1

                                                                I’d really like this.

                                                              3. 1

                                                                I was just thinking today that a huge benefit of doing Recurse Center was exposure to so many great blogs/bloggers I otherwise wouldn’t have encountered.

                                                              1. 16

                                                                I thought safari was the new IE.

                                                                1. 10

                                                                  Safari is probably the best browser out there IMO. I wish Windows 10 had it so I could run it.

                                                                  1. 17

                                                                    What makes you say that Safari is the best browser?

                                                                    1. 4

                                                                      It’s fast, light on battery, and has a native UI that respects platform conventions.

                                                                      1. 1

                                                                        Sounds like Firefox? <3

                                                                        1. 1

                                                                          Firefox is faster than it used to be, not sure about battery, but it’s not very native. Safari is the gold standard in not having its own conventions and completely submitting to the platform HIG.

                                                                    2. 11

                                                                      I appreciate many things about Safari as a user; it basically doesn’t touch the battery, for one thing.

                                                                      As a web dev, it unfortunately punches well above its weight in terms of WTFs-per-minute. Specifically, it implements quite a few things incorrectly (such that a careless ‘feature present’ test returns true but the feature doesn’t work).

                                                                      For example, localStorage/sessionStorage are present in private tabs, but raise an exception if used (other browsers downgrade localStorage to sessionStorage and clear sessionStorage when you close the tab).

                                                                      For another, flexbox was broken until 10.1, putting the wrong number of items on a line, calculating heights incorrectly… just a total mess.
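The Safari private-tab behaviour described above is a good argument for testing that a feature works rather than that it exists. As an added example (not code from the thread, and not from any browser vendor), the helper below probes a storage object with a real write/read/delete round trip, treats a thrown exception as "not usable", and falls back to an in-memory store so the rest of the page keeps working. The names `storageIsUsable`, `pickStorage` and `MemoryStorage` are this example's own.

```javascript
// Added example (not from the thread): feature detection by usability, not presence.

// Minimal in-memory stand-in implementing the subset of the Web Storage API used here.
class MemoryStorage {
  constructor() {
    this.map = new Map();
  }
  getItem(key) {
    return this.map.has(key) ? this.map.get(key) : null;
  }
  setItem(key, value) {
    this.map.set(key, String(value));
  }
  removeItem(key) {
    this.map.delete(key);
  }
}

// Evaluates a getter that may itself throw (e.g. accessing window.localStorage
// with cookies disabled raises a SecurityError in some browsers).
function tryGet(getter) {
  try {
    return getter();
  } catch (e) {
    return null;
  }
}

// True only if a complete write/read/delete round trip succeeds.
// A storage object that exists but throws on setItem (the private-tab case
// described in the comment above) is reported as unusable.
function storageIsUsable(storage) {
  if (!storage) return false;
  const probe = '__storage_probe__';
  try {
    storage.setItem(probe, '1');
    const ok = storage.getItem(probe) === '1';
    storage.removeItem(probe);
    return ok;
  } catch (e) {
    return false;
  }
}

// Returns the first usable candidate, or an in-memory fallback (flagged so the
// caller can decide whether persistence actually matters for its use case).
function pickStorage(candidates) {
  for (const candidate of candidates) {
    if (storageIsUsable(candidate)) return { storage: candidate, fallback: false };
  }
  return { storage: new MemoryStorage(), fallback: true };
}

// Browser usage: prefer localStorage, then sessionStorage, then memory.
// Guarded so the module also loads outside a browser.
if (typeof window !== 'undefined') {
  const chosen = pickStorage([
    tryGet(() => window.localStorage),
    tryGet(() => window.sessionStorage),
  ]);
  if (chosen.fallback) console.warn('Web Storage unusable; state will not persist');
}
```

The design choice is that the probe key is written and removed inside one `try`, so a quota error, a private-mode exception and a missing API all collapse into the same "unusable" answer; a plain `if ('localStorage' in window)` check would say yes in every one of those cases.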

                                                                      1. 1

                                                                        other browsers downgrade localStorage to sessionStorage and clear sessionStorage when you close the tab

                                                                        Doesn’t that seem like more of a wtf? Transparently turning “long term storage” into “this will be gone in a moment” with zero notice.

                                                                        1. 3

                                                                          The defining feature of a private tab is that it acts like a regular tab, then deletes everything afterwards.

Lots of websites try to put stuff into localStorage (‘works in every browser’) and don’t bother with error handling. Where is the user going to place blame when a private tab is the only place it fails?

                                                                      2. 2

I’d disagree here. Mostly because of security (see other reply), but also because of slower web platform feature support.

                                                                        1. 1

                                                                          Your other reply isn’t exactly a cornucopia of information about why you think it’s poor on security.

                                                                          1. 1

Exploiting WebKit is apparently easy enough that every game platform jailbreak (from early PSP to recent Nintendo Switch) finds one. Also: no sandbox.

                                                                            1. 1

Ok so firstly, game devices are only going to ship with a single web renderer. If they ship WebKit, that’s where attackers will focus; if they shipped Blink, it would attract attacks the same, and given the following, it would hardly be surprising if they found vulnerabilities in any rendering engine when the device maker ships an unpatched version of the software:

                                                                              https://arstechnica.com/gaming/2017/03/nintendo-switch-ships-with-unpatched-6-month-old-webkit-vulnerabilities/

                                                                              Why do you think safari has no sandbox? Sandboxing was a feature of v5.1 in 2011.

                                                                              1. 1

Re the sandbox: oops :) I must have been wrong.

                                                                      3. 7

                                                                        That’s security-wise ;)

                                                                        Chrome is the IE in terms of abused market dominance.