1.  

    Looks like a Framasoft ad for me, as they recommend their own services in place of Google ones :D

    1.  

      Framasoft hosts open-source software, so if you want to self host any of it you can. (Scroll down on that page for links to the self hostable versions.)

      1.  

        But hey, isn’t the attitude like “Google is centralizing and monopolizing the internet, look for independent alternatives! So, replace Google Suite (sheets, docs, slides and so on) by Framasoft Suite right now!” looking quite suspicious for you? :>

        1.  

          by Framasoft Suite right now

          No, because they don’t seem to charge for what looks to be a digital community service, and every service “they provide”, is something you can self-host as well. They even offer instructions, albeit in French.

      2.  

        I understand the point, but usually Ads don’t take the form of saying “use our product or this alternative we also think is good!”.

      1. 14

        The inconvenience is not a bug, it’s a feature. Collapsing isn’t so much to spare delicate sensibilities, it’s to be instantly clear to the poster and visitors that these comments are unrepresentative of Lobsters. Only 104 out of the site’s 146,068 comments have hit -5 to default to being collapsed. I’m looking to add, not remove, features that emphasize to these rare posters just how far outside of normal, appropriate community behavior these few comments are.

        1.  

          While I agree with the value of not giving bad comments prominence, I think it’s unfortunate that many replies to downvoted comments are good comments, highlighting the values this community approves of. It’s not insult-counterinsult, it’s reasoned responses that take the original comment’s arguments in good faith and engage with them.

          I just think it’s unfortunate that the good will be hidden with the bad.

          1.  

            Could you please explain then, what it is about this comment that is so “far outside of normal, appropriate community behavior”?

            How these emacs.d distributions are “valuable” in any way? If you want to type text and don’t care at all, just get notepad.exe, VS Code, Sublime Text or another silly tool that kids use these days. The thing about Emacs is to just start with bare bones and add features and improvements to your .emacs only if you need to, instead of reusing other people’s configuration which you won’t read or even understand, as it’s mostly overcomplicated to cover extensive cases for many users at once.

            And what is the reason for preventing links from working to this reply?

            1.  

              It’s the complete dismissal of a lot of people’s work and favorite tools. Really just the second sentence and “which you won’t read or even understand”. It’s not the technical opinion that these tools are overbuilt or inferior, it’s expressing that opinion as an insult to everyone who uses different tools than the author. If he’d said that he doesn’t see a use for these tools, that he has a much better approach, that there are tradeoffs he thinks people missed or misread, great, it sounds like someone with a considered opinion who wants to discuss these choices. When someone’s convinced they’re right and that people who choose differently did so because they’re incapable of understanding, there’s not much hope for an informative discussion.

              The fundamental issue is not extending charity to recognize that other people’s opinions can have merit or criticizing effectively* to narrow, explore, and maybe resolve the disagreement. And this applies even if the poster is 100% right in every opinion! If it was enough to be right, they could be right alone in their head or in their projects; we collaborate in a community to ask questions, or get answers we didn’t know to ask for, or share what we know. It’s bad, counter-productive writing that hurts a community in much the same way as a pile of spaghetti code with a bunch of global variables that sorta works is counter-productive and hurts the overall system.

              Sometimes these comments get responses that are better than them, that ignore the outrageous rhetoric to talk about the fundamental issues in a collaborative way. This one you linked is a great example and I don’t have a good answer for your question. I’ve seen forums that replace deleted comments with a moderator note summarizing them or explaining why they were deleted; it’d mean significantly more deleted comments and mod work so I’m reluctant to adopt it. I’ve also seen forums that allow mods to reparent comments to top-level threads, but that can be really confusing to read. Turning off replies to collapsed comments would have much the same effect, but feels like it would entirely close the door on the better replies. None of these feel like a great solution, like a measured nudge towards community norms that doesn’t reward bad comments with more attention. I’m open to suggestions, and maybe drop in the chat where ideas for these sorts of things get kicked around fairly regularly.

              • I think this four-point framework is very useful but overkill for small disagreements; it’s generally enough to nod in the direction of that level of understanding until you suspect you’re talking past each other, it’s about a very contentious or sensitive topic, or there’s otherwise a reason to proceed more deliberately.
              1.  

                Well, that’s all well and your opinion, and I see no good reason to collapse that comment.

                As I didn’t see an answer, I ask again:

                And what is the reason for preventing links from working to this reply?

              2.  

                “Could you please explain then, what it is about this comment”

                It was a dismissive type of comment that didn’t look for any value people might have gotten out of the distributions. Then, it had an insult built into it as @steveno highlighted in his reply. Most comments here are disagreements with more technical detail and few insults. That is outside of the baseline even for highly-subjective topics like this.

            1. 3

              How do you prevent your server from being overfilled with data?

              1. 4

                How most IPFS gateways work is they have a list of content pinned that will be always stored on the server and anything else is kept until the hdd gets full and then it will be deleted.

                1. 4

                  There’s a quota.

                1. 3

                  How do you prevent your site/gateway from serving files you don’t want it to serve?

                  1. 2

                    Because IPFS is content-addressable, illegal and/or otherwise undesirable content can be blocked by hash - after all, that’s all there is to go by!

                    Public lists of such hashes exist for illegal content, and can be automatically applied. Merely copyright-infringing content is not an issue, at least in the U.S., due to OCILLA.

                    In Europe, the situation has recently become problematic, but the nature of a decentralized system is such that it very rapidly becomes very hard to meaningfully prosecute people for being part of the network just because the network is used to distribute illegal content. Tor is a good example of this.

                    1. 2

                      Doesn’t the list of hashes fall under the same copyright restriction as the content it points to though?

                      1. 7

                        No, a hash does not represent the full information content of the data it identifies. One would have to perform additional steps to acquire the content itself (ask the network for it).

                        1. 4

                          Linking them on your website probably would be, otherwise torrent websites would be perfectly legal, but storing them to use as a block list wouldn’t be. Most large web companies have large collections of illegal content stored so it can be automatically removed and reported.

                      1. 1

                        It would be like a specific ntp server going offline. Nobody knows what relies on it, but that thing is now broken.

                        1. 4

                          The problem is not servers hosting hashes, it’s anyone who has a problem with that.

                          1. 1

                            Making it easier to get illegally distributed content is generally considered bad.

                            1. 2

                              Restricting art and research to only those who can afford to pay for it is generally considered bad.

                              1. 1

                                It depends on if your income depends on people paying for that art and research.

                      1. 25

                        Can we not post scuttlebutt on twitter from a thread in the dedicated SomethingAwful technology shitposting forum?

                        1. 20

                          How many comments of yours do you think are policing what people post here? 10%, 20%? Before you respond with something along the lines of “eternal september” or “hacker news” just know I’ve lurked at HN for almost as long as it’s been around and I had a computer in the late 80s.

                          1. 30

                            It is kind of a garbage source. friendlysock is doing people a favor by pointing that out, and I wish I’d read his comment before I read the thread.

                            1. 6

                              If you have any evidence that any of these claims are untrue (a rebuttal from Musk, Tesla, etc.), please share it with us.

                              1. 7

                                Legal systems generally (not the French) go with innocent until proven guilty for a reason. CEOs would not have a lot of time in the day if they had to personally prove every accusation made against them or their company.

                                1. 6

                                  CEOs would not have a lot of time in the day…

                                  Funny, he seems to have time to respond to random twitter accounts all day.

                                  1. 0

                                    Obviously means regular boring old CEOs, not the visionary ones aimed at Mars…

                                  2. 1

                                    Taking your jab at French jurisprudence seriously, what do you mean by that? Is this some recent court case?

                                    Because France basically invented the modern Continental legal framework (well, Napoleon overhauled the ancient Roman system) which is used all over Europe (and beyond!) today.

                                    1. 0

                                      Sure, it is a well known fact that France is the European Guantanamo. 😏

                                    2. 3

                                      I don’t think Tesla as a corporate entity or Musk as a private individual / CEO will dignify this source with any sort of acknowledgement. That’s a PR no-no.

                                      However, if a person actually trained in ferreting out the truth and presenting it in a verifiable manner (these people are usually employed as journalists) were to pull on this thread, who knows where it might lead?

                                      1. 2

                                        The standards of evidence in most places, including science, are that you present evidence for your claims since (a) you should already have it and (b) it saves readers time. Bullshit spreads fast as both media and Facebook’s experiment show. Retractions and thorough investigations often don’t make it to same audience. So, strong evidence for source’s identity or claims should be there by default. It’s why you often see me citing people as I make controversial claims to give people something to check them with.

                                        1. 3

                                          There’s nothing surprising about the employee’s claims. It’s like asking for evidence that Google spies on users. They admit to it, and so does Tesla. So there’s your evidence, and I think it’s sad that you’re taking these trolls here seriously.

                                          1. 3

                                            Thanks for the link. Key point:

                                            “Every Tesla has GPS tracking that can be remotely accessed by the owner, as well as by Tesla itself. That means that people will always know where a Tesla is. This feature can be turned off, by entering the car and turning off the remote access feature. I am not sure why you would want to do this, but you can. Unfortunately, there are ways for a thief to turn off the remote access feature, and this will blind you to the specific information about the car. It will not stop Tesla from being able to track the car. They will retain that type of access no matter what, and have the authority to use it in the instances of vehicle theft.”

                                            re taking trolls seriously. We’re calling you out about posting more unsubstantiated claims via Twitter. If your goal is getting info out, then you will always achieve it by including links like you gave me in the first place. Most people aren’t going to endlessly dig to verify stuff people say on Twitter. They shouldn’t since the BS ratio is through the roof. Also, that guy didn’t just make obvious claims like they could probably track/access the vehicle: he made many about their infrastructure and management that weren’t as obvious or verifiable. He also made them on a forum celebrated for trolling. So, yeah, links are even more helpful here.

                                            1. 1

                                              But the point isn’t to even say that everything written here is true. The point is to share a very interesting data point that likely constitutes primary source material, and force a reaction from Tesla to stop their dangerous practices (or offer them a chance to set the record straight if any of this is untrue, which we’ve established is unlikely).

                                              1. 3

                                                “Dangerous” compared to what? Force how?

                                                Low-effort regurgitation of screencaps is not some big act of rebellion, it is just a way of lowering quality and adding noise.

                                                But the point isn’t to even say that everything written here is true.

                                                If we wanted to read fiction we could go enjoy the sister Lobster site devoted to that activity.

                                                1. -1

                                                  …it is just a way of lowering quality and adding noise.

                                                  Being a troll is “a way of lowering quality and adding noise”.

                                                  1. 1

                                                    Which is why several people are asking you to stop it.

                                                2. 1

                                                  Is there any evidence your tweets or Lobsters submissions have changed security or ethical practices of a major company?

                                                  If not, then that’s either not what you’re doing here or you should be bringing that content to Tesla’s or investors’ attention via mediums they look at. It’s just noise on Lobsters.

                                      2. 10

                                        I agree with you in general, but this specific “article” is just garbage. (As far as I’m concerned, Twitter in general should be blacklisted from lobste.rs. Anything there is either content-free or so inconvenient to read as to be inaccessible.)

                                      3. 2

                                        I agree. I did at least learn from your link that Arnnon Geshuri, Vice President of HR at Tesla, was a senior one at Google that some reports said was involved in the price fixing and abusive retention of labor here. That’s a great hire if you’re an honest visionary taking care of employees who enable your world-changing vision. ;)

                                      1. 3

                                        to those who are considering buying a Tesla, please consider purchasing something that isn’t connected to the Internet for your safety and the safety of others.

                                        Like what?

                                        1. 2

                                          The mod correctly removed my commentary from the story because, per the guidelines (which I missed), it should be in a separate comment. So in reference to your question I’m copying the removed comment here for context:

                                          Some highlights:

                                          • Tesla cars run on sketchy software that’s connected to the Internet 24/7
                                          • Tesla power charging stations will blacklist you if a complicated algorithm decides you need to be blacklisted
                                          • Employees can “ssh into” all cars
                                          • China wants new cars to report their locations to government databases

                                          I share this as a public service announcement — to those who are considering buying a Tesla, please consider purchasing something that isn’t connected to the Internet for your safety and the safety of others. If you are working for an auto manufacturer, please consider how many lives you are putting at risk by connecting a 1+ ton speeding vehicle to a centralized server where hackers, or your own employees, can command and control them.

                                          As far as what cars you can buy, there are many cars, new and old, that don’t have an Internet connection. Shop around. I personally plan to stick to used petrol based cars until auto manufacturers are able to design an electric car that I actually like.

                                          1. 2

                                            Really? There are many new cars that don’t have internet connections? And software quality in most automobiles is appreciably better? Care to cite a source?

                                            https://www.wired.com/brandlab/2016/02/how-connectivity-is-driving-the-future-of-the-car/

                                            1. 3

                                              Indeed. People in cars represent a lucrative, and increasingly “captive” market for advertising.

                                              This, coupled with the obvious interest of insurance companies and local tax authorities to know exactly where cars are and how fast they’re going will drive increasing addition of connectivity to cars. Note I did not say “adoption”, as it will be increasingly difficult to opt out of such connectivity.

                                              1. 1

                                                People in cars represent a lucrative, and increasingly “captive” market for advertising.

                                                It’s your choice to live in a Ferengi dystopia.

                                                1. 0

                                                  Lacking off planet travel options, …

                                                  1. 3

                                                    You can buy older cars that are in good shape. The one I drive has no tracking devices. It’s pretty good on gas. Maintenance has been a few hundred this year. (Shrugs)

                                            2. 2

                                              You gotta look carefully, though. Even low-end stuff might have tracking they don’t advertise. At least they’re not remote-controlled, death machines.

                                              The next frontier will be active, emanation attacks on the computers trying to glitch them. Police in one area had something like that mounted on a helicopter. Low-cost, RF boards combined with high-output components will make those attacks cheaper. Might need TEMPEST shielding for car computers even on older cars if expecting targeted attack.

                                              Also, an older, common car will be cheap to fix due to being simpler (usually), part availability, commodity parts, and technician familiarity. There’s even junkyards out here like U-Pull-It that let you get parts out of wrecked or dead cars dirt cheap. Many parts are still fine even in a totalled vehicle.

                                                1. 1

                                                  Thanks. I can’t remember if it’s same company but same effect. The story also has this point supporting my recommendation of older vehicles in other comment:

                                                  “But because the device works on electronic systems, he acknowledged that it would not work on all older vehicles. ‘Certainly if you took a 1960s Land Rover, there’s a good chance you’re not going to stop it,’”

                                                  Might need really older vehicles for this one, though. Analog and mechanical systems to the rescue. :)

                                                  1. 2

                                                    Let’s go back to those old slant-6s or straight 8s - 12mpg, spewing leaded gas fumes, heavy, none of that fancy electronic safety stuff like airbags, real distributors with points that could wear down, etc. Sadly, all engineering involves tradeoffs - if we are lucky

                                                    1. 3

                                                      Most stuff you’re mentioning can be done without electronics or minimal use of them. They’re simple enough that they might also be able to use hardened electronics. There’s just nobody building cars that way due to no demand for RF-proof cars. We might see it happen in armored car side, though, if attackers start trapping important people in their cars.

                                          1. 8

                                            I guess the next best thing after dropping Cloudflare and similar services completely…

                                            1. 7

                                              If you can’t provide an alternative then I can’t take this seriously, and - until then - I hope that nobody else can either.

                                              1. 2

                                                What do you need Cloudflare for? I’ve never seen a single use case for it (other than their DNS service, which is well done compared to many other providers). People who claim “DDoS protection” seem to have either picked a crappy web host, don’t know how to use caching, or are running Apache.

                                                1. 1

                                                  An alternative to surrendering your visitors to surveillance capitalism and forcing them to train Google’s AI that will enslave them?

                                                  I guess there are some use cases for services like CF, but most of the time it is just incompetency, forced on developers by their managers, or a fascination with bloat. A page without a spinner is just not the modern web!

                                                  See: http://idlewords.com/talks/website_obesity.htm

                                                  1. 1

                                                    Does configuring rate limiting and doing load testing before production deployment not count as an alternative? It’s not like we weren’t running websites and dealing with the problems Cloudflare tries to address before that service existed.

                                                    1. 2

                                                      No. Cloudflare isn’t a “rate limiting” service. Your load testing isn’t going to compare to real traffic. It’s a nice thing to do, but should never be considered representative of real traffic.

                                                      A lot of the problems that Cloudflare addresses have become worse due to multiple reasons.

                                                      Firstly, this is later in time. Technology has improved. This means that attacks have become stronger.

                                                      Secondly, services like Cloudflare weren’t there and people now have to find ways to attack against services like Cloudflare. This means that doing it yourself is substantially harder now, since you probably can’t compete with them in terms of DDoS protection. I doubt you ever saw anyone performing the largest DDoS in the world by hacking into people’s IoT cameras back then, either, but comparing reality 10 years ago to now isn’t the best approach to solving these problems.

                                                      How are you going to implement DDoS protection? Rate limiting isn’t doing that for you, it’s just rejecting requests that are excessive. That’s what Cloudflare is trying to do here.

                                                      It’s not trying to rate limit, that makes little-to-no sense.

                                                      EDIT: Also, if you’re the one that marked my response as “incorrect” then I don’t think that you know what “incorrect” means. It is absolutely correct to say not to consider a non-alternative as an alternative. Downvotes shouldn’t be an “I don’t agree” button.

                                                1. 3

                                                  I wrote a long rant on this same subject and am using newLISP instead. It’s great.

                                                  1. 3

                                                    You’d probably get more people if you wrote a list of why newLISP is a great shell language with examples instead of a rant. It certainly looked neat when you last mentioned it. Here’s some quotes from the FAQ for anyone interested:

                                                    “newLISP is a LISP-like scripting language for doing things you typically do with scripting languages: programming for the internet, system administration, text processing, gluing other programs together, etc. newLISP is a scripting LISP for people who are fascinated by LISP’s beauty and power of expression, but who need it stripped down to easy-to-learn essentials.

                                                    …pragmatic and casual, simple to learn without requiring you to know advanced computer science concepts. Like any good scripting language, newLISP is quick to get into and gets the job done without fuss… newLISP has a very fast startup time, is small on resources like disk space and memory and has a deep, practical API with functions for networking, statistics, machine learning, regular expressions, multiprocessing and distributed computing built right into it, not added as a second thought in external modules.”

                                                    1. 3

                                                      You’d probably get more people if you wrote a list of why newLISP is a great shell language with examples instead of a rant

                                                      You mean like this?

                                                      BTW: I do not care if you use newLISP. I’m not interested in “getting more people”. Use it if you want. Or not (it’s your loss, not mine). I’m just sharing a tip.

                                                      I was, however, interested in writing a long rant, and I enjoyed the process thoroughly. It was very cathartic. :D

                                                  1. 4

                                                    Customers do not care what deals Intel/AMD have made with whom.

                                                    The second a competitor comes along that doesn’t have this nonsense built-in, companies that sell computers will begin to source their CPUs from them. It has already begun with RISC-V, some ARM CPUs, POWER9, etc.

                                                    Computer security has never been more important than it is now, and its importance is only increasing. Security experts, IT experts, their friends, and their families, etc., will vote with their money.

                                                    Meanwhile, these companies will be dealing with lawsuits for intentionally selling customers faulty, backdoored malware. Have fun with that.

                                                    1. 11

                                                      I certainly hope you’re correct that the market will demand better. I think it’s possible, but I’m not as optimistic as you. Getting end users to care about security, even when the lack of it directly harms them, isn’t easy.

                                                      1. 0

                                                        Getting end users to care about security, even when the lack of it directly harms them, isn’t easy.

                                                        I am optimistic because it’s simply the reality. The “users don’t care about privacy/security” refrain is just one of those things some people like to say. It’s total nonsense.

                                                        People use insecure, poorly designed technologies only when well designed, secure versions of those technologies do not exist. It’s just a market cycle. Poorly designed tech where engineers cut corners comes out first, and then the properly designed versions come out later. The instant they go on the market everyone abandons what’s broken and upgrades to the newer and better tech. This has always been the case.

                                                        1. 3

                                                          Engineers cutting corners is one thing. Entire industries conspiring to preclude any alternatives is another beast altogether.

                                                      2. 9

                                                        The second a competitor comes along that doesn’t have this nonsense built-in, companies that sell computers will begin to source their CPUs from them.

                                                        There’s been competitors to Intel without the nonsense built in, with simpler architectures, faster at one point, and so on. Many went bankrupt, the products were withdrawn, or the company got acquired. So, your claim has to be assumed false by default given the market history is exactly the opposite. The combo of monopolistic tactics by Intel/IBM/Microsoft and the lock-in to x86 software made that happen. On x86 side, it was mostly the same with AMD happening because IBM forced it to happen. There’s one, surviving, third party that focused on lowest, energy usage. The Centaurs were sold by VIA but VIA was losing boatloads of money. So, you don’t have a lasting, success story that was able to do non-coerced license of x86 for high-performance chips.

                                                        The good news is the prevalence of doing everything in the browser already got hardware diversity in via netbooks and tablets. The new architecture having excellent browser and codec support might be enough to get some of that market. Throw in sync with all devices plus online, private backups. There’s some potential. I’ve also been toying with ideas about cloud servers (esp for web stuff), network appliances, kiosks, and so on. Whereas, taking down Intel/AMD will require x86 support for legacy, x86-optimized apps. Intel publicly threatened to use patent suits on any company that does that.

                                                        “People use insecure, poorly designed technologies only when well designed, secure versions of those technologies do not exist.”

                                                        That’s nonsense. There are easy-to-use, private solutions in a number of areas. Let’s just say search, chat, email, and backups. The market at large uses the insecure offerings, even those with harder UI. That’s because they thought they were a good deal for every reason but the one you gave: truly private or secure. They don’t care about that. I think the easiest counterpoint is that the top providers of email and ways to hang out with friends are surveillance companies. They know it, private IM’s or group messages aren’t so hard, and they still use the surveillance platforms anyway. That’s hundreds of millions to billions of people. Where’s your market data backing your point a similarly-sized number of people cared enough to switch to DuckDuckGo, Signal, or SpiderOak? I’m cherry-picking things advertised as private that are easy to use with media coverage.

                                                        1. 2

                                                          taking down Intel/AMD will require x86 support for legacy, x86-optimized apps. Intel publicly threatened to use patent suits on any company that does that

                                                          Microsoft implemented their version of qemu-user into Windows on ARM. Is Intel going to sue them? :)

                                                          1. 1

                                                            I doubt it. We’ll see how far that goes given the performance difference. Also, we go from one sue-happy, ISA monopoly to another. Least the SoC’s themselves are more diverse.

                                                            1. 2

                                                              re: performance — it’s not intended to be the primary way to run apps, it’s more of a transitional step, like Rosetta was for Apple. The plan is probably something like:

                                                              • Microsoft says to customers: “you can buy this, this is real Windows, not like RT was. It runs Photoshop!”
                                                              • People buy the devices, get somewhat disappointed with the performance of heavier apps, but still keep the devices
                                                              • Developers port their apps to AArch64 and ship native compiled versions to increase performance

                                                              1. 1

                                                                Now, that’s a great idea! There’s still going to be a legacy base whose stuff won’t port. I think the larger part of the market is using stuff that’s still getting updated. So, that strategy could gradually pull them off x86 if ARM chips get good enough for those users. I’m thinking more like cost-effective with nifty features their SoC’s support more than performance. The multimedia and sensor stuff on a SnapDragon is an example.

                                                          2. 1

                                                            There’s been competitors to Intel without the nonsense built in, with simpler architectures, faster at one point, and so on. Many went bankrupt, the products were withdrawn, or the company got acquired. So, your claim has to be assumed false by default given the market history is exactly the opposite.

                                                            I’m pretty sure you’re making an elaborate strawman argument to my point. The Intel ME thing is only recently in the news relative to the timeline you’re considering. It was not a factor back then. Now it is.

                                                            Where’s your market data backing your point a similarly-sized number of people cared enough to switch to DuckDuckGo, Signal, or SpiderOak? I’m cherry-picking things advertised as private that are easy to use with media coverage.

                                                            DuckDuckGo’s search results were (and are) historically poor compared to Google’s. So it’s not “well designed”. I chose my words and criteria carefully.

                                                            As far as Signal goes, it has a very large and growing userbase, but it too, doesn’t offer the same (or better) level of quality that the popular messaging services offer. It’s pretty darn buggy. Nevertheless, I use it almost exclusively with all of my friends. These technologies don’t go from zero to out-competing incumbents in a day. It obviously takes some amount of time. Facebook is losing users (to a service that advertises privacy as its #1 feature, albeit misleadingly), Signal and Telegram are gaining users.

                                                            As for SpiderOak, I can’t comment on that. Apple’s Time Machine backups are a better idea than cloud backups, no matter who your provider is, and I’m guessing Apple’s Time Machine has more users than whatever it is you have in mind.

                                                            1. 4

                                                              The Intel ME thing is only recently in the news relative to the timeline you’re considering.

                                                              People have been talking about Intel and DRM for a long time. I have a comment in this thread with links. That the markets ignored the risks to keep buying Intel isn’t a strawman so much as what they actually did. You were talking the hypothetical stuff that might cut into whatever their current, public revenues are. Hasn’t panned out yet if you’re talking secure processors or something like that.

                                                              re competition had issues. Most of the big, tech companies had products with issues when they started. Some of the biggest were trash-talked as garbage by many developing for them. They still got tons of users because those wanted or had to use what they offered. It seems like anywhere from most to all the companies focused on privacy or security that actually works vs checklist BS have failed to accomplish anything. You can get rich via sales or VC off a shitty, non-security app many times over before one, secure app will get high uptake. Must be some underlying principle or principles at work, yeah?

                                                              It’s why these days I tell people wanting private/secure apps to hide or embed that in a product sold on every other kind of benefit that people actually jump on. Enough people doing that might give us what we need. It will probably take a lot of time and cooperation, too.

                                                              1. 2

                                                                People have been talking about Intel and DRM for a long time. I have a comment in this thread with links. That the markets ignored the risks to keep buying Intel isn’t a strawman so much as what they actually did.

                                                                This is not true. I repeat myself: the problems of Intel ME were unheard of and out of the public’s consciousness only until recently, and even now, still, many are unaware of its existence. This is fact.

                                                                Likewise it is fact that Facebook is losing users to more private platforms, again proving the point that users do care about privacy and security.

                                                                One need only look at the security of computers over time to see that it’s constantly improving, just as it is with every other technology, be it cars, trains, spaceships, airplanes, whatever.

                                                                1. 2

                                                                  You’re right that there’s increased awareness. You’re right that this could affect sales. The thing you’re leaving off is that anyone that cared about privacy could’ve just googled the AMT thing on their box to find out it was a backdoor. They didn’t care enough to do that. Whereas, privacy-conscious, lay people were already avoiding that shit years ago. They used to show up in forums talking about it, running SandboxIE, using NoScript for surfing, and so on.

                                                                  My argument is most didn’t care, don’t, and won’t. If they buy a private-ish alternative, it will be for other reasons like apps, features, luxury, etc. Apple iPhone being pushed for privacy is an example. Apple succeeded for every other reason. That’s just after the fact that might bump sales up a bit.

                                                                  1. 1

                                                                    One cannot care about something that one is unaware of. So increased awareness = more caring, because of course users care about privacy and security. Many of them just aren’t computer experts like you and I who have the time to sift through all of the b.s. “privacy” marketing claims that companies like Facebook make.

                                                                    So, again, users do care very much, and once they’re made aware they’ve been lied to, precisely because they care they will ditch these companies.

                                                                    1. 3

                                                                      Many of them just aren’t computer experts like you and I

                                                                      That’s right. So, the ones that cared asked us on security forums what we thought. They’d get a basic assessment of overall risks, what defense to use, which products were better, and so on. Again, I’m talking about what privacy-conscious laypeople were doing for the past ten years or so I’ve been on security forums. They also usually found it hard to get friends and family using the better stuff. It didn’t have feature X, shiny emoji Y, and so on. They didn’t care. Same with literally over a 1,000 people I’ve tried to market that stuff to face-to-face.

                                                                      “So increased awareness = more caring,”

                                                                      This can happen. I’m even hoping for it. The general public does respond to what’s in the media, esp scary stuff. The thing is, it’s not really an informed response so much as a reaction. They jump at buzzwords and false assurances en masse. So, what privacy-pushing suppliers need to do is keep good products ready for those events. Then, when it makes waves, they have media campaigns targeted at those people. The bullshitters already do this. The honest suppliers will only get so many amidst the competition. The numbers can gradually go up with each media wave while they do more positive type of marketing on a regular basis advertising features, privacy, and good service. Sales from that can drive new products. Even better if they’re nonprofits or public benefit corporations to reduce odds they themselves become the villains down the line.

                                                              2. 2

                                                                DuckDuckGo’s search results were (and are) historically poor compared to Google’s. So it’s not “well designed”. I chose my words and criteria carefully.

                                                                How about StartPage? Exact same results as Google. Where are all their users?

                                                                Consumers won’t care about additional choice if everything they care about is packaged into what they already use.

                                                                1. 1

                                                                  That’s a good point, I think many people just don’t know it exists. Those who are aware do use it over Google.

                                                                  I would be curious to know, for example, why Apple doesn’t make it or DDG the default search in Safari. Perhaps some form of collusion going on there.

                                                                  1. 3

                                                                    Apple gets paid for the search engine default. I don’t know if I’d call that ‘collusion’. I think it’s bad – it’s one of many small profit seeking behaviours that Apple engages in to the detriment of their users and their platform as a whole (see also: the 30% cut they take on the App Store).

                                                                    1. 3

                                                                      For default on iOS, I can give you three, billion reasons they’d keep Google. ;)

                                                                      1. 0

                                                                        I think Apple foresees that there would be user backlash. At this point, Google is expected as a default, and providing anything to the contrary is considered presumptive. That would be a huge change; perhaps one day it will be in the forefront of Apple’s attention to take on that change, but for now, we will have to wait, and perhaps do the best we can do as individuals.

                                                                        1. 1

                                                                          I doubt that’s the reason. Apple’s users would praise Apple for the switch. It must be something else, and I’m guessing it’s more along the lines of what @jfb said.

                                                                          I’ll note one other thing, and that’s that even if users are aware of StartPage, that’s often not enough for them to use it. It isn’t clear at all how to change the default search engine in Safari, especially on iOS, and iOS doesn’t even allow StartPage in Safari AFAIK. So companies like Apple deliberately put roadblocks to adoption.

                                                                          This doesn’t mean users don’t care. It means big profit-seeking companies don’t care about their users, and this creates an opening for competitors to do a better job. This is why browsers like Brave are a thing and are taking users away from Safari, IE, Firefox, etc.

                                                                          1. 1

                                                                            Apple’s users would praise Apple for the switch.

                                                                            See the headphone jack debacle. Everything is an inconvenience to somebody; you don’t know how many until you ask.

                                                                            …companies like Apple deliberately put roadblocks to adoption.

                                                                            Where would you place that feature in order to guarantee discoverability? Do you think that change would make for a good user experience?

                                                                            Anecdote: I personally use Safari because it uses the least battery life on my computer, responsiveness stays the same up to a given number of tabs, and the user interface is understandable and consistent; as opposed to Chromium derivatives, which are huge CPU/battery hogs, tend to lag a bit at times, and don’t really mesh well with the rest of macOS (my use of which I could defend similarly). I admire the steps taken by other options such as Brave or qutebrowser, but they forego some basic QoL considerations that are important to users like me. I think that is Apple’s primary consideration.

                                                                            1. 1

                                                                              Where would you place that feature in order to guarantee discoverability?

                                                                              In the search bar when you search.

                                                                              Do you think that change would make for a good user experience?

                                                                              Yes.

                                                                              1. 1

                                                                                I agree that that’s probably the best way to do it. That being said, if I were Apple, I’d be trying to cut down on the number of flow-interrupting pop-ups that occur on performing a simple action such as a web search.

                                                                                1. 1

                                                                                  Who said anything about a popup? Even Firefox (on Desktop) does this pretty well today. No popups.

                                                                                  1. 1

                                                                                    Oh, a dropdown menu? Now I understand what you were saying. That’s fair. I think Safari used to have that, actually. They’ve really been on a minimalist crusade, haven’t they?

                                                              1. 10

                                                                On a related note, it’s also worth noting that the user control situation is even worse on mobile devices. You pretty much can’t buy phones or tablets with unlocked firmware that you can easily put your own operating system on.

                                                                1. 10

                                                                  Well there is the Librem at least.

                                                                  https://puri.sm/shop/librem-5/

                                                                  1. 1

                                                                    It is my understanding that even this and Fairphone still require blobs and the baseband is totally opaque. The battle for complete user freedom on mobile still seems to be completely lost.

                                                                    1. 3

                                                                      This is correct. Purism routinely exaggerates about what they are able to provide in terms of openness, without any plausible way of actually delivering. It’s quite tiresome.

                                                                      Not only will Librem 5 have blobs, they’ve now shamelessly announced they intend to use a loophole to procure FSF RYF certification despite this. If this is allowed to stand, it also makes RYF rather meaningless.

                                                                  2. 7

                                                                    Also Fairphone:

                                                                    We offer the ability to choose between the Google experience and the freedom of open source. Both versions are officially supported by Fairphone and we will provide continuous software updates.

                                                                    In addition, and because the code is openly available, everybody is free to work on making other operating systems work on the Fairphone 2. The community already offers alternative operating systems like Sailfish OS, Ubuntu Touch and LineageOS.

                                                                    1. 2

                                                                      Fairphone requires proprietary firmware blobs anyway.

                                                                      1. 1

                                                                        Thanks, haven’t seen Fairphone before. I really hope there will be enough of a niche for companies like them and Librem going forward.

                                                                        1. 5

                                                                          As a Fairphone user: the market is made by buying the damned phones.

                                                                          I wish there was an official Sailfish distro. I’m a happy user of the community port, but I also tolerate some glitches. Like not being able to calibrate the proximity sensor or run android apps.

                                                                          But, as stated, they do have a non-Google android for those who want to be closer to the mainstream and a Google android for people who don’t care that much.

                                                                      2. 2

                                                                        You can unlock the bootloader on most Android phones and you can run LineageOS or other AOSP forks, sometimes Ubuntu Touch and Sailfish ports, or postmarketOS.

                                                                        You typically have to run the vendor android kernel fork if you want to have useful functionality, but some devices (Nexus 5, Nexus 7, Xperia Z2, Xperia Z2 Tablet) can run mainline Linux.

                                                                        https://wiki.postmarketos.org/wiki/Devices

                                                                        1. 1

                                                                          I know that you can unlock the bootloader, but I think that’s very far from ideal. Also the tools themselves tend to be closed source, and sketchy. You should be able to decide what runs on your phone without jumping through hoops.

                                                                      1. 10

                                                                        I’ve been using that for over 2 years already as the SSH server residing inside initial ramdisk, for remote LUKS decryption purposes.

                                                                        1. 3

                                                                          Cool! Do you have a link to how you set that up?

                                                                        1. 6

                                                                          Great article! I wonder whether the future of HTML escaping libraries will lie with something like ammonia, which actually parses the HTML before emitting a sanitized version, instead of simple text-replacement - at a certain point, I guess it becomes a better idea to just do what a browser would do in order to ensure that your sanitation worked…

                                                                          1. 5

                                                                            Yeah, I prefer using DOM functions for everything, including templating. With the DOM, everything gets escaped in proper context and you can do other sanity checks, like always outputting strictly well-formed stuff. A HTML document isn’t really a string and I prefer to avoid pretending it is.

                                                                            1. 2

                                                                              Do you have a link or example for this method?

                                                                            2. 3

                                                                              Related: DOMPurify uses DOM APIs exposed to JavaScript to ensure that browser and sanitizer show the same parsing behavior.

                                                                            1. 18

                                                                              I don’t like the design of Enchive.

                                                                              The process for encrypting a file:

                                                                              1. Generate an ephemeral 256-bit Curve25519 key pair.
                                                                              2. Perform a Curve25519 Diffie-Hellman key exchange with the master key to produce a shared secret.

                                                                              OK.

                                                                              1. SHA-256 hash the shared secret to generate a 64-bit IV.

                                                                              Kinda OK, can justify this complexity by the need for a quick check before decryption (“validate the IV against the shared secret hash and format version”) if we got the correct key.

                                                                              1. Add the format number to the first byte of the IV.

                                                                              OK.

                                                                              1. Initialize ChaCha20 with the shared secret as the key.

                                                                              This is using raw multiplication result as a key. It’s recommended to hash the result (but not pure SHA256 as we’re already exposing 56 bits of it as IV) before using it as a cipher key (for example, NaCl uses HSalsa20 as a quick hash for that).

                                                                              1. Write the 8-byte IV.
                                                                              2. Write the 32-byte ephemeral public key.
                                                                              3. Encrypt the file with ChaCha20 and write the ciphertext.

                                                                              OK. But for big files, it may be worth using chunked authenticated encryption to avoid spilling out unauthenticated plaintext or wasting time (see https://www.imperialviolet.org/2014/06/27/streamingencryption.html and my implementation https://github.com/dchest/nacl-stream-js).

                                                                              1. Write HMAC(key, plaintext).

                                                                              Here we have three problems.

                                                                              First is that it uses the same key for HMAC as for encryption. I don’t think there’s a particular interaction problem between HMAC-SHA-256 and ChaCha20 that would lead to something scary, but this design is not ideal. To fix this and previous issue in one shot, the authors could use a 64-byte hash function to derive both encryption and authentication keys from Curve25519 shared key: encr_key || mac_key = SHA512(shared_key), or use HMAC-SHA256 with different personalization strings (encr_key = HMAC-SHA256(“EncrKey”, shared_key) and mac_key = HMAC-SHA256(“AuthKey”, shared_key)), or HKDF.

                                                                              Secondly, it’s MAC-then-encrypt, which exposes cipher to various attacks before there’s a chance of authenticating. Finally, I would also authenticate everything, not just the ciphertext. So I’d use HMAC(mac_key, everything) where everything is IV, ephemeral public key, and ciphertext. This way, HMAC will be checked before decrypting, and malicious payload will be rejected early.

                                                                              Enchive uses an scrypt-like algorithm for key derivation, requiring a large buffer of random access memory.

                                                                              If it’s scrypt-like, why not just use scrypt? I haven’t checked the whole algorithm, but I can already see a drawback: it uses SHA-256 to perform work on memory. Scrypt specifically uses a very fast function (8-round Salsa20) so that it can perform this computation as quickly as possible, which is very important for a memory-hard function.


                                                                              To summarize: there’s nothing particularly broken with this design, as far as I can tell from a quick look, but it’s not a solid design, unfortunately.
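The key separation and encrypt-then-MAC layout suggested in the comment above, as an added example (not Enchive's code and not the commenter's): two keys are derived with HMAC-SHA256 personalization strings, and one HMAC covers IV, ephemeral public key and ciphertext and is checked before any decryption. The X25519 exchange is left out, so `SHARED` and `EPH_PUB` are constructed byte strings; the format number and all function names are assumptions.

```python
import hashlib
import hmac
import struct

IV_LEN, PUB_LEN, TAG_LEN = 8, 32, 32   # field sizes given in the thread
FORMAT_VERSION = 1                      # assumption: placeholder format number
SHARED = bytes(range(32))               # constructed stand-in for the X25519 shared secret
EPH_PUB = bytes(range(100, 132))        # constructed stand-in for the ephemeral public key
M32 = 0xFFFFFFFF


def _rotl(v, n):
    return ((v << n) & M32) | (v >> (32 - n))


def _qr(s, a, b, c, d):
    # ChaCha quarter round on four words of the state.
    s[a] = (s[a] + s[b]) & M32; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & M32; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & M32; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & M32; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, counter, iv):
    # Original ChaCha20 layout: 64-bit block counter, 64-bit IV.
    init = (list(struct.unpack("<4I", b"expand 32-byte k"))
            + list(struct.unpack("<8I", key))
            + [counter & M32, (counter >> 32) & M32]
            + list(struct.unpack("<2I", iv)))
    s = init[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        _qr(s, 0, 4, 8, 12); _qr(s, 1, 5, 9, 13)
        _qr(s, 2, 6, 10, 14); _qr(s, 3, 7, 11, 15)
        _qr(s, 0, 5, 10, 15); _qr(s, 1, 6, 11, 12)
        _qr(s, 2, 7, 8, 13); _qr(s, 3, 4, 9, 14)
    return struct.pack("<16I", *((x + y) & M32 for x, y in zip(s, init)))


def chacha20_xor(key, iv, data):
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = chacha20_block(key, off // 64, iv)
        out += bytes(a ^ b for a, b in zip(data[off:off + 64], ks))
    return bytes(out)


def derive_keys(shared):
    # Separate keys per purpose, using the personalization strings from the comment.
    encr_key = hmac.new(b"EncrKey", shared, hashlib.sha256).digest()
    mac_key = hmac.new(b"AuthKey", shared, hashlib.sha256).digest()
    return encr_key, mac_key


def make_iv(shared):
    # IV as the thread describes it: SHA-256 of the shared secret, cut to
    # 8 bytes, with the format number added to the first byte.
    d = hashlib.sha256(shared).digest()[:IV_LEN]
    return bytes([(d[0] + FORMAT_VERSION) & 0xFF]) + d[1:]


def seal(shared, eph_pub, plaintext):
    encr_key, mac_key = derive_keys(shared)
    iv = make_iv(shared)
    body = iv + eph_pub + chacha20_xor(encr_key, iv, plaintext)
    # Encrypt-then-MAC over everything that is written before the tag.
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_sealed(shared, blob):
    if len(blob) < IV_LEN + PUB_LEN + TAG_LEN:
        raise ValueError("truncated file")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    encr_key, mac_key = derive_keys(shared)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")  # nothing is decrypted
    return chacha20_xor(encr_key, body[:IV_LEN], body[IV_LEN + PUB_LEN:])


def tamper_rejected(shared, blob, index):
    # Flip one bit at `index` and report whether open_sealed refuses the file.
    bad = bytearray(blob)
    bad[index] ^= 0x01
    try:
        open_sealed(shared, bytes(bad))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    msg = b"constructed sample plaintext, longer than one 64-byte block " * 3
    blob = seal(SHARED, EPH_PUB, msg)
    print(open_sealed(SHARED, blob) == msg)
    print([tamper_rejected(SHARED, blob, i) for i in (0, IV_LEN, IV_LEN + PUB_LEN, -1)])
```

This version still holds the whole file in memory and checks one tag at the end; the chunked construction linked in the comment is what bounds that for large files.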

                                                                              1. 5

                                                                                Enchive’s author here. These are all good points. Most of the mistakes are me not knowing any better when I designed it, but, fortunately, none of them fatal as far as I know.

                                                                                But for big files, it may be worth using chunked authenticated encryption to avoid spilling out unauthenticated plaintext

                                                                                I did eventually figure out chunked authentication for myself months later, but too late for Enchive. If I ever redesign the file format, it would definitely use chunked authentication, among other corrections like using EtM.

                                                                                If it’s scrypt-like, why not just use scrypt?

                                                                                At the time (early 2017) I couldn’t find a drop-in scrypt library with a friendly license, and I didn’t want to try implementing it myself. A major design goal was ANSI C and no dependencies. As a result, Enchive can easily be compiled just about anywhere, probably even decades into the future (to, say, decrypt some old archives). As evidence of this, you can build it and run it on Windows 98 decades in the past.

                                                                                1. 5

                                                                                  I get the feeling most of those shortcomings are caused by direct use of primitives. I suspect that the author was trying to:

                                                                                  1. minimize dependencies – especially looking at optparse.h, which is (mostly) redundant on a POSIX system due to getopt(3) existing – and source files, and
                                                                                  2. keep the license unencumbered (all third party code seems to be in the public domain), but then ended up making dangerous decisions given raw primitives.

                                                                                  argon2 not being in there is probably not an accident but a result of how difficult it is to implement and how he’d have two hash functions (SHA-256 and BLAKE2 for the argon2 state).

                                                                                  The author might’ve had a better result and less work with naive use of Monocypher, libsodium or TweetNaCl, though TweetNaCl still would’ve let him shoot himself in the foot with raw X25519.

                                                                                  1. 1

                                                                                    If it’s scrypt-like, why not just use scrypt?

                                                                                    Yeah, it’s like they’re not aware that scrypt comes with a file encryption utility.

                                                                                    1. 3

                                                                                      I didn’t mean using the file encryption utility itself, but the KDF primitive. Although, indeed, the scrypt utility is great (I use it for my files), but it doesn’t do asymmetrical encryption, which seems to be the point of Enchive.

                                                                                      1. 1

                                                                                        but it doesn’t do asymmetrical encryption, which seems to be the point of Enchive.

                                                                                        Ah, I missed that part. Hmm, well in that case Enchive seems pretty alright as far as goals are concerned. Hopefully the author will incorporate your suggestions.

                                                                                  1. 1

                                                                                    Squanching. Then trying to find something worth watching until Season 4 of Rick and Morty.

                                                                                    1. 6

                                                                                      I work from home so I don’t have to put up with any of this nonsense. :)

                                                                                      1. 18

                                                                                        Everything about this is wrong, and that’s ignoring the irony in complaining about blogs on one’s blog.

                                                                                        There are no more quirky homepages.

                                                                                        There are no more amateur research librarians.

                                                                                        Yes, there are. They’re just harder to find among the noise of an influx of several hundred million new content creators, most of whom prefer to focus on creating content and not messing around with HTML. In all likelihood, there are probably more “quirky homepages” today than there were when the web first started, but the fraction of “quirky homepages” to facebook posts makes them harder to see.

                                                                                        And the blog did not “break the web”. What does that even mean? It’s nonsensical. Bah humbug!

                                                                                        1. 5

                                                                                          I upvoted both your comment and the post.

                                                                                          The author is right in her context and you’re right in yours. Seriously, you’re definitely right. …So is she.

                                                                                          What would you like to show her?

                                                                                          I’m thinking, tilde.town. But, I don’t mean the site, the space, or the concept. I mean the thing itself, the “content”: in this case, home pages. I clicked random a few times and came across these two: ~joe and ~selfsame

                                                                                          1. 2

                                                                                            What would you like to show her?

                                                                                            I dunno dude, I’m not into this stuff. I just know it exists and this style of “amateur 90s web design” has been oddly popular recently. I don’t bookmark them. But I do remember one. I found it because a 90s fanclub aggregation site was recently posted here (and/or HN) that linked to it. It was a very funny looking rental car site based out of England (I think) that’s still operating today. It had a thousand flashing GIFs and various cute things that made me wonder if it was for real or a parody (it was for real).

                                                                                            1. 3

                                                                                              So you’ve discovered the (in)famous Ling’s Cars. Though to be fair, Ling’s Cars is more early 2000’s (if only due to how much it likes to use flash). Ling’s website has been that way a long time, though it does get updated and changed over time.

                                                                                              1. 1

                                                                                                Lol, that’s the one. :)

                                                                                        1. 1

                                                                                          Hell! Did they abolish the rule of law while nobody was looking?

                                                                                          1. 4

                                                                                            I doubt it. It’s Germany, they do follow the law. Also, they have a history of domestic terrorism.

                                                                                            1. 5

                                                                                              In Germany, illegal searches are relatively common. I don’t want to say “all the time”, but regularly. They are later ruled (partially) illegal, the assets returned, and some costs paid.

                                                                                              Searches may be illegal (and I’m dead sure this will be ruled with Zwiebelfreunde as well) because the police tend to search more than they are allowed to. Entering rooms that are not to be searched, opening cabinets they are not allowed to open, getting permissions that they are not allowed to get. The police are aware of that, but also aware that there are no repercussions for transgressions.

                                                                                              The problem is that we have no such thing as “fruit of the poisonous tree”. The legal proceedings can still continue except in very crass cases if something “additional” is found.

                                                                                              Sadly in German, but here’s an interview with a constitutional judge(!) on the subject, stating that many of them are violating the constitution. http://www.taz.de/!5108848/

                                                                                              1. 1

                                                                                                I believe you are also having some politicians vs. federal constitutional court conflict going?

                                                                                                1. 2

                                                                                                  We regularly have, but this is not part of that. The practice I describe here is old.

                                                                                              2. 2

                                                                                                Sadly, we had our issues with domestic terrorism in Italy too, but we still feel the shame for the police behaviour in 2001, at Diaz school.

                                                                                                But you cannot preserve law and security by arresting people for drawings on a whiteboard.

                                                                                                1. 1

                                                                                                  but we still feel the shame for the police behaviour in 2001, at Diaz school.

                                                                                                  This is the first time I’m hearing of that. Wow. That’s horrible. :(

                                                                                                  1. 3

                                                                                                    I heard about it a year or two ago. Took me a while to calm down that night. They weren’t even sneaking around or trying to justify themselves like the corrupt cops often do over here. Just in-your-face, systematic brutality. That’s the exact kind of shit that we have the 2nd Amendment for. I mean, elite propaganda kept people from using it or even voting right. Still, I can’t think of any other option in a situation like that if you don’t want a pile of screaming, beat-down people in a building.

                                                                                                    1. 5

                                                                                                      Just in-your-face, systematic brutality.

                                                                                                      During the Cold War, in Italy, we had all sorts of these things, in particular in the late 60s against students’ protests and political activists.

                                                                                                      The effect was twofold: some people were afraid to express their political opinions if they were not aligned with the Government, but it also spread radical extremism that used to justify armed war as a reaction to State’s violence.

                                                                                                      In reality, violent revolutionaries were actually useful to the US aligned government to justify repression against the pacific but effective political culture of the left. So much that in 2001, members of the police were sent among demonstrators as “black blocks” that launched Molotovs against civil buildings in the streets and against police to justify the repression.

                                                                                                      This is why in Italy we do not consider arming civilians an option against the power: because trained cops are more effective and better armed anyway but if protesters are armed and dangerous you can justify any sort of repression.

                                                                                              3. 4

                                                                                                Unlikely, from what I gathered, this is a search warrant for witnesses. Additionally taking all equipment that looks vaguely like computers and CD ROMs isn’t that unusual, police officers are sadly not that trained in this direction, some of them have trouble operating computers (a fellow student in my CS courses has taken part in a “computer course” for the police which largely consisted of the bare minimum of Excel and Word usage). It’s not the first time something like this happens (there are various accounts of this happening in the past, for example, a CCC member having their home equipment taken even though the warrant said “take the server the stuff happened on” and the server was in another datacenter).

                                                                                                The requirements for being a police officer in Germany don’t intersect well with having basic knowledge of computers.

                                                                                              1. 2

                                                                                                That wouldn’t tell you anything. Lots of hackers in U.S. and Europe used relays in countries that oppose the U.S. for similar reasons. On top of it, the go back to gmail message might just be an insult on top of them slamming the private service. I’ve seen online comments telling people to use Gmail or Fastmail just because the newcomers won’t be reliable enough. I say the same thing where availability of email is most important, esp if money or court action is or might be involved. These small outfits might not be able to keep up on that even if more private.

                                                                                                So, it could be anyone if just going off that comment. Only thing I know for sure is that they took the small players down while the big ones are still up as predicted. Some things just take lots of money to stop rather than good design or intentions. It’s why I say split usage between big players for where availability is more important and smaller ones where privacy is more important. And GPG encrypt text/zip files with boring names sent over the smaller ones so you don’t have to trust them or mail clients either. That’s basic concept.

                                                                                                Note: Reposted from Reddit.

                                                                                                1. 1

                                                                                                  Nick, I’m Russian-American. I can tell better than most when someone’s pretending to be Russian.

                                                                                                  1. 1

                                                                                                    I hear you on that. Cool to know. Just imagine me saying, “itistoday, I’m American. I can tell when an American is pretending to X with speech saying Y. Take my word for it.” You’d probably want something you or others could verify. Things like this are more verifiable with experience seeing it. Maybe the Russian hackers being so common justifies a project illustrating their techniques in situations that had strong evidence of being them. That compared to stuff that wasn’t. People’s minds would see the patterns looking at it all.

                                                                                                    It’s not that important to me in this case. I was just reminding people that both independent and nation-state groups will try to fake that to mislead people. It worked, too, before surveillance states with multinational partnerships were a big thing. At least the governments are probably good at spotting the BS. The non-government parties are still vulnerable to that misdirection, though.

                                                                                                    1. 1

                                                                                                      You’d probably want something you or others could verify.

                                                                                                      I dunno, how about maybe the fact that they seem to have a preference for speaking almost exclusively in sophisticated English slang?

                                                                                                      How about the fact that most of their tweets are on American time and not Russian time?

                                                                                                      Or the fact that there’s basically zero incentive for non-state actors to attack these companies? (If anything, an anti-incentive).

                                                                                                      How about a million other blindingly obvious tells?

                                                                                                      1. 1

                                                                                                        Now you’ve gone from Argument from Authority to sharing reasons for what you believed just like I recommended. Good examples.

                                                                                                        1. 1

                                                                                                          You’re a smart guy Nick. I struggle to understand how you couldn’t make these observations yourself.

                                                                                                          1. 1

                                                                                                            I wasn’t making any observations about them. I don’t follow tweet or propaganda storms since it’s a lot of work for 99% noise. I was solely responding to a comment you made about attribution without details people might be interested in. You giving them just reinforced in my mind how tricky this stuff is. For instance, I used to script things to happen at certain times to mislead people in that exact way. Copying slang of certain groups to direct hate at them is something run-of-the-mill trolls do. You saying zero incentive is just an argument without evidence given companies get attacked all the time by customers, employees, con artists, and hackers for a huge range of reasons with nonsense or emotional being common. Quite a few individuals and groups have done sprees just for fun and publicity watching folks run around.

                                                                                                            Now, again, I have no doubt you’ve been watching this stuff closely enough that your mind cemented patterns that might tell you stuff. I just know the patterns themselves can be bullshit. I’ve seen and done it. To this day, people believe one thing happened when an entirely different thing happened. I’m not sure consistent attribution is even possible with high certainty once state actors are involved outside some use of malware samples. That’s kind of what I was getting at in making you share details which turned out to be fakeable.

                                                                                                            Truth is, I’m too focused on bigger, easier-to-pin-down problems to fight a losing battle against propaganda teams with money to spread lies far and wide. Since you posted on one, I’ll switch over to that one.

                                                                                                1. 1

                                                                                                  Brian Krzanich and others should be in jail for selling intentionally faulty, backdoored products to the public.