1. 2

    Makes me wonder why no one ever talks about rotating SSH host keys; most people seem to see them as something that should never change. Hence I can’t even remember GitHub or GitLab ever updating their keys…

    1.  

      Because unless you have a model for managing deployment of system-wide known-hosts files, or are using an SSH certificate authority for host keys, or use DNSSEC-signed DNS with validating resolvers on every client and clients configured to trust DNS over the local TOFU cache … unless you have one of those, the TOFU store (~/.ssh/known_hosts by default) means that rotating host keys causes pain.

      This is probably why GitHub is still on RSA+DSA with no Ed25519 host keys: the act of adding a new key type will cause real-world breakage for many clients, many of whom won’t even be aware that they’re using SSH under the hood. GitHub is accumulating technical debt by being unable to change and by not working with their client community on a process to update with minimal disruption.

      1.  

        Adding an Ed25519 key wouldn’t be breaking though; only dropping an old key would be.

        And actual rotation is a bit easier since UpdateHostKeys was introduced, but you still need to keep the old key around long enough for a sufficient number of clients to have connected and updated. What counts as “sufficient” for any given use case is harder to determine, though.
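
        For OpenSSH clients, opting in looks roughly like this in ~/.ssh/config (a sketch; the host name is hypothetical, and recent OpenSSH releases already enable this by default in many configurations):

        ```
        # ~/.ssh/config (sketch)
        Host git.example.com
            # Accept graceful host-key rotation: the server proves possession
            # of any additional keys it advertises (the hostkeys@openssh.com
            # extension) before the client records them.
            UpdateHostKeys yes
        ```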

        1.  

          Different versions of different SSH clients handle this with varying levels of grace.

          In some versions of OpenSSH, adding a new key of a preferred type would make the client immediately try to verify that host key, ignoring the known ones, and hard-fail because it wasn’t already known, even though host keys of other types were.

          Now look at how long some OS distributions linger, with real-world users running ancient OpenSSH builds with backported features.

          That’s the problem which services like GitHub have to consider: the end-users who are best able to understand the issue and adapt with help are the least likely to be stuck using ancient OS releases.

    1. 14

      The “old newspaper” format is very cool and folksy, but as a partially blind person I find it very, very hard to read.

      1. 8

        The repeated reflowing on load is also rather obnoxious.

        1. 3

          Super annoying. Thanks for the report! https://github.com/treenotation/dumbdown/issues/8

        2. 4

          as a partially blind person I find it very, very hard to read.

          Short answer: any specific things you hate and are there reading apps you love?

          Longer answer: I designed Scroll to be the most accessible publishing platform ever. I will pull this off by having everything be public domain and by making the clean Dumbdown/Tree Notation source for every article readily available.

          The design is to make it easy for readers to “take all the content with you” and consume it with their favorite reader. Think RSS but 100x better, since you actually get the full content in the simplest possible notation and can use whatever tool you want to render it just the way that works best for you.

          1. 5

            Short answer: any specific things you hate and are there reading apps you love?

            Hate is way too strong a word. I have partial vision in one eye, at 20/200 with a severe astigmatism, so my eyeball jumps around a lot. Packing the text into a super dense layout like that makes it nearly impossible for me to attain focus on each line in the article, which makes the layout very hard for me to read.

            Glad to hear it’s an open platform with flexible rendering though, I’ll definitely take a more careful look, and thanks for sharing!

            1. 1

              The design is to make it easy for readers to “take all the content with you” and consume it with their favorite reader.

              In that case it would be super cool if the static site itself had different viewing options for the same content that people could choose from.

              The newspaper layout is “cool”, but I’d like to be able to switch to a more standard blogging layout: one article at a time, larger font, margins on desktop, a table of contents, hyperlinks between related articles, perhaps search, etc. A simple cookie could track which “viewer” I prefer.

              1. 1

                if the static site itself had different viewing options for the same content that people could choose from.

                I wouldn’t be opposed to this.

            2. 3

              Totally agree! It would also be really cool to show only the summary of each article. Sadly, according to the README, the author is not interested in that…

            1. 3

              It seems the conclusion isn’t “8 bits are enough for a version number” but rather “a bunch of userspace software assumed 8 bits would be enough for a version number, so we’d better stick with it if we don’t want to break stuff”.

              1. 6

                Userspace didn’t just assume that though, it was built into the way that the version codes are exposed in the userspace headers. And with the overflowed version there are now multiple kernel versions that userspace can no longer tell apart by comparing those version codes.
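
                Concretely, that packing is the three-byte version code from the kernel’s userspace headers. A minimal sketch of the historical macro shows the collision (newer headers clamp the sublevel at 255 to avoid exactly this):

                ```c
                #include <assert.h>
                #include <stdio.h>

                /* Historical form of the macro from <linux/version.h> */
                #define KERNEL_VERSION(a, b, c) (((a) << 16) + ((b) << 8) + (c))

                int main(void) {
                    /* A sublevel of 256 carries into the minor-version byte,
                       so userspace cannot tell these two releases apart. */
                    assert(KERNEL_VERSION(4, 9, 256) == KERNEL_VERSION(4, 10, 0));
                    printf("4.9.256 packs to %#x\n", KERNEL_VERSION(4, 9, 256));
                    return 0;
                }
                ```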

              1. 1

                Interesting approach! The one thing that slightly bothers me is that a side channel that somehow lets you retrieve the host key from sshd would make every secret in the store readable at once.

                I guess it would be easy enough to generate a unique key per host that isn’t read by any persistent process however.

                1. 1

                  Yeah, the only reason I chose ssh host keys was that it was easy to prototype with. In a production setting I’d probably use some kind of persistent host key.

                1. 6

                  Wow, their commits are … idiosyncratic.

                  1. 4
                    1. 2

                      That’s because this isn’t an official git repo. The upstream is just a daily tarball.

                    2. 2

                      At least it’s not quite as bad as e.g. Bash, but yeah…

                      1. 1

                        Nothing special, just a special PicoLisp with LLVM IR as a raw backend.

                      1. 2

                        To me this looks like an unencrypted equivalent of a master password: an extra password you need to remember and enter whenever you use your password manager. But unlike a proper master password that can be cryptographically protected, this one is sent in the clear.

                        1. 1

                          Not sure if this is comparable. You’re not writing that part down anywhere, so it should be at least as safe as any other password that exists exclusively inside your head. But this is then multiplied by the security of an actually safe password from a password manager. If their security is breached for whatever reason, the second factor (aka the Horcrux) makes the breached data unusable.

                          1. 2

                            You’re not writing that part down anywhere, so it should be at least as safe as any other password that exists exclusively inside your head.

                            Except that you are giving it to every site where you have a password. In my experience, the likelihood that at least one site where you have an account is compromised at some point is high; at which point a motivated attacker with access to your password manager can figure out your horcrux very quickly.

                            To me this seems like additional work (you can no longer use browser-based autofill for your password manager*) for not much security gain. Edited to add: that said, it does add some security, so if you’re comfortable with the tradeoff it’s not a bad thing to do!

                            I’d also note that physical security keys that implement WebAuthn/FIDO2 are dramatically better than OTP apps in terms of phishing resistance and ease of use; I strongly encourage their use over OTP apps wherever possible.

                            * I think there’s a fair argument that you shouldn’t use this at all, because it increases your risk surface dramatically; if one bad site can somehow convince your password manager that it is at a particular origin, zero-touch autofill could cause you to lose all your passwords at once.

                            1. 1

                              Except that you are giving it to every site where you have a password.

                              Except that you’d give a different one to each site that you’re doing it with, which is why they suggest only doing it with important accounts if it seems like too much effort.

                            2. 2

                              Master password isn’t supposed to be written anywhere either.

                              A password manager can incorporate the master password into per-site passwords in a cryptographically secure, non-reversible way. This is an extra layer of security on top of the “Horcrux” method, because even sites that receive passwords in clear text (and then leak them and make them public to everyone) won’t leak the master password in clear text.

                              1. 1

                                A password manager can incorporate the master password into per-site passwords in a cryptographically secure, non-reversible way.

                                If you’re already using a password manager and are fine with passwords you can’t remember, this seems strictly inferior to just using CSRNG-generated passwords.

                                This is an extra layer of security on top of the “Horcrux” method, because even sites that receive passwords in clear text (and then leak them and make them public to everyone) won’t leak the master password in clear text.

                                But the horcrux isn’t a master password; it’s just the half of the password that isn’t stored in the password manager with the other half, so a site leaking that password would only impact the password for that one site, and you as a user can’t protect against that.

                                1. 1

                                  CSRNG alone is vulnerable to loss of the master password. CSRNG + database of truly random per-site seeds gives you a second factor. To me this is analogous to horcrux + database of per-site passwords: two factors, one in your head (horcrux/master pw), another on your disk (pw manager), and you need both to get full per-site passwords.

                                  The horcrux method is:

                                  password = on_your_disk + in_your_head
                                  

                                  vs traditional encrypted password db:

                                  password = decrypt(on_your_disk, in_your_head)
                                  

                                  or even closer to a generator with per-site seeds:

                                  password = hash(on_your_disk + in_your_head)
                                  

                                  In all these cases you have two factors, each safe without the other, and the only difference is that the Horcrux method doesn’t hide the in-your-head part as well as the other methods do.

                                  This makes the Horcrux method less secure: if you leak the on_your_disk half and any one of the generated passwords, all the passwords are compromised. The other methods can survive that case.
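
                                  That failure is easy to sketch. Assuming, as above, an in-your-head half that is reused across sites (all values here are made up), an attacker who holds the on-disk half and any one leaked full password recovers the horcrux by plain string subtraction:

                                  ```c
                                  #include <assert.h>
                                  #include <stdio.h>
                                  #include <string.h>

                                  int main(void) {
                                      /* Hypothetical halves */
                                      const char *on_disk = "X7#kQ2pW"; /* stored in the password manager */
                                      const char *in_head = "tulip9";   /* the memorised horcrux */

                                      /* The full password one site receives (and might later leak) */
                                      char password[64];
                                      snprintf(password, sizeof password, "%s%s", on_disk, in_head);

                                      /* With on_disk and the leaked password in hand, the horcrux
                                         is simply whatever follows the on-disk prefix. */
                                      const char *recovered = password + strlen(on_disk);
                                      assert(strcmp(recovered, in_head) == 0);
                                      printf("recovered horcrux: %s\n", recovered);
                                      return 0;
                                  }
                                  ```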

                                  1. 1

                                    CSRNG alone is vulnerable to loss of the master password.

                                    But so would the “incorporate the master password in per-site passwords” approach.

                                    CSRNG + database of truly random per-site seeds gives you a second factor.

                                    I’m confused as to what you’re getting at here. The CSRNG would just be used to generate a password that’s then stored in your password manager, the same way most people who use unique passwords and a password manager already do it? But most people don’t use local password managers, so for them it’d still just be one thing you know: the master password.

                                    To me this is analogous to horcrux + database of per-site passwords: two factors, one in your head (horcrux/master pw), another on your disk (pw manager), and you need both to get full per-site passwords.

                                    For hosted password manager services, this would be 1+(number of services) things you know, and nothing you have, unless the service has 2FA support.

                                    For local password managers, it’d be 1+(number of services) things you know, but also at least one thing you have, the database. (Though with my PGP key on a YubiKey it would be 2 things I have, the database and my YubiKey.)

                                    1. 1

                                      I’m confused as to what you’re getting at here

                                      Sorry, misunderstanding. By “CSRNG alone” I meant solutions like https://lesspass.com that don’t have an on-disk part.

                                      By master password I mean solutions like https://keepass.info that have on-disk database encrypted with a master password.

                                      I don’t understand your distinction between hosted and local password managers. I assume any decent password manager that has online sync would never reveal passwords or your master password to the host, which makes security of hosted and local pw managers identical. If the host gets passwords in plaintext that’s fundamentally broken software, and I wouldn’t try to save it with any DIY method.

                                      1. 1

                                        Sorry, misunderstanding. By “CSRNG alone” I meant solutions like https://lesspass.com that don’t have an on-disk part.

                                        Ah, right.

                                        I don’t understand your distinction between hosted and local password managers. I assume any decent password manager that has online sync would never reveal passwords or your master password to the host, which makes security of hosted and local pw managers identical. If the host gets passwords in plaintext that’s fundamentally broken software, and I wouldn’t try to save it with any DIY method.

                                        While they definitely shouldn’t have the plaintext passwords, the fact that they’re available through an online service means that the password database itself isn’t another factor that you physically possess, it’s something anyone can theoretically query to try to bruteforce their way in.

                                    2. 1

                                      This makes the Horcrux method less secure: if you leak the on_your_disk half and any one of the generated passwords, all the passwords are compromised. The other methods can survive that case.

                                      I believe you’ve misunderstood the article here. “You split your password into 2 parts” to me means that you have a unique horcrux per site, so one leaking won’t affect the passwords for any other service. And this would be why they suggest potentially only doing it for high-importance passwords if it seems like too much effort. Otherwise it wouldn’t be any more effort for 10 sites than for 1.

                            1. 12

                              Seems that CentOS just lost the only reason people used it: being a free RHEL clone :)

                              Now people that used CentOS will move either to Oracle Linux (the same kind of clone as CentOS, just with an Oracle logo) or to Ubuntu LTS.

                              Of course, having already adopted quite a lot of systemd refugees, FreeBSD will welcome the CentOS refugees as well :)

                              1. 5

                                Now people that used CentOS will move either to Oracle Linux (the same kind of clone as CentOS, just with an Oracle logo) or to Ubuntu LTS.

                                Well, maybe.

                                At work we use CentOS because some of our customers use RHEL, and it lets us do cheap CI and testing, with a final round on RHEL before release.

                                On the other hand, we’re still using versions 6 and 7, so this won’t affect us for a while…

                                1. 3

                                  Most CentOS users will wait for others to pick up where CentOS left off, or move to openSUSE Leap.

                                  1. 2

                                    Oh, I remember this comment from Twitter. As I said there, it’s reductive to say that the only reason people used CentOS is because it’s a free RHEL clone. I use CentOS because it is RHEL-like and has a longer lifespan than Fedora. I use it at home on some systems and to run a server for my blog and other projects.

                                    Also, as I said there, it’s sad when people promote an open source project at the expense of others. I don’t know what your position is with FreeBSD, but I hope the larger project has more empathy and general decorum. If your only selling point is “we don’t use systemd”, then that’s not so hot. What’s the positive reason I’d want to adopt FreeBSD?

                                    • Disclaimer - I work for Red Hat. I’m in comms these days, though, and was not involved in this decision in any way. Overall I don’t think it’s nearly as bad for most users as is being made out, and for companies that are depending on a free clone for their production environments… “I hope a public company will indefinitely supply a part of my infrastructure at no cost” is not a plan I’d feel confident in.
                                    1. 2

                                      As I said there, it’s reductive to say that the only reason people used CentOS is because it’s a free RHEL clone. I use CentOS because it is RHEL-like and has a longer lifespan than Fedora.

                                      That reads very much like “People don’t only use CentOS because it’s a free RHEL clone, but I only use CentOS because it’s a free RHEL clone.” to me?

                                      1. 2

                                        I guess you can come to that conclusion if you squint hard and ignore the context of the discussion. My emphasis here is on the clone part. The chief complaint seems to be “CentOS won’t be almost exactly a package-for-package, version-for-version clone of RHEL anymore, it will be slightly different!”

                                        For my purposes that doesn’t really matter. It’s not like Stream is going to be so radically different from RHEL that what I know about working with RHEL won’t transfer, nor am I depending on it to be “identical” to RHEL. A RHEL-like OS that may have slightly newer packages that aren’t quite as well tested as RHEL is likely going to work just fine for my use case. I’m not trying to run certified software on CentOS rather than paying for a RHEL subscription. I just want a reasonably stable OS for light usage – if it were a production server that mattered for a business, I’d look at paying for a subscription.

                                        But I don’t want to, say, learn FreeBSD just to host my personal blog. I don’t want to worry about upgrading every year or so, so Fedora isn’t a good fit. It’s fine on my desktop - I want the latest GNOME and so forth - so I don’t mind upgrading once every six to 12 months. But for my web site and personal servers at home, that’s too often. I could use Debian or Ubuntu, but if I use a Fedora/RHEL-type OS in other situations, I might as well preserve my muscle memory for working with my other systems.

                                        I might be projecting, but I suspect a lot of folks are like me and have used CentOS for non-production uses because we know RHEL and it’s an easy drop-in for a lot of uses for a Linux OS. For a wide swath of use cases, it seems to me that it’ll do just fine.

                                        1. 1

                                          I don’t think your use case is so far off. A lot of people have been using CentOS as “a free, redhat-like distro”, which is 100% not a bad thing for private use (I am not opening the can of worms that is paying for RHEL or SLES).

                                          As per my other comment, I’ve hardly heard of people using Fedora for servers. Might be my debian-centric filter bubble though.

                                          For example, at work we use it to build software that will run on customers’ servers with RHEL (not certified, or our userspace daemons don’t matter) - and I think this is perfectly fine. We kinda NEED to build on this, but we’re not running it on RHEL ourselves; if someone needed to pay for a development license for this, it would be the customer, not us. So we’re on CentOS 7, which will be fine until 2024, but no idea what will happen then.

                                          1. 2

                                            My understanding is that Red Hat is planning to expand the no-cost RHEL plans to cover things like CI/CD (which you could do now with UBI if you have a container use case, but not for some other use cases). It’s not ready today, but my understanding is that we are planning to expand the no-cost subscriptions to cover some of the other CentOS use cases.

                                        2. 1

                                          Your perspective sounds valid for someone who hasn’t used Red Hat (without the Enterprise) Linux in the past.

                                          I can’t put my finger on it (maybe it’s simply “server vs desktop”), but CentOS always seemed to me like a full replacement for “Red Hat Linux, as in 5.x/6.x, 20 years ago”, and Fedora did not.

                                          So it’s not really about being “free”, it’s about still using that thing. (I’m in the Debian/Ubuntu camp, thus my lack of real knowledge about Fedora)

                                          1. 1

                                            Was this meant to be a reply to the parent comment? Because I don’t feel like it really relates to what I said. :)

                                            1. 1

                                              Actually it was meant for you, re: what you answered to jzb, because I didn’t see the focus on a “free RHEL”.

                                              If I arrived at the distro scene today I’d see CentOS as a free RHEL, but my point was that if I wanted a server, my goal wouldn’t be “I need a free RHEL” but rather “I want something that uses RPM, and I don’t see Fedora as a server distro”. RHEL compatibility is not important to me, and a distro being free is more the norm than the exception.

                                              But maybe I completely missed your point there.

                                      1. 2

                                        I think you maybe linked the same thing?

                                        1. 4
                                      1. 3

                                        AUGH! Can we just find a better system than PAM for authentication? It is absolutely full of these traps that leave your system wide open.

                                        1. 2

                                           Well, the trap in this case was an actual bug that could have occurred with any authentication system; it just happened to be exposed by a specific faulty configuration.

                                        1. 21

                                          Related: In case you missed it (as I did up until a few days ago) the blame view on GitHub has an inconspicuous button next to each chunk that redoes the blame on the file prior to that particular change:

                                          https://github.blog/2017-01-18-navigate-file-history-faster-with-improved-blame-view/

                                          It has made iterative blaming much faster for me.

                                          1. 16

                                            And if you want to do that locally, tig’s blame view supports it as well, using the , key.

                                          1. 12

                                            The grace period should be long over.

                                            It’s time for the EU to stop being nice and start the fines.

                                            1. 9

                                              The author, and anyone else experiencing similar things, need to start by filing a complaint with their local Data Protection Authority for anything to be able to happen.

                                              1. 4

                                                Don’t mean to be a downer, but just filing complaints is probably not enough either. Joining (or setting up) campaigns is still the way to go. It’s not as if Schrems et al. suddenly stopped working because they won some cases.

                                              2. 3

                                                The local data authorities are doing that, this website tracks the fines https://www.enforcementtracker.com/

                                              1. 2

                                                This is why ExaBGP exists; there’s no need to run something as beastly as BIRD. It also includes powerful Watchdog capabilities where an external script/tool can be used to enable/disable advertising based on the health of other services.

                                                That said, it’s nice to see more people learning about this functionality. It’s really great.

                                                edit: ahh, 5880 / BFD is new enough that it’s not in ExaBGP yet. Then again I don’t remember ever needing it; our failovers were almost instantaneous with our watchdog designs and the loss of a single router wasn’t a concern.
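
                                                For the curious, the watchdog wiring looks roughly like this in ExaBGP 4-style configuration. This is a sketch from memory: the neighbor addresses, AS numbers, and health-check script are all hypothetical, so check the ExaBGP documentation for the exact syntax of your version:

                                                ```
                                                # /etc/exabgp/exabgp.conf (sketch)
                                                process service-watchdog {
                                                    # The script checks the local service and writes lines such as
                                                    #   announce route 198.51.100.53/32 next-hop self
                                                    #   withdraw route 198.51.100.53/32 next-hop self
                                                    # to stdout, bringing the advertisement up or down.
                                                    run /usr/local/bin/check-service.sh;
                                                    encoder text;
                                                }

                                                neighbor 192.0.2.1 {
                                                    router-id 192.0.2.10;
                                                    local-address 192.0.2.10;
                                                    local-as 64512;
                                                    peer-as 64512;

                                                    api {
                                                        processes [ service-watchdog ];
                                                    }
                                                }
                                                ```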

                                                1. 2

                                                  On the other hand, BIRD has fairly extensive documentation, making it easy to figure out its capabilities and limitations and how to do things in general, which cannot be said about ExaBGP.

                                                  1. 1

                                                    That was the opposite of what our ops team found at Cisco when I was there.

                                                1. 16

                                                  also annonymizes the request IPs using MD5 hashing

                                                  Hashing an IPv4 address, which has a very small search space, especially with something as fast as MD5, is not anonymization. On modern hardware it wouldn’t take very long to generate a rainbow table for the entirety of the IPv4 address space, which you can then look up every IP in.

                                                  1. 2

                                                    Came here to say this. Common anonymization techniques instead involve zeroing out the last half of the IP address.
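
                                                    A sketch of that truncation approach, using a documentation address and zeroing the low 16 bits; unlike an MD5 hash it is not reversible, because the information is simply gone:

                                                    ```c
                                                    #include <stdio.h>
                                                    #include <string.h>
                                                    #include <arpa/inet.h>

                                                    int main(void) {
                                                        struct in_addr addr;
                                                        /* Hypothetical client address from the documentation range */
                                                        inet_pton(AF_INET, "203.0.113.45", &addr);

                                                        /* Zero the last half of the address (keep a /16 prefix) */
                                                        addr.s_addr &= htonl(0xFFFF0000);

                                                        char anon[INET_ADDRSTRLEN];
                                                        inet_ntop(AF_INET, &addr, anon, sizeof anon);
                                                        printf("%s\n", anon);   /* 203.0.0.0 */
                                                        return 0;
                                                    }
                                                    ```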

                                                  1. 3

                                                    Awesome read, thank you calvin and the author!

                                                    I end up using poll() like the average kid, but coroutines and threads with explicit flow control à la libtask are a good thing to explore.

                                                    It had to have a bit of asm (maybe going portable with .S files? That worked for libtask and p9p, and Go, IIRC).

                                                    But… does this work? Only the stack pointer is saved, not the state of the CPU registers:

                                                    void print_4_is_the_thing(void) {
                                                        int a = 4;
                                                        task_relinquish();
                                                        printf("%d\n", a);
                                                    }
                                                    

                                                    Some more asm was required for https://github.com/jamwt/libtask/blob/master/asm.S

                                                    But reading setjmp()’s man page, it looks like it saves not only the register state in jmp_buf, but also the stack pointer!

                                                    The setjmp() function saves various information about the calling environment (typically, the stack pointer, the instruction pointer, possibly the values of other registers and the signal mask) in the buffer env for later use by longjmp(). In this case, setjmp() returns 0. – setjmp(3)

                                                    So that means it should be possible to get it running without the inline asm compiler extension, using just the POSIX behavior of setjmp()? I want to try simply removing the asm and seeing what it does… But it seems the asm has a different role:

                                                    This task has not been started yet. Assign a new stack pointer, run the task, and exit it at the end. – the blog article

                                                    That would make it extremely portable, as every architecture supporting setjmp() and longjmp() would therefore support it.
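
                                                    A quick way to convince yourself of the POSIX part: within one live stack frame, longjmp() really does restore the registers (stack pointer included) that setjmp() saved. This sketch loops three times with no asm at all; what setjmp() cannot do is point execution at a freshly allocated stack, which is the one job left for the article’s inline assembly:

                                                    ```c
                                                    #include <setjmp.h>
                                                    #include <stdio.h>

                                                    static jmp_buf env;

                                                    int main(void) {
                                                        /* Locals modified between setjmp() and longjmp() must be
                                                           volatile to have defined values after the jump. */
                                                        volatile int pass = 0;

                                                        setjmp(env);          /* longjmp() lands here, state restored */
                                                        pass++;
                                                        printf("pass %d\n", pass);

                                                        if (pass < 3)
                                                            longjmp(env, 1);  /* rewind to the setjmp() point */
                                                        return 0;
                                                    }
                                                    ```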

                                                    1. 2

                                                      Some more asm was required for https://github.com/jamwt/libtask/blob/master/asm.S

                                                      That’s because libtask chooses to save and restore the full context manually rather than using setjmp/longjmp or similar.

                                                      Another one you might want to look at is libmill/libdill, which uses sigsetjmp/siglongjmp by default (presumably to make it signal safe), with a custom assembly version for x86_64 (and i386 for libdill).

                                                      But reading setjmp()’s man page, it looks like it saves not only the register state in jmp_buf, but also the stack pointer!

                                                      The setjmp() function saves various information about the calling environment (typically, the stack pointer, the instruction pointer, possibly the values of other registers and the signal mask) in the buffer env for later use by longjmp(). In this case, setjmp() returns 0. – setjmp(3)

                                                      So that means it should be possible to get it running without the inline asm compiler extension, using just the POSIX behavior of setjmp()?

                                                      It saves it and then restores it on longjmp(3), yes, but the inline assembly isn’t doing either of those things. It’s setting the new stack pointer to the newly allocated stack, which after that call is the current stack pointer. You can’t have setjmp/longjmp save/restore the pointer to the task’s stack if it was never set to the new stack to begin with.

                                                    1. 27

                                                      It’s worth linking to A&A’s (a British ISP) response to this: https://www.aa.net.uk/etc/news/bgp-and-rpki/

                                                      1. 16

                                                        Our (Cloudflare’s) director of networking responded to that on Twitter: https://twitter.com/Jerome_UZ/status/1251511454403969026

                                                        there’s a lot of nonsense in this post. First, blocking our route statically to avoid receiving inquiries from customers is a terrible approach to the problem. Secondly, using the pandemic as an excuse to do nothing, when precisely the Internet needs to be more secure than ever. And finally, saying it’s too complicated when a much larger network than them like GTT is deploying RPKI on their customers sessions as we speak. I’m baffled.

                                                        (And a long heated debate followed that.)

                                                        A&A’s response on the one hand made sense - they might have fewer staff available - but on the other hand RPKI isn’t new and Cloudflare has been pushing carriers towards it for over a year, and route leaks still happen.

                                                        Personally as an A&A customer I was disappointed by their response, and even more so by their GM and the official Twitter account “liking” some very inflammatory remarks (“cloudflare are knobs” was one, I believe). Very unprofessional.

                                                        1. 15

                                                          Hmm… I do appreciate the point that route signing means a court can order routes to be shut down, in a way that wouldn’t have been as easy to enforce without RPKI.

                                                          I think it’s essentially true that this is CloudFlare pushing its own solution, which may not be the best. I admire the strategy of making a grassroots appeal, but I wonder how many people participating in it realize that it’s coming from a corporation which cannot be called a neutral party?

                                                          I very much believe that some form of security enhancement to BGP is necessary, but I worry a lot about a trend I see towards the Internet becoming fragmented by country, and I’m not sure it’s in the best interests of humanity to build a technology that accelerates that trend. I would like to understand more about RPKI, what it implies for those concerns, and what alternatives might be possible. Something this important should be a matter of public debate; it shouldn’t just be decided by one company aggressively pushing its solution.

                                                          1. 4

                                                            This has been my problem with a few other instances of corporate messaging. Cloudflare and Google are giant players that control vast swathes of the internet, and they should be looked at with some suspicion when they pose as simply supporting consumers.

                                                            1. 2

                                                              Yes. That is correct, trust needs to be earned. During the years I worked on privacy at Google, I liked to remind my colleagues of this. It’s easy to forget it when you’re inside an organization like that, and surrounded by people who share not only your background knowledge but also your biases.

                                                          2. 9

                                                            While the timing might not have been the best, I would overall be on Cloudflare’s side on this. When would the right time to release this be? If Cloudflare had waited another 6-12 months, I would expect them to release a pretty much identical response then as well. And I seriously doubt that their actual actions and their associated risks would actually be different.

And as ISPs keep showing over and over, statements like “we do plan to implement RPKI, with caution, but have no ETA yet” all too often mean that nothing will ever happen without efforts like what Cloudflare is doing here.


                                                            Additionally,

                                                            If we simply filtered invalid routes that we get from transit it is too late and the route is blocked. This is marginally better than routing to somewhere else (some attacker) but it still means a black hole in the Internet. So we need our transit providers sending only valid routes, and if they are doing that we suddenly need to do very little.

Is some really suspicious reasoning to me. I would say that black-hole routing the bogus networks is in every instance significantly, rather than marginally, better than just hoping that someone reports the leak so that they can then resolve it manually.

                                                            Their transit providers should certainly be better at this, but that doesn’t remove any responsibility from the ISPs. Mistakes will always happen, which is why we need defense in depth.

                                                            1. 6

                                                              Their argument is a bit weak in my personal opinion. The reason in isolation makes sense: We want to uphold network reliability during a time when folks need internet access the most. I don’t think anyone can argue with that; we all want that!

However, they use it to excuse not doing anything, when they are actually in a situation where both implementing and not implementing RPKI can reduce network reliability.

                                                              If you DO NOT implement RPKI, you allow route leaks to continue happening and reduce the reliability of other networks and maybe yours.

                                                              If you DO implement RPKI, sure there is a risk that something goes wrong during the change/rollout of RPKI and network reliability suffers.

So, with all things being equal, I would choose to implement RPKI, because at least with that option I would have greater control over whether or not the network will be reliable. Whereas in the situation of NOT implementing, you’re just subject to everyone else’s misconfigured routers.

Disclosure: Current Cloudflare employee/engineer, but opinions are my own, not my employer’s; also not a network engineer, so hopefully my comment does not have any glaring ignorance.

                                                              1. 4

Agreed. A&A does have a point regarding Cloudflare’s argumentum in terrorem, especially the name-and-shame “strategy” via their website as well as Twitter. Personally, I think it is a dick move. This is the kind of stuff you get as a result:

                                                                This website shows that @VodafoneUK are still using a very old routing method called Border Gateway Protocol (BGP). Possible many other ISP’s in the UK are doing the same.

                                                                1. 1

                                                                  I’m sure the team would be happy to take feedback on better wording.

                                                                  The website is open sourced: https://github.com/cloudflare/isbgpsafeyet.com

                                                                  1. 1

                                                                    The website is open sourced: […]

There’s no open source license in sight so no, it is not open sourced. You, like many other people, confuse and/or conflate anything being made available on GitHub with being open source. This is not the case - without an associated license (and please don’t use a viral one - we’ve got enough of that already!), the code posted there doesn’t automatically become public domain. As it stands, we can see the code, and that’s that!

                                                                    1. 7

                                                                      There’s no open source license in sight so no, it is not open sourced.

                                                                      This is probably a genuine mistake. We never make projects open until they’ve been vetted and appropriately licensed. I’ll raise that internally.

                                                                      You, like many other people confuse and/or conflate anything being made available on GitHub as being open source.

You are aggressively assuming malice or stupidity. Please don’t do that. I am quite sure this is just a mistake; nevertheless, I will ask internally.

                                                                      1. 1

                                                                        There’s no open source license in sight so no, it is not open sourced.

                                                                        This is probably a genuine mistake. We never make projects open until they’ve been vetted and appropriately licensed.

                                                                        I don’t care either way - not everything has to be open source everywhere, i.e. a website. I was merely stating a fact - nothing else.

                                                                        You are aggressively […]

                                                                        Not sure why you would assume that.

                                                                        […] assuming malice or stupidity.

Neither - ignorance at most. Again, this is purely a statement of fact - no more, no less. Most people know very little about open source and/or nothing about licenses. Otherwise, GitHub would not have bothered creating https://choosealicense.com/ - which itself doesn’t help the situation much.

                                                                      2. 1

                                                                        It’s true that there’s no license so it’s not technically open-source. That being said I think @jamesog’s overall point is still valid: they do seem to be accepting pull requests, so they may well be happy to take feedback on the wording.

                                                                        Edit: actually, it looks like they list the license as MIT in their package.json. Although given that there’s also a CloudFlare copyright embedded in the index.html, I’m not quite sure what to make of it.

                                                                        1. -1

                                                                          If part of your (dis)service is to publically name and shame ISPs, then I very much doubt it.

                                                                2. 2

While I think that this is ultimately a shit response, I’d like to see a more well-wrought criticism of the centralized signing authority that they mentioned briefly in this article. I’m trying to find more, but I’m not entirely sure of the best places to look given my relative naïveté of BGP.

                                                                  1. 4

So as a short recap, IANA is the top-level organization that oversees the assignment of e.g. IP addresses. IANA then delegates large IP blocks to the five Regional Internet Registries, AFRINIC, APNIC, ARIN, LACNIC, and RIPE NCC. These RIRs then further assign IP blocks to LIRs, which in most cases are the “end users” of those IP blocks.

                                                                    Each of those RIRs maintain an RPKI root certificate. These root certificates are then used to issue certificates to LIRs that specify which IPs and ASNs that LIR is allowed to manage routes for. Those LIR certificates are then used to sign statements that specify which ASNs are allowed to announce routes for the IPs that the LIR manages.
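That chain of certificates ultimately feeds a simple origin check at routing time. Here is a minimal, hypothetical Python sketch of RPKI route-origin validation (the ROA records and AS numbers are made up for illustration; real validators consume signed objects from the RIR trees), returning the three standard validation states:

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class ROA:
    prefix: ipaddress.IPv4Network  # the covered prefix
    max_length: int                # longest announcement the ROA permits
    asn: int                       # AS authorized to originate routes

def rpki_validate(announced: str, origin_asn: int, roas: list) -> str:
    """Classify a BGP announcement against a set of ROAs.

    Returns 'valid', 'invalid', or 'not-found' (the three RPKI
    origin-validation states)."""
    net = ipaddress.ip_network(announced)
    covering = [r for r in roas if net.subnet_of(r.prefix)]
    if not covering:
        return "not-found"          # no ROA covers this prefix at all
    for roa in covering:
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"                # covered, but wrong origin or too specific

# Toy data: AS64500 may announce 192.0.2.0/24, nothing longer.
roas = [ROA(ipaddress.ip_network("192.0.2.0/24"), 24, 64500)]
print(rpki_validate("192.0.2.0/24", 64500, roas))   # valid
print(rpki_validate("192.0.2.0/24", 64501, roas))   # invalid: wrong origin AS
print(rpki_validate("198.51.100.0/24", 64500, roas))  # not-found
```

The “invalid” state is what filtering acts on; “not-found” routes are still accepted, which is why partial ROA coverage across the Internet limits how much protection anyone gets.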

                                                                    So their stated worry is then that the government in the country in which the RIR is based might order the RIR to revoke a LIR’s RPKI certificate.


                                                                    This might be a valid concern, but if it is actually plausible, wouldn’t that same government already be using the same strategy to get the RIR to just revoke the IP block assignment for the LIR, and then compel the relevant ISPs to black hole route it?

And if anything this feels even more likely to happen, and be more legally viable, since it could target a specific IP assignment, whereas revoking the RPKI certificate would make the ROAs for all of the LIR’s IP blocks invalid.

                                                                    1. 1

                                                                      Thanks for the explanation! That helps a ton to clear things up for me, and I see how it’s not so much a valid concern.

                                                                  2. 1

                                                                    I get a ‘success’ message using AAISP - did something change?

                                                                    1. 1

                                                                      They are explicitly dropping the Cloudflare route that is being checked.

                                                                  1. 1

                                                                    Nice TODOs. ;)

                                                                    1. 7

                                                                      The twitter thread for this was the first time I heard of you, Hillel (I think that you also proposed other programs to be proven, in addition to leftpad? Edit: There it is!). Since then I’ve been reading many of your posts.

                                                                      I recently tried to do a pen-and-paper proof of a bubble sort, and see if and how this could be formalized. The context is “Suppose you’d made a programming language in which proving programs correct is as close as possible to what a mathematician would do on paper”. My experiences:

                                                                      • Mathematics uses a lot of notation that is not easy to write down in ASCII (quantifiers, operators, arrows, …).
• You need to ‘encode’ programming language concepts in math. For example, I chose to encode an int array as a function from the natural numbers to the integers.
                                                                      • Some things are hard to formally express. For example, you can specify the requirements for a sorting function as ‘output contains the same elements as the input, but sorted’. The sorted part is relatively easy to express mathematically, but ‘contains the same elements’ is harder.

I chose to use functions to model arrays. An int array with n elements becomes a function from { 0, 1, …, n - 1 } to the integers. Now, we can phrase the requirement for a sorting function as: the output function/array equals the composition of a permutation of { 0, 1, …, n - 1 } and the input function. Now you need some theory on permutations (most relevant: if you swap two elements in a permutation, it’s still a permutation).

                                                                      On top of that, you also need some axioms for integers. With these techniques and with a lot of loop invariants, it’s possible to prove the correctness of bubble sort. Then you realize you’ll also need to prove termination…

                                                                      Nothing in these steps is prohibitively hard, but it’s a lot of work and quite a rabbit hole!
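To make the permutation spec concrete, here’s a Python sketch: the checker literally searches for a permutation of indices relating output to input, mirroring the mathematical definition rather than aiming for efficiency (it’s exponential, so spec-checking only):

```python
from itertools import permutations

def is_sorted(xs):
    # the "sorted" half of the spec
    return all(xs[i] <= xs[i + 1] for i in range(len(xs) - 1))

def is_permutation_of(out, inp):
    """The "same elements" half: there exists a bijection p on indices
    with out[i] == inp[p[i]] for all i. Brute force over all p."""
    if len(out) != len(inp):
        return False
    return any(all(out[i] == inp[p[i]] for i in range(len(inp)))
               for p in permutations(range(len(inp))))

def bubble_sort(xs):
    xs = list(xs)
    for n in range(len(xs), 1, -1):
        for i in range(n - 1):
            if xs[i] > xs[i + 1]:
                xs[i], xs[i + 1] = xs[i + 1], xs[i]
    return xs

inp = [3, 1, 2, 1]
out = bubble_sort(inp)
assert is_sorted(out) and is_permutation_of(out, inp)
```

A proof replaces the brute-force search with an explicit permutation built from the swaps, which is exactly where the “swapping two elements of a permutation yields a permutation” lemma earns its keep.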

                                                                      1. 2

                                                                        Some things are hard to formally express. For example, you can specify the requirements for a sorting function as ‘output contains the same elements as the input, but sorted’. The sorted part is relatively easy to express mathematically, but ‘contains the same elements’ is harder.

                                                                        Just to throw it out there since I got nerdsniped, are the following criteria not enough to express “contains the same elements”?

                                                                        • The input and the output contain the same number of elements.
                                                                        • For all elements in the input, the element is present in the output.

                                                                        Maybe one or both of those criteria is itself hard to express.

                                                                        1. 2

                                                                          If the input contains duplicates, the output could contain another element and still fulfil those requirements.

You could have it apply to both in->out and out->in, but then the same thing could happen if there’s more than one element that has duplicates.

                                                                          1. 1

                                                                            Ah! Yep, I see it now. Thanks!

                                                                          2. 2

                                                                            @kyrias pointed out the issue, but you can make this valid by instead saying “every element of the input has the same count in the output.” In fact when I teach workshops I have students specify sorting both ways, as a permutation spec and as a counter spec.
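Both the counterexample and the counter-spec fix can be checked directly in Python with collections.Counter:

```python
from collections import Counter

def same_elements(inp, out):
    # "every element of the input has the same count in the output"
    return Counter(inp) == Counter(out)

# The duplicate counterexample from the thread: same length, and every
# input element is present in the output, yet not the same multiset.
inp = [1, 1, 2]
bad = [1, 2, 2]
assert len(inp) == len(bad)
assert all(x in bad for x in inp)
assert not same_elements(inp, bad)          # counter spec catches it
assert same_elements(inp, sorted(inp))      # a real sort passes
```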

                                                                        1. 5

It’s got to be a keyword; that’s how it can combine into is not, with not also being a keyword.

                                                                          Also there’s a quite ubiquitous use of is that justifies its inclusion; compare a is None to a == None to not a… only by testing the identity can you know for certain that None was passed.
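A small illustration of why only identity is reliable here; Weird is a contrived class whose __eq__ and __bool__ both lie:

```python
class Weird:
    def __eq__(self, other):
        return True       # claims equality with everything, even None
    def __bool__(self):
        return False      # falsy, so `not a` also misleads

a = Weird()
assert a == None          # == is fooled by __eq__ (noqa: E711, deliberately)
assert not a              # truthiness is fooled by __bool__
assert a is not None      # only identity gives the right answer
```

Pathological classes aside, this also matters for ordinary NumPy arrays and ORM objects, where == is overloaded to mean something other than “is this None”.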

                                                                          1. 2

                                                                            You put that very clearly, here and in the other comments; I learned something today.

                                                                            One other ubiquitous use of is: type inspection, like if type(a) is MyClass or if type(a) is str.

                                                                            (Some of the time isinstance(a, MyClass) will also do, but if you want to exclude the possibility of subclass instances, only a type identity check suffices.

On the other hand, one could also argue that is tempts people into checking for identity when a subclass would also suffice; and that this may needlessly prevent interoperation with otherwise-valid subclasses. Hm. I really like the keyword, though, especially compared to ===)
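The subclass distinction is easy to demonstrate (Base and Sub are throwaway names for illustration):

```python
class Base: ...
class Sub(Base): ...

obj = Sub()
assert isinstance(obj, Base)      # accepts instances of subclasses
assert type(obj) is not Base      # exact-type identity excludes them
assert type(obj) is Sub           # only the concrete class matches
```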

                                                                            1. 5

                                                                              Note that you don’t normally need is for this sort of type inspection, as type(a) == MyClass works fine pretty much always. I think the only time it wouldn’t work correctly is if one of the classes involved had a metaclass that overrode __eq__ and did something perverse with it. I think that the cases where you really need is are uncommon; you need to care about object identity and be in a situation where something is overriding == in a way that affects the comparison you care about. Python definitely should have something that checks object identity in the way that is does, but I don’t know if it needs to be a tempting keyword instead of a built-in function.

                                                                              (I’m the author of the linked to article.)

                                                                              1. 2

Every language must have a means of checking both identity and equality … they are fundamentally different things. The choice to make both of them an operator is quite common; the only real distinction Python makes by choosing == and is over, say, == and === is that its identity operator is also promoted to a keyword.

                                                                                And just because you find it to be uncommon does not mean that it is, in fact, uncommon. I use is all the time, for instance with enum.Enum members, to properly handle default values that need to be mutable, and to identify sentinel values in iterators (usually None, but not if None is a legitimate value of the iterator) … it’s also extremely necessary to things like the Singleton pattern in Python.
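The sentinel case is a nice concrete one. A sketch of the usual pattern, where None can be a legitimate value, so a private object() serves as the “no default given” marker and is is the only safe test for it:

```python
_MISSING = object()  # unique sentinel; nothing else is identical to it

def first(iterable, default=_MISSING):
    """Return the first item, or `default` if the iterable is empty."""
    for item in iterable:
        return item
    if default is _MISSING:   # identity check: None may be a real value
        raise ValueError("empty iterable and no default given")
    return default

assert first([None, 1]) is None     # None is a legitimate element here
assert first([], default=None) is None
```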

                                                                                Moreover you’re throwing out the baby with the bathwater … sure, exactly as you said you can use type(a) == MyClass pretty much anywhere you might use type(a) is MyClass, but why would you? Why necessarily invoke the performance cost of equality comparison? The underlying cost of is is near zero, but by using == you force lookup and execution of MyClass.__eq__ and, if that returns False or NotImplemented you further force lookup and execution of type(a).__eq__ … both of which could be implemented in such a way as to be unbearably time consuming.

See, the question of identity is, precisely, “are these the same thing” rather than “do these share the same attributes” … they’re fundamentally different questions, and when all you care about is identity, why bother asking for equality?
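That dispatch cost is observable: == routes through __eq__ (including the reflected call when the first returns NotImplemented), while is never invokes any method. A contrived Loud class makes the calls countable:

```python
class Loud:
    calls = 0
    def __eq__(self, other):
        Loud.calls += 1
        return NotImplemented   # force fallback to the reflected call

a = Loud()
b = Loud()
a == b                     # a.__eq__(b), then b.__eq__(a): two lookups
assert Loud.calls == 2
before = Loud.calls
assert a is a              # pure identity: no method lookup at all
assert Loud.calls == before
```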

                                                                            2. 2

                                                                              Arguing that it has to be a keyword because otherwise you would have to write it differently is a weird argument to me. It just means that it would be written not is(a, b) instead, which might not read as nicely, but that’s a different argument.

                                                                              1. 7

Perhaps I should have been more specific: is needs to be either a reserved keyword or an operator (in effect it’s both, though it’s not truly an operator because, like and, or, and not, it cannot be overloaded) precisely because Guido et al. intended it to be used as a syntactic construct… it cannot be a function because it would then have to be used with the call syntax, be assignable to a name, and be overloadable in user code. There is no desire for an overloadable identity operation; indeed, allowing it to be overloaded would break fundamental language semantics. The same is true of None, which is why it’s also a keyword, though it could just be a globally available variable… in Python the argument for promoting something to an operator is “should this bind values around it into an operation” and for promotion to a keyword is “should the meaning of this never even potentially change during runtime” and (optionally) “should this modify other keywords” … in the case of is the answer to all of those is “yes”, so the only option was to make it a keyword.

                                                                                1. 1

                                                                                  It seems to me like the same arguments would mean that isinstance should also be a keyword though?

                                                                                  1. 3

                                                                                    Sure, it could be extended to any number of things — Python 2 didn’t see True or False as keywords, but that protection was extended to them in Python 3 — but would it add any semantic value to do so, by stripping call semantics from it and allowing it to be used as an operator or to directly interact with other keywords?

                                                                                    Some keywords have been downgraded (most notably print), but that was because there was added value in doing so, and also a colorable argument for overloading existed. The simple fact is that identity testing is a fundamental operation — much more so than introspecting class phylogeny — and the benefits of being a keyword far outweigh the minor confusion it can cause in relative newbies, while there’d be no advantage to removing it except for people who don’t know why it’s fundamental.

                                                                                    In other languages you’ve got equality as == and identity as ===… frankly we’ve got it easy with is.

                                                                                2. 2

                                                                                  is being built in means you know it can’t be overridden.

It being a function would be ugly.

                                                                              1. 4

                                                                                It took Y half a year to get the web site up again, and finally all those dead links stopped screaming.

                                                                                Not only that, most parts of it never came back again at all.

                                                                                1. 10

                                                                                  What3Words are pretty weird, I’d prefer them not to succeed in the marketplace.

That said, I’m speculating they have a solid DMCA case here. I have not seen the code in question, but I figure W3W does geohashing by translating lat/long into unique 3-word tuples using a lookup table. This table has been chosen to be clear and unambiguous, and that’s the relevant IP (the hashing algo too, I imagine).

                                                                                  If WhatFreeWords had substituted their own lookup table, I doubt this would have been any problem.

                                                                                  I’d rather a competing standard was developed and hosted by OpenStreetMap, instead of trying to reverse-engineer some company that’s legally trigger-happy.

                                                                                  1. 10

                                                                                    This table has been chosen to be clear and unambiguous

                                                                                    You would think so, but it’s not the case. An article about What3Words listed reporter.smoked.received as the address of the Stade de France. But if you search reporter.smoked.received on What3Words, you will see it’s in Laredo, Missouri. Reporter.smoker.received, just one letter’s difference, is the Stade. W3W is not just a badly-licensed land grab, it’s also a terrible product!

                                                                                    1. 4

                                                                                      That’s intentional, the idea being that you know roughly where the identifier is meant to point to, so you would realize that you have the wrong one if it’s on a different continent. (See https://support.what3words.com/en/articles/2212868-why-are-the-words-randomly-assigned-wouldn-t-it-be-better-if-there-was-some-logic-hierarchy-structure-to-the-naming-structure)

                                                                                      1. 2

                                                                                        Thanks for the link. But it doesn’t really detract from my (admittedly wild-ass guess) legal theory.

                                                                                        The fact whether the words are actually unambiguous is not relevant - the point is that W3W can argue that they have made significant effort in choosing the words and that the lookup table is proprietary information, covered by DMCA protections.

                                                                                        (By the way, the article has been corrected to note that the address for Stade de France is the smoker variant)

                                                                                        1. 1

                                                                                          They don’t really argue that, though. As kyrias points out in their link the words are chosen at random. This seems like incredibly thin ice for copyright purposes, almost straying into conceptual art territory.

                                                                                          The W3W promise is three words to define a location. The hedge is three words, plus a general idea of where the location is so you know if there’s an error. The reality is three words plus an unknown probability of an error and no way to correct it. Real addresses feature hierarchy and redundancy for this reason.

                                                                                          1. 3

Since my comment I’ve been reading up a bit. Here’s a purported DMCA takedown notice (not necessarily the exact one served for WhatFreeWords) that makes the same argument I surmised:

                                                                                            A key feature of W3W’s activities is its creation of unique three-word addresses (“3WAs”) for three-metre by three-metre “squares” of the Earth’s surface. […] 3WAs are generated through the use of software code and approximately 57,000,000,000 word combinations made from a wordlist of over 40,000 words compiled by and proprietary to W3W.

                                                                                      2. 7

                                                                                        I’d rather a competing standard was developed and hosted by OpenStreetMap, instead of trying to reverse-engineer some company that’s legally trigger-happy.

                                                                                        Plus codes come close I think; no need for yet another standard. Granted they’re not pronounceable words, but What3Words also needs homonym disambiguation so I’m not sure much is lost.

                                                                                        See also: Evaluation of Location Encoding Systems.

                                                                                        1. 2

                                                                                          I had plus codes in the back of my mind when I wrote my comment, but believed they weren’t fully open. Thanks for informing me.

                                                                                          Edit - the HN discussion on this submission is quite interesting. Among others, yet another competing geo-phrase service offers this critique of OLC/Plus Codes: https://www.qalocate.com/whats-wrong-with-open-location-code/

                                                                                          1. 1

                                                                                            not pronounceable words

                                                                                            I’m not convinced that English pronounceability is really such a killer feature for something that’s supposed to be usable worldwide. But that’s neither here nor there. Thanks for the links!