1. 9

    Contrary to the comments at Reddit, I’m pretty sure Apple cannot do this unless you have installed an MDM profile…

    Locking, remote wipe, etc. are limited to your iCloud account. There is no equivalent to “Google Play Services”. APNS has no control; it only handles push notifications.

    1. 15

      Contrary to the comments at Reddit, I’m pretty sure Apple cannot do this unless you have installed an MDM profile…

      When the OS is closed source how would you know?

      1. 12

        If you think Apple has a gaping backdoor in all of their phones which violates the mission of their product line, then please prove me wrong. In fact, take this opportunity to short their stock and prove it to the world. You could make yourself really rich really fast.

        Nobody else has done it, and everything Apple has done with their product line has been to constantly increase user security, not install backdoors for remote control and spying.

        I do not think they are perfect, but this would be a huge blow to their public perception and would certainly tarnish their brand for years to come.

        1. 7

          Objectively, I think that u/user545 has a valid point. When proprietary software is in place there is no way to verify that such software does what the user expects it to do, and nothing more. Just because Apple has said it doesn’t spy on its users, doesn’t mean such a statement is true; and we cannot trust them, because we don’t know what the program does in the inside.

          1. 9

            Perhaps it’s not as severe as user545 says.

            I think the argument can be transposed to anything done by anyone else:

            • I didn’t see how cars were built. So I have to assume the worst.
            • I didn’t see how roads were built. So I have to assume the worst.
            • I didn’t audit this open source project’s source code myself. So I have to assume the worst.
              • Or I only heard from someone that this source code checks out. But I don’t know that person, so I have to assume the worst (that they’re lying to me).
              • I didn’t audit the crypto algorithms. So I have to assume the worst.
              • I didn’t compile it myself. So I have to assume the worst.
              • I didn’t compile my compiler myself. So I have to assume the worst.
              • I didn’t compile my operating system myself with my own compiler. So I have to assume the worst.
              • I didn’t mine and process the raw resources to create my computer. So I have to assume the worst.

            Sure I can assume the worst, but then I probably wouldn’t live in a society.

            “Assume the worst” feels like an impractical rule to follow. Instead, it’s a practical tradeoff of efficiency (of my time) and likelihood I need to “assume the worst”. I’m not discounting the valuable effort that security researchers do to audit and break into these systems. Especially if they take this approach, that’s great. But they’re way more qualified and have more resources (e.g. time, money) than me to do it. I’m not going to blindly assume the worst that these security researchers are out to trick me.

            I agree with feld. Apple isn’t perfect. They may change in the future. But Apple seem less likely than Google to implement a backdoor like this based on the way they position themselves in the market right now.

            1. 5

              You’re missing two things:

              1. “They’re usually defective since suppliers don’t care or have liability.”

              2. “Intelligence agencies and law enforcement are threatening fines or jail for not putting secret backdoors in. The coercive groups also have legal immunity. Their targets can do 15 years if they talk.”

              No 1 also applies to FOSS. With those premises, I definitely can’t trust closed-source software to not have incidental or intentional vulnerabilities. Now, we’re back to thorough design and review by parties we trust. Multiple, skilled, mutually-suspicious groups.

              1. 2

                Thanks,

                I agree with you on #1, including that it applies to FOSS. I may argue that a supplier has more incentive to fix it if you’re a potentially influential customer over a FOSS that has a disinterested maintainer (making you fall back to build-it-yourself or audit yourself. And to be clear, FOSS is definitely a better option than if the non-cooperative supplier is a monopoly). But I’d admit I’d only be able to back that up anecdotally, which isn’t a strong case.

                For #2, couldn’t that also apply to key maintainers in FOSS if they are contributing to the same project? I’d take a random guess that governments may find it impossible to coerce a small set of individuals. 15 years would equally scare FOSS maintainers as well. Sure, a geographical barrier may make that more difficult, but I’d guess that human-based intelligence agencies like the CIA probably have some related experience in this. I agree that FOSS makes it harder to sneak one by reviewers, but maybe there’s not many people needed to coerce to get the backdoor in a release.

                I only tangentially review security topics, so I’m not sure if that’s a realistic threat or just a tinfoil-hat thought <:-).

                I guess I’m putting more emphasis from the perspective of a typical (non-technical) user of software to:

                1. care more about security / privacy
                2. pressure companies they support to have better security/privacy practices

                Over distrusting all companies and having a significantly worse user experience of using software in general. Non-technical users generally like the fallback of technical support over just “figure it out yourself” or “you lost all your data because you couldn’t manage your secrets”.

                I’m curious, if a company allowed you to audit their source code before you approved/used it, would that significantly minimize the advantages FOSS software have over proprietary software for you?

                1. 2

                  I may argue that a supplier has more incentive to fix it if you’re a potentially influential customer over a FOSS that has a disinterested maintainer

                  This hasn’t been the case at all in the mobile space. The supplier has an incentive to not fix things so you buy a new device, whereas FOSS maintainers want your device to last as long as possible.

                  1. 2

                    I’d agree on the motivation for some suppliers to upsell to newer devices, although I don’t really understand the motivation for FOSS maintainers to want you to use your device as long as possible. As one who maintained iOS libraries, there’s strong motivation to deprecate older devices/platforms since it’s a maintenance burden that sometimes hinders new feature work (and typically the most active contributors use the latest stuff). And when pitted against supporting the latest devices vs the older devices, chances are the newer stuff will win in those debates.

                    Thinking through the supplier stuff a bit more doesn’t make that much difference though. Sure, it doesn’t feel like a great business practice for a company to upsell. But it’s also how those companies stay in business. It could be viewed similarly to a maintenance support fee for existing devices. If suppliers offered a retainer fee, it would effectively be the same thing then?

                    1. 2

                      The LineageOS team does amazing work keeping old Android devices on the latest release. Also means app devs don’t have to worry because these old devices support all the new APIs and features.

                  2. 2

                    “For #2, couldn’t that also apply to key maintainers in FOSS if they are contributing to the same project?”

                    That’s a great observation. I held off mentioning it since people often say, “That’s speculation or conspiracy. Prove it with examples.” And the examples would have secrecy orders so… I just dropped the examples where they can find proof it happened. There very well could be coercive action against FOSS maintainers. Both Truecrypt developers and someone doing crypto on Linux filesystems kind of disappeared out of nowhere, not talking about the project any longer. Now we’re into hearsay and guesswork, though. Also, they might be able to SIGINT FOSS with a secrecy order. We might be able to counter that by having people in foreign countries looking for the problem, submitting a fix, and the rule is to always take a fix. They have to spot the problem that might be out of their domain expertise, though.

                    Plenty of possibilities. I just don’t have anything concrete on mandated, FOSS subversion. I will say one of the reasons I’d never publish crypto under my own name or take money for it is this threat. I think it’s very realistic. I think we haven’t seen it play out since the popular libraries for crypto were so buggy that they didn’t need such a setup. If they did, they’d use it sparingly. Those also ran on systems that were themselves ridden with preventable 0-days.

                    Far as open vs closed with review, I wrote an essay on that here.

                    1. 2

                      Thanks for that essay, that was insightful.

                      I roughly remember the Truecrypt incident and that was suspect, although I never came across the Linux file system crypto circumstance. Was it similar to Truecrypt? Was that developer already known? My googling didn’t seem to show up any mention of that at all.

                  3. 1

                    There is one thing I am wondering about. Government agencies require backdoors but I would think they also require backdoors that are kept secret. How does that work with FOSS software? Alright yes they could sneak it in the compiled version maybe but distros are all moving to reproducible builds so that would be detected.

                    1. 2

                      Ignore the Karger/Thompson attack: only happened twice that I know of. The nation-state attackers will go for low-hanging fruit like other black hats. They also need deniability. So, they’re most likely to either (a) use all bug hunting tools to find what’s already there and (b) introduce the kinds of defects people already do by accident. With (b), discoveries might not even burn the source if they otherwise do good work.

                      For FOSS, they’ll slip the vulnerability into a worthwhile contribution. It can be either in that component or be an interaction between it and others. Error-handling code of a complex component is a particularly-good spot since they often have errors.

              2. 10

                They are able to push updates over the internet and the whole thing is proprietary. I am unable to tell you what the system does because I can’t see it. And at any time Apple can push arbitrary code which could add a back door without anyone knowing.

                When you can’t see what is going on you have to assume the worst.

                1. 5

                  I can’t tell whether this is 1. a defense of open-source in general and Android in particular or 2. a critique of Apple.

                  Neither works.

                  1. See example of what just happened. Or the Firefox/Mr Robot partnership recently. Open source does not automatically confer transparent privacy.

                  2. Apple has, in fact, emerged as a staunch defender of user privacy. There are many many examples of apple defending users against law enforcement.

                  You can’t wish Apple to be terrible about privacy and use that as the argument.

                  1. 3

                    Sure you can. They could take money to secretly backdoor the phone for NSA and use lawyers to tell FBI to get lost for image reasons. The better image on privacy leads to more sales. The deal with NSA puts an upper bound on what FBI will do to them since they might just get data from NSA.

                    If that sounds far fetched, remember two things:

                    1. The telecoms were taking around $100 million each from NSA to give them data that they sometimes passed onto feds to use with parallel construction. Publicly they said they gave it out only with warrants. RSA went further to say they encrypted the data but weakened the crypto for $30 mil. The Core Secrets leak also said FBI could “compel” this.

                    2. In the Lavabit trial, Feds argued he wouldn’t have losses if customers didn’t know he gave Feds the master key. He was supposed to do it under court order and then lie about it.

                    Given those two, I don’t trust any profit-motivated company in the US to not hand over data. Except maybe Lavabit in the past. Any of them could be doing it in secret for money that they take or get fines/jail.

                    1. 3

                      I would say Apple is more comparable to Lavabit than the others – they’re actively and publicly taking steps to protect their users’ privacy.

                      I wouldn’t argue that they will never do it, but to paint Apple and Google with the same brush on user privacy is silly and irresponsible.

                      1. 2

                        Well, we know that the secret, court meeting was going to put him in contempt or else. He had to shut the business down to avoid it. Apple may have been able to do more due to both size and making case public debate. Then again, that may have been a one-time victory followed by a secret loss. You can’t know if there’s two legal systems in operation side by side, one public and one secret. I assume the worst if the secret system is aggressively after something.

                        “I wouldn’t argue that they will never do it, but to paint Apple and Google with the same brush on user privacy is silly and irresponsible.”

                        I agree with this. Apple is a product company. Google is a full-on, surveillance company. Google is both riskier for their users now and more over time as they collect more which more parties get in various ways.

                    2. 3

                      I am not defending Android at all. As you can see in the OP post, Android is absolutely horrible for privacy and control. I also agree that open source is not flawless, of course, but open source enables us to have the opportunity to inspect the programs we use (usually while contributing features). From what I understand the Firefox event was pushed through a beta/testing channel and not through the FF source. I would hope all Linux distros have this feature turned off when packaging FF.

                      The OP comment was asking me to prove that Apple is able to change user settings over the network and I think that is an unreasonable statement to make when the software is closed source. I also mentioned that it is possible as Apple is able to push new updates at any time with arbitrary code. So they have the capability of doing anything that is possible hardware-wise.

                      1. 2

                        Fair on your 2nd point of responding to the OP and I don’t know whether they have the capability. However, they seem, at least at the moment, disinterested in taking random liberties with their users’ privacy.

                        1. 3

                          disinterested in taking random liberties with their users’ privacy.

                          I think that’s probably true but no one in this thread actually knows, and one day it’s quite likely that the US government will force them to backdoor devices if they haven’t already.

                    3. [Comment removed by author]

                      1. 1

                        I can be sure in the way I can find out if needed. With proprietary software I can not be sure even if I was willing to put in the effort unless I wanted to spend my whole life trying to reverse engineer a build that would be out of date in a few months.

                        1. 1

                          I’ll add that the move toward tamper-resistant enclaves and integrity checks will make that even harder since some are about denying you read access or flagging your device on access attempt. You’re effectively punished for trying to verify their software.

                          1. 2

                            I find these fairly problematic because one of the main uses for these systems is to prevent the user making modifications that the OEM doesn’t want, and DRM, but at the same time they do have genuinely useful features that would be desirable if they were under my control.

                            There are a lot of other things in IT I think fall under the same category. My bank offers you data showing all the different categories of things you have spent on in the month which is really useful for me to have but really creepy for the bank to have.

                            1. 2

                              Yeah. There are also schemes that put the user in control to get those benefits. That most suppliers don’t implement them tells us a bit about their intent.

                      2. 1

                        How do you know they are able to do that then?

                        Because all system updates that got installed on my phone came only after I manually approved them. Unless I am not aware of some previously demonstrated capability this sounds like exactly the same kind of unsubstantiated argument you are arguing against.

                        1. 1

                          What criteria do you use for approving or denying updates and how would that be able to stop a backdoor being installed?

                          1. 2

                            It doesn’t matter since the original argument was that Apple can do the same thing (automatically install/change software on your device) which they cannot. You have to assent to the installation (of updates, backdoor or whatever). May not be a difference you care about, but I do.

                            I agree that black box software makes it impossible to know if software can be trusted, but binary package of an open source software is also just a black box if I am not able to generate the same hash when compiling myself which in my admittedly not recent experience happened a lot.

                            1. 1

                              “You have to assent to the installation”

                              You would need a copy of source for all privileged hardware and software on their platform to even begin to prove that. You don’t have that. So, you don’t know. You’re acting on faith in a profit-motivated company’s promises.

                              I’ll also add one that has enough money to do a secure rewrite or mod of their OS but doesn’t intentionally. They don’t care that much. They’re barely even investing into Mac OS X from what its users say. Whereas, Sun invested almost $300 million into redoing Solaris for version 10. That brought us things like ZFS.

                              A company with around $100 billion that cares less about QA than smaller businesses shouldn’t be trusted at all. They’ve already signalled that wealth accumulation was more important.

                              Meanwhile, tiny OK Labs cranked out mobile sandboxing good enough that General Dynamics bet piles of money on them for Defense use. Several other companies cranked out security-enhanced CPUs, network stacks, DNS, end-to-end messaging, and so on. Quite a few were for sale, esp. those nearing bankruptcy. Shows Apple had plenty of opportunities to do the same or buy them. Didn’t care. They’ll make billions anyway.

                              1. 2

                                I agree with pretty much everything you say and while interesting, I am not sure how it is relevant to what I said.

                                I did not argue that one should trust Apple (even though I do think iPhone has a better track record than Android). My point was simply that all other things being equal I prefer platforms that don’t suddenly change on some company’s whim and let me decide when or if I want to perform an update and that AFAICT Apple does not push those updates without user’s consent.

                                I assume your argument is that consenting is meaningless as I cannot perform any reasonable security analysis of what I will receive. True that I can’t, but I also value predictability and speaking from a personal experience I feel I lose some of it with auto-updates.

                    4. 4

                      objdump -d

                      1. 3

                        When the OS is open source how would you know? Have you personally audited all of linux? How do you know you can trust third-party audits? I don’t think “it’s open source” provides much in terms of security all things considered.

                      2. 3

                        How do you know what APNS does?

                      1. 13

                        Ah they tricked me with this one, it’s a Medium article hidden behind another domain.

                        (Whenever I see “medium.com” next to lobsters articles I know not to click, since the result will be a weak thinkpiece by a frontend developer, wrapped in obtrusive markup.)

                        1. 3

                          i had literally the exact same response. “Ah, a medium article….about frontend dev……(tab closed)”.

                          1. 3

                            Interesting ‘hot take’!

                            You judge people based on the ‘medium’ that they use.

                            1. 8

                              “The medium is the message” ;)

                              I have to admit though that seeing a medium link is generally a negative signal for me. Still click on many of them.

                              1. 7

                                I think Medium’s original USP was “only quality content”.

                                Predictably, that didn’t scale.

                                1. 1

                                  Many confuse Marshall McLuhan’s original meaning of that phrase. It didn’t really mean that the way a message was delivered was part of the message itself. It actually meant that the vast majority of messages were medium or average.

                                  It would have been better said, “meh, the message is average.”

                                  1. 5

                                    This didn’t really make sense to me, so I looked it up, and I don’t think that’s right. The original meaning is exactly what we’ve come to understand it as:

                                    The medium is the message because it is the medium that shapes and controls the scale and form of human association and action. The content or uses of such media are as diverse as they are ineffectual in shaping the form of human association. Indeed, it is only too typical that the “content” of any medium blinds us to the character of the medium. (Understanding Media: The Extensions of Man, 1964, p.9)

                                    I wonder where you’ve heard your interpretation?

                                    1. 5

                                      This comment is obviously a troll. Fitting, given that McLuhan himself was a troll.

                                      1. 4

                                        Interesting interpretation. I am not sure how he originally came to that phrase, but his book certainly spent a lot of time and effort arguing for the now prevalent meaning.

                                1. 2

                                  Cool visualisations, although I wonder how well they’ll work without JavaScript or on mobile. Kudos to them for adding ‘Heads up, you’re about to experience some scroll-driven animations. If you’d like to skip that, you can jump ahead to the final state.’

                                  The issue itself is pretty funny. There are some pretty obvious solutions, like buying jeans with bigger pockets. I suspect the reason is relatively simple: pockets are needed less when most women carry a bag with them everywhere they go, while most men don’t.

                                  Probably better not to have too many gender politics posts here tho.

                                  1. 11

                                    My wife carries bags mostly because pockets on women’s clothes are ridiculous and because your solution while theoretically sound, fails miserably in practice if you cannot find such clothes.

                                    This issue might be funny to you, but at this point is just frustration for her and to be honest for me too.

                                    1. 5

                                      it works wonderfully on mobile

                                      1. 5

                                        Do you have good tips for women jeans with big pockets?

                                      1. 1

                                        Do you really carry anything in your pockets? I find it very uncomfortable.

                                        1. 5

                                          Yes and my wife would like to too.

                                          1. 3

                                            Of course I do. It may not be very comfortable, but unlike an external bag, it doesn’t restrict your movement, and that’s a big advantage.

                                            The article is a nice data collection and visualization effort.

                                            1. 2

                                              A “mobile” phone in a pocket surely restricts my movements, especially sitting. Personally sometimes I use a briefcase just for my phone and keys. It’s heavier but you may put it on your knees. Also it looks better than stuffed pockets. Article and presentations are very nice indeed.

                                              1. 3

                                                For the briefcase you need one hand, or you need to be sitting in order to put it on your lap. I intentionally choose phones that fit in a pocket comfortably, and I’m not happy with that stupid trend of phone size increasing to the point when even men’s pockets are not enough.

                                            2. 2

                                              I carry my phone, phones, house keys, work keycard and tissues, I wouldn’t survive with women’s pockets.

                                              1. 3

                                                I usually add a wallet and a small bottle of alcohol-based hand sanitizer which is really great if you are eating something on the go.

                                                I’d like to add that roughly one in 15 people worldwide has a form of diabetes and that a large portion of them also carries medication and a sugary and a salty snack as treatment.

                                              2. 1

                                                Not if the pocket is deep enough. I have pants that I can fit my phone in the pocket and it’s no issue because the phone sits lower on my leg.

                                              1. 8

                                                To be fair, they should also mark as “Not Secure” any page running JavaScript.

                                                Also, pointless HTTPS adoption might reduce content accessibility without blocking censorship.
                                                (Disclaimer: this does not mean that you shouldn’t adopt HTTPS for sensitive content! It just means that using HTTPS should not be a matter of fashion: there are serious trade-offs to consider)

                                                1. 11

                                                  By adopting HTTPS you basically ensure that nasty ISPs and CDNs can’t insert garbage into your webpages.

                                                  1. [Comment removed by author]

                                                    1. 5

                                                      Technically, you authorize them (you sign actual paperwork) to get/generate a certificate on your behalf (at least this is my experience with Akamai). You don’t upload your own ssl private key to them.

                                                      1. 3

                                                        Why on earth would I give anyone else my private certificate?

                                                        1. 4

                                                          Because it’s part of The Process. (Technical Dark Patterns, Opt-In without a clear way to Opt-Out, etc.)

                                                          Because you’ll be laughed at if you don’t. (Social expectations, “received wisdom”, etc.)

                                                          Because Do It Now. Do It Now. Do It Now. (Nagging emails. Nagging pings on social media. Nagging.)

                                                          Lastly, of course, are Terms Of Service, different from the above by at least being above-board.

                                                      2. 2

                                                        No.

                                                        It protects against cheap man-in-the-middle attacks (such as the one an ISP could do) but it can do nothing against CDNs that can identify you, as CDNs serve you JavaScript over HTTPS.

                                                        1. 11

                                                          With Subresource Integrity (SRI) page authors can protect against CDNed resources changing out from beneath them.

                                                          1. 1

                                                            Yes, SRI mitigates some of the JavaScript attacks that I describe in the article, in particular the nasty ones from CDNs exploiting your trust in a harmless-looking website.
                                                            Unfortunately several others remain possible (just think of JSONP, or even simpler if the website itself colludes in the attack). Also it needs widespread adoption to become a security feature: it should probably be mandatory, but for sure browsers should mark as “Not Secure” any page downloading programs from CDNs without it.

                                                            What SRI could really help is with the accessibility issues described by Meyer: you can serve most page resources as cacheable HTTP resources if the content hash is declared in a HTTPS page!

                                                          2. 3

                                                            With SRI you can block CDNs you use to load JS scripts externally from manipulating the webpage.

                                                            I also don’t buy the link that claims it reduces content accessibility; the link you provided above explains a problem that would be solved by simply using an HTTPS caching proxy (something a lot of corporate networks seem to have no problem operating, considering TLS 1.3 explicitly tries not to break those middleboxes).

                                                            1. 4

                                                              CDNs are man-in-the-middle attacks.

                                                          3. 1

                                                            As much as I respect Meyer, his point is moot. MitM HTTPS proxy servers have been set up for a long time, even though usually for far more objectionable purposes than content caching. Some companies even made out-of-the-box HTTPS URL filtering their selling point. If people are ready or forced to trade security for accessibility, but don’t know how to set up an HTTPS MitM proxy, it’s their problem, not webmasters’. We should be ready to teach those in need how to set it up of course, but that’s about it.

                                                            1. 0

                                                              MitM HTTPS proxy servers have been set up for a long time, even though usually for far more objectionable purposes than content caching. […] If people are ready or forced to trade security for accessibility, but don’t know how to set up an HTTPS MitM proxy, it’s their problem, not webmasters’.

                                                              Well… how can I say that… I don’t think so.

                                                              Selling an HTTPS MitM proxy as a security solution is plain incompetence.

                                                              Beyond the obvious risk that the proxy is compromised (you should never assume that it won’t be), which is pretty high in some places (not only in Africa… don’t be naive, a chain is only as strong as its weakest link), a transparent HTTPS proxy has an obvious UI issue: people do not realise that it’s unsafe.

                                                              If the browsers don’t mark them as “Not Secure” (how could they?), the user will overlook the MitM risks, turning a security feature against the users’ real security and safety.

                                                              Is this something webmasters should care about? I think so.

                                                              1. 4

                                                                Selling an HTTPS MitM proxy as a security solution is plain incompetence.

                                                                Not sure how to tell you this, but companies have been doing this on their internal networks for a very long time and this is basically standard operating procedure at every enterprise-level network I’ve seen. They create their own CA, generate an intermediate CA key cert, and then put that on an HTTPS MITM transparent proxy that inspects all traffic going in and out of the network. The intermediate cert is added to the certificate store on all devices issued to employees so that it is trusted. By inspecting all of the traffic, they can monitor for external and internal threats, scan for exfiltration of trade secrets and proprietary data, and keep employees from watching porn at work. There is an entire industry around products that do this; BlueCoat and Barracuda are two popular examples.

                                                                1. 5

                                                                  There is an entire industry around products that do this

                                                                  There is an entire industry around ransomware. But this does not mean it’s a security solution.

                                                                  1. 1

                                                                    It is, it’s just that the word security is better understood as “who” is getting (or not) secured from “whom”.

                                                                    What you keep saying is that a MitM proxy does not protect the security of end users (that is, employees). What they do, however, in certain contexts like the one described above, is help protect the organisation in which end users operate. Arguably they do, because it certainly makes it more difficult to protect yourself from something you cannot see. If employees are seen as a potential threat (they are), then reducing their security can help you (the organisation) with yours.

                                                                    1. 1

                                                                      I wonder if you did read the articles I linked…

                                                                      The point is that, in a context of unreliable connectivity, HTTPS dramatically reduces accessibility but doesn’t help against censorship.

                                                                      In this context, we need to grant people accessibility and security.

                                                                      An obvious solution is to give them cacheable HTTP access to content. We can fool the clients into trusting a MitM caching proxy, but since all we want is caching this is not the best solution: it adds no security but a false sense of security. Thus in that context, you can improve users’ security by removing HTTPS.

                                                                      1. 1

                                                                        I have read it, but more importantly, I worked in and built services for places like that for about 5 years (Uganda, Bolivia, Tajikistan, rural India…).

                                                                        I am with you that an HTTPS proxy is generally best avoided, if for no other reason than that it grows the attack surface. I disagree that removing HTTPS increases security. It adds a lot more places and actors who can now negatively impact the user, in exchange for the user knowing this without being able to do much about it.

                                                                        And that is even without going into which content is safe to be cached in a given environment.

                                                                        1. 1

                                                                          And that is even without going into which content is safe to be cached in a given environment.

                                                                          Yes, this is the best objection I’ve read so far.

                                                                          As always it’s a matter of tradeoff. In a previous related thread I described how I would try to fix the issue in a way that people can easily opt-out and opt-in.

                                                                          But while I think it would be weird to remove HTTPS for an e-commerce cart or for a political forum, I think that most of Wikipedia should be served through both HTTP and HTTPS. People should be aware that HTTP pages are not secure (even though it all depends on your threat model…) but should not be misled to think that pages going through a MitM proxy are secure.

                                                                2. 2

                                                                  An HTTPS proxy isn’t incompetence, it’s industry standard.

                                                                  They solve a number of problems and are basically standard in almost all corporate networks with a minimum security level. They aren’t a weak link in the chain since traffic in front of the proxy is HTTPS and behind it is in the local network and encrypted by a network-level CA (you can restrict CA capabilities via TLS cert extensions; there are a fair number of useful ones that prevent compromise).

                                                                  Browsers don’t mark these as insecure because installing and using an HTTPS proxy requires full admin access to a device, at which level there is no reason to consider what the user is doing as insecure.
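The set-up described in the two comments above (a private root, an intermediate on the proxy, a leaf minted per host, and the root pushed into the device trust store) can be modelled with Go’s standard `crypto/x509` alone. This is an added example written for this page, not code from the commenters or from any product they name; the CA names and the host `example.com` are constructed, and nothing here touches a real trust store. It shows why a browser on a managed device raises no warning (the chain verifies against the installed root) and why the same chain is rejected on a device without that root, and it prints the root’s SHA-256 fingerprint, which is the value a user or a monitoring job can compare against a site’s published chain to notice that their connection ends in a private root rather than a public one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// ProxyPKI is a constructed three-certificate chain: private root, the
// intermediate that lives on the inspecting proxy, and the leaf the proxy
// mints for the host the client asked for.
type ProxyPKI struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func caTemplate(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
}

// BuildProxyPKI creates root -> intermediate -> leaf for host with fresh keys.
func BuildProxyPKI(host string) (*ProxyPKI, error) {
	var keys [3]*ecdsa.PrivateKey
	for i := range keys {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	rootKey, interKey, leafKey := keys[0], keys[1], keys[2]

	rootTmpl := caTemplate("Example Corp Private Root (constructed)", 1)
	root, err := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	if err != nil {
		return nil, err
	}
	inter, err := sign(caTemplate("Example Corp Inspection Proxy CA (constructed)", 2), root, &interKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err := sign(leafTmpl, inter, &leafKey.PublicKey, interKey)
	if err != nil {
		return nil, err
	}
	return &ProxyPKI{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// Verify runs the same path-building check a browser does. An empty root pool
// models a device where the corporate root was never installed; trusted==true
// models the managed device the thread describes.
func (p *ProxyPKI) Verify(host string, trusted bool) error {
	roots := x509.NewCertPool() // non-nil and empty: no trust anchors at all
	if trusted {
		roots.AddCert(p.Root)
	}
	inters := x509.NewCertPool()
	inters.AddCert(p.Intermediate)
	_, err := p.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err
}

// Fingerprint returns the SHA-256 fingerprint of a certificate's DER bytes.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

func main() {
	pki, err := BuildProxyPKI("example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("without corporate root:", pki.Verify("example.com", false))
	fmt.Println("with corporate root:   ", pki.Verify("example.com", true))
	fmt.Println("chain root fingerprint:", Fingerprint(pki.Root))
}
```

The first `Verify` call returns an `x509.UnknownAuthorityError` and the second returns `nil`; the only difference between the two is the one root certificate in the pool, which is exactly what an administrator installs on a managed device.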

                                                                  1. 2

                                                                    Browsers don’t mark these as insecure because installing and using an HTTPS proxy requires full admin access to a device, at which level there is no reason to consider what the user is doing as insecure.

                                                                    Browsers bypass the network configuration to protect the users’ privacy.
                                                                    (I agree this is stupid, but they are trying to push this anyway)

                                                                    The point is: the user’s security is at risk whenever she sees something that is not secure presented as HTTPS (which stands for “HTTP Secure”). It’s a rather simple and verifiable fact.

                                                                    It’s true that posing a threat to employees’ security is an industry standard. But it’s not a security solution. At least, not for the employees.

                                                                    And, doing that in a school or a public library is dangerous and plain stupid.

                                                                    1. 0

                                                                      Nobody is posing a threat to employees’ security here; a corporation can in this case be regarded as a single entity, so terminating SSL at the borders of the entity, similar to how a browser terminates SSL by showing the website on a screen, is fairly valid.

                                                                      Schools and public libraries usually have the internet filtered, yes; that is usually made clear to the user before using it (at least when I wanted access to either, I was in both cases instructed that the network is supervised and filtered), which IMO negates the potential security compromise.

                                                                      Browsers bypass the network configuration to protect the users’ privacy.

                                                                      Browsers don’t bypass root CA configuration, core system configuration or network routing information as well as network proxy configuration to protect a user’s privacy.

                                                                      1. 1

                                                                        Schools and public libraries usually have the internet filtered, yes; that is usually made clear to the user before using it [..] which IMO negates the potential security compromise.

                                                                        Yes this is true.

                                                                        If people are kept constantly aware of the presence of a transparent HTTPS proxy/MitM, I have no objection to its use instead of an HTTP proxy for caching purposes. Marking all pages as “Not Secure” is a good way to gain such awareness.

                                                                        Browsers don’t bypass root CA configuration, core system configuration or network routing information as well as network proxy configuration to protect a user’s privacy.

                                                                        Did you know about Firefox’s DoH/CloudFlare affair?

                                                                        1. 2

                                                                          Yes, I’m aware of the “affair”. To my knowledge the initial DoH experiment was localized and run on users who had enabled studies (opt-in). In both the experiment and now, Mozilla has a contract with CloudFlare to protect the user privacy during queries when DoH is enabled (which to my knowledge it isn’t by default). In fact, the problem ungleich is blogging about isn’t even slated for standard release yet, to my knowledge.

                                                                          It’s plain old wrong in the bad kind of way; it conflates security maximalism with the mission of Mozilla to bring the maximum amount of users privacy and security.

                                                                          1. 1

                                                                            TBH, I don’t know what you mean with “security maximalism”.

                                                                            I think ungleich raises serious concerns that should be taken into account before shipping DoH to the masses.

                                                                            Mozilla has a contract with CloudFlare to protect the user privacy

                                                                            It’s a bit naive for Mozilla to base the security and safety of millions of people worldwide on a contract with a company, however good they are.

                                                                            AFAIK, even Facebook had a contract with its users.

                                                                            Yeah… I know… they will “do no evil”…

                                                                            1. 1

                                                                              Security maximalism disregards more common threat models and usability problems in favor of more security. I don’t believe the concerns are really concerns for the common user.

                                                                              It’s a bit naive for Mozilla to base the security and safety of millions of people worldwide on a contract with a company, however good they are.

                                                                              Cloudflare hasn’t done much that makes me believe they will violate my privacy. They’re not in the business of selling data to advertisers.

                                                                              AFAIK, even Facebook had a contract with its users

                                                                              Facebook used Dark Patterns to get users to willingly agree to terms they would otherwise never agree to; I don’t think this is comparable. Facebook likely never violated the contract terms with their users that way.

                                                                              1. 1

                                                                                Security maximalism disregards more common threat models and usability problems in favor of more security. I don’t believe the concerns are really concerns for the common user.

                                                                                You should define “common user”.
                                                                                If you mean the politically inept who are happy to be easily manipulated as long as they are given something to say and retweet… yes, they have nothing to fear.
                                                                                The problem is for those people who are actually useful to society.

                                                                                Cloudflare hasn’t done much that makes me believe they will violate my privacy.

                                                                                The problem with Cloudflare is not what they did, it’s what they could do.
                                                                                There’s no reason to give such power to a single company, located near all the other companies that are currently centralizing the Internet already.

                                                                                But my concerns are with Mozilla.
                                                                                They are trusted by millions of people worldwide. Me included. But actually, I’m starting to think they are much more like a MitM caching HTTPS proxy: trusted by users as safe, while totally unsafe.

                                                                                1. 1

                                                                                  So in your opinion, the average user does not deserve the protection of being able to browse the net as safe as we can make it for them?

                                                                                  Just because you think they aren’t useful to society (and they are, these people have all the important jobs, someone isn’t useless because they can’t use a computer) doesn’t mean we, as software engineers, should abandon them.

                                                                                  There’s no reason to give such power to a single company, located near all the other companies that are currently centralizing the Internet already.

                                                                                  Then don’t use it? DoH isn’t going to be enabled by default in the near future and any UI plans for now make it opt-in and configurable. The “Cloudflare is default” is strictly for tests and users that opt into this.

                                                                                  they are much more like a MitM caching HTTPS proxy: trusted by users as safe, while totally unsafe.

                                                                                  You mean safe because everyone involved knows what’s happening?

                                                                                  1. 1

                                                                                    I don’t believe the concerns are really concerns for the common user.

                                                                                    You should define “common user”.
                                                                                    If you mean the politically inept who are happy to be easily manipulated…

                                                                                    So in your opinion, the average user does not deserve the protection of being able to browse the net as safe as we can make it for them?

                                                                                    I’m not sure if you are serious or you are pretending to not understand to cope with your lack of arguments.
                                                                                    Let’s assume the first… for now.

                                                                                    I’m saying the concerns raised by ungleich are serious and could affect any person who is not politically inept. That’s obviously because anyone politically inept is unlikely to be affected by surveillance.
                                                                                    That’s it.

                                                                                    they are much more like a MitM caching HTTPS proxy: trusted by users as safe, while totally unsafe.

                                                                                    You mean safe because everyone involved knows what’s happening?

                                                                                    Really?
                                                                                    Are you sure everyone understands what a MitM attack is? Are you sure every employee understands their system administrators can see the mail they read from GMail? I think you don’t have much experience with users and I hope you don’t design user interfaces.

                                                                                    A MitM caching HTTPS proxy is not safe. It can be useful for corporate surveillance, but it’s not safe for users. And it extends the attack surface, both for the users and the company.

                                                                                    As for Mozilla: as I said, I’m just not sure whether they deserve trust or not.
                                                                                    I hope they do! Really! But it’s really too naive to think that a contract is enough to bind a company more than a subpoena. And they ship WebAssembly. And you have to edit about:config to disable JavaScript.
                                                                                    All this is very suspect for a company that claims to care about users’ privacy!

                                                                                    1. 0

                                                                                      I’m saying the concerns raised by ungleich are serious and could affect any person who is not politically inept.

                                                                                      I’m saying the concerns raised by ungleich are too extreme and should be dismissed on grounds of being not practical in the real world.

                                                                                      Are you sure everyone understands what a MitM attack is?

                                                                                      An attack requires an adversary, the evil one. An HTTPS caching proxy isn’t evil or the enemy; you have to opt into this behaviour. It is not an attack and I think it’s not fair to characterise it as such.

                                                                                      Are you sure every employee understands their system administrators can see the mail they read from GMail?

                                                                                      Yes. When I signed my work contract this was specifically pointed out and made clear in writing. I see no problem with that.

                                                                                      And it extends the attack surface, both for the users and the company.

                                                                                      And it also enables caching for users with less than stellar bandwidth (think third world countries where satellite internet is common: 500 ms ping, 80% packet loss, 1 Mbps… you want caching for the entire network, even with HTTPS).

                                                                                      And they ship WebAssembly.

                                                                                      And? I have no concerns about WebAssembly. It’s not worse than obfuscated JavaScript. It doesn’t enable anything that wasn’t possible before via asm.js. The post you linked is another security maximalist opinion piece with few factual arguments.

                                                                                      And you have to edit about:config to disable JavaScript…

                                                                                      Or install a half-way competent script blocker like uMatrix.

                                                                                      All this is very suspect for a company that claims to care about users’ privacy!

                                                                                      I think it’s understandable for a company that both cares about users’ privacy and doesn’t want a market share of “only security maximalists”, also known as 0%.

                                                                                      1. 1

                                                                                        An attack requires an adversary, the evil one.

                                                                                        According to this argument, you don’t need HTTPS as long as you don’t have an enemy.
                                                                                        It shows very well your understanding of security.

                                                                                        The attackers described in a threat model are potential enemies. Your security depends on how well you avoid or counter potential attacks.

                                                                                        I have no concerns about WebAssembly.

                                                                                        Not a surprise.

                                                                                        Evidently you never had to debug either obfuscated JavaScript or an optimized binary (without sources or debug symbols).

                                                                                        Trust one who did both: obfuscated JavaScript is annoying; understanding what an optimized binary is doing is hard.

                                                                                        As for packet loss and caching, you didn’t read what I wrote, and I won’t feed you more.

                                                                                        1. 1

                                                                                          According to this argument, you don’t need HTTPS as long as you don’t have an enemy.

                                                                                          If there is no adversary, no Mallory in the connection, there is no reason to encrypt it either, correct.

                                                                                          It shows very well your understanding of security.

                                                                                          My understanding in security is based on threat models. A threat model includes who you trust, who you want to talk to and who you don’t trust. It includes how much money you want to spend, how much your attacker can spend and the methods available to both of you.

                                                                                          There is no binary security, a threat model is the entry point and your protection mechanisms should match your threat model as best as possible or exceed it, but there is no reason to exert effort beyond your threat model.

                                                                                          The attackers described in a threat model are potential enemies. Your security depends on how well you avoid or counter potential attacks.

                                                                                          Mallory is a potential enemy. An HTTPS caching proxy operated by a corporation is not an enemy. It’s not Mallory; it’s Bob, Alice and Eve, where Bob wants to send Alice a message, she works for Eve, and Eve wants to avoid having duplicate messages on the network, so Eve and Alice agree that caching the encrypted connection is worthwhile.

                                                                                          Mallory sits between Eve and Bob, not between Bob and Alice.

                                                                                          Evidently you never had to debug either obfuscated JavaScript or an optimized binary (without sources or debug symbols).

                                                                                          I did, in which case I either filed a Github issue if the project was open source or I notified the company that offered the javascript or optimized binary. Usually the bug is then fixed.

                                                                                          It’s not my duty or problem to debug web applications that I don’t develop.

                                                                                          Trust one who did both: obfuscated javascript is annoying, understanding what an optimized binary is doing is hard.

                                                                                          Then don’t do it? Nobody is forcing you.

                                                                                          As for packet loss and caching, you didn’t read what I wrote, and I won’t feed you more.

                                                                                          I don’t think you consider that a practical problem such as bad connections can outweigh a lot of potential security issues since you don’t have the time or user patience to do it properly and in most cases it’ll be good enough for the average user.

                                                                  2. 2

                                                                    My point is that the problems of unencrypted HTTP and MitM’ed HTTPS are exactly the same. If one used to prefer the former because it can be easily cached, I can’t see how setting up the latter makes their security issues worse.

                                                                    1. 3

                                                                      With HTTP you know it’s not secure. OTOH you might not be aware that your HTTPS connection to the server is not secure at all.

                                                                      The lack of awareness makes MitM caching worse.

                                                              1. 7

                                                                Bad idea, it should error or give NaN.

                                                                1/0 = 0 is mathematically sound

                                                                It’s not mathematically sound.

                                                                a/b = c should be equivalent to a = c*b

                                                                this fails with 1/0 = 0 because 1 is not equal to 0*0.

                                                                Edit: I was wrong, it is mathematically sound. You can define x/0 = f(x) any function of x at all. All the field axioms still hold because they all have preconditions that ensure you never look at the result of division by zero.

                                                                There is a subtlety because some people say (X) and others say (Y)

                                                                • (X) a/b = c should be equivalent to a = c*b when the LHS is well defined

                                                                • (Y) a/b = c should be equivalent to a = c*b when b is nonzero

                                                                If you have definition (X) in mind it becomes unsound; if you are more formal and use definition (Y) then it stays sound.

                                                                It seems like a very bad idea to make division well defined but the expected algebra rules not apply to it. This is the whole reason we leave it undefined or make it an error. There isn’t any value you can give it that makes algebra work with it.

                                                                It will not help programmers to have their programs continue on unaware of a mistake, working on with corrupt values.
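The (X)/(Y) distinction in the comment above can be checked mechanically. The following is an added illustration, not part of the comment: Lean 4 with Mathlib already uses the total-division convention x / 0 = 0 on the rationals, and its division lemma is stated with exactly the (Y) precondition b ≠ 0, while the (X) reading fails at 1 / 0.

```lean
import Mathlib.Tactic

-- Mathlib's division is total: dividing by zero yields zero (lemma div_zero).
example (x : ℚ) : x / 0 = 0 := div_zero x

-- (Y): the algebra rule a / b = c ↔ a = c * b holds whenever b ≠ 0.
example (a b c : ℚ) (hb : b ≠ 0) : a / b = c ↔ a = c * b := div_eq_iff hb

-- (X) fails: 1 / 0 = 0 is a true equation, yet 1 = 0 * 0 is false.
example : (1 : ℚ) / 0 = 0 ∧ (1 : ℚ) ≠ 0 * 0 := ⟨div_zero 1, by norm_num⟩
```

So the total definition is consistent with the field axioms precisely because every lemma that would let you "cancel" a denominator carries the nonzero hypothesis; what it does not give you is a way to recover a from a / 0.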

                                                                1. 14

                                                                  I really appreciate your follow-up about you being wrong. It is rare to see, and I commend you for it. Thank you.

                                                                  1. 8

                                                                    This is explicitly addressed in the post. Do you have any objections to the definition given in the post?

                                                                    1. 13

                                                                      I cover that exact objection in the post.

                                                                      1. 4

                                                                        It will not help programmers to have their programs continue on unaware of a mistake, working on with corrupt values

                                                                        That was my initial reaction too. But I don’t think Pony’s intended use case is numerical analysis; it’s for highly parallel low-latency systems, where there are other (bigger?) concerns to address. They wanted to have no runtime exceptions, so this is part of that design tradeoff. Anyway, nothing prevents the programmer from checking for zero denominators and handling them as needed. If you squint a little, it’s perhaps not that different from the various conventions on truthy/falsey values that exist in most languages, and we’ve managed to accommodate to those.

                                                                        1. 4

                                                                          Those truthy/falsey values are often a source of errors.

                                                                          I may be biased in my dislike of this “feature”, because I cannot recall when 1/0 = 0 would be useful in my work, but have no difficulty whatsoever thinking of cases where truthy/falsey caused problems.

                                                                        2. 4

                                                                          1/0 is integer math. NaN is available for floating point math not integer math.

                                                                          1. 2

                                                                            It will not help programmers to have their programs continue on unaware of a mistake, working on with corrupt values.

                                                                            I wonder if someone making a linear math library for Pony already faced this. There are many operations that might divide by zero, and you will want to let the user know if they divided by zero.

                                                                            1. 7

                                                                              It’s easy for a Pony user to create their own integer division operation that will be partial. Additionally, a “partial division for integers” operator has been in the works for a while and will land soon. It’s part of operators that will also error if you have integer overflow or underflow. Those will be +?, /?, *?, -?.

                                                                              https://playground.ponylang.org/?gist=834f46a58244e981473c0677643c52ff
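                                                                              Added example, not code from the thread, from Pony or from the playground link above: it shows in Rust what this sub-thread debates, a total integer division where x/0 yields 0 beside a partial (checked) division that reports the zero divisor, using Rust’s checked_* methods as a stand-in for the `/?` and `+?` operators the comment describes. The function names and the mean-of-a-sample scenario are this example’s own.

```rust
// Added example, not from the thread or the Pony project. Contrasts a
// Pony-style total integer division (x / 0 = 0, as the thread describes)
// with a partial division that refuses a zero divisor, the behaviour the
// thread attributes to the planned `/?` operator. Rust's checked_* methods
// stand in for `/?` and `+?`; all function names here are this example's own.

/// Total division: every divisor is accepted and a zero divisor yields 0.
/// `wrapping_div` is assumed for the i64::MIN / -1 case so the function never panics.
pub fn div_total(a: i64, b: i64) -> i64 {
    if b == 0 { 0 } else { a.wrapping_div(b) }
}

/// Partial division: `None` instead of an invented value.
/// `checked_div` returns None for b == 0 and for the i64::MIN / -1 overflow.
pub fn div_partial(a: i64, b: i64) -> Option<i64> {
    a.checked_div(b)
}

/// The rule from the thread: a/b = c should mean a = c*b (exact division).
/// With total division this can be evaluated for any b, and it fails for b == 0.
pub fn identity_after_total_div(a: i64, b: i64) -> bool {
    div_total(a, b).wrapping_mul(b) == a
}

/// Same rule under partial division: the identity is only evaluated when the
/// division was defined; otherwise the mistake is reported to the caller.
pub fn identity_after_partial_div(a: i64, b: i64) -> Result<bool, &'static str> {
    match div_partial(a, b) {
        Some(c) => Ok(c.wrapping_mul(b) == a),
        None => Err("division undefined: zero divisor or overflow"),
    }
}

/// "Corrupt values": the mean of an empty sample. Total division returns 0,
/// which downstream code cannot distinguish from a genuine all-zero sample.
pub fn mean_total(xs: &[i64]) -> i64 {
    let sum = xs.iter().fold(0i64, |acc, &x| acc.wrapping_add(x));
    div_total(sum, xs.len() as i64)
}

/// Partial version: overflow while summing and the empty-sample case are
/// both reported (None) instead of silently producing a number.
pub fn mean_partial(xs: &[i64]) -> Option<i64> {
    let mut sum: i64 = 0;
    for &x in xs {
        sum = sum.checked_add(x)?; // stand-in for `+?`
    }
    div_partial(sum, xs.len() as i64) // stand-in for `/?`
}

fn main() {
    println!("1/0 total   = {}", div_total(1, 0));
    println!("1 == 0*0 ?  {}", identity_after_total_div(1, 0));
    println!("1/0 partial = {:?}", div_partial(1, 0));
    println!("mean_total([])   = {}", mean_total(&[]));
    println!("mean_partial([]) = {:?}", mean_partial(&[]));
}
```

                                                                              The identity check makes the earlier objection concrete: under total division 1/0 “succeeds” and the rule a = c*b then fails for a = 1, b = 0, while partial division never evaluates the rule on an undefined quotient. The two mean functions show the corrupt-value concern: an empty sample yields a mean of 0 that later code cannot tell apart from a real all-zero sample, whereas the partial version hands the caller a None to act on.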

                                                                          1. 65

                                                                            This blogpost is a good example of fragmented, hobbyist security maximalism (sprinkled with some personal grudges based on the tone).

                                                                            Expecting Signal to protect anyone specifically targeted by a nation-state is a huge misunderstanding of the threat models involved.

                                                                            Talking about threat models, it’s important to start from them and that explains most of the misconceptions in the post.

                                                                            • Usable security for the most people possible. The vast majority of people on the planet use iOS and Android phones, so while it is theoretically true that Google or Apple could be forced to subvert their OSs, it’s outside the threat model and something like that would be highly visible, a nuclear option so to speak.
                                                                            • Alternative distribution mechanisms are not used by 99%+ of the existing phone userbases, providing an APK is indeed correctly viewed as harm reduction.
                                                                            • Centralization is a feature. Moxie created a protocol and a service used by billions and millions of people respectively that provides real, measurable security for a lot of people. The fact is that doing all this in a decentralized way is something we don’t yet know how to do or doing invites tradeoffs that we shouldn’t make. Federation atm either leads to insecurity or leads to the ossification of the ecosystem, which in turn leads to a useless system for real users. We’ve had IRC from the 1990s, ever wonder why Slack ever became a thing? Ossification of a decentralized protocol. Ever wonder why openpgp isn’t more widespread? No one cares about security in a system where usability is low and design is fragile. Ever tried to do key rotation in gpg? Even cryptographers gave up on that. Signal has that built into the protocol.

                                                                            Were tradeoffs made? Yes. Have they been carefully considered? Yes. Signal isn’t perfect, but it’s usable, high-level security for a lot of people. I don’t say I fully trust Signal, but I trust everything else less. Turns out things are complicated when it’s about real systems and not fantasy escapism and wishes.

                                                                            1. 34

                                                                              Expecting Signal to protect anyone specifically targeted by a nation-state is a huge misunderstanding of the threat models involved.

                                                                              In this article, resistance to governments constantly comes up as a theme of his work. He also pushed for his tech to be used to help resist police states like with the Arab Spring example. Although he mainly increased the baseline, the tool has been pushed for resisting governments and articles like that could increase perception that it was secure against governments.

                                                                              This nation-state angle didn’t come out of thin air from paranoid security people: it’s the kind of thing Moxie talks about. In one talk, he even started with a picture of two activist friends jailed in Iran in part to show the evils that motivate him. Stuff like that only made the stuff Drew complains about on centralization, control, and dependence on cooperating with surveillance organization stand out even more due to the inconsistency. I’d have thought he’d make signed packages for things like F-Droid sooner if he’s so worried about that stuff.

                                                                              1. 5

                                                                                A problem with the “nation-state” rhetoric that might be useful to dispel is the idea that it is somehow a God-tier where suddenly all other rules become defunct. The five-eyes are indeed “nation state” and have capabilities that are profound; like the DJB talk speculating about how many RSA-1024 keys that they’d likely be able to factor in a year given such and such developments and what you can do with that capability. That’s scary stuff. On the other hand, this is not the “nation state” that is Iceland or Syria. Just looking at the leaks from the “Hacking Team” thing, there are a lot of “nation states” forced to rely on some really low quality stuff.

                                                                                I think Greg Conti in his “On Cyber” setup depicts it rather well (sorry, don’t have a copy of the section in question) and that a more reasonable threat model of capable actors you do need to care about is that of Organized Crime Syndicates - which seems more approachable. Nation State is something you are afraid of if you are a political actor or in conflict with your government, where the “we can also waterboard you to compliance” factors into your threat model, Organized Crime hits much more broadly. That’s Ivan with his botnet from internet facing XBMC^H Kodi installations.

                                                                                I’d say the “Hobbyist, Fragmented Maximalist” line is pretty spot on - with a dash of “Confused”. The ‘threats’ of Google Play Store (test it, write some malware and see how long it survives - they are doing things there …) - the odds of any other app store; Fdroid, the ones from Samsung, HTC, Sony et al. - being completely owned by much less capable actors is way, way higher. Signal (perhaps a Signal-To-Threat ratio?) performs a good enough job in making reasonable threat actors much less potent. Perhaps not worthy of “trust”, but worthy of day to day business.

                                                                              2. 18

                                                                                Expecting Signal to protect anyone specifically targeted by a nation-state is a huge misunderstanding of the threat models involved.

                                                                                And yet, Signal is advertising with the face of Snowden and Laura Poitras, and quotes from them recommending it.

                                                                                What kind of impression of the threat models involved do you think does this create?

                                                                                1. 5

                                                                                  Who should be the faces recommending signal that people will recognize and listen to?

                                                                                  1. 7

                                                                                    Whichever ones are normally on the media for information security saying the least amount of bullshit. We can start with Schneier given he already does a lot of interviews and writes books laypeople buy.

                                                                                    1. 3

                                                                                      What does Schneier say about signal?

                                                                                      1. 10

                                                                                        He encourages use of stuff like that to increase baseline but not for stopping nation states. He has also constantly blogged about the attacks and legal methods they used to bypass technical measures. So, his reporting was mostly accurate.

                                                                                        We counterpoint him here or there but his incentives and rep are tied to delivering accurate info. Moxie’s incentives would, if he’s selfish, lead to lock-in to questionable platforms.

                                                                                2. 18

                                                                                  We’ve had IRC from the 1990s, ever wonder why Slack ever became a thing? Ossification of a decentralized protocol.

                                                                                  I’m sorry, but this is plain incorrect. There are many expansions on IRC that have happened, including the most recent effort, IRCv3: a collection of extensions to IRC to add notifications, etc. Not to mention the killer point: “All of the IRCv3 extensions are backwards-compatible with older IRC clients, and older IRC servers.”

                                                                                  If you actually look at the protocols? Slack is a clear case of Not Invented Here syndrome. Slack’s interface is not only slower, but does some downright crazy things (Such as transliterating a subset of emojis to plain-text – which results in batshit crazy edge-cases).

                                                                                  If you have a free month, try writing a slack client. Enlightenment will follow :P

                                                                                  1. 9

                                                                                    I’m sorry, but this is plain incorrect. There are many expansions on IRC that have happened, including the most recent effort, IRCv3: a collection of extensions to IRC to add notifications, etc. Not to mention the killer point: “All of the IRCv3 extensions are backwards-compatible with older IRC clients, and older IRC servers.”

                                                                                    Per IRCv3 people I’ve talked to, IRCv3 blew up massively on the runway, and will never take off due to infighting.

                                                                                    1. 12

                                                                                      And yet everyone is using Slack.

                                                                                      1. 14

                                                                                        There are swathes of people still using Windows XP.

                                                                                        The primary complaint of people who use Electron-based programs is that they take up half a gigabyte of RAM to idle, and yet they are in common usage.

                                                                                        The fact that people are using something tells you nothing about how Good that thing is.

                                                                                        At the end of the day, if you slap a pretty interface on something, of course it’s going to sell. Then you add in that sweet, sweet Enterprise Support, and the Hip and Cool factors of using Something New, and most people will be fooled into using it.

                                                                                        At the end of the day, Slack works just well enough Not To Suck, is Hip and Cool, and has persistent history (Something that the IRCv3 group are working on: https://ircv3.net/specs/extensions/batch/chathistory-3.3.html)

                                                                                        1. 9

                                                                                          At the end of the day, Slack works just well enough Not To Suck, is Hip and Cool, and has persistent history (Something that the IRCv3 group are working on […])

                                                                                          The time for the IRC group to be working on a solution to persistent history was a decade ago. It strikes me as willful ignorance to disregard the success of Slack et al over open alternatives as mere fashion in the face of many meaningful functionality differences. For business use-cases, Slack is a better product than IRC full-stop. That’s not to say it’s perfect or that I think it’s better than IRC on all axes.

                                                                                          To the extent that Slack did succeed because it was hip and cool, why is that a negative? Why can’t IRC be hip and cool? But imagine being a UX designer and wanting to help make some native open-source IRC client fun and easy to use for a novice. “Sisyphean” is the word that comes to mind.

                                                                                          If we want open solutions to succeed we have to start thinking of them as products for non-savvy end users and start being honest about the cases where closed products have superior usability.

                                                                                          1. 5

                                                                                            IRC isn’t hip and cool because people can’t make money off of it. Technologies don’t get investment because they are good, they get good because of investment. The reason that Slack is hip/cool and popular and not IRC is because the investment class decided that.

                                                                                            It also shows that our industry is just a pop culture and can give a shit about good tech.

                                                                                            1. 4

                                                                                              There were companies making money off chat and IRC. They just didn’t create something like Slack. We can’t just blame the investors when they were backing companies making chat solutions whose management stayed on what didn’t work in long-term or for huge audience.

                                                                                              1. 1

                                                                                                IRC happened before the privatization of the internet. So the standard didn’t lend itself well for companies to make good money off of it. Things like slack are designed for investor optimization, vs things like IRC being designed for use and openness.

                                                                                                1. 2

                                                                                                  My point was there were companies selling chat software, including IRC clients. None pulled off what Slack did. Even those doing IRC with money or making money off it didn’t accomplish what Slack did for some reason. It would help to understand why that happened. Then, the IRC-based alternative can try to address that from features to business model. I don’t see anything like that when most people that like FOSS talk Slack alternatives. Then, they’re not Slack alternatives if lacking what Slack customers demand.

                                                                                                  1. 1

                                                                                                    Thanks for clarifying. My point can be restated as… There is no business model for federated and decentralized software (until recently, see cryptocurrencies). Note most open and decentralized tech of the past was government funded and therefore didn’t face business pressures. This freed designers to optimise other concerns instead of business ones like slack does.

                                                                                            2. 4

                                                                                              To the extent that Slack did succeed because it was hip and cool, why is that a negative? Why can’t IRC be hip and cool?

                                                                                              The argument being made is that the vast majority of Slack’s appeal is the “hip-and-cool” factor, not any meaningful additions to functionality.

                                                                                              1. 6

                                                                                                Right, as I said I think it’s important for proponents of open tech to look at successful products like Slack and try to understand why they succeeded. If you really think there is no meaningful difference then I think you’re totally disconnected from the needs/context of the average organization or computer user.

                                                                                                1. 3

                                                                                                  That’s all well and good, I just don’t see why we can’t build those systems on top of existing open protocols like IRC. I mean: of course I understand, it’s about the money. My opinion is that it doesn’t make much sense to insist that opaque, closed ecosystems are the way to go. We can have the “hip-and-cool” factor, and all the amenities provided by services like Slack, without abandoning the important precedent we’ve set for ourselves with protocols like IRC and XMPP. I’m just disappointed that everyone’s seeing this as an “either-or” situation.

                                                                                                  1. 2

                                                                                                    I definitely don’t see it as an either-or situation, I just think that the open source community typically has the wrong mindset for competing with closed products and that most projects are unapproachable by UX or design-minded people.

                                                                                            3. 3

                                                                                              Open, standard chat tech has had persistent history and much more for decades in the form of XMPP. Comparing to the older IRC on features isn’t really fair.

                                                                                              1. 2

                                                                                                The fact that people are using something tells you nothing about how Good that thing is.

                                                                                                I have to disagree here. It shows that it is good enough to solve a problem for them.

                                                                                                1. 1

                                                                                                  I don’t see how Good and “good enough to solve a problem” are related here. The first is a metric of quality, the second is the literal bare minimum of that metric.

                                                                                          2. 1

                                                                                            Alternative distribution mechanisms are not used by 99%+ of the existing phone userbases, providing an APK is indeed correctly viewed as harm reduction.

                                                                                            I’d dispute that. People who become interested in Signal seem much more prone to be using F-Droid than, say, WhatsApp users. Signal tries to be an app accessible to the common person, but few people really use it or see the need… and often they are free software enthusiasts or people who are fed up with Google and surveillance.

                                                                                            1. 1

                                                                                              More likely sure, but that doesn’t mean that many of them reach the threshold of effort that they do.

                                                                                            2. 0

                                                                                              Ossification of a decentralized protocol.

                                                                                              IRC isn’t decentralised… it’s not even federated

                                                                                              1. 3

                                                                                                Sure it is, it’s just that there are multiple federations.

                                                                                            1. 28

                                                                                              That is a very reductionist view of what people use the web for. And I am saying this as someone whose personal site pretty much matches everything prescribed except comments (which I still have).

                                                                                              Btw, Medium, given as a positive example, is not in any way minimal and certainly not by metrics given in this article.

                                                                                              1. 19

                                                                                                Btw, Medium, given as a positive example, is not in any way minimal and certainly not by metrics given in this article.

                                                                                                Chickenshit minimalism: https://medium.com/@mceglowski/chickenshit-minimalism-846fc1412524

                                                                                                1. 13

                                                                                                  I wouldn’t say medium even gives the illusion of simplicity (For example, on the page you linked, try counting the visual elements that aren’t blog post). Medium seems to take a rather contrary approach to blogs, including all the random cruft you never even imagined existed, while leaving out the simple essentials like RSS feeds. I honestly have no idea how the author of the article came to suggest medium as an example of minimalism.

                                                                                                  1. 8

                                                                                                    Medium started with an illusion of simplicity and gradually got more and more complex.

                                                                                                    1. 3

                                                                                                      I agree with your overall point, but Medium does provide RSS feeds. They are linked in the <head> and always have the same URL structure. Any medium.com/@user has an RSS feed at medium.com/feed/@user. For Medium blogs hosted at custom URLs, the feed is available at /feed.

                                                                                                      I’m not affiliated with Medium. I have a lot of experience bugging webmasters of minimal websites to add feeds: https://github.com/issues?q=is:issue+author:tfausak+feed.

                                                                                                  2. 3

                                                                                                    That is a very reductionist view of what people use the web for.

                                                                                                    I wonder what Youtube, Google docs, Slack, and stuff would be in a minimal web.

                                                                                                    1. 19

                                                                                                      Useful.

                                                                                                      algernon hides

                                                                                                      1. 5

                                                                                                        YouTube, while not as good as it could be, is pretty minimalist if you disable all the advertising.

                                                                                                        I find google apps to be amazingly minimal, especially compared to Microsoft Office and LibreOffice.

                                                                                                        Minimalist Slack has been around for decades, it’s called IRC.

                                                                                                        1. 2

                                                                                                          It is still super slow then! At some point I was able to disable JS, install the Firefox “html5-video-everywhere” extension and watch videos that way. That was awesome fast and minimal. Tried it again a few days ago, but didn’t seem to work anymore.

                                                                                                          Edit: now I just “youtube-dl -f43 ” directly without going to YouTube and start watching immediately with VLC.

                                                                                                          1. 2

                                                                                                            The youtube interface might look minimalist, but under the hood, it is everything but. Besides, I shouldn’t have to go to great lengths to disable all the useless stuff on it. It shouldn’t be the consumer’s job to strip away all the crap.

                                                                                                          2. 2

                                                                                                            That seems to be of extreme bad faith though.

                                                                                                            1. 11

                                                                                                              In a minimal web, locally-running applications in browser sandboxes would be locally-running applications in non-browser sandboxes. There’s no particular reason any of these applications is in a browser at all, other than myopia.

                                                                                                              1. 2

                                                                                                                Distribution is dead-easy for websites. In theory, you can have non-browser-sandboxed apps with such easy distribution, but then what’s the point.

                                                                                                                1. 3

                                                                                                                  Non-web-based locally-running client applications are also usually made downloadable via HTTP these days.

                                                                                                                  The point is that when an application is made with the appropriate tools for the job it’s doing, there’s less of a cognitive load on developers and less of a resource load on users. When you use a UI toolkit instead of creating a self-modifying rich text document, you have a lighter-weight, more reliable, more maintainable application.

                                                                                                                  1. 3

                                                                                                                    The power of “here’s a URL, you now have an app running without going through installation or whatnot” cannot be understated. I can give someone a copy of pseudo-Excel to edit a document we’re working together on, all through the magic of Google Sheet’s share links. Instantly.

                                                                                                                    Granted, this is less of an advantage if you’re using something all the time, but without the web it would be harder to allow for multiple tools to co-exist in the same space. And am I supposed to have people download the Doodle application just to figure out when our group of 15 can go bowling?

                                                                                                                    1. 4

                                                                                                                      They are, in fact, downloading an application and running it locally.

                                                                                                                      That application can still be javascript; I just don’t see the point in making it perform DOM manipulation.

                                                                                                                      1. 3

                                                                                                                        As one who knows JavaScript pretty well, I don’t see the point of writing it in JavaScript, however.

                                                                                                                        1. 1

                                                                                                                          A lot of newer devs have a (probably unfounded) fear of picking up a new language, and a lot of those devs have only been trained in a handful (including JS). Even if moving away from JS isn’t actually a big deal, JS (as distinct from the browser ecosystem, to which it isn’t really totally tied) is not fundamentally that much worse than any other scripting language – you can do whatever you do in JS in python or lua or perl or ruby and it’ll come out looking almost the same unless you go out of your way to use particular facilities.

                                                                                                                          The thing that makes JS code look weird is all the markup manipulation, which looks strange in any language.

                                                                                                                          1. 3

                                                                                                                            JS (as distinct from the browser ecosystem, to which it isn’t really totally tied) is not fundamentally that much worse than any other scripting language

                                                                                                                            (a == b) !== (a === b)

                                                                                                                            but only some times…

                                                                                                                            1. 3

                                                                                                              Javascript has gotchas, just like any other organic scripting language. It’s less consistent than python and lua but probably has fewer of these than perl or php.

                                                                                                                              (And, just take a look at c++ if you want a faceful of gotchas & inconsistencies!)

                                                                                                                              Not to say that, from a language design perspective, we shouldn’t prize consistency. Just to say that javascript is well within the normal range of goofiness for popular languages, and probably above average if you weigh by popularity and include C, C++, FORTRAN, and COBOL (all of which see a lot of underreported development).

                                                                                                                      2. 1

                                                                                                        Web applications are expected to load progressively. And because they are sandboxed, they are allowed to start instantly without asking you for permissions.

                                                                                                                        The same could be true of sandboxed desktop applications that you could stream from a website straight into some sort of sandboxed local VM that isn’t the web. Click a link, and the application immediately starts running on your desktop.

                                                                                                                      3. 1

                                                                                                        I can’t argue with using the right tool for the job. People use Electron because there isn’t a flexible, good-looking, easy-to-use cross-platform UI kit. Damn the 500 MB of RAM usage for a chat app.

                                                                                                                        1. 4

                                                                                                                          There are several good-looking flexible easy to use cross-platform UI kits. GTK, WX, and QT come to mind.

                                                                                                                          If you remove the ‘good-looking’ constraint, then you also get TK, which is substantially easier to use for certain problem sets, substantially smaller, and substantially more cross-platform (in that it will run on fringe or legacy platforms that are no longer or were never supported by GTK or QT).

                                                                                                                          All of these have well-maintained bindings to all popular scripting languages.

                                                                                                                          1. 1

                                                                                                                            QT apps can look reasonably good. I think webapps can look better, but I haven’t done extensive QT customization.

                                                                                                                            The bigger issue is 1) hiring - easier to get JS devs than QT devs 2) there’s little financial incentive to reduce memory usage. Using other people’s RAM is “free” for a company, so they do it. If their customers are in US/EU/Japan, they can expect reasonably new machines so they don’t see it as an issue. They aren’t chasing the market in Nigeria, however large in population.

                                                                                                                            1. 5

                                                                                                                              Webapps are sort of the equivalent of doing something in QT but using nothing but the canvas widget (except a little more awkward because you also don’t have pixel positioning). Whatever can be done in a webapp can be done in a UI toolkit, but the most extreme experimental stuff involves not using actual widgets (just like doing it as a webapp would).

                                                                                                                              Using QT doesn’t prevent you from writing in javascript. Just use NPM QT bindings. It means not using the DOM, but that’s a net win: it is faster to learn how to do something with a UI toolkit than to figure out how to do it through DOM manipulation, unless the thing that you’re doing is (at a fundamental level) literally displaying HTML.

                                                                                                                              I don’t think memory use is really going to be the main factor in convincing corporations to leave Electron. It’s not something that’s limited to the third world: most people in the first world (even folks who are in the top half of income) don’t have computers that can run Electron apps very well – but for a lot of folks, there’s the sense that computers just run slow & there’s nothing that can be done about it.

                                                                                                                              Instead, I think the main thing that’ll drive corporations toward more sustainable solutions is maintenance costs. It’s one thing to hire cheap web developers & have them build something, but over time keeping a hairball running is simply more difficult than keeping something that’s more modular running – particularly as the behavior of browsers with respect to the corner cases that web apps depend upon to continue acting like apps is prone to sudden (and difficult to model) change. Building on the back of HTML rendering means a red queen’s race against 3 major browsers, all of whom are changing their behaviors ahead of standards bodies; on the other hand, building on a UI library means you can specify a particular version as a dependency & also expect reasonable backwards-compatibility and gradual deprecation.

                                                                                                                              (But, I don’t actually have a lot of confidence that corporations will be convinced to do the thing that, in the long run, will save them money. They need to be seen to have saved money in the much shorter term, & saying that you need to rearchitect something so that it costs less in maintenance over the course of the next six years isn’t very convincing to non-technical folks – or to technical folks who haven’t had the experience of trying to change the behavior of a hairball written and designed by somebody who left the company years ago.)

                                                                                                                            2. 1

                                                                                                                              I understand that these tools are maintained in a certain sense. But from an outsider’s perspective, they are absolutely not appealing compared to what you see in their competitors.

                                                                                                              I want to be extremely nice, because I think that the work done on these teams and projects is very laudable. But compare the wxPython docs with the Bootstrap documentation. I also spent a lot of time trying to figure out how to use Tk, and almost all resources… felt outdated and incompatible with whatever toolset I had available.

                                                                                                                              I think Qt is really good at this stuff, though you do have to marry its toolset for a lot of it (perhaps this has gotten better).

                                                                                                              The elephant in the room is that no native UI toolset (save maybe Apple’s stack?) is anywhere near as good as the diversity of options and breadth of tooling available in DOM-based solutions. Chrome dev tools is amazing, and even simple stuff like CSS animations gives a lot of options that would be a pain in most UI toolkits. Out of the box it has so much functionality, even if you’re working purely vanilla/“no library”. Though on this point things might have changed, jQuery basically is the optimal low-level UI library and I haven’t encountered native stuff that gives me the same sort of productivity.

                                                                                                                              1. 3

                                                                                                                                I dunno. How much of that is just familiarity? I find the bootstrap documentation so incomprehensible that I roll my own DOM manipulations rather than using it.

                                                                                                                TK is easy to use, but the documentation is tcl-centric and pretty unclear. QT is a bad example because it’s quite heavy-weight and slow (and you generally have to use QT’s versions of built-in types and do all sorts of similar stuff). I’m not trying to claim that existing cross-platform UI toolkits are great: I actually have a lot of complaints with all of them; it’s just that, in terms of ease of use, performance, and consistency of behavior, they’re all far ahead of web tech.

                                                                                                                                When it comes down to it, web tech means simulating a UI toolkit inside a complicated document rendering system inside a UI toolkit, with no pass-throughs, and even web tech toolkits intended for making UIs are really about manipulating markup and not actually oriented around placing widgets or orienting shapes in 2d space. Because determining how a piece of markup will look when rendered is complex and subject to a lot of variables not under the programmer’s control, any markup-manipulation-oriented system will make creating UIs intractably awkward and fragile – and while Google & others have thrown a great deal of code and effort at this problem (by exhaustively checking for corner cases, performing polyfills, and so on) and hidden most of that code from developers (who would have had to do all of that themselves ten years ago), it’s a battle that can’t be won.

                                                                                                                                1. 5

                                                                                                                  It annoys me greatly because it feels like nobody really cares about the conceptual damage incurred by simulating a UI toolkit inside a document renderer inside a UI toolkit, instead preferring to chant “open web!” And then this broken conceptual basis propagates to other mediums (VR) simply because it’s familiar. I’d also argue the web as a medium is primarily intended for commerce and consumption, rather than creation.

                                                                                                                                  It feels like people care less about the intrinsic quality of what they’re doing and more about following whatever fad is around, especially if it involves tools pushed by megacorporations.

                                                                                                                                  1. 2

                                                                                                                                    Everything (down to the transistor level) is layers of crap hiding other layers of different crap, but web tech is up there with autotools in terms of having abstraction layers that are full of important holes that developers must be mindful of – to the point that, in my mind, rolling your own thing is almost always less work than learning and using the ‘correct’ tool.

                                                                                                                                    If consumer-grade CPUs were still doubling their clock speeds and cache sizes every 18 months at a stable price point and these toolkits properly hid the markup then it’d be a matter of whether or not you consider waste to be wrong on principle or if you’re balancing it with other domains, but neither of those things are true & so choosing web tech means you lose across the board in the short term and lose big across the board in the long term.

                                                                                                                2. 1

                                                                                                                  Youtube would be a website where you click on a video and it plays. But it wouldn’t have ads and comments and thumbs up and share buttons and view counts and subscription buttons and notification buttons and autoplay and add-to-playlist.

                                                                                                                  Google docs would be a desktop program.

                                                                                                                  Slack would be IRC.

                                                                                                                  1. 1

                                                                                                                    What you’re describing is the video HTML5 tag, not a video sharing platform. Minimalism is good, I do agree, but don’t mix it with no features at all.

                                                                                                                    Google docs would be a desktop program.

                                                                                                    This is another debate, about why the web is used for these kinds of tasks, not about whether it’s minimalist or not.

                                                                                                              1. 4

                                                                                                                Why re-create code editors, simulators, spreadsheets, and more in the browser when we already have native programs much better suited to these tasks?

                                                                                                                Because the Web is the non-proprietary application platform that actually has traction.

                                                                                                                1. 1
                                                                                                                  1. 1

                                                                                                                    That’s true for all useful platforms.

                                                                                                                1. 23

                                                                                                                  “It is difficult to get a [web developer] to understand something, when [their] salary depends on [them] not understanding it.”

                                                                                                                  ― Upton Sinclair

                                                                                                                  1. 4

                                                                                                                    My back looks like a pin cushion from all the arrows I received over the years fighting for web that would be more ethical and void of mostly useless crap. Some battles won, too many lost. I lost one just yesterday, but it didn’t occur to me that it was because of my money-induced blindness.

                                                                                                                    I actually like this quote and have used it myself before, but while I met many web developers over the years who didn’t care about bullshit described in the article, almost all of them didn’t simply because they were either ignorant of available technologies, didn’t care much about quality of anything they did and most often both.

                                                                                                                    1. 1

                                                                                                                      Some battles won, too many lost.

                                                                                                                      What were some of the wins?

                                                                                                                      1. 4

                                                                                                        An example of a small recent one would be the Klevio website (as it currently exists, less so after today). I am not linking to it because I don’t want referrals from Lobsters to show up in the website’s logs, but it is trivial to find.

                                                                                                        Almost everything on this website works with Javascript turned off. It uses Javascript to augment the experience, but does not needlessly rely on external libraries. It should work reasonably well even on poor connections. It does not track you and still has a privacy policy that tries to be closer to the spirit of GDPR than to what you may get away with.

                                                                                                        It would certainly be easier for me and faster to develop (cheaper for the company) if I had just leaned on existing tools, built yet another SPA and not spent more than a week arguing with lawyers about what is required.

                                                                                                        Alas, because unsurprisingly most people do not opt in to analytics, I am now working on a different confirmation dialog, more in line with what others are doing. It will still be better than most, but certainly more coercive than the current one.

                                                                                                                        And this is in a company that is, based on my experience, far more conscientious about people’s privacy than others I worked for.

                                                                                                                        1. 1

                                                                                                          It would certainly be easier for me and faster to develop (cheaper for the company) if I had just leaned on existing tools, built yet another SPA and not spent more than a week arguing with lawyers about what is required.

                                                                                                                          Is this really true? Not to downplay your craft but I always thought tinkering with HTML/CSS until things look right would be way easier than learning a separate library.

                                                                                                                          I checked out that website and it’s pretty refreshing that stuff actually works. If you want a little constructive feedback, the information density is very low especially on a desktop computer with a widescreen monitor. I have to scroll down 7 screens to get all the information, which could have fit on a single screen. Same with the “about us” page. I notice the site is responsive, giving a hamburger when you narrow your window, so maybe the “non-mobile” interface could be more optimized for desktop use.

                                                                                                                          1. 1

                                                                                                                            I don’t think it is in every case, but in this one I think it would be since everything was handwritten without picking up existing solutions for things like galleries. If you mean the SPA part, then I guess it becomes more moot. It would probably be about the same doing the first implementation, but this one, which is basically a bunch of static files, certainly has a higher cost of maintenance because we (I) didn’t get around to finishing it so page “components” still have to be manually copied to new files and updated everywhere when their content changes. The plan was to automate most of this, but we haven’t spent the time on it yet.

                                                                                                                            I agree with everything in the second paragraph. Regretfully that is one of those battles lost.

                                                                                                                            1. 1

                                                                                                              So what do your managers feel is the benefit of having such low information density? How do these decisions get made?

                                                                                                                              1. 1

                                                                                                                If I remember correctly it was because it supposedly looks modern, clean and in line with the company’s brand. It has been a while so my memory is fuzzy on this.

                                                                                                                    2. 2

                                                                                                      I’ve heard this a few times already, but I’ve never quite understood what the implication is. What precisely are web developers not understanding? I get the default examples (e.g. oil companies funding environmental research), but just can’t see the analogy in this case.

                                                                                                                      1. 22

                                                                                                                        You’re on week three of your new job at a big city ad and design firm. Getting that first paycheck was nice, but the credit card bill from the moving expenses is coming up, that first month of big city rent wiped out your savings, and you don’t really have a local personal network to find new jobs. The customer wants a fourth “tag” for analytics tracking. Do you:

                                                                                                        1. Put it in?
                                                                                                        2. Engage in a debate about engineering ethics with your boss and his boss (who drives a white Range Rover and always seems to have the sniffles after lunch) culminating with someone screaming and you storming out, never to return?

                                                                                                        1. 8

                                                                                                          Web devs know that autoplay videos and newsletter pop-ups are annoying, but annoying people is profitable.

                                                                                                                      1. 3

                                                                                                                        If weather is bad enough to prevent me from hiking I plan to finish my Instapaper alternative (email myself a nicely formatted version of the article).

                                                                                                        This is my first step in exploring the possibility of using email clients as a feed reader interface.

                                                                                                                        1. 37

                                                                                                                          I think practically all “Why You Should…” articles would be improved if they became “When You Should…” articles with corresponding change of perspective.

                                                                                                                          1. 23

                                                                                                                            An even better formulation would be “Here is the source code for an app where I didn’t use a framework. It has users, and here are my observations on building and deploying it”.

                                                                                                                            In other words, “skin in the game” (see Taleb). I basically ignore everyone’s “advice” and instead look at what they do, not what they say. I didn’t see this author relate his or her own experience.

                                                                                                                            The problem with “when you should” is that the author is not in the same situation as his audience. There are so many different programming situations you can be in, with different constraints, and path dependence. Just tell people what you did and they can decide whether it applies to them. I think I basically follow that with http://www.oilshell.org/ – I am telling people what I did and not attempting to give advice.

                                                                                                                            (BTW I am sympathetic to no framework – I use my own little XHR wrapper and raw JS, and my own minimal wrapper over WSGI and Python. But yes it takes forever to get things done!)

                                                                                                                            1. 2

                                                                                                                              Thanks for the Taleb reference. I didn’t know it existed, and so far it is a good read.

                                                                                                                              1. 1

                                                                                                                His earlier books are also good. It is a lot of explaining the same ideas in many different ways, but I find that the ideas need a while to sink in, so that’s useful.

                                                                                                                                He talks about people thinking/saying one thing, but then acting like they believe its opposite. I find that to be painfully true, and it also applies to his books. You could agree with him in theory, but unless you change your behavior then you might not have gotten the point :-)
                                                                                                                                Less abstractly, the worst manager I ever had violated the “skin in the game” rule. He tried to dictate the technology used in a small project I was doing, based on conversations with his peers. That technology was unstable and inappropriate for the task.

                                                                                                                                He didn’t have to write the code, so he didn’t care. I was the one who had to write the code, so I’m the one with skin in the game, so I should make the technology choices. I did what he asked and left the team, but what he asked is not what the person taking over wanted I’m sure.

                                                                                                                                In software, I think you can explain a lot of things by “who has to maintain the code” (who has skin in the game). I think it explains why the best companies maintain long term software engineering staff, instead of farming it out. If you try to contract out your work, those people may do a shitty job because they might only be there for a short period. (Maybe think of the healthcare.gov debacle – none of the engineers really had skin in the game.)

                                                                                                                                It also explains why open source code can often be higher quality, and why it lasts 30+ years in many cases. If the original designer plans on maintaining his or her code for many years, then that code will probably be maintainable by others too.

                                                                                                                                It also explains why “software architect” is a bad idea and never worked. (That is, a person who designs software but doesn’t implement it.)

                                                                                                                                I’m sure these principles existed under different names before, and are somewhat common sense. But they do seem to be violated over and over, so I like to have a phrase to call people on their BS. :-)

                                                                                                                                1. 2

                                                                                                                                  Yeah, the phrase works as a good lens and reminder. Interestingly, as most parents will attest to - the “do as I say not as I do” is generally unsuccessful with kids. They are more likely to emulate than listen.

                                                                                                                            2. 2

                                                                                                                              I definitely agree with this change. It’d get more people thinking architecturally, something that’s sorely needed.

                                                                                                                            1. 11

                                                                                                                              One culture note I find really interesting: I remember 3-4 years ago a lot of people were griping about how “full stack” wasn’t real. Almost all of them argued that backend was so complicated you needed a specialist to do it well.

                                                                                                                              Now we’re seeing the exact same articles but now it’s the frontend that’s too complicated.

                                                                                                                              When it comes to specialisation, generalists underestimate the benefits but specialists overestimate the necessity.

                                                                                                                              1. 5

                                                                                                                                I think it’s related to how complicated front end has become.

                                                                                                                                I think the problem is that most people who call themselves “full stack” are, like most of us, quite highly experienced in one area, and have enough working knowledge to get by in the other areas.

                                                                                                                                Every “full stack vs not” argument I’ve seen has boiled down to “full stack” people claiming that more specialised people are “single skill”.

                                                                                                                                I’ve never met or worked with anyone that did just one thing. In most teams/orgs I’d expect people to have some experience across most of the tech stack - but that doesn’t make them “full stack” any more than it makes me a mechanic because I can change a tire or replace a car battery, or a builder because I can put up a shelf.

                                                                                                                                That doesn’t mean there isn’t a place for people who are (or seemingly claim themselves to be, à la “full stack”) more evenly experienced over the stack than those who specialise, but in my experience these people tend to be the ones who just brush off anything that’s beyond them as “we don’t need to worry about it”.

                                                                                                                                1. 1

                                                                                                                                  I acknowledge that you used “most” and “tend” to allow exceptions, but your argument still rubs me the wrong way.

                                                                                                                                  I am one of those people who has described himself as a full-stack web developer. I feel comfortable doing this because I have designed and implemented back-ends and front-ends of services that scaled to hundreds of thousands of users. Obviously there exist much larger scales, but I think ~million users will cover the needs of most web services out there and in some countries, like Slovenia where I live, it will cover all of them. It does not seem unreasonable to me to have a term for noting that you can build any part of it if necessary.

                                                                                                                                  I do not claim to know everything I need to know at all times, but I do know enough about everything relevant that I can tell where the gaps are and fill them in a reasonable time. I find this perfectly reasonable in the same way as needing to learn a new language for a project does not disqualify a developer from still being a developer.

                                                                                                                                  I am not alone and have colleagues who can do the same or better. None of us argue that we are all anyone needs, and even on smaller projects it is generally better if people focus on fewer things. Most of my work lately is on front-end and I certainly am not stupid enough to not notice that specialists can do many things better than me. If your project can benefit from that and can afford hiring such a person, it would be stupid not to.

                                                                                                                                  As you say yourself, full-stack is really just a description for a different distribution of skills and experience over the stack, and you can be a competent developer over a huge part of it if you pay attention to what and why you are learning something and avoid switching tools and frameworks for the currently fashionable one every half a year.

                                                                                                                                  I don’t doubt most full-stack developers are bad at their job in the same way as most of any group of developers are (X specialists, Python developers…). Likewise no group of practitioners of noticeable size lacks individuals disparaging other groups.

                                                                                                                                  1. 1

                                                                                                                                    I did specifically qualify it as anecdotal:

                                                                                                                                    in my experience these people tend to be

                                                                                                                                    The rest of your comment just seems to reaffirm what I said though - fullstack is generally just a broader, shallower set of experience rather than narrow, deeper with someone more specialised.

                                                                                                                              1. 2

                                                                                                                                “If you were to go back in time to 1987, this is probably similar to what would have replaced the Amiga if Jack Tramiel had never left Commodore.”

                                                                                                                                Cool project, but I don’t think this is true. The Amiga 500 had 512KB of RAM because it was bloody expensive. So did the majority of competitors. Nobody would put 1.5MB in a computer at that time because it would severely reduce the number of units you could shift for little benefit. Pretty much all software written at that point needed far less than that (even on the multitasking Amiga).

                                                                                                                                Also, I believe 65C816 did not run at 14Hz back then. Not many chips did and both Amiga and Atari were running at 7-8Hz.

                                                                                                                                1. 3

                                                                                                                                  The A500 could be expanded up to 7 MB though, so I don’t think it’s completely out of line.

                                                                                                                                  I wonder if the CPU is actually the W65C816S, which is readily available at 14 MHz. I sent an email to Stefany and asked about it.

                                                                                                                                  Edit: it is indeed the W65C816S from Western Design Center.

                                                                                                                                1. 12

                                                                                                                                  Commodore was spectacular in how well it could snatch defeat from the jaws of victory. The Amiga was the most amazing machine the world had yet seen in 1985, they had possibly the best team of hardware and software engineers in the world, but management just…couldn’t leave it well enough alone.

                                                                                                                                  Bizarre decisions like:

                                                                                                                                  • The Amiga (later retroactively named the Amiga 1000) had a sidecar expansion port. The Amiga 500 had the same port, but upside down…so that all of the existing peripherals had to be upside down to work. Given how they were designed, it meant that none of them would.
                                                                                                                                  • The Amiga 2000 was the first machine that could use the Video Toaster, and the Video Toaster was the killer app for the Amiga. Then they made the Amiga 3000, which could also use the Video Toaster, except that the case was a quarter-inch too short for the Toaster card.
                                                                                                                                  • The Amiga 600 had a PCMCIA slot. Except that they rushed to manufacturing using a draft of the PCMCIA spec, rather than waiting for the final specification. The end result was that regular PCMCIA cards often wouldn’t work on the Amiga.
                                                                                                                                  • Amiga Unix on the Amiga 3000UX was considered one of the highest-quality SVR4 ports ever. Sun offered to produce the Amiga 3000UX for Commodore as a Sun-branded Unix workstation that could run Amiga software…and Commodore declined.

                                                                                                                                  We’d all be using Amigas now if Commodore’s management had literally been anything other than hilariously incompetent, I swear.

                                                                                                                                  1. 4

                                                                                                                                    Jimmy Maher’s book about the Amiga explores a number of these bizarre decisions and reaches a similar conclusion. The title says it all: The Future Was Here! http://amiga.filfre.net/

                                                                                                                                    1. 2

                                                                                                                                      Agree with everything except the conclusion, as even less incompetent companies failed, including Sun. Only Apple survived, and even they are now basically producing PCs with their distro.

                                                                                                                                      However we might have been living in a different future if Amiga had an opportunity for a bigger impact. Mine certainly is as I went to study mathematics instead of CS because I could not imagine developing software for PCs in DOS era.

                                                                                                                                      1. 1

                                                                                                                                        Are you certain that the first 2 issues (upside-down sidecar port & case too short for toaster card) were the fault of management & not engineering?

                                                                                                                                      1. 2

                                                                                                                                        That’s rich, from a guy who did his best to advance the client-server cloud model in his time.

                                                                                                                                        OK, not really happy about the acquisition either, but overall GitHub has been a massive boon to the community in general. It lowered the threshold to collaboration, publishing your projects and facilitated a bunch of dependency fetching ecosystems with much higher availability than was possible before.

                                                                                                                                        1. 5

                                                                                                                                          How did he do that?

                                                                                                                                          I thought he was involved in writing the Netscape Navigator browser and its mail component, neither of which promote the cloud model.

                                                                                                                                          1. 2

                                                                                                                                            You posted that comment using a web browser which identifies itself as “Mozilla” and a cloud-hosted application called “lobste.rs”. IMO it’s fair to say that someone who was both a primary author of Mozilla-the-browser and a founder of mozilla.org was involved in enabling, even promoting the model lobste.rs uses.

                                                                                                                                            1. 2

                                                                                                                                              This is basically an argument that the web itself, or really any client-server approach, is promoting the cloud model, which I find absurd. Cloud-hosted wasn’t a technologically inevitable outcome, as you could build something similar to email. You still can, as you can use those same technologies JWZ helped build to run your stuff on your own hardware.

                                                                                                                                              I don’t remember either JWZ or Mozilla in his time promoting running stuff in cloud (other people’s computers).

                                                                                                                                              1. 1

                                                                                                                                                He wrote software that made it feasible to put even user interface code on a server running in a colo somewhere. The UI on such software was primitive and laggy compared to using alternatives like MFC or Qt, but on the other hand a webapp didn’t have to be purchased, downloaded or installed.

                                                                                                                                                I don’t recall him saying that anyone should write webapps. But he wrote software that made it feasible, and did his best to get that software installed everywhere.

                                                                                                                                                1. -1

                                                                                                                                                  Other people’s computers? You make it sound like a P2P network. I know zero cloud services hosted on other people’s computers, as opposed to other corporations.

                                                                                                                                                  Oh and funny how email was decentralized right until its consolidation as browser-based client-server (sorry, cloud) platforms.

                                                                                                                                                  1. 3

                                                                                                                                                    “Other people’s computers” is a popular description of where cloud-hosted apps run. I don’t think anyone, certainly not me, means P2P by that.

                                                                                                                                                    Email is still decentralized. You can run your own server as I and many others do. It can also have a webmail interface like mine does, and that has been true for 2 decades. The fact that users are consolidating on a few providers does not make the underlying technology more “cloudy”, and the fact that this did not happen for the first decade also strongly suggests that the change did not happen because of the underlying (web) technology.

                                                                                                                                                    1. 1

                                                                                                                                                      What share of the world’s email has to be stored in a single database before you consider it centralised? 50% perhaps?

                                                                                                                                                      Google alone hosts a two-digit percentage of email users. I’ve heard the number 25% mentioned. Assuming one From address per message, an average of 1.4 To/Cc addresses and a 25% market share for Google, Google stores 50% of the email that was sent yesterday on behalf of the sender or any recipient. I self-host, so Google stores about 33% of my email.

                                                                                                                                                      (I made up the number 1.4. I don’t really care about the precise details. And I don’t care about whether you want to consider just Google or also the next ten big hosters.)

                                                                                                                                                      1. 1

                                                                                                                                                        This debate has moved far away from JWZ and cloud to what feels off topic from the main theme (Github+MS).

                                                                                                                                                        Since you asked, I have no idea what percentage of contained data, if any, should be the limit at which something counts as centralized. I think your question reveals an underlying dilemma, which is whether we are talking about effectively centralized in the sense that for all intents and purposes everything happens at one place, or actually centralized in the sense that it can’t happen elsewhere.

                                                                                                                                                        Clearly in the second sense email is not centralized as one can demonstrably run their own server as still so many do without penalties as long as the server is properly configured. It might not make economic or otherwise sense, but at least for now you are not technologically locked out.

                                                                                                                                                        I don’t think it is centralized in the first sense either, and I am not sure your metric is valid. In that sense the whole web is already centralized, or was, as Google scraped everything public, so in a way it stored close to all of it. Let’s imagine that we are left with only two email providers of approximately equal size and usage pattern. Then by your approach each of them will contain more or less all email, and yet neither of them would actually be in a position where everyone had to be.

                                                                                                                                                        And to bring this closer to the thread’s original topic, I don’t think any of this has much to do with the web as such. It happened because the costs of running your own server did not fall like the cost of hosted accounts, which also provided a degree of freedom compared to ISP’s or company’s. What the web did do, as it improved, is change the client that is used to access email, as there was less need for native OS ones. And even that is not completely true, since Gmail has native clients for both Android and iOS.

                                                                                                                                                        I think we would have moved to “cloud” services over time even if the web did not exist or remained limited to HTML2. We would just be using Windows apps to do so.

                                                                                                                                          1. 38

                                                                                                                                            Appreciate the honesty here. My take: GitHub stars aren’t real. Twitter followers aren’t real. Likes aren’t real. It’s all a video game. If you want to assess the quality of the code, you have to read it. You can’t rely on metrics except as a weak indicator. I predict there will be services to let you buy Github stars if the current trend of overvaluing them continues.

                                                                                                                                            The endless self-promotion and programmers-masquerading-as-brands on Twitter and Medium generates a huge amount of noise for an even larger amount of BS. The only winning move is to not engage.

                                                                                                                                            1. 9

                                                                                                                                              This is more true than one might think. There are a couple of projects on GitHub with thousands of stars, some more than all the BSDs’ source code combined, with the promise to bring something amazing, while not even having a working proof of concept, and being completely abandoned.

                                                                                                                                              However, since it is true (to some degree) that having a larger user base in programming historically means that you won’t have to maintain a project on your own in the end, it’s easy to be fooled by anything that appears to indicate a large userbase, like GitHub stars.

                                                                                                                                              Many people use GitHub more like a “might be interesting, let’s bookmark it” or “Wow, so many buzzwords”, etc.

                                                                                                                                              On the other hand there are quite a few projects that do one thing and do it well. Programmed to solve a problem, with 0-10 stars.

                                                                                                                                              One might think those are extreme cases; they are only in the sense that 0 stars is the extreme of not being able to have fewer. They are not rare cases.

                                                                                                                                              Another thing to consider is that GitHub is built a lot like a social network, so you have network effects, where people follow other people and one person liking something results in timelines, causing others to like it to remember to look at it, or “in case I need this some day”, and so one ends up having these explosions. Hackernews, Lobsters, reddit, etc. and in general having someone mention it to a bigger audience can help a lot too - and be it just “I have heard about this, but not looked at it yet”. It appears to be similar to the same story having zero upvotes on one day, and hundreds or thousands on another.

                                                                                                                                              The rest is probably rooted in human psychology.

                                                                                                                                              1. 3

                                                                                                                                                This is what I do. I use stars on Github pretty much only as a bookmarking tool.

                                                                                                                                              2. 4

                                                                                                                                                Spot on. On top of the detrimental “programmers-masquerading-as-brands”, many GH repos are heavily marketed by the companies behind the projects. Covert marketing might be more popular than what people think.

                                                                                                                                                1. 7

                                                                                                                                                  Corporate OSS is winning the mindshare war. Plenty of devs would rather use a massive framework by $MEGACORP instead of something simple that doesn’t box them in. Pragmatism, they say.

                                                                                                                                                  (Of course, they don’t think twice about pulling in a community-sourced standard library (JS).)

                                                                                                                                                  Favorite example of this was a CTO talking about how they used Sinatra instead of Rails for their API endpoint and the flood of surprised replies, “but what if you need to change feature X?”, to which he said, “well, we understand all of the code, so it’s no big deal. Can you say the same about Rails?”

                                                                                                                                              1. 2

                                                                                                                                                I’m curious what other lobsters think Facebook should be doing?

                                                                                                                                                Let’s assume that it’s not profitable for them to offer their service to the EU if they can’t track their users, since that’s the basis of their business. Should they offer “opt in to tracking or pay a yearly fee”? Should they just leave the EU completely?

                                                                                                                                                1. 14

                                                                                                                                                  The “what should Facebook do if this isn’t profitable” question reminds me of the response to taxi companies being upset at Uber/Lyft cannibalizing their business: you don’t have a moral right to your business model; if it’s not profitable, do something else. We shouldn’t reduce quality of medical care because it victimizes undertakers.

                                                                                                                                                  If it’s not profitable, either don’t operate that service, or find some alternate business model that is profitable.

                                                                                                                                                  (FTR, I’m pretty dubious of the benefits of GDPR, but I think the “what about their business models” is one of the worst arguments against it)

                                                                                                                                                  1. 3

                                                                                                                                                    The “what should Facebook do if this isn’t profitable” question reminds me of the response to taxi companies being upset at Uber/Lyft cannibalizing their business: you don’t have a moral right to your business model; if it’s not profitable, do something else. We shouldn’t reduce quality of medical care because it victimizes undertakers.

                                                                                                                                                    I think the Uber comparison isn’t half bad.

                                                                                                                                                    For example, in Europe, a frequent problem was that Uber tried to undercut reasonable regulations (like having proper insurance for passenger transport and adhering to service standards like having to take any passengers). Here, Uber’s approach was morally problematic (“moral” being local and all), and they tried to spin it as a moral issue and users’ choice.

                                                                                                                                                    1. 2

                                                                                                                                                      I’m not in the EU and don’t know enough about GDPR to make a comment on it specifically. I just asked what others thought Facebook should do if we assume that the restrictions placed on them by GDPR make their fundamental business model nonviable.

                                                                                                                                                      1. 2

                                                                                                                                                        Well, they should do as any other large company that suddenly found their business model regulated :). It’s not the first time this happens and not the last.

                                                                                                                                                        It’s their job to figure out, as much as it had been in their hands to avoid the discontent that led to the GDPR from growing.

                                                                                                                                                        I’m not precisely enjoying GDPR either (I think it has vast flaws and actually plays into Facebook’s hands), but Facebook is a billion-dollar company. “What shall we do now that winds are changing?” is really their question to answer.

                                                                                                                                                    2. 3

                                                                                                                                                      I’m curious what other lobsters think Facebook should be doing?

                                                                                                                                                      I can think of a few things, but monkeys will fly out of my butt before any of them happen. They could, for example…

                                                                                                                                                      • Mail everybody a copy of their data on solid-state storage.
                                                                                                                                                      • Destroy their databases.
                                                                                                                                                      • Shut down their data centers.
                                                                                                                                                      • Release all of their code into the public domain.
                                                                                                                                                      • Fire everybody with severance pay.
                                                                                                                                                      • Dissolve the corporation.
                                                                                                                                                      • Send Mark Zuckerberg back to his home planet.

                                                                                                                                                      Facebook is one of the cancers killing the internet, and should be treated like the disease that it is.

                                                                                                                                                      1. 2

                                                                                                                                                        Second option would be great, but enough of daydreaming :)

                                                                                                                                                        1. 1

                                                                                                                                                          You’re asking the wrong question.

                                                                                                                                                          1. 3

                                                                                                                                                            What is the right question?

                                                                                                                                                            1. 3

                                                                                                                                                              @alex_gaynor has the right idea above: https://lobste.rs/s/krca7n/facebook_now_denying_access_unless_eu#c_si5pn0

                                                                                                                                                              The question “well what do you suggest then?” posed to people arguing against Facebook’s business practices implies some kind of self-evident virtuous right Facebook has to exist at the expense of all humanity’s effort.

                                                                                                                                                              I do not agree with this position. The world was fine before Facebook came along, for many people is fine without it, and will be fine if Facebook disappears. Facebook is a leech on people’s private lives, minds, and mental health.

                                                                                                                                                              It is not up to the common person to provide Facebook with a position. It is up to Facebook to provide a position for itself by virtue of being wholesome and useful to society. If they cannot, then that’s the end of it. I owe them nothing, no-one does.

                                                                                                                                                              1. 2

                                                                                                                                                                It is not up to the common person to provide Facebook with a position. It is up to Facebook to provide a position for itself by virtue of being wholesome and useful to society. If they cannot, then that’s the end of it. I owe them nothing, no-one does.

                                                                                                                                                                I agree, but if people continue to choose to use Facebook in the wake of the numerous controversies, then perhaps people just don’t value their privacy more than the services that sites like FB provide. FB is only as big as it is today because people use it.

                                                                                                                                                                1. 1

                                                                                                                                                                  I implied no such thing, and haven’t made a value judgement on Facebook or GDPR anywhere here. I simply asked what others here think that Facebook should do given the changed situation; I’m just curious as to what Facebook’s next moves could be.

                                                                                                                                                                  I find that question much more interesting than your condescending replies and tired opinions about Facebook, a service that I don’t particularly like and am not trying to defend.

                                                                                                                                                          1. 75

                                                                                                                                                            Capitalism is killing us in a very literal sense by destroying our habitat at an ever accelerating rate. The fundamental idea of needing growth and having to constantly invent new things to peddle leads to ever more disposable products, that are replaced for the sake of being replaced. There’s been very little actual innovation happening in the phone space. The vendors are intentionally building devices using the planned obsolescence model to force the upgrade cycle.

                                                                                                                                                            The cancer of consumerism affects pretty much every aspect of society; we’ve clear-cut unique rain forests and destroyed millions of species we haven’t even documented so that we can make palm oil. A product that causes cancer, but that’s fractionally cheaper than other kinds of oil. We’ve created a garbage patch the size of a continent in the ocean. We’re poisoning the land with fracking. The list is endless, and it all comes down to the American ethos that making money is a sacred right that trumps all other concerns.

                                                                                                                                                            1. 22

                                                                                                                                                              Capitalism is killing us in a very literal sense by destroying our habitat at an ever accelerating rate.

                                                                                                                                                              The cancer of consumerism affects pretty much every aspect of society, we’ve clear cut unique rain forests and destroyed millions of species we haven’t even documented so that we can make palm oil.

                                                                                                                                                              One can get into a big debate about this, but the concept of externalities has existed for a long time and specifically addresses these concerns. Products do not cost what they should when their less tangible environmental impact is taken into account. It’s somewhat up to the reader to decide if the inability of society to take those into account is capitalism’s fault, or just human nature, or something else. I live in a country that leans much more socialist than the US but is unequivocally a capitalist country, and they do a better job of managing these externalities. And China is not really capitalistic in the same way the US is but is a pretty significant polluter.

                                                                                                                                                              1. 5

                                                                                                                                                                Indeed, it’s not the fault of the economic system (if you think Capitalistic societies are wasteful, take a look at the waste and inefficiency of industry under the USSR). If externalities are correctly accounted for, or to be safe, even over-accounted for by means of taxation or otherwise, the market will work itself out. If the environmental cost means the new iPhone costs $2000 in real costs, Apple will work to reduce environmental cost in order to make an affordable phone again and everyone wins. And if they don’t, another company will figure it out instead and Apple will lose.

                                                                                                                                                                Currently, there is basically no accounting for these externalities, and in some cases (although afaik not related to smart phones), there are subsidies and price-ceiling regulations that actually decrease the cost of some externalities artificially and are worse for the environment than no government intervention at all.

                                                                                                                                                                The easy example of this is California State water subsidies for farmers. Artificially cheap water for farmers means they grow water-guzzling crops that are not otherwise efficient to grow in arid parts of the state, and cause environmental damage and water shortage to normal consumers. Can you imagine your local government asking you to take shorter showers and not wash your car, when farmers are paying 94% less than you to grow crops that could much more efficiently be grown in other parts of the country? That’s what happens in California.

                                                                                                                                                                Step 1 and 2 are to get rid of the current subsidies and regulations that aggravate externalities and impose new regulation/taxes that help account for externalities.

                                                                                                                                                                1. 2

                                                                                                                                                                  I have talked to a factory owner in china. He said China is more capitalist than the USA. He said China prioritizes capital over social concerns.

                                                                                                                                                                  1. 1

                                                                                                                                                                    Ok? I can talk to lots of people with lots of opinions. That doesn’t make it true.

                                                                                                                                                                    1. 1

                                                                                                                                                                      It’s just impressive that a capitalist would say that. If China was even remotely communist, don’t you find it interesting that most capitalists who made deals with China seem ok helping ‘the enemy’ become the second largest economy in the world? I prefer to believe the simpler possibility that China is pretty darn capitalist itself.

                                                                                                                                                                      1. 2

                                                                                                                                                                        I did not say China was not capitalist, I said it’s not in the same way as the US. There is a lot more state involvement in China.

                                                                                                                                                                        1. 2

                                                                                                                                                                          Is your claim then that state involvement means you have more pollution? Maybe I’m confused by what you were trying to get at, sorry :-/

                                                                                                                                                                          1. 2

                                                                                                                                                                            No, I was pointing out that different countries are doing capitalism differently and some of them are better at dealing with externalities and some of them are worse. With the overall point being that capitalism might be the wrong scapegoat.

                                                                                                                                                                  1. 7

                                                                                                                                                                    I think the consumer could be blamed more than capitalism: the companies make what sells, and the consumers are individuals who buy products that hurt the environment. I think that it is changing though; as people become more aware of these issues, they buy more environmentally friendly products.

                                                                                                                                                                    1. 30

                                                                                                                                                                      You’re blaming the consumer? I’d really recommend watching Century of the Self. Advertising has a massive impact and the mass of humans are being fed this desire for all the things we consume.

                                                                                                                                                                      I mean, this really delves into the deeper question of self-awareness, agency and free will, but I really don’t think most human beings are even remotely aware.

                                                                                                                                                                      Engineers, people on Lobsters, et al. do really want standard devices. Fuck ARM. Give me a god damn mobile platform. Microsoft, for the love of god, just publish your unlock key for your dead phone line so we can have at least one line of devices with UEFI+ARM. Device tree can go die in a fire.

                                                                                                                                                                      The Linux-style revolution of the 2000s (among developers) isn’t happening on mobile because every device is just too damn different. The average consumer could care less. Most people like to buy new things, and we’ve been indoctrinated to that point. Retailers and manufacturers have focus groups geared right at delivering the dopamine rush.

                                                                                                                                                                      I personally hate buying things. When my mobile stopped charging yesterday and the back broke again, I thought about changing it out. I’ve replaced the back twice already and the camera has spots on the sensor under the lenses.

                                                                                                                                                                      I was able to get it charging when I got home on a high amp USB port, so instead I just ordered yet another back and a new camera (I thought it’d be a bitch to get out, but a few YouTube videos show I was looking at the ribbon wrong and it’s actually pretty easy to replace).

                                                                                                                                                                      I feel bad when I buy things, but it took a lot of work to get to that point. I’ve sold or given away most of my things multiple times to go backpacking, I run ad block .. I mean if everyone did what I did, my life wouldn’t be sustainable. :-P

                                                                                                                                                                      We are in a really solidly locked paradigm and I don’t think it can simply shift. If you believe the authors of The Dictator’s Handbook, we literally have to run out of resources before the general public will really push for dramatically different changes.

                                                                                                                                                                      We really need more commitment to open-standards mobile devices. The Ubuntu Edge could have been a game changer, or even the Fairphone. The Edge never got funded and the Fairphone can’t even keep parts sourced for their older models.

                                                                                                                                                                      We need a combination of people’s attitudes + engineers working on OSS alternatives, and I don’t see either happening any time soon.

                                                                                                                                                                      Edit: I forgot to mention, Postmarket OS is making huge strides into making older cellphones useful and I hope we see more of that too.

                                                                                                                                                                      1. 7

                                                                                                                                                                        I second the recommendation for The Century of the Self. That movie offers a life-changing change of perspective. The other documentaries by Curtis are also great and well worth the time.

                                                                                                                                                                        1. 3

                                                                                                                                                                          Century of the Self was a real eye opener. Curtis’s latest documentary, HyperNormalisation, also offers very interesting perspectives.

                                                                                                                                                                        2. 26

                                                                                                                                                                          Capitalism, by its very nature, drives companies to not be satisfied with what already sells. Companies are constantly looking to create new markets and products, and that includes creating demand.

                                                                                                                                                                          IOW, consumers aren’t fixed actors who buy what they need; they are acted upon to create an ever increasing number of needs.

                                                                                                                                                                          There are too many examples of this dynamic to bother listing.

                                                                                                                                                                          1. 12

                                                                                                                                                                            It’s also very difficult for the consumer to tell exactly how destructive a particular product is. The only price we pay is the sticker price. Unless you really want to put a lot of time into research it is hard to tell which product is better for the environment.

                                                                                                                                                                            1. 14

                                                                                                                                                                              It’s ridiculous to expect everyone to be an expert on every supply chain in the world, starting right from the mines and energy production all the way to the store shelf. That’s effectively what you are requiring.

                                                                                                                                                                              I’m saying this as a very conscious consumer. I care about my carbon footprint, I don’t buy palm oil, I limit plastic consumption, I limit my consumption overall, but it’s all a drop in the ocean and changes nothing. There are still hundreds of compounds in the everyday items I buy whose provenance I know nothing about and which could be even more destructive. Not to mention that manufacturers really don’t want you to know, it’s simply not in their interest.

                                                                                                                                                                              You’re creating an impossible task and setting people up to fail. It is not the answer.

                                                                                                                                                                              1. 2

                                                                                                                                                                                “It’s ridiculous to expect everyone to be an expert on every supply chain in the world, starting right from the mines and energy production all the way to the store shelf. That’s effectively what you are requiring.”

                                                                                                                                                                                I don’t think it is what they’re requiring and it’s much easier than you describe. Here’s a few options:

                                                                                                                                                                                1. People who are really concerned about this at a level demanding much sacrifice to avoid damaging the environment should automatically avoid buying anything they can’t provably trust by default. The Amish are a decent example that avoids a lot of modern stuff due to commitment to beliefs.

                                                                                                                                                                                2. There’s groups that try to keep track of corporate abuse, environmental actions, and so on of various companies. They maintain good and bad lists. More people that supposedly care can both use them and join them in maintaining that data. It would be split among many people to lessen each’s burden. Again, avoid things by default until they get on the good lists. Ditch them if they get on the bad ones.

                                                                                                                                                                                3. Collectively push their politicians for laws giving proper labels, auditing, etc. that help with No. 2. Also, push for externalities to be charged back to the companies somehow to incentivize less-damaging behavior.

                                                                                                                                                                                4. Start their own businesses that practice what they preach. Build the principles into their charters, contracts, and so on. Niche businesses doing a better job create more options on the good lists in No. 2. There’s entrepreneurs doing this.

                                                                                                                                                                                So, not all-knowing consumers as you indicated. Quite a few strategies that are less impossible.

                                                                                                                                                                                1. 4

                                                                                                                                                                                  @ac specifically suggested consumer choice as the solution to environmental issues, and that’s what I disagreed with.

                                                                                                                                                                                  Your point number 3 is quite different from the other three, and it’s what I would suggest as a far more effective strategy than consumer choice (along with putting pressure on various corporations). As an aside, I still wouldn’t call it easy - it’s always a hard slog.

                                                                                                                                                                                  Your points 1, 2 and 4 still rely on consumer choice, and effectively boil down to: either remove yourself from modern civilisation, or understand every supply chain in the world. I think it’s obvious that the first choice is neither desirable nor “much easier” for the vast majority of people (and I don’t think it’s the best possible solution). The second is impossible, as I said before.

                                                                                                                                                                                  1. 1

                                                                                                                                                                                    “consumer choice as the solution to environmental issues”

                                                                                                                                                                                    edit to add: consumer choice eliminated entire industries worth of companies because they wanted something else. It’s only worsened environmental issues. That’s probably not an argument against consumer choice so much as in favor of them willing to sacrifice the environment overall to get the immediate things they want.

                                                                                                                                                                                    “either remove yourself from modern civilisation, or understand every supply chain in the world”

                                                                                                                                                                                    This is another false dichotomy. I know lots of people who are highly-connected with other people but don’t own lots of tech or follow lots of fads. In many cases, they seem to know about them enough to have good conversations with people. They follow what’s going on or are just good listeners. Buying tons of gadgets or harmful things isn’t necessary for participation. You can get by with a lot less than the average middle or upper class person.

                                                                                                                                                                                    What you said is better understood as a spectrum to be in like most things. Lots of positions in it.

                                                                                                                                                                                    1. 2

                                                                                                                                                                                      I think we might actually be mostly in agreement, but we’re talking past each other a bit.

                                                                                                                                                                                      That’s probably not an argument against consumer choice so much as in favor of them willing to sacrifice the environment overall to get the immediate things they want.

                                                                                                                                                                                      I agree with this. But even when consumer choice is applied with environmental goals in mind, I believe its effect is very limited, simply because most people won’t participate.

                                                                                                                                                                                      This is another false dichotomy.

                                                                                                                                                                                      Yeah, but it was derived from your points :) I was just trying to hammer the point that consumer choice isn’t an effective solution.

                                                                                                                                                                                      You can get by with a lot less than the average middle or upper class person.

                                                                                                                                                                                      Totally. I’ve been doing that for a long time: avoiding gadgets and keeping the stuff I need (eg a laptop) as long as I can.

                                                                                                                                                                                      1. 1

                                                                                                                                                                                        “But even when consumer choice is applied with environmental goals in mind, I believe its effect is very limited, simply because most people won’t participate.”

                                                                                                                                                                                        Oh OK. Yeah, I share that depressing view. Evidence is overwhelmingly in our favor on it. It’s even made me wonder if I should even be doing the things I’m doing if so few are doing their part.

                                                                                                                                                                              2. 5

                                                                                                                                                                                The blame rests on the producers, not on the consumers.

                                                                                                                                                                                Consumers are only able to select off of the menu of available products, so to speak. Most of the choices everyday consumers face are dictated by their employers and whatever is currently available to make it through their day.

                                                                                                                                                                                No person can reasonably trace the entire supply chain for every item they purchase, and it could likely be impossible even with generous time windows. Nor would I want every single consumer to spend their non-working time tracing these chains.

                                                                                                                                                                                Additionally, shifting this blame to the consumer creates conditions where producers can charge a premium on ‘green’ and ‘sustainable’ products. Only consumers with the means to consume ‘ethically’ are able to do so, and thus shame people with less money for being the problem.

                                                                                                                                                                                The blame falls squarely on the entities producing these products and the states tasked with regulating production. There will be no market-based solution to get us out of the climate catastrophe, and we certainly can’t vote for a green future with our dollars.

                                                                                                                                                                                1. 4

                                                                                                                                                                                  Consumers are only able to select off of the menu of available products, so to speak. Most of the choices everyday consumers face are dictated by their employers and whatever is currently available to make it through their day.

                                                                                                                                                                                  That’s not true even though it seems it is. The consumers’ past behavior and present statements play a major role in what suppliers will produce. Most of what you see today didn’t happen overnight. There were battles fought where quite a few companies were out there doing more ethical things on supply side. They ended up bankrupt or with less marketshare while the unethical companies got way ahead through better marketing of their products. With enough wealth accumulated, they continued buying the brands of the better companies remaking them into scumbag companies, too, in many cases.

                                                                                                                                                                                  For instance, I strongly advise against companies developing privacy- or security-oriented versions of software products that actually mitigate risks. They’ll go bankrupt like such companies often always did. The companies that actually make lots of money apply the buzzwords customers are looking for, integrate into their existing tooling (often insecure), have features they demand that are too complex to secure, and in some cases are so cheap the QA couldn’t have possibly been done right. That has to be private or secure for real against smart black hats. Not going to happen most of the time.

                                                                                                                                                                                  So, I instead tell people to bake cost-effective security enhancements and good service into an otherwise good product advertised for mostly non-security benefits. Why? Because that’s what demand-side responds to almost every time. So, the supply must provide it if hoping to make waves. Turns out, there’s also an upper limit to what one can achieve in that way, too. The crowds’ demands will keep creating obstacles to reliability, security, workers’ quality of life, supplier choice, environment… you name it. They mostly don’t care either where suppliers being honest about costs will be abandoned for those delivering to demand side. In face of that, most suppliers will focus on what they think is in demand across as many proven dimensions as possible.

                                                                                                                                                                                  Demand and supply side are both guilty here in a way that’s closely intertwined. It’s mostly demand side, though, as quite a few suppliers in each segment will give them whatever they’re willing to pay for at a profit.

                                                                                                                                                                                  1. 3

                                                                                                                                                                                    I agree with a lot of your above point, but want to unpack some of this.

                                                                                                                                                                                    Software security is a strange case to turn to since it has less direct implications on the climate crisis (sure anything that relies on a datacenter is probably using too much energy) compared to the production of disposable, resource-intensive goods.

                                                                                                                                                                                    Demand and supply side are both guilty here in a way that’s closely intertwined. It’s mostly demand side, though, as quite a few suppliers in each segment will give them whatever they’re willing to pay for at a profit.

                                                                                                                                                                                    I parse this paragraph to read: we should blame consumers for buying what’s available and affordable, because suppliers are incapable of acting ethically (due to competition).

                                                                                                                                                                                    So should we blame the end consumer for buying a phone every two years and not the phone manufacturers/retailers for creating rackets of planned obsolescence?

                                                                                                                                                                                    And additionally, most suppliers are consumers of something else upstream. Virtually everything that reaches an end consumer has been consumed and processed several times over by suppliers above. The suppliers are guilty on both counts by our separate reasoning.

                                                                                                                                                                                    Blaming individuals for structural problems simply lets suppliers shirk any responsibility they should have to society. After all, suppliers have no responsibility other than to create profits. Suppliers’ bad behavior must be curtailed either through regulation, public education campaigns to affect consumption habits, or organizing within workplaces.

                                                                                                                                                                                    (As an aside, I appreciate your response and it’s both useful and stimulating to hear your points)

                                                                                                                                                                                    1. 2

                                                                                                                                                                                      “I parse this paragraph to read: we should blame consumers for buying what’s available and affordable, because suppliers are incapable of acting ethically (due to competition).”

                                                                                                                                                                                      You added two words, available and affordable, to what I said. I left affordable off because many products that are more ethical are still affordable. Most don’t buy them anyway. I left availability off since there’s products appearing all the time in this space that mostly get ignored. The demand side not buying enough of what was and currently is available in a segment sends a message to suppliers about what they should produce. Especially if it’s consistent. Under vote with your wallet, we should give consumers their share of credit or blame for anything their purchasing decisions as a whole are supporting or destroying. That most won’t deliberately try to obtain an ethical supplier of… anything… supports my notion demand side has a lot to do with unethical activities of financially-successful suppliers.

                                                                                                                                                                                      For a quick example, there are often coops and farmers markets in lots of rural areas or suburban towns in them. There’s usually a segment of people who buy from them to support their style of operation and/or jobs. There’s usually enough to keep them in business. You might count Costco in that, too, where a membership fee that’s fixed cost gets the customers a pile of stuff at a promised low-markup and great service. There’s people that use credit unions, esp in their industry, instead of banks. There’s people that try to buy from nonprofits, public benefit companies, companies with good track record, and so on. There’s both a demand side (tiny) and suppliers responding to it that show this could become a widespread thing.

                                                                                                                                                                                      Most consumers on demand side don’t do that stuff, though. They buy a mix of necessities and arbitrary stuff from whatever supplier is lowest cost, cheapest, most variety, promoting certain image, or other arbitrary reasons. They do this so much that most suppliers, esp market leaders, optimize their marketing for that stuff. They also make more money off these people that let them put lots of ethical, niche players out of business over time. So, yeah, I’d say consumer demand being apathetic to ethics or long-term thinking is a huge part of the problem given it puts tens of billions into hands of unethical parties. Then, some of that money goes into politicians’ campaign funds so they make things even more difficult for those companies’ opponents.

                                                                                                                                                                                      “Blaming individuals for structural problems simply lets suppliers shirk any responsibility they should have to society.”

                                                                                                                                                                                      Or the individuals can buy from different suppliers highlighting why they’re doing it. Other individuals can start companies responding to that massive stated demand. The existing vendors will pivot their operations. Things start shifting. It won’t happen without people willing to buy it. Alternatively, using regulation as you mentioned. I don’t know how well public education can help vs all the money put into advertising. The latter seems more powerful.

                                                                                                                                                                                      “(As an aside, I appreciate your response and it’s both useful and stimulating to hear your points)”

                                                                                                                                                                                      Thanks. Appreciate you challenging it so I think harder on and improve it. :)

                                                                                                                                                                                  2. 2

                                                                                                                                                                                    Only consumers with the means to consume ‘ethically’ are able to do so, and thus shame people with less money for being the problem.

                                                                                                                                                                                    This is ignoring reality, removing cheaper options does not make the other options cheaper to manufacture. It is not shaming people.

                                                                                                                                                                                    You are also ignoring the fact that in a free country the consumers and producers are the same people. A dissatisfied consumer can become a producer of a new alternative if they see it as possible.

                                                                                                                                                                                  3. 3

                                                                                                                                                                                    Exactly. The consumers could be doing more on issues like this. They’re complicit or actively contribute to the problems.

                                                                                                                                                                                    For example, I use old devices for as long as I can on purpose to reduce waste. I try to also buy things that last as long as possible. That’s a bit harder in some markets than others. For appliances, I just buy things that are 20 years old. They do the job and usually last 10 more years since planned obsolescence had fewer tricks at the time. ;) My smartphone is finally getting unreliable on essential functions, though. Bout to replace it. I’ll donate, reuse, or recycle it when I get a new one.

                                                                                                                                                                                    On PC side, I’m using a backup whose age I can’t recall with a Celeron after my Ubuntu Dell w/ Core Duo 2 died. It was eight years old. Attempting to revive it soon in case it’s just HD or something simple. It’s acting weird, though, so might just become a box for VM experiments, fuzzing, opening highly-untrustworthy URLs or files, etc. :)

                                                                                                                                                                                  4. 7

                                                                                                                                                                                    Capitalism is killing us in a very literal sense by destroying our habitat at an ever accelerating rate

                                                                                                                                                                                    Which alternatives would make people happier to consume less – drive older cars, wear rattier clothing, and demand fewer exotic vacations? Because, really, that’s the solution to excessive use of the environment: Be happier with less.

                                                                                                                                                                                    Unfortunately, greed has been a constant of human nature far too long for capitalism to take the blame there.

                                                                                                                                                                                    1. 9

                                                                                                                                                                                      Which alternatives would make people happier to consume less – drive older cars, wear rattier clothing, and demand fewer exotic vacations?

                                                                                                                                                                                      Why do people want new cars, the latest fashions, and exotic vacations in the first place? If it’s all about status and bragging rights, then it’s going to take a massive cultural shift that goes against at least two generations’ worth of cultural programming by advertisers on the behalf of the auto, fashion and travel industries.

                                                                                                                                                                                      I don’t think consumerism kicked into high gear until after the end of World War II when modern advertising and television became ubiquitous, so perhaps the answer is to paraphrase Shakespeare:

                                                                                                                                                                                      The first thing we do, let’s kill all the advertisers.

                                                                                                                                                                                      OK, maybe killing them (or encouraging them to off themselves in the tradition of Bill Hicks) is overkill. Regardless, we should consider the possibility that advertising is nothing but private sector psyops on behalf of corporations, and should not be protected as “free speech”.

                                                                                                                                                                                      1. 2

                                                                                                                                                                                        If there was an advertising exception for free speech, people would use it as an unprincipled excuse to ban whatever speech they didn’t like, by convincing the authorities to classify it as a type of advertising. After all, most unpopular speech is trying to convince someone of something, right? That’s what advertising fundamentally is, right?

                                                                                                                                                                                        Remember that the thing that Oliver Wendell Holmes called “falsely shouting fire in a crowded theater” wasn’t actually shouting “fire” in an actual crowded theater - it was a metaphor he used to describe protesting the military draft.

                                                                                                                                                                                        1. 9

                                                                                                                                                                                          I agree: there shouldn’t be an advertising exception on free speech. However, the First Amendment should only apply to homo sapiens or to organisms we might eventually recognize as sufficiently human to possess human rights. Corporations are not people, and should not have rights.

                                                                                                                                                                                          They might have certain powers defined by law, but “freedom of speech” shouldn’t be one of them.

                                                                                                                                                                                      2. 3

                                                                                                                                                                                        IMO, hedonistic adaptation is a problem and getting worse. I try to actively fight against it.

                                                                                                                                                                                        1. 2

                                                                                                                                                                                          It would be a start if we designed cities with walking and public transportation in mind, not cars.

                                                                                                                                                                                          My neighborhood is old and walkable. I do shopping on foot (I have a bicycle but don’t bother with it). For school/work, I take a single bus and walk a few minutes. Getting a car would be a hassle; I don’t have a place to park it, and I’d have to pay large annual fees for rare use.

                                                                                                                                                                                          Newer neighborhoods appear to be planned with the idea that you’ll need a car for every single task. “Residential part” with no shops at all, but lots of room for parking. A large grocery store with a parking lot. Even train stations with a large parking lot, but no safe path for pedestrians/cyclists from the nearby neighborhoods.

                                                                                                                                                                                        2. 4

                                                                                                                                                                                          The new features on phones are so fucking stupid as well. People are buying new phones to get animated emojis and more round corners. It’s made much worse with phone OEMs actively making old phones work worse by slowing them down.

                                                                                                                                                                                          1. 7

                                                                                                                                                                                            There has been no evidence to my knowledge that anyone is slowing old phones down. This continues to be an unfounded rumor.

                                                                                                                                                                                            1. 2

                                                                                                                                                                                              There’s also several Lobsters that have said Android smartphones get slower over time at a much greater rate than iPhones. I know my Galaxy S4 did. This might be hardware, software bloat, or whatever. There’s phones it’s happening on and those it isn’t in a market where users definitely don’t want their phones slowing down. So, my theory on Android side is it’s a problem they’re ignoring on purpose or even contributing to due to incentives. They could be investing money into making the platform much more efficient across devices, removing bloat, etc. They ain’t gonna do that.

                                                                                                                                                                                              1. 3

                                                                                                                                                                                                Android smartphones get slower over time at a much greater rate than iPhones.

                                                                                                                                                                                                In my experience, this tends to be 3rd party apps that start at boot and run all the time. Factory reset fixes it. Android system updates also make phones faster most of the time.

                                                                                                                                                                                                1. 1

                                                                                                                                                                                                  Hmm. I’ll try it since I just backed everything up.

                                                                                                                                                                                                  1. 3

                                                                                                                                                                                                    I’m still using a Nexus 6 I got ~2.5 years ago. I keep my phone pretty light. No Facebook or games. Yet, my phone was getting very laggy. I wiped the cache (Settings -> Storage -> Cached data) and that seemed to help a bit, but overall, my phone was still laggy. It seemed to get really bad in my text messaging app (I use whatever the stock version is). I realized that I had amassed a lot of text messages over the years, which includes quite a lot of gifs. I decided to wipe my messages. I did that by installing “SMS Backup & Restore” and telling it to delete all of my text messages, since apparently the stock app doesn’t have a way to do this in bulk. It took at least an hour for the deletion to complete. Once it was done, my phone feels almost as good as new, which makes me really happy, because I really was not looking forward to shelling out $1K for a Pixel.

                                                                                                                                                                                                    My working theory is that there is some sub-optimal strategy in how text messages are cached. Since I switch in and out of the text messaging app very frequently, it wouldn’t surprise me if I was somehow frequently evicting things from memory and causing disk reads, which would explain why the lag impacted my entire phone and not just text messages. But, this is just speculation. And a factory reset would have accomplished the same thing (I think?), so it’s consistent with the “factory reset fixes things” theory too.

                                                                                                                                                                                                    My wife is still on a Nexus 5 (great phone) and she has a similar usage pattern to mine. Our plan is to delete her text messages too and see if that helps things.

                                                                                                                                                                                                    Anyway… I realize this basically boils down to folk remedies at this point, but I’m just going through this process now, so it’s top of mind and figured I’d share.

                                                                                                                                                                                                    1. 2

                                                                                                                                                                                                      I’ll be damned. I backed up and wiped the SMS, nothing else. The phone seems like it’s moving a lot snappier. Literally a second or two of delay off some things. Some things are still slow but maybe the app just is. YouTube always has a long loading time. The individual videos load faster now, though.

                                                                                                                                                                                                      Folk remedy is working. Appreciate the tip! :)

                                                                                                                                                                                                      1. 2

                                                                                                                                                                                                        w00t! Also, it’s worth mentioning that I was experiencing much worse delay than a second or two. Google Nav would sometimes lock up for many seconds.

                                                                                                                                                                                                        1. 1

                                                                                                                                                                                                          Maps seems OK. I probably should’ve been straight-up timing this stuff for better quality of evidence. Regardless, it’s moving a lot faster. Yours did, too. Two strong anecdotes so far on top of factory reset. Far as we know, even their speed gains might have come mostly from the SMS clearing that the reset did. Or other stuff.

                                                                                                                                                                                                          So, I think I’m going to use it as is for a week or two to assess this change plus get a feel for a new baseline. Then, I’ll factory reset it, reinstall some apps from scratch, and see if that makes a difference.

                                                                                                                                                                                                          1. 2

                                                                                                                                                                                                            Awesome. Please report back. :-)

                                                                                                                                                                                                            1. 2

                                                                                                                                                                                                              I’ll try to remember to. I’m just still stunned it wasn’t 20 Chrome tabs or all the PDFs I download during the day. Instead, text messages I wasn’t even using. Of all things that could drag a whole platform down…

                                                                                                                                                                                                              1. 2

                                                                                                                                                                                                                Sms is stored on the SIM card, right? That’s probably not got ideal I/O characteristics…

                                                                                                                                                                                                                1. 1

                                                                                                                                                                                                                  I thought the contacts were but messages were on phone. I’m not sure. The contacts being on there could have an effect. I’d have hoped they cached a copy of SIM contents onto in-phone memory. Yeah, SIM access could be involved.

                                                                                                                                                                                                      2. 2

                                                                                                                                                                                                        Now, that’s fascinating. I don’t go in and out of text a lot but do have a lot of text messages. Many have GIFs. There are also at least two other apps that accumulate a lot of stuff. I might try wiping them. Btw, folk remedies feel kind of justified when we’re facing a complex, black-box system with nothing else to go on. ;)

                                                                                                                                                                                                2. 2

                                                                                                                                                                                                  Official from apple: https://www.apple.com/au/iphone-battery-and-performance/

                                                                                                                                                                                                  They slow phones with older batteries but don’t show the user any indication that it can be fixed very cheaply by replacing the battery (Until after the recent outrage) and many of them will just buy a new phone and see it’s much faster.

                                                                                                                                                                                                  1. 12

                                                                                                                                                                                                    Wow, so much to unpack here.

                                                                                                                                                                                                    You said they slow old phones down. That is patently false. New versions of iOS are not made to run slowly on older model hardware.

                                                                                                                                                                                                    Apple did not slow phones down with old batteries. They throttled the CPU of phones with failing batteries (even brand new ones!) to prevent the phone from crashing due to voltage drops. This ensured the phone was still functional even if you needed your phone in an emergency. Yes it was stupid there was no notification to the user. This is no longer relevant because they now provide notifications to the user. This behavior existed for a short period of time in the lifespan of the iPhone: less than 90 days between introduction of release with throttling and release with controls to disable and notifications to users.

                                                                                                                                                                                                    Please take your fake outrage somewhere else.

                                                                                                                                                                                                    1. 5

                                                                                                                                                                                                      Apple did not slow phones down with old batteries. They throttled the CPU of phones with failing batteries (even brand new ones!) to prevent the phone from crashing due to voltage drops.

                                                                                                                                                                                                      In theory this affects new phones as well, but we know that as batteries grow older, they break down, hold less charge, and have a harder time achieving their design voltage. So in practice, this safety mechanism for the most part slows down older phones.

                                                                                                                                                                                                      You claim @user545 is unfairly representing the facts by making Apple look like this is some evil ploy to increase turnover for their mobile phones.

                                                                                                                                                                                                      However, given the fact that in reality this does mostly make older phones seem slower, and the fact that they put this in without ever telling anyone outside Apple and not allowing the user to check their battery health and how it affected the performance of their device, I feel like it requires a lot more effort not to make it look like an intentional decision on their part.

                                                                                                                                                                                                      1. 2

                                                                                                                                                                                                        Sure, but if you have an old phone with OK batteries, then their code did not slow it down. So I think it is still more correct to say they slowed down those with bad batteries than those that were old even if most of those with bad batteries were also bad which really depended on phone’s use.

                                                                                                                                                                                                        The difference is not just academic. For example, I have “inherited” an iPhone 6 from my wife that still has a good battery after more than 2 years and performs fine.

                                                                                                                                                                                                        1. 2

                                                                                                                                                                                                          the fact that they put this in without ever telling anyone outside Apple

                                                                                                                                                                                                          It was in the release notes of that iOS release…

                                                                                                                                                                                                          edit: additionally it was known during the beta period in December. This wasn’t a surprise.

                                                                                                                                                                                                          1. 1

                                                                                                                                                                                                            Again, untrue. The 11.2 release notes make no mention of batteries, throttling, or power management. (This was the release where Apple extended the throttling to the 7 series of phones.) The 10.2.1 release notes, in their entirety, read thus:

                                                                                                                                                                                                            iOS 10.2.1 includes bug fixes and improves the security of your iPhone or iPad. It also improves power management during peak workloads to avoid unexpected shutdowns on iPhone.

                                                                                                                                                                                                            That does not tell a reader that long-term CPU throttling is taking place, that it’s restricted to older-model iPhones only, that it’s based on battery health and fixable with a new battery (not a new phone), etc. It provides no useful or actionable information whatsoever. It’s opaque and frankly deceptive.

                                                                                                                                                                                                            1. 0

                                                                                                                                                                                                              You’re right, because I was mistaken and the change was added in iOS 10.2.1, 1/23/2017.

                                                                                                                                                                                                              https://support.apple.com/kb/DL1893?locale=en_US

                                                                                                                                                                                                              It also improves power management during peak workloads to avoid unexpected shutdowns on iPhone.

                                                                                                                                                                                                              A user on the day of release:

                                                                                                                                                                                                              Hopefully it fixes the random battery shutoff bug.

                                                                                                                                                                                                              src: https://forums.macrumors.com/threads/apple-releases-ios-10-2-1-with-bug-fixes-and-security-improvements.2028992/page-2#post-24225066

                                                                                                                                                                                                              additionally in a press release:

                                                                                                                                                                                                              In February 2017, we updated our iOS 10.2.1 Read Me notes to let customers know the update ‘improves power management during peak workloads to avoid unexpected shutdowns.’ We also provided a statement to several press outlets and said that we were seeing positive results from the software update.

                                                                                                                                                                                                              Please stop trolling. It was absent from the release notes for a short period of time. It was fixing a known issue affecting users. Go away.

                                                                                                                                                                                                              1. 4

                                                                                                                                                                                                                Did you even read the comment you are responding to? I quoted the 10.2.1 release notes in full–the updated version–and linked them too. Your response is abusive and in bad faith, your accusations of trolling specious.

                                                                                                                                                                                                                1. [Comment removed by moderator pushcx: We've never had cause to write a rule about doxxing, but pulling someone's personal info into a discussion like this to discredit them is inappropriate.]

                                                                                                                                                                                                                  1. 2

                                                                                                                                                                                                                    I don’t hate Apple. I’m not going to sell my phone because I like it. The battery is even still in good shape! I wish they’d been a little more honest about their CPU throttling. I don’t know why this provokes such rage from you. Did you go through all my old comments to try to figure out what kind of phone I have? Little creepy.

                                                                                                                                                                                                                    1. 2

                                                                                                                                                                                                                      I’m not angry about anything here. It’s just silly that such false claims continue to be thrown around about old phones intentionally being throttled to sell new phones. Apple hasn’t done that. Maybe someone else has.

                                                                                                                                                                                                                      edit: it took about 30 seconds to follow your profile link to your website -> to Flickr -> to snag image metadata and see what phone you own.

                                                                                                                                                                                                        2. -3

                                                                                                                                                                                                          They throttled the CPU of phones with failing batteries (even brand new ones!)

                                                                                                                                                                                                          This is untrue. They specifically singled out only older-model phones for this treatment. From the Apple link:

                                                                                                                                                                                                          About a year ago in iOS 10.2.1, we delivered a software update that improves power management during peak workloads to avoid unexpected shutdowns on iPhone 6, iPhone 6 Plus, iPhone 6s, iPhone 6s Plus and iPhone SE. [snip] We recently extended the same support to iPhone 7 and iPhone 7 Plus in iOS 11.2.

                                                                                                                                                                                                          In other words, if you buy an iPhone 8 or X, no matter what condition the battery is in, Apple will not throttle the CPU. (In harsh environments–for example, with lots of exposure to cold temperatures–it’s very plausible that an 8 or X purchased new might by now have a degraded battery.)

                                                                                                                                                                                                          1. 2

                                                                                                                                                                                                            You are making a claim without any data to back it up.

                                                                                                                                                                                                            Can you prove that the batteries in the new iPhones suffer voltage drops when they are degraded? If they use a different design with more/smaller cells then AIUI they would be significantly less likely to have voltage drops when overall capacity is degraded.

                                                                                                                                                                                                            But no, instead you continue to troll because you have a grudge against Apple. Take your crap elsewhere. It’s not welcome here.

                                                                                                                                                                                                            1. 3

                                                                                                                                                                                                              You’re moving the goalposts. You claimed Apple is throttling the CPU of brand new phones. You were shown this to be incorrect, and have not brought any new info to the table. Your claim that the newer phones might be designed so as to not require throttling is irrelevant.

                                                                                                                                                                                                              Please don’t accuse (multiple) people of trolling. It reflects poorly on yourself. All are welcome here.

                                                                                                                                                                                                              1. 3

                                                                                                                                                                                                                You can buy a brand new phone directly from Apple (iPhone 6S) with a faulty battery and experience the throttling. I had this happen.

                                                                                                                                                                                                      2. 1

                                                                                                                                                                                                        Google services update in the background even when other updates are disabled. Even if services updates are not intended to slow down the phone, they still do.

                                                                                                                                                                                                      3. 3

                                                                                                                                                                                                        The new features on phones are so fucking stupid as well.

                                                                                                                                                                                                        I think the consumer who pays for it is stupid.

                                                                                                                                                                                                        1. 3

                                                                                                                                                                                                          It’s both. The user wants something new every year and OEMs don’t have anything worthwhile each year so they change things for the sake of change like adding rounded corners on the LCD or cutting a chunk out of the top. It makes it seem like something is new and worth buying when not much worthwhile has actually changed.

                                                                                                                                                                                                          1. 4

                                                                                                                                                                                                            I think companies would always take the path of least resistance that works. If consumers didn’t fall for such stupid tricks the companies that did them would die off.

                                                                                                                                                                                                      4. 2

                                                                                                                                                                                                        Yep. I guess humanity’s biggest achievement will be to terraform itself out of existence.

                                                                                                                                                                                                        This planet neither bargains with nor cares about this civilization’s decision-making processes. It will keep flying around the sun for a while, with or without humans on it.

                                                                                                                                                                                                        I’m amazed by the optimism people display in response to pointing out that the current trajectory of climate change makes it highly unlikely that our great-grandchildren will ever be born.

                                                                                                                                                                                                        1. 2

                                                                                                                                                                                                          The list is endless, and it all comes down to the American ethos that making money is a sacred right that trumps all other concerns.

                                                                                                                                                                                                          s/American/human

                                                                                                                                                                                                          You can’t fix a problem if you misunderstand what causes it.

                                                                                                                                                                                                          1. 5

                                                                                                                                                                                                            Ideology matters, and America has been aggressively promoting toxic capitalist ideology for many decades around the world. Humans aren’t perfect, but we can recognize our problems and create systems around us to help mitigate them. Capitalism is the equivalent of giving a flamethrower to a pyromaniac.

                                                                                                                                                                                                            1. 3

                                                                                                                                                                                                              If you want to hash out how “toxic capitalism” is ruining everything, that’s fine–I’m just observing that many other countries (China, Germany, India, Mozambique, Russia, etc.) have done things that, to me at least, dispel the notion of toxic capitalism as purely being American in origin.

                                                                                                                                                                                                              And to avoid accusations of whataboutism, the reason I point those other countries out is that if a solution is put forth assuming that America is the problem–and hence itself probably grounded in approaches unique to an American context–it probably will not be workable in other places.

                                                                                                                                                                                                              1. 2

                                                                                                                                                                                                                Nobody is saying that capitalism alone is the problem or that it’s unique to America. I was saying that capitalism is clearly responsible for a lot of harm, and that America promotes it aggressively.

                                                                                                                                                                                                                1. 0

                                                                                                                                                                                                                  Don’t backpedal. You wrote:

                                                                                                                                                                                                                  The list is endless, and it all comes down to the American ethos that making money is a sacred right that trumps all other concerns.

                                                                                                                                                                                                                  As to whether or not capitalism is clearly responsible for a lot of harm, it’s worth considering what the alternatives have accomplished.

                                                                                                                                                                                                                  1. 0

                                                                                                                                                                                                                    Nobody is backpedaling here, and pointing at other failed systems saying they did terrible things too isn’t much of an argument.

                                                                                                                                                                                                        1. 18

                                                                                                                                                                                                          I love postgres (I’m a postgres DBA), and really dislike mysql (due to a long story involving a patch-level release causing server crashes and data loss).

                                                                                                                                                                                                          That said, there is still a technical reason to choose mysql over postgres. Mysql’s replication story is still significantly better than postgres’. Multi-master, in particular, is something that’s relatively straightforward in mysql, but which requires third-party extensions and much more fiddling in postgres.

                                                                                                                                                                                                          Now, postgres has been catching up on this front. Notably, the addition of logical replication over the last couple major versions really expands the options available. There’s a possibility that this feature will even be part of postgres 11, coming out this year (it’s on a roadmap). But until it does, it’s a significant feature missing from postgres that other RDBMSes have.
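The logical replication the comment above refers to (built in since PostgreSQL 10) is configured with a publication on the source and a subscription on the target. The following is an added example, not code from the commenter; the database, table, role and host names are placeholders, and it assumes the publisher already runs with `wal_level = logical` and a `pg_hba.conf` entry that lets the replication role reach the `appdb` database over TLS.

```sql
-- Added example: minimal PostgreSQL 10+ logical replication of one table.
-- Hypothetical names: database appdb, table orders, role repl_user,
-- host primary.example.internal.

-- === On the publisher (primary) ===
-- Dedicated role with the minimum it needs: REPLICATION to open a walsender
-- connection, and SELECT on the published table for the initial data copy.
CREATE ROLE repl_user WITH REPLICATION LOGIN PASSWORD 'change-me';
GRANT SELECT ON orders TO repl_user;

-- Publish only the table(s) that should leave this cluster.
CREATE PUBLICATION orders_pub FOR TABLE orders;

-- === On the subscriber (a separate cluster) ===
-- Logical replication does not ship DDL: the target table must exist already
-- and needs a primary key (or REPLICA IDENTITY) for UPDATE/DELETE to apply.
CREATE TABLE orders (
    id          bigint PRIMARY KEY,
    customer_id bigint NOT NULL,
    total       numeric(12, 2) NOT NULL
);

-- Must run outside a transaction block. Creates the replication slot on the
-- publisher and starts the initial copy followed by streaming changes.
CREATE SUBSCRIPTION orders_sub
    CONNECTION 'host=primary.example.internal dbname=appdb user=repl_user sslmode=verify-full'
    PUBLICATION orders_pub;

-- === Monitoring ===
-- Publisher side: an inactive slot keeps WAL around indefinitely and will
-- eventually fill the disk if the subscriber has gone away.
SELECT slot_name, active, restart_lsn, confirmed_flush_lsn
FROM   pg_replication_slots;

-- Subscriber side: how far behind the apply worker is.
SELECT subname, received_lsn, latest_end_lsn, last_msg_receipt_time
FROM   pg_stat_subscription;
```

Two caveats follow from this setup. First, it is strictly one-directional: pointing two subscriptions at each other does not give you multi-master, because there is no conflict detection or resolution and a conflicting row simply stops the apply worker until someone intervenes. Second, the connection string carries credentials and crosses a network boundary, so keep the password out of the SQL history (a `.pgpass` file on the subscriber works), pin the server certificate with `sslmode=verify-full` plus `sslrootcert`, and restrict `repl_user` in `pg_hba.conf` to the subscriber's address.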

                                                                                                                                                                                                          1. 7

                                                                                                                                                                                                            There’s a possibility that this feature will even be part of postgres 11

                                                                                                                                                                                                            PG 11 has been in feature freeze since April. I don’t think there was anything significant for multi-master committed before that.

                                                                                                                                                                                                            1. 3

                                                                                                                                                                                                              Good point. I’d seen the feature freeze deadline, but wasn’t sure if it had actually happened, and what had made it in (I haven’t followed the -hackers mailing list for a while). I was mostly speculating based on the fact that they’d announced a multi-master beta for last fall.

                                                                                                                                                                                                              I’m not surprised it’s taking a long time – it’s a hard problem – but it means that “clustering” is going to be a weak point for postgres for a while longer.

                                                                                                                                                                                                            2. 3

                                                                                                                                                                                                              Once you take all the other potential issues and difficulties with MySQL into account though, surely Postgres is a better choice on balance, even with more difficult replication setup?

                                                                                                                                                                                                              1. 5

                                                                                                                                                                                                                It really depends. If you need horizontally-scalable write performance, and it’s important enough to sacrifice other features, then a mysql cluster is still going to do that better than postgres. It’s possible that a nosql solution might fit better than mysql, but overall that’s a decision that I can’t make for you.

                                                                                                                                                                                                                I’ll add that there are bits of postgres administration that aren’t intuitive. Specifically, bloat of on-disk table size (and associated slowdowns) under certain loads can really confuse people. If you can’t afford to have a DBA, or at least a dev who’s a DB expert, mysql can be very attractive. I’m not saying that’s a good reason to choose it, but I understand why some people do.
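The table bloat mentioned above is visible in PostgreSQL's own statistics views before it turns into a slowdown. The following queries are an added example, not something the commenter posted; they use only built-in views available since 9.6, and the table name in the remediation comment is a placeholder.

```sql
-- Added example: finding bloated tables and the transactions that starve
-- VACUUM. Uses pg_stat_user_tables and pg_stat_activity; nothing else required.

-- Dead tuples that VACUUM has not reclaimed yet, per table, largest first.
-- A high dead_pct together with an old last_autovacuum means autovacuum is
-- not keeping up (or is being blocked).
SELECT s.schemaname || '.' || s.relname                         AS table_name,
       pg_size_pretty(pg_total_relation_size(s.relid))          AS total_size,
       s.n_live_tup,
       s.n_dead_tup,
       round(100.0 * s.n_dead_tup
             / greatest(s.n_live_tup + s.n_dead_tup, 1), 1)    AS dead_pct,
       s.last_autovacuum,
       s.last_vacuum
FROM   pg_stat_user_tables s
WHERE  s.n_dead_tup > 10000
ORDER  BY s.n_dead_tup DESC
LIMIT  20;

-- The usual cause: a long-running (or idle-in-transaction) session pins the
-- old row versions, so VACUUM cannot remove them no matter how often it runs.
SELECT pid,
       usename,
       state,
       now() - xact_start      AS xact_age,
       left(query, 60)         AS query
FROM   pg_stat_activity
WHERE  xact_start IS NOT NULL
  AND  now() - xact_start > interval '5 minutes'
ORDER  BY xact_start;

-- Remediation for a hot table (placeholder name "orders"): vacuum it more
-- aggressively than the global default. Plain VACUUM does not block reads or
-- writes; VACUUM FULL does (ACCESS EXCLUSIVE lock), so avoid it in production.
-- ALTER TABLE orders SET (autovacuum_vacuum_scale_factor = 0.02);
-- VACUUM (VERBOSE, ANALYZE) orders;
```

The first query tells you where the space went; the second tells you why VACUUM could not take it back. Bloat that keeps returning after a manual `VACUUM` almost always traces to a session in the second result set, and from a security-operations angle a forgotten open transaction from a tool or a person is also a session holding locks and a connection that should not still exist.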

                                                                                                                                                                                                                1. 1

                                                                                                                                                                                                                  What are your thoughts on MySQL vs MariaDB, especially the newer versions?

                                                                                                                                                                                                                  1. 3

                                                                                                                                                                                                                    Honestly, I haven’t looked closely at MariaDB lately. The last time I did was just to compare json datatypes – at the time, both mysql and mariadb were just storing json as parsed/verified text blobs without notable additional functionality.

                                                                                                                                                                                                                    I have to assume it’s better than mysql at things like stability, data safety, and other boring-but-necessary features. That’s mostly because mysql sets such a low bar, though, that it would take effort to make it worse.

                                                                                                                                                                                                                  2. 1

                                                                                                                                                                                                                    You clearly know more about databases than me, but I would question the idea that MySQL is a good choice when you lack a DB expert. If anything, that is when you shouldn’t use it. I still carry scars from issues caused by such a lack of expertise at one of my previous employers.