1. 3

    I can’t read the thread (have hard blocked Reddit from my work laptop) so don’t know if this was linked there already but there was this interesting article about Bank Python a couple of months back: https://calpaterson.com/bank-python.html

    1. 3

      Lots of good articles in that calpaterson blog.

      1. 2

        That’s the article linked from the Reddit thread.

        1. 1

          Story’s linking some reddit discussion instead of the article.

          Why the indirection?

          1. 5

            The linked thread is a q&a with someone who’s worked on these systems.

            1. 4

              Except it isn’t - the link goes to a Reddit discussion about the Bank Python article. There is a thread within the comments where someone is doing an AMA, but it is difficult to find.

              The link should be changed - either to go directly to Cal Paterson’s article, or to link to the appropriate thread of comments.

              1. 2

                You’re totally right, I thought because it was at the top it was the linked thread. Apologies

                1. 1

                  huh, I messed that up then, I intended to link directly to the ama subthread :-/

        1. 7

          The main impact _why had on my life is that I will never forget that “addiction is like Pokemon!”

          1. 11

            Whenever people mention _why, I immediately think of Mark Pilgrim. While his book Dive Into Python isn’t nearly as whimsical as _why’s, it was many people’s first introduction to Python. Similarly, Dive Into HTML5 was a critical reference if you didn’t want to have to parse the W3 specification.

            Similar to _why, Pilgrim also removed himself from the Internet. Incidentally, one of his essays is entitled “Addiction is…”; he was fired for writing it.

            1. 4

              I read _why’s poignant guide, but it was a slog and didn’t actually get me programming again. I read Dive Into Python and that was what set me on the path to professional programming. Mark was a real one.

              1. 3

                I didn’t know Pilgrim’s story. I miss his posts.

                1. 1

                  Ah. I remember Mark, but wasn’t looped into that community enough to actively notice his disappearance (if that makes sense). I think I read Dive Into HTML5.

                  I’m pretty close to joining the “computers were a terrible mistake” club myself, but for the moment, it’s how I keep my family fed.

              1. 6

                I think the importance of choosing the right email service provider for an “outgoing SMTP relay” is glossed over in this post. Using a provider to send email has no advantages over using a VPS if their IP addresses are regularly being added to spam blacklists because they have hacked accounts that are sending phishing emails.

                I was a SendGrid customer last summer. Because I rented my own IP addresses, I assumed I wouldn’t be affected, but it took weeks for them to acknowledge customer support queries, much less respond to them.

                1. 3

                  My thoughts exactly when I saw that. I don’t really think this could be classified as true self hosting if all you’re doing is shipping your mail off to another provider. I love the thought of doing this, but not the practicality and maintenance overhead associated with it all.

                  I’ve been with Fastmail for quite some time now and couldn’t be happier with it.

                  1. 3

                    In comparison, I have a tiny Vultr VM that runs my outgoing SMTP server and nothing else. You have to contact their technical support to enable outbound SMTP and let them know the reason (personal email) and volume (tiny) of email, and then they enable it. I’ve not had any problems with any large provider blocking this IP. Their $3.50/month plan gives you an IPv4 address and more than enough RAM and CPU for a workload that happily ran on a 100 MHz Pentium with 32 MiB of RAM as a background task among many others.

                    As far as I’m aware, most providers track multiple kinds of reputation. They’ll block entire IP ranges if the owner doesn’t respond to complaints about spam (which is why folks like Vultr make blocking outbound SMTP a default: you can’t automatically register 1000 accounts for sending spam and if they receive reports of large volumes of spam then they can block access until you fix things). They’ll typically block individual IPs for short periods, given that they can be recycled quickly, and not hit problems. They may block (or, rather, divert to spam folders) an entire domain if it sends a lot of spam. Most of them check SPF / DKIM things so if email claims to come from your domain but doesn’t have the correct origin / signatures then they won’t count it as spam from you.

                    1. 2

                      I use a Vultr openbsd VM for my e-mail. It’s the only thing I haven’t moved over to my dedicated server. I’ve still had issues in the past with e-mail not making it to the big servers, but I think it’s been getting better (fewer people tell me my e-mail went straight to spam, even for people I haven’t e-mailed before).

                      I fear if I move off of that VM to a new IP address, I’d probably start facing all those issues again, even with correct SPF, DKIM, DMARC, etc. That’s just the nature of over-aggressive e-mail filters.

                      1. 3

                        I fear if I move off of that VM to a new IP address, I’d probably start facing all those issues again, even with correct SPF, DKIM, DMARC, etc. That’s just the nature of over-aggressive e-mail filters.

                        I have the same setup as you (Vultr), and if it’s any consolation, I just migrated my email to a new server and new IP, and have had no issues so far :).

                        I agree that email filters seem to have gotten less strict. I’ve only had issues sending mail to Yahoo mail lately.

                        1. 2

                          I suspect that there are different rules for known and unknown domains. If your domain has a history of not sending spam, it probably doesn’t matter where it’s coming from: if you have a solid reputation and you have DKIM / SPF so that emails you send are accounted to your reputation, it will be received correctly.

                      2. 1

                        So you were affected despite having a dedicated address?

                      1. 12

                        There’s no real meat here. The article doesn’t say which brand and model of device was compromised nor does it describe how.

                        1. 11

                          My god the conclusion here. “What can we do about it? Nothing. Keep buying internet-connected garbage, and just be sure to hire more IT personnel to keep patching it.” Come onnnnnnnnnn ugh.

                          1. 4

                            I found several news articles that reported on this, but most of them aren’t from technical publications. A 2017 SecurityWeek news article “Hacked Smart Fish Tank Exfiltrated Data to ‘Rare External Destination’” was more rigorous, though:

                            A weakness in the report is that it is sparse on details. A Darktrace spokesman explained that this is due to customer usage. How each customer uses its technology is different and Darktrace itself isn’t privy to that information. It examines network behavior, but not traffic content. The result is that the information provided gives examples of incidents detected by Darktrace, but little technical detail on the incident itself.

                            Darktrace quickly detected “anomalous data transfers from the fish tank to a rare external destination.” In fact, 10GB of data was transferred outside of the network, via the fish tank. What isn’t specified, however, is what the data comprised, where on the network it came from, how it was moved to the fish tank for exfiltration, nor whether the malware methodology used to acquire the data before exfiltration was also discovered.

                            I don’t know how “10 GB of unknown data” became the “high-roller database”, though. 🤷

                          1. 7

                            In a parallel dimension where courts are more accessible, our hero sued the company for every dime they made using the unlicensed software.

                            1. 6

                              Or alternately, perhaps our hero knew about the Principles of Community-Oriented GPL Enforcement and decided not to go to court first and not to seek the absolute maximum monetary damages.

                              1. 9

                                Incidentally, the Software Freedom Conservancy recently announced that they are changing enforcement strategies to prioritize litigation.

                                From https://sfconservancy.org/copyleft-compliance/enforcement-strategy.html#the-need-for-litigation:

                                In our private negotiations, pursuant to our Principles of Community-Oriented GPL Enforcement, GPL violators stall, avoid, delay and generally refuse to comply with the GPL. Their disdain for the rights of their customers is often palpable. Their attitude is almost universal: if you think we’re really violating the GPL, then go ahead and sue us. Otherwise, you’re our lowest priority.

                                1. 6

                                  The principles are designed to get more compliance. In this case they got compliance, so that’s good. But there is some disagreement about the best strategy to get max global compliance.

                                  1. 5

                                    Nah, take the company down without hesitation or remorse.

                                    It’s not like the company wouldn’t do the same if it was in their financial interest.

                                    1. 3

                                      I’m familiar with this document, but I’ve not reviewed it in a few years. Thanks for linking to it!

                                      It’s my understanding that avoiding court at first is generally the normal course of action preceding litigation.

                                      GPLv3’s termination provision allows first-time violators automatic restoration of distribution rights when they correct the violation promptly

                                      In theory, OP could consider the violation remedied under this provision of the GPL3 (upon which the AGPL3 is based, IIRC, with the notable SaaS provision added). That halts future infringement but doesn’t address past infringement. It’s on OP to determine if there’s enough juice to be squeezed out to make the effort worth it.

                                      Copyright holders (or their designated agent) therefore are reasonable to request compensation for the cost of their time providing the compliance education that accompanies any constructive enforcement action.

                                      This is one of my favorite parts of this community-oriented enforcement mindset. However, a few hours of consulting time versus 100% of the profits of a service that made a company tens or hundreds of thousands of dollars, minus legal fees of probably 1/3… do the latter and donate the proceeds to the SFC or another great open source organization. I believe that’d do more for the community.

                                  1. 2

                                    Best thing I ever did was get rid of my t480. There’s a throttling issue on some of their laptops which basically means your CPU runs at a really low speed. Lenovo will never fix it. There’s an open ticket for it that they’ve ignored for years.

                                    This is on Linux by the way. All kernels/distros afaik.

                                    The screen was incredibly flimsy too. Just an all round painful piece of hardware.

                                    I replaced it with a Huawei matebook 13 which is literally half the price and infinitely better in every way.

                                    Not sure why there’s such a cult following.

                                    I write this in the hope that somebody else doesn’t get tricked into buying one of these things.

                                    1. 1

                                      There’s an open ticket for it that they’ve ignored for years.

                                      I’m not sure what ticket you are referring to, but Lenovo released firmware updates to fix this problem last year.

                                      Lenovo will never fix it.

                                      The T480 did not receive a firmware fix, but there is a very long thread about the issue on the Lenovo forums. From a comment on that thread:

                                      As of today there is no longer a need for a firmware workaround for the T480 and probably most other devices that were affected by this bug

                                      1. 1

                                        Cool it has finally been fixed. Still glad I’ll never see that laptop again though.

                                      2. 1

                                        T480 is a bit too new for me but the “cult following” maybe stems from people’s experiences. I’ve had a W500 or W510, some Txxx from ~2012, an x230, a T460p, and a T470p and they all worked flawlessly. That’s 10.5 years of professional + personal usage, pretty good run in my book.

                                      1. 7

                                        I find it curious that dotfiles are among the things listed by the author that don’t scale. I’ll quote Steve Losh because he says it better than I ever could:

                                        I can count on my balls how many times I’ve sat down to program at someone else’s computer in the last five years. It just never happens.

                                        1. 3

                                          I’ve done it. Either because it’s just Peer Programming, or because of a client’s Misplaced Paranoia.

                                          1. 2

                                            I’m equally surprised to see static blog generators there. Sure, some generators have slow build times for large sites… and many others don’t. If anything they scale better than CMSes because you only build the blog every so often, but it needs no maintenance and can be served to a large crowd of visitors per minute from free or dirt-cheap hosting.

                                            I generally agree with the idea that we should be solving problems for everyone whenever possible, but some things just can’t have universal “good” defaults. Highly domain specific example: MuseScore has no default shortcut for “toggle concert pitch”. For people writing for woodwinds, having one is a real time saver. Everyone else usually has no idea what on earth “concert pitch” is. People writing different kinds of music can benefit from simpler shortcuts for their common tasks a lot. I bet the same goes for many other applications: if the default shortcut for a thing you do every minute is Ctrl-Alt-Meta-Escape-Super-F14, you should rather change it and add it to the dotfiles than put up with it or argue with people whose needs are different that they should cater to your needs.

                                            1. 1

                                              I’m equally surprised to see static blog generators there.

                                              This surprised me too, until I read a comment where the author explained their rationale:

                                              If the problem you’re solving is “I want to have a website to post my articles on”, then I think the solution should probably not involve git, local builds from the terminal, or CNAME configs to get a custom domain.

                                            2. 1

                                              Agreed. I mean it’s also not that I’m a clueless fool when I work with other people’s computers. It may take a bit longer, but I don’t see the problem.

                                              This is not really like handing your hammer to another person on a construction site. This is more like having to put on their shoes and trousers, because the hammer is not the problem.

                                              1. 1

                                                Ya that seemed odd to me. I have a dotfiles directory where I store configurations for the software I use most often. There has never been a time during machine setup or server configuration where running setup-dotfiles.sh has not given me the exact environment I like, customizations and all. It’s not like Vim is software that introduces a lot of breaking changes.

                                                1. 1

                                                  I’ve had to jump on a cow-orker’s workstation to help diagnose a problem and man, is it painful as nothing works like I expect it to. And the customizations I have aren’t that many (in fact, I tend to remove default settings in bash), but I’ve been using said settings for over 20 years now.

                                                  The problem I see with the author’s approach is either fighting for change (what if they reject it?) or just living with the ever changing set of defaults (which in my experience destroy any hope for a good long term work flow to develop).

                                                1. 2

                                                  When writing the post-mortem for this bug, I spotted that data in our staging and production services were different. And that’s why our data migration crashed and left one of the core tables in a broken state.

                                                  Isn’t the discrepancy between staging and production data the root cause of your issue? If your staging service data is different enough from production data that this happens, I don’t think adding additional testing of migrations is a real fix.

                                                  1. 4

                                                    Assuming your domain is constantine.su, I wonder whether the issue might be a combination of:

                                                    1. 4

                                                      Hetzner

                                                      Oh boy. Possibly related, possibly unrelated, but at work recently we had to block an entire IP range from Hetzner due to misbehaving crawlers that were not respecting various robots.txt rules and nofollow on internal links. There is a chance that there are probably some legitimate IPs in that range, but not worth the BS we were getting from those crawlers.

                                                      Also seconding your recommendation of rDNS. It has been essential for many, many years now.

                                                      1. 9

                                                        Well in that case you won’t get my mails, or be able to interact with any of my services, or update Quasseldroid.

                                                        Hetzner is one of the few hosters offering dedicated hosting powered with fully renewable energy, and one of the few hosters actually handling abuse reports correctly (as in, not terminating service from any abuse report, but only from court orders, which is useful behavior if you’re getting SWATed by internet trolls, who’ve also found they can use abuse reports for the same purpose).

                                                        1. 4

                                                          +1 for Hetzner. Their support and service is great! I’m using them as well because of their use of renewable energy. Changed from Linode a while back.

                                                          1. 3

                                                            They also aren’t crooks like some of their competitors. I’ve had Scaleway (Online SAS) increase prices for old dedicated servers without much advance notice, either; which is really a shame, because the only reason I bought the server was a low price (one of them I didn’t even have powered on, apparently). OVH appears to have played similar games as well. Hetzner does the opposite for long-term customers.

                                                          2. 2

                                                            Not to worry, I will still get your mail and all the rest!

                                                            AFAIK the block was various front-end web services. I do not think it even applies to API instances, just those serving up full web pages. So you couldn’t access the various websites from a script that is deployed to Hetzner. And I suppose if you did mail a web instance, it wouldn’t receive them, but the IP block wouldn’t be the only reason for that.

                                                            Also good to hear another anecdote on Hetzner as a host. Aside from your comment, my only exposure to them is as the host of a hive of over-aggressive and poorly-configured crawlers over the last year.

                                                            I shared my anecdote because it might be relevant to the article’s main concern: If we had to block one of their IP ranges for web traffic, it is conceivable that other entities have blocked them for email.

                                                          3. 1

                                                            Oh that’s unfortunate. They’re a good host. I only moved off them because they finally stopped offering the VPS I was on after seven years.

                                                          4. 5

                                                            No, I’ve never used that domain for mail; it’s too long.

                                                            • Note that this is not a TLD issue, either, because only one of my domains is affected by “low reputation”, the other ones in the very same TLD are not. This has been 100% reproducible over the last few weeks.

                                                            • Hetzner IP space is not involved here, either — none of these rejects or accepts were over Hetzner IP space. Regardless, you’re ignoring the fact that Google has blacklisted a specific domain name, not the IP address which I’m using, because the very same IP address with the very same email body and the very same TLD, just a different (rarely-used) domain itself in From and MAIL FROM, gets accepted by Gmail, and doesn’t even end up in the Spam folder, either — goes straight to Inbox. Again, this has been reproducible 100% in the last few weeks. And just because some users report issues with their newly purchased servers at a huge provider like Hetzner doesn’t mean that it’s something that’s not supported or isn’t supposed to work. Of course, with enough volume and enough churn, some individual IPs may come blacklisted, which doesn’t mean that it’s representative for the whole space.

                                                            • And let’s not get all McCarthyism here on Lobsters, shall we? All those stories from 2013 about .su being used for spam and scam have zero credence, and are built around some scammer from abuse.ch shopping the very same story across multiple venues, going as far as Fox News (reprinting AP, I guess). Their suggestion on their own blog at the time was to completely block .su. (I don’t recall ever communicating with anyone from .ch. Should I maybe block .ch? Why don’t we all just block and blacklist each other?) And even if you disregard the potential bias of these databases and unclear methodologies, .su is still one of the cleanest TLDs out there, especially for how many domain name registrations it has. Your own Spamhaus link reports .us at 33% bad (ouch!), .biz at 24%, .cn at 18,4%, so .su at 11,5% bad comes out pretty clean in comparison (.com and .net are between 4 and 5%, which is hardly very clean, either, especially given the absolute numbers). This is even if you disregard the potential bias of their methodologies in the first place.

                                                            1. 2

                                                              I just re-read your email and it looks like the sequence of events is this:

                                                              • you configured your server to forward mail from your primary domain to your free GMail account
                                                              • GMail began thinking a significant portion of emails from your domain were malicious
                                                              • after a few months of this happening, GMail began blocking emails from your domain

                                                              I can see how this situation suggests that there should be an easy way to get your domain unblocked. I also can see why Google doesn’t make it easy for actual malicious actors.

                                                              I ran my own email server (on a VPS provider with as many reputation issues as Hetzner) for more than a decade. I stopped not because my emails were being sent to spam or were being rejected, but because running your own email server correctly is hard. I think I can assume you weren’t running an open relay and had SPF and DKIM set up correctly, but without knowing the domain (which you didn’t mention in your original email and haven’t mentioned here) or the contents of the messages you were forwarding to GMail, it’s impossible for anyone to state that Google is overreaching by not accepting email from your domain.

                                                              1. 2
                                                                • The server has been forwarding the mail and running cron jobs for many years. Same domain, same IP, same recipient Gmail account. It’s not actually a free Gmail, BTW, because I was duped into believing that the mailbox size is infinite, whereas it has stopped growing at 15GB; so, due to all the mailing list archives, I now have to pay 1,99 USD/mo to be able to continue to receive new mail.

                                                                • In a newly added cron job a couple of months back, I’ve started sending myself a list of a few dozen domain names which I don’t control over to my Gmail. This has been done exclusively to my own Gmail address. How could you possibly classify a few dozen plaintext domain names as malicious in a clean room?

                                                                • You make it a point that I’ve been sending these “malicious” emails for a “few months”, but you’re ignoring the fact that they aren’t actually malicious, nor were these the only emails that were being sent. How was I even supposed to know that one or two of these emails daily, in the presence of dozens of emails not so marked, would turn my domain name into having a persistent “low reputation”?

                                                                BTW, I do not actually use DKIM, but do use SPF and DMARC; note that these rejected emails do pass both SPF and DMARC; DMARC requires either SPF or DKIM to pass with domain alignment in order to generate a DMARC pass. My forwarding doesn’t appear to mangle existing DKIM signatures, but it would seem that even those emails are rejected, too. (However, emails from my own secondary domains without DKIM but with an SPF pass do get through.)
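                                                                The DMARC rule stated above (a pass needs either SPF or DKIM to pass with an aligned domain), as an added example that is not code from this thread: it evaluates constructed Authentication-Results samples for the forwarding case, and assumes a simplified organizational-domain rule (last two labels) where real DMARC evaluation consults the Public Suffix List.

```python
"""DMARC alignment evaluation (RFC 7489 logic, simplified org-domain rule).

Added example, not code from the original thread. Assumptions: the
organizational domain is taken as the last two DNS labels (real
implementations use the Public Suffix List), and the Authentication-Results
samples are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (assumption)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 'r' = relaxed (same org domain), 's' = strict (exact)."""
    a = from_domain.lower().strip(".")
    b = auth_domain.lower().strip(".")
    if mode == "s":
        return a == b
    return org_domain(a) == org_domain(b)


@dataclass
class AuthResults:
    header_from: str                      # RFC5322.From domain
    spf_result: str                       # "pass", "fail", "none", ...
    mail_from: str                        # RFC5321.MailFrom domain checked by SPF
    dkim: List[Tuple[str, str]] = field(default_factory=list)  # (result, d= domain)


def parse_auth_results(header_from: str, ar_value: str) -> AuthResults:
    """Parse a minimal Authentication-Results value (RFC 8601 shape), e.g.
    'mx.example; spf=pass smtp.mailfrom=user@example.su; dkim=pass header.d=x'.
    Clauses this simplified parser does not recognise are ignored."""
    spf_result, mail_from, dkim = "none", "", []
    for clause in ar_value.split(";")[1:]:          # [0] is the authserv-id
        clause = clause.strip()
        m = re.match(r"spf=(\w+)\s+smtp\.mailfrom=(?:[^@\s]+@)?([\w.-]+)", clause)
        if m:
            spf_result, mail_from = m.group(1), m.group(2)
            continue
        m = re.match(r"dkim=(\w+)\s+header\.d=([\w.-]+)", clause)
        if m:
            dkim.append((m.group(1), m.group(2)))
    return AuthResults(header_from, spf_result, mail_from, dkim)


def dmarc_evaluate(r: AuthResults, aspf: str = "r", adkim: str = "r") -> Dict[str, object]:
    """DMARC passes if SPF passed with an aligned MAIL FROM domain, or any
    DKIM signature passed with an aligned d= domain. aspf/adkim are the
    alignment modes from the sender's DMARC record."""
    spf_ok = r.spf_result == "pass" and aligned(r.header_from, r.mail_from, aspf)
    dkim_ok = any(res == "pass" and aligned(r.header_from, d, adkim) for res, d in r.dkim)
    return {"spf": spf_ok, "dkim": dkim_ok, "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


if __name__ == "__main__":
    # Constructed sample: own cron mail, SPF only, no DKIM at all.
    own = parse_auth_results("example.su", "mx.test; spf=pass smtp.mailfrom=cron@example.su; dkim=none")
    print("own cron mail:", dmarc_evaluate(own))
    # Constructed sample: forwarded mail; SPF names the forwarder, DKIM survived.
    fwd = parse_auth_results("example.org",
                             "mx.test; spf=pass smtp.mailfrom=srs0=x@example.su; dkim=pass header.d=example.org")
    print("forwarded, DKIM intact:", dmarc_evaluate(fwd))
```

The forwarded case shows why an intact DKIM signature matters for forwarded mail: SPF passes for the forwarder's own domain but is not aligned with the original From domain, so only DKIM can produce the DMARC pass.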

                                                            2. 1

                                                              Just as a semi-relevant data point, I send bulk mail from a server hosted at Hetzner and Gmail doesn’t block that. Gmail blocked that mail at the start and so did several others, because the server’s IPv4 address had been used for all kinds of evil things (the previous customer ran an unpatched wordpress site and was 0wned). But then I

                                                              • investigated each and every 4xx and 5xx SMTP response, and took care of every problem
                                                              • signed everything with DKIM and added an explicit SPF yes
                                                              • made the hostnames match, even ones that shouldn’t need to

                                                              It took a month or two for the old reputation to age away, and investigating every SMTP transaction for bulk mail was tedious, but the mail has been flowing smoothly since. I don’t know what OP is doing, but “being hosted at Hetzner” isn’t a problem in itself, even if you start with your IPv4 address on a half-dozen blacklists.

                                                              1. 1

                                                                It took a month or two for the old reputation to age away

                                                                You don’t really have to do that, BTW. I think it’s pretty standard practice for providers to exchange the IP address in case you get one that’s burned and where it’s an issue for you (it might as well not be for their next customer).

                                                                1. 1

                                                                  It’s not much time, anyway, and mostly overlapped with the time to investigate other possible problems. No one had checked the recipient list, for a start.

                                                            1. 3

                                                              …I stumbled across a post from the manufacturers of a usb docking station about customers with similar symptoms that only manifest on this particular laptop

                                                              I don’t think this description of the Plugable post is correct. They state that they received reports from some customers with a variety of different Dell laptop models (“XPS 13 9350, XPS 15 9550, and Precision 5510”) but that it only seemed to affect a small minority of the systems (“Why did the docks work great for the vast majority of customers’ XPS 9350 and 9550 systems (and Plugable’s identical in-house test systems) while a handful of other customers with the same systems were having problems”).

                                                              It turns out that the usb, hdmi and wifi are all sitting on top of each other and are not sufficiently well shielded.

                                                              While the post never mentions the specific laptop model by name (instead calling it “this laptop” or “the laptop”), I suspect the fact that this isn’t an issue in the majority of systems points towards a malfunctioning wireless card. A scan of comments on the Plugable post finds multiple people who contacted Dell and received a replacement card that fixed their issue.

                                                              1. 14

                                                                There is a third assumption not discussed in this article - that contributions to private repositories are always for employer repositories.

                                                                There is no way of discovering whether a private contribution is for an employer, for an employee’s closed-source side project, or for a freelancing project for a third party. I think this is a serious limitation that significantly limits the usefulness of this research method.

                                                                1. 5

                                                                  It is actually mentioned:

                                                                  This is not a perfect process, since users can disable showing private repository contributions, or it’s possible the developer has personal private repositories. This is why you want to check as many profiles as possible.

                                                                  (Bold not in original)

                                                                  This is why I suggested checking multiple people’s profiles, not just one.

                                                                  Also you can correlate weekend work dates across people to spot crunch time (I added this bit as additional suggestion to the article after it was published, it’ll show up when CDN cache resets. But private personal repos was in original post.)

                                                                  1. 3

                                                                    I also feel contributions to private repositories are not a strong indicator of work/life balance. Employees could be working long hours, often go through crunch time, be expected to reply to emails and phone calls during weekends…

                                                                    1. 1

                                                                      It’s just an initial filter, to remove companies that are obviously not a place to work for. Even if the company passes this filter you still need to e.g. ask about work/life balance during the interview (I updated the post to note that.)

                                                                      1. 2

                                                                        So a company should have to prevent employees from working outside of what the query defines as “work hours”, in order to avoid this type of bad annotation?

                                                                        There are so many variables here at play (what are work hours, asserting companies are using GitHub’s (not any other/internal repo) private repos, the reason for pushing things to a git remote (personal wiki, dotfiles, personal projects)). Just as hard to prove false would be: “how many employees are pushing to their private dotfiles during evenings?”

                                                                        Do you have any evidence supporting this claim, or is it just pure guesswork? You say “empirically”, but I question whether that phrasing is applicable. I’m using somewhat strong words here, sorry, but I think companies should not be dragged through the dirt without evidence.

                                                                  1. 0

                                                                    I think that a solution would be to

                                                                    1. reduce active member count (in reverse chronological order) until a consensus can be found, and then
                                                                    2. gradually increase while maintaining the obtained consensus as an invariant

                                                                    That is, temporarily disable accounts with age <= 2y and, if the problem persists, continue with <= 3y, etc., and then re-enable in reverse order.

                                                                    1. 8

                                                                      I think disabling accounts based on a metric possibly correlated with aberrant behavior (account age) as opposed to the actual behavior (violating the norms of the site) would have negative effects on community health.

                                                                      If someone’s account is suspended, are they likely to continue contributing to the site after their account is reactivated?

                                                                      1. 2

                                                                        Disabling accounts based on a metric possibly correlated with aberrant behavior

                                                                        Oh, “finding the bad apples” is not the idea at all! The idea is to revert to a known-to-be-functional state, then work out a consensus on culture in that (smaller, more effective) group, and finally grow back in a controlled manner.

                                                                        If someone’s account is suspended, are they likely to continue contributing to the site after their account is reactivated?

                                                                        I can only speak for myself (I’d fall in the first batch, <1y), but yeah, I would.

                                                                      2. 4

                                                                        I don’t think this is a good idea, but to be honest I preferred lobste.rs from the time when I didn’t have an account. In fact I would happily delete it if I could get back that calmer and more focused site. One of the reasons I asked for an invitation was to be able to use ‘hide’ and start voting to stop HNification.

                                                                      1. 7

                                                                        @friendlysock, the post in question was going to be problematic regardless of our community health at the moment it was posted. Just look at the vote counts you highlighted. Crustaceans clearly have strong feelings about that company.

                                                                        That being said… yes, this would be a good time to inoculate newcomers, re-inoculate old-timers, and push out those that resist.

                                                                        …I don’t know how to reply or otherwise respond to the chronologically first comment on your post. I have many skills, but not-making-it-worse is not one of them. Help? I want to say something like “No, just no. We’re doing a thing here. Watch us and do like us, or leave.”

                                                                        1. 11

                                                                          @friendlysock, the post in question was going to be problematic regardless of our community health at the moment it was posted. Just look at the vote counts you highlighted. Crustaceans clearly have strong feelings about that company.

                                                                          Having strong feelings is one thing, knowing which places are good to discuss them is another. It seems to me that with each passing month more and more people think that lobste.rs is a good place to discuss anything they find interesting/important.

                                                                          Part of the problem is that there are no explicit content rules - it’s hard to ask others to stop posting some kind of content if there are no guidelines on what is and isn’t accepted here.

                                                                          1. 7

                                                                            One part of @friendlysock’s post struck me:

                                                                            This site is for practicing technologists and for people trying to learn about technology and better themselves as engineers and developers.

                                                                            I think it would be helpful if this or something similar was added to the story submitting guidelines on the Submit Story page. It would be more explicit than the current “if no tags apply, your story is off-topic” suggestion.

                                                                            1. 9

                                                                              Keep in mind, that is @friendlysock’s line, not an “official” Lobsters policy. I happen to agree with them, but I think that the truth is closer to @tt’s remark that this has always been a “place to discuss anything [the users] find interesting/important.” Unspoken rules have but little force.

                                                                              1. 3

                                                                                It’s his view, not Lobsters’. I think, though I could be misremembering, there used to be more people agreeing with his view. The submissions were consistent with it when I came in. The votes went the other way in a later meta, after they did for representative threads and comments. I’m guessing most people doing mass invites brought in people like them. Most of the people that came in have the newer leanings about political posts. There were many before, though.

                                                                                Now, the majority opposes friendlysock’s position in day-to-day use of the site, votes, and comments. It’s why my welcomes that use the What Lobsters Is and Isn’t write-up don’t say it’s our rules or official policy: I just encourage them to focus on What Lobsters Is for high-quality, technical submissions that will be well-received by people focused on that.

                                                                              2. 8

                                                                                This only makes sense if that actually is the sole purpose of the site, but I don’t believe there’s agreement on that point, despite @friendlysock continually speaking as if there is, and as if he speaks for the community as a whole.

                                                                                1. 7

                                                                                  for people trying to learn about technology and better themselves as engineers and developers.

                                                                                  In particular, the implication that bettering yourself as an engineer is unrelated to understanding the ethical implication of your work is deeply disturbing to me.

                                                                                  1. 8

                                                                                    Do you believe that the posts in question actually furthered our understanding of the ethical implications of the work? To me, it read more like low effort shaming, or an attempt to stroke a sense of moral superiority.

                                                                                    Out of all ethical discussions on this site, what portion do you think furthers our understanding of ethical implications?

                                                                                    1. 4

                                                                                      That is not the implication I get at all. What I read is that “understanding the ethical implication of our work” is something we could agree to do elsewhere.

                                                                                      1. 2

                                                                                        I don’t see how what you said can be true without what I said.

                                                                                        If understanding ethical implication of your work is part of being a better engineer, then it’s a suitable topic for a site whose purpose is “trying to […] better themselves as engineers”.

                                                                              1. 1

                                                                                One thing I worry about with DIY VPNs is that my traffic will always originate from the same IP. Is there a way to make a VPN inside AWS rotate IP addresses for every new connection?

                                                                                1. 1

                                                                                  AWS EC2 IP addresses are ephemeral by default - they get reallocated every time the instance is stopped or terminated. If you’re following the instructions in the article (stopping the instance when you are not using a VPN), your IP address should be changing periodically.

                                                                                  1. 2

                                                                                    Indeed. So in the article I use an Elastic IP so that the VPN has the same IP each time the EC2 instance is started. However, you could use the dynamic public IP that EC2 allocates by default instead of the Elastic IP. As @martey pointed out, the dynamic IP changes each time you stop and start the instance. The only thing with a dynamic IP is that you need to either change your client config each time to the new IP address, or switch to using a hostname with some sort of Dynamic DNS provider and a hook from the instance.

                                                                                1. 19

                                                                                  Kind of funny to see this coming from Gruber, who has been a consistent defender of keeping systems closed in the name of user experience. Facebook used to have RSS feeds, too, and Google Chat used to support XMPP; the writing’s been on the wall for a while. I am surprised that he (and the third-party app maintainers) are really naïve enough to imagine that Twitter can be talked into maintaining these APIs (which allow people to use their service without being advertised to) in the long term.

                                                                                  1. 7

                                                                                    Indeed. The problem (for both Twitter and Gruber) is that Twitter started out as a classic Web 2.0 play with open APIs, and only later realized that can be a money drain. Later services like Instagram only offer API access for the real customers - the advertisers.

                                                                                    1. 12

                                                                                      Yup. This alone makes Mastodon a superior alternative. Now the trick is getting the masses to move over :) (Though, I’m not REALLY sure I want that :)

                                                                                      1. 3

                                                                                        Yeah, or Twitter could have a paid tier that allowed 3rd party apps, better privacy tools, etc. But that’s not the way they want to roll, apparently.

                                                                                        1. 2

                                                                                          (Though, I’m not REALLY sure I want that :)

                                                                                          I know the feeling! I kinda liked Twitter better when my acquaintances weren’t on it, and we had actual meetups of Twitter users.

                                                                                        2. 3

                                                                                          Later services like Instagram only offer API access for the real customers - the advertisers.

                                                                                          Instagram is an even worse example of API bait-and-switch than Twitter - they offered API access to developers (in 2014), deprecated it this January ¹, and then completely removed access this spring, months before the deprecation deadline ².

                                                                                        3. 2

                                                                                          I honestly never understood why anyone cares what Gruber has to say. I give him credit for inventing markdown. Really great idea!

                                                                                          All the rest he produces seems to be some variation of “Apple is so amazing” and “Google is so awful”. Most probably that is confirmation bias on my end, but really: why does anyone care what Gruber has to say?