Threads for mshroyer

  1. 3

    I do something a bit weird to store 2FA backup codes and other core “secrets”:

    1. Prepare a set of YubiKeys w/ on-device generated OpenPGP keypairs. Among other things I set good PINs and enable proof-of-presence (ykman openpgp keys set-touch enc on).
    2. Encrypt secrets (for example, github-recovery-codes.txt) to this set of OpenPGP keys.
    3. Put the encrypted secrets (github-recovery-codes.txt.gpg) in Google Drive/Dropbox/etc.

    For me, the advantages are:

    • The secrets are backed up to the cloud, and if I keep one of these YubiKeys on my keychain I can access them away from home if needed.
    • Because I’m encrypting secrets to single-purpose, seldom-used YubiKeys that require proof-of-presence (and which I distinguish from my normal U2F/FIDO2/SSH YubiKeys with a bright sticker), it would be challenging even for someone with control of my computer to get at a secret that I didn’t intend to access—as with secrets printed on paper and only typed into the computer when needed, but in contrast with secrets kept in my password manager. This is how I justify to myself that 2FA backup codes stored in this way still constitute “something I have” instead of being just another password.
    • The secrets are stored electronically, which can be easier to deal with than typing or OCRing printed secrets.
    • Even if someone takes my safe they’d have a very difficult time doing anything with these secrets without knowing my YubiKey PIN.

    Obvious downsides include:

    • It’s expensive to buy a whole extra set of YubiKeys.
    • This approach requires using GnuPG and various smart card tools, and that all can be uncomfortably fiddly.
    • I had to write some Python scripts to do things like check the invariant “this collection of .gpg files is encrypted to the correct set of keys”.

    As other people have commented in this thread, printing 2FA backup codes and putting them in a good fire safe is a sensible and straightforward approach.
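A worked version of the invariant check mentioned in the downsides list above, added here as an example and not the commenter's own scripts: it parses the packet listing that `gpg --batch --list-only --list-packets FILE` prints (each `:pubkey enc packet:` line names one recipient's encryption subkey ID) and reports files that are missing a required key, encrypted to an unexpected extra key, or encrypted to a hidden recipient. The key IDs, file names and listings below are constructed for the demo; only the `gpg` invocation is assumed.

```python
"""Check the invariant "every .gpg file is encrypted to exactly the expected keys".

Added example, not the commenter's script. It relies only on gpg's packet listing:
each ':pubkey enc packet:' line carries the long key ID of one recipient. That ID is
the *encryption subkey* of the YubiKey, so REQUIRED_KEYS must list subkey IDs, not
primary-key fingerprints. All listings, file names and key IDs below are constructed.
"""
import re
import subprocess
from typing import Dict, List, Set

# e.g. ':pubkey enc packet: version 3, algo 1, keyid 0123456789ABCDEF'
PKESK_RE = re.compile(r"^:pubkey enc packet:.*\bkeyid ([0-9A-F]{16})\s*$", re.MULTILINE)
# Hidden recipients (gpg --throw-keyids / --hidden-recipient) appear as all zeros and
# therefore cannot be verified against the required set; they are reported separately.
ANONYMOUS_KEYID = "0" * 16


def recipients_of(listing: str) -> Set[str]:
    """Key IDs named by the public-key-encrypted-session-key packets in a listing."""
    return set(PKESK_RE.findall(listing))


def packet_listing(path: str) -> str:
    """Ask gpg for the packet structure without decrypting (no PIN or touch needed)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--list-only", "--list-packets", path],
        capture_output=True, text=True, check=False)  # exit status varies by gpg version
    return proc.stdout


def audit(listings: Dict[str, str], required: Set[str]) -> Dict[str, Dict[str, List[str]]]:
    """Compare each file's recipients with the required key set; return only the problems."""
    problems: Dict[str, Dict[str, List[str]]] = {}
    for name, listing in listings.items():
        have = recipients_of(listing)
        report = {
            "missing": sorted(required - have),
            "extra": sorted(have - required - {ANONYMOUS_KEYID}),
            "anonymous": [ANONYMOUS_KEYID] if ANONYMOUS_KEYID in have else [],
        }
        if any(report.values()):
            problems[name] = report
    return problems


# --- constructed sample data for the demo (not real key IDs) ---
REQUIRED_KEYS = {"0123456789ABCDEF", "FEDCBA9876543210"}


def _listing(*keyids: str) -> str:
    """Build text shaped like gpg's --list-packets output for the given recipients."""
    lines: List[str] = []
    for i, k in enumerate(keyids):
        lines += [f"# off={i * 271} ctb=85 tag=1 hlen=3 plen=268",
                  f":pubkey enc packet: version 3, algo 1, keyid {k}",
                  "\tdata: [2047 bits]"]
    lines += [f"# off={len(keyids) * 271} ctb=d2 tag=18 hlen=2 plen=0 new-ctb",
              ":encrypted data packet:", "\tlength: unknown", "\tmdc_method: 2"]
    return "\n".join(lines) + "\n"


SAMPLES = {
    "github-recovery-codes.txt.gpg": _listing("0123456789ABCDEF", "FEDCBA9876543210"),
    "only-one-key.txt.gpg": _listing("0123456789ABCDEF"),
    "stray-laptop-key.txt.gpg": _listing("0123456789ABCDEF", "FEDCBA9876543210", "00AA11BB22CC33DD"),
    "hidden-recipient.txt.gpg": _listing("0123456789ABCDEF", ANONYMOUS_KEYID),
}


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Run the audit over the constructed samples (swap in packet_listing() for real files)."""
    return audit(SAMPLES, REQUIRED_KEYS)


if __name__ == "__main__":
    for filename, report in demo().items():
        print(filename, report)
```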

    1. 1

      seems kinda tactless to give a fancy name to this vulnerability and release the details only 3 days after the patches went out.

      I mean, you know, not an Apple fanboy or anything, but pobody’s nerfect right?

      1. 8

        Maybe, maybe not?

        But I think the much more important thing is that they found this vulnerability and reported it to Apple, who then fixed it, making all macOS users safer in the process. I think that’s much more noteworthy than whether the vulnerability was given a fancy name after the fact.

        1. 5

          Tactless or not, it does feel a bit like the resident owner of a fine glass house has chosen to start a stone-throwing contest.

          1. 1

            You mean they should have announced the fancy name a few days in advance before the disclosure like everyone else does?

          1. 7

            I did this for a while.. It mostly worked well but never worked great. The pcscd / gpg-agent dance was flaky.. and most days would have to start one or the other.

            Since OpenSSH added FIDO2 and it’s in OpenBSD by default, I have completely switched to using it.. and I have to say it’s painless!

            I even did a writeup showing how to use two different keys (resident and non-resident) on the same device: https://deftly.net/posts/2020-06-04-openssh-fido2-resident-keys.html

            1. 2

              Since OpenSSH added FIDO2 and it’s in OpenBSD by default, I have completely switched to using it.. and I have to say it’s painless!

              I want to use it. But as far as I understand, GitHub and others do not support it yet, right?

              1. 2

                Ya, last I tried it didn’t work on GitHub. They always lag behind pretty bad with regard to OpenSSH features.

                1. 1

                  I’m confused, isn’t this a client-side OpenSSH feature? Shouldn’t GitHub be agnostic to whether the key lives on a FIDO2 device?

                  Is it a matter of GitHub not supporting the ed25519 key type?

                  1. 2

                    The FIDO stuff is a new key type: ed25519-sk

            1. 65

              My vote goes to 1Password, for ease of use, built in security model (client side encryption), versatility in handling all kinds of data (notes, credit cards, etc) and reliability of the plugins to work with all websites and apps. Other password management apps that I’ve tried have frequently had problems with some websites. Sometimes 1Password still has edge cases where e.g. 2FA is not automatically filled in and you have to copy paste it manually. But I haven’t seen a better app yet.

              1. 6

                Yeah, me too. I ended up at 1Password after trying a lot of both offline and online systems.

                1. 2

                  Have you had a chance to compare it with LastPass?

                  1. 6

                    My work used LastPass and I couldn’t have created a worst UI if I’d tried. There was no easy way to generate a new password. It took three clicks in non-obvious places to get to it.

                    1. 2

                      I used LastPass for several years before switching to 1Password a year ago. Wish I had switched earlier. LastPass’s UI design needs a lot of work and over time actually got worse with various annoying small bugs.

                      1. 2

                        Hard no to LastPass. I used it years ago, audited it one evening on a lark, found a few vulns, reported them, a couple got fixed, a couple got me told to fuck off.

                        And also, LastPass: Security Issues

                        1. 2

                          When I previously used LastPass, there were some weird differences between the browser version and the desktop version - there were some things that each of them couldn’t do.

                          One oddity worth noting - I don’t use the desktop app with 1Password. I’ve found their browser extension, 1PasswordX, to be more stable (it also has the benefit of working on Linux).

                          I believe with the addition of HaveIBeenPwned integration on the LastPass security dashboard, they’re pretty much similar feature wise (though maybe 1Password can store 2FA tokens). I’ve used 1Password because it felt way less clunky than LastPass and it doesn’t require me to install a random binary on my Linux machines in order to access my passwords.

                          1. 1

                            I switched to 1Password from LastPass a couple years ago and haven’t looked back.

                            LastPass got unusably slow for me after I had more than a few hundred entries in it. I don’t know if they’ve fixed their performance problems by now, but I can’t think of anything I miss.

                        2. 5

                          Long time 1Password user here. It’s by far the best tool I’ve ever used. And I believe it goes beyond the application itself, as the support team is also great. Given a matter as sensible as all my credentials to login into several different services, having good support is mandatory IMO.

                          1. 4

                            1Password here too. Excuse the cliché, but it just works. The cost is minimal for me — $4/mo, I think.

                            I’ve been slowly moving some 2FA to it, but it seems dependent on 1Password itself detecting that the site supports it vs. something like Authy where I can add any website or app to it.

                            1. 4

                              I just switched to 1Password after 5-10 years on Lastpass. There’s some quirks, it’s not perfect, I generally prefer it to Lastpass.

                              The only thing Lastpass truly does better is signup form detection. Specifically I like the model Lastpass uses of detecting the form submission, 1Password wants you to add the password prior to signing up, which gets messy if you fail signing up for some reason.

                              1. 2

                                1Password wants you to add the password prior to signing up, which gets messy if you fail signing up for some reason.

                                Oh yeah, this is a constant frustration of mine. Also, whenever I opt to save the password, I seem to have a solid 4-5 seconds of waiting before I can do this. This seems to be 1Password X, FWIW. Back in the good old days of 1Password 6 or so when vaults were just local files, the 1P browser extension seemed to save forms after submission.

                              2. 2

                                I’ve been able to get my whole family onto a secure password manager by consolidating on 1Password. I don’t think I would have been successful with any of the other options I’ve found.

                              1. 2

                                I’d previously tried to use an iPad Pro with the Apple Pencil (gen 1) as a note-taking device. It worked, and it’s superior for drawing, even. But it showed that the iPad isn’t designed as a dedicated paper replacement: the Pencil slips too easily on the glass, my palm was constantly smudging and rubbing on the screen, and I had to remember to keep the Pencil charged up. Worse, I couldn’t just leave the iPad open on my desk to glance at while I cross-referenced other materials for extended periods: because of the backlit display, it’s set to sleep after a minute or so.

                                Taken all together, these papercuts meant that even though I had an iPad Pro with an Apple Pencil, I would still turn to actual pen and paper more often. reMarkable 2 is the first device I’ve tried that I’m actually inclined to reach for over paper. The author nails it: using this thing is shockingly natural.

                                (I wish it had better ePUB navigation, on the other hand. And the desktop app could be a lot better, at least on macOS.)

                                1. 7

                                  WhatsApp end-to-end encrypts all chats, by default, using the Signal protocol; Telegram only supports optional encryption of 1:1 messages with a more questionable protocol.

                                  Either choice gives you better security guarantees than WhatsApp,

                                  It’s totally fine to dislike Facebook or to want an open source client. I may have different priors than the author, and for my part I trust Telegram, as a company, less than I trust Facebook with my data. But I’d have to think WhatsApp is flatly lying about its use of the Signal protocol to consider my conversations on Telegram more private than those on WhatsApp.

                                  Ultimately, though, I agree with the author that Signal is the best choice out of the three.

                                  1. 1

                                    The section on MoCA was interesting—I didn’t even know that exists.

                                    But I’m really confused about the network topology the author settled on (partially because it isn’t clearly described). Multiple routers is probably the wrong choice for this kind of situation—multiple switches and APs, sure, but not multiple routers.

                                    If I were setting this up I’d have a single router between my local network and Sonic. The router would give out IPv4 DHCP assignments and IPv6 router advertisements to the LAN. You can set up all the switches and APs you like behind that router, but directly exposing your LAN to your ISP’s network seems like a brittle mistake (and also possibly a security nightmare).

                                    1. 1

                                      Ah, I wasn’t clear enough. I ended up running my two consumer routers in AP mode. I have a single managed switch sitting between the local network and Sonic.

                                    1. 6

                                      Don’t be scared to consider Cat 8.1 (40GB/s up to 30m), because it is standardized with the RJ45-connectors contrary to Cat 7, which isn’t.

                                      1. 3

                                        If you’re going from scratch, is there a good reason not to just do fibre for the runs and put RJ45 converters in the walls for easy-to-plug-in ?

                                        1. 3

                                          That’s also an idea, but this comes at considerably more cost and is a bit problematic for some home-network applications like PoE. With fibre, it’s not as simple as with cables to connect surveillance cameras, wifi antennas, or anything else. And given PoE++ supports up to 70W, I could think of many applications where this might come in handy. :)

                                          1. 1

                                            I like to follow the rule of “always pull an extra Cat5 or two if you have the room with any cable pull” (although recently updated the rule to Cat6 and now it sounds like I should do 8.1). When I did this with fiber a few years back, I had no plans for the Cat5, but did end up using it for POE later. As an aside, if you use Cat5 (not e) with POE, IME it will stop working reliably at some point. :(

                                          2. 1

                                            Where can I find out more about what it means for Cat 8.1 to be standardized with RJ45?

                                            Does this mean the Cat 8.1 spec specifies a certain RJ45 pinout? Or something else?

                                            1. 6

                                              It is really simple, and I understand you, because it confused the heck out of me before I figured it out. Up until (including) Cat 6A, it was part of the standard to use RJ45-connectors. Their disadvantage is that it’s really hard to shield them, which is why Cat 7 brought a new connector type (GG45) which looks almost like RJ45 but is not compatible with it (you can plug an RJ45 into a GG45 socket, but not the other way round). Additionally, Cat 7 isn’t even an international standard and quite messy. Most people use Cat 7 cables but terminate them with RJ45 connectors, which makes zero sense because this way you don’t even make use of the special shielding and grounding in the cable. It’s effectively a waste of money.

                                              Cat 8.1 came later and fixed a lot of stuff. It is an international standard and uses the RJ45 connectors again (which is possible due to advances in shielding technology). There is also Cat 8.2, which uses different connectors, but that’s another matter. The cables themselves (Cat 8.1 and 8.2) are the same.

                                              What I meant with my comment was this: If you renovate your house and install cables, the cables are the only thing that matter. If you really upgrade to 40GB/s in 10 years, it is possible. Even if, by then, other connectors are the norm, you can replace them on the existing cables, but you cannot easily replace the cables themselves in your wall, obviously.

                                              tl;dr: If you want more than 10GB/s (which is not unreasonable anymore) and want to be future proof, skip Cat 7 and go directly with Cat 8 cables and Cat 8.1 RJ45 connectors.

                                              1. 1

                                                Ah thanks for the explanation, that’s very helpful. It didn’t even occur to me that Cat 7 wouldn’t have specified the use of an RJ45 connector at all.

                                                1. 1

                                                  You are very welcome! Yes, this fact is rarely mentioned and, for me at least, means that Cat 7 could very well not even exist.

                                          1. 6

                                            Call me spoiled, but a 10G network between my NAS and various computers (a Mac mini, a workstation) is life-changing for me. Daily backup is faster, no seeking delays when playing / scrolling 4K videos and just in general file transfers snappier. I live in an apartment now so cat6e works fine for me. But if I moved, I would seek solutions to have 10G connectivity in every room.

                                            1. 3

                                              What kind of switches are you using? Last I really looked, 10 gigabit Ethernet hardware was still expensive enough to put it out of my reach for home use.

                                              1. 2

                                                I am on MikroTik switch like the other threads already mentioned.

                                              2. 2

                                                I’m about 1/2 way through replacing most of my home network with 10gbase-t - I just finished pulling new cat7 cable to replace cat5 that came with the house and wasn’t able to support 10g (or even 1g on a few of the links).

                                                There still aren’t a lot of options for 10g home lab grade equipment. It seems like it’s either a nice used switch from eBay that makes my neighbors think I have a jet engine in my garage or a really cheap unmanaged 10g switch (e.g. MikroTik or something similar).

                                                1. 4

                                                  Everything from MikroTik is managed, and the models with “router” in the name dual boot SwOS/RouterOS. Heck, the 10G capable Marvell switch chip they use even supports accelerated L3 forwarding, and they finally started using that (in betas and for IPv4 only for now, IIRC)

                                                  1. 3

                                                    I’ve been using Mikrotik for many years now, but I feel that their software and hardware QA has gone downhill lately. I got burned by a variant of this 10Gb problem, and they still haven’t made it right. A lot of their layer 3 stuff is a little off (search for BGP issues) too.

                                                    That said, no one else is even close to their price point for a redundant power switch (even most of the cheap stuff will accept power over passive POE and a wall wart). My advice is to use them for L2 functionality, heavily test, and have spares even for home networks. And allow a fair amount of time to get accustomed to their rather exotic configurations, which change more often than they should.

                                                1. 3

                                                  My first impression of this was “this guy has a lot at stake with nudes.”

                                                  I agree with the idea that we should hold companies to the same standard and stop excusing big companies that we happen to like the product of (as a whole, not necessarily on the individual level). I don’t personally use icloud for anything other than text documents, but I can see how it would be an issue for sensitive information.

                                                  1. 6

                                                    In the category of data that people hold onto in their iCloud backups, nudes are probably the most sensitive and well-understood variety. I think it totally makes sense to invoke that as a way to remind people of the sensitivity of the data they’re handing over to other companies.

                                                    1. 3

                                                      I don’t know if it’s a generational thing or if I’m just an odd guy, but I don’t have any nudes of myself or others. I would be more worried about any sort of tax forms, bills, recovery codes, etc that I was storing in text on iCloud.

                                                    2. 6

                                                      My first impression of this was “this guy has a lot at stake with nudes.”

                                                      Indeed.

                                                    1. 4

                                                      Pretty good article.

                                                      I went in thinking Apple was being hypocritical and now think that perhaps their move was pretty smart. Can’t push too much at once.

                                                      Also pretty surprised at Alphabet’s different approach also pretty smart.

                                                      1. 1

                                                        I was looking for information about Android’s approach, and found the following on Google’s support:

                                                        If your backups are uploaded to Google, they’re encrypted using your Google Account password. For some data, your phone’s screen lock PIN, pattern, or password is also used for encryption.

                                                        If you back up to Google Drive, here’s what’s backed up:

                                                        • Contacts
                                                        • Google Calendar events and settings
                                                        • SMS text messages (not MMS)
                                                        • Wi-Fi networks and passwords
                                                        • Wallpapers
                                                        • Gmail settings
                                                        • Apps
                                                        • Display settings (brightness and sleep)
                                                        • Language and input settings
                                                        • Date and time
                                                        • Settings and data for apps not made by Google (varies by app)

                                                        Photos are another story, I guess.

                                                        As for contacts, they may be encrypted for backups, but they’re all fully available from other Google services like GMail, right? 🤔

                                                        1. 2

                                                          https://support.google.com/android/answer/2819582?hl=en

                                                          What gets backed up

                                                          If your backups are uploaded to Google, they’re encrypted using your Google Account password. For some data, your phone’s screen lock PIN, pattern, or password is also used for encryption.

                                                          OK, so, let’s be real here:

                                                          • If the data is encrypted with your Google Account password, then either they’re storing your password in cleartext on the device and/or in the cloud, both of which options would be a rather bad idea given that you’re supposed to only use the password to get the authentication session token, or that you have to enter it all the time, which would be a rather poor UX. (I presume they must be storing it on the device, encrypting it with the lock PIN/pattern?)

                                                          • Even if they themselves don’t have a password, I don’t see how they could possibly resist a request from a secret court to save such password the next time it is supplied by the user; this doesn’t compare favourably to what Apple was supposed to have been working on.

                                                          As for lock PIN or pattern, what sort of encryption are they using? These are usually just a few digits long, there aren’t that many combinations to try out all the inputs if you already have all the data for it locally.

                                                          1. 2

                                                            If the data is encrypted with your Google Account password, then either they’re storing your password in cleartext on the device and/or in the cloud

                                                            Is this necessarily true? I feel like there could be some ways to “effectively” do this, without storing your password in cleartext. Here’s an example: If you are asked for your pw when you encrypt, Google can sha512 your password and use that to decrypt in the same kind of way.

                                                            Of course, I don’t know that Google is making that ask at each encryption / decryption. Also, that would mean you would lose your data if you forgot your password, which is probably not the case. However, I just want to point out there could be some clever use of cryptography going on here.

                                                            1. 1

                                                              Well, your reply started with “let’s be real” but you’re only presuming on what Google’s doing. I’m not sure they are as bad at encryption as you credit them for, but I can’t prove that either.

                                                              At any rate, Google is working with US gov law enforcement, to the extent that US-based companies are obliged to. That’s not great, but that’s expected.

                                                                1. 1

                                                                  I don’t know what Google does, but we know what Firefox Sync does, and it doesn’t require them to store your password in plaintext or to enter it all the time. They run your password through a key derivation algorithm, with different parameters so that the server-side hash and the encryption key wind up different in spite of starting with the same password.

                                                                  The two derived keys are what the client retains a plain text copy of.
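A runnable sketch of the split the two comments above discuss (the parent's "hash the password and use that" idea, and the Firefox Sync approach of deriving a server-side credential and a client-side encryption key from one password with different parameters), added here as an example; it is not Mozilla's code, and the salt label, info strings, round counts and the toy `SyncServer` are assumptions for illustration, not Firefox Sync's real parameters. The HKDF helper is checked against the RFC 5869 test vector.

```python
"""One password, two unrelated keys: an auth credential the server may see and an
encryption key it never does.  Added example modelled on the scheme the comment
describes (stretch, then derive with different parameters); not Mozilla's code.
Every label and round count below is an assumption chosen for illustration."""
import hashlib
import hmac
import os
from typing import Dict, Tuple


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF with HMAC-SHA256: extract a PRK, then expand to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


STRETCH_ROUNDS = 1000  # assumed; runs on the client, so the count is a UX/security trade-off


def quick_stretch(email: str, password: str) -> bytes:
    """PBKDF2 over the password, salted with the account name so the same password on
    two accounts never stretches to the same value (label string is an assumption)."""
    salt = b"example.invalid/quickStretch:" + email.encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, STRETCH_ROUNDS, 32)


def derive_keys(email: str, password: str) -> Tuple[bytes, bytes]:
    """Return (auth_pw, unwrap_key): one stretched secret, two HKDF info strings.
    Neither output can be computed from the other, so handing auth_pw to the server
    reveals nothing about unwrap_key (which decrypts the sync data locally)."""
    stretched = quick_stretch(email, password)
    auth_pw = hkdf_sha256(stretched, b"", b"example.invalid/authPW", 32)        # sent to server
    unwrap_key = hkdf_sha256(stretched, b"", b"example.invalid/unwrapBKey", 32)  # client only
    return auth_pw, unwrap_key


class SyncServer:
    """Toy account server (an assumption for the demo). It receives only auth_pw and
    keeps a salted, stretched verifier of it: no plaintext password, no unwrap_key."""

    def __init__(self) -> None:
        self._verifiers: Dict[str, Tuple[bytes, bytes]] = {}

    @staticmethod
    def _verifier(auth_pw: bytes, salt: bytes) -> bytes:
        # Server-side stretching on top of the client's, so a leaked table is still costly.
        return hashlib.pbkdf2_hmac("sha256", auth_pw, salt, 100_000, 32)

    def register(self, email: str, auth_pw: bytes) -> None:
        salt = os.urandom(16)
        self._verifiers[email] = (salt, self._verifier(auth_pw, salt))

    def login(self, email: str, auth_pw: bytes) -> bool:
        if email not in self._verifiers:
            return False
        salt, stored = self._verifiers[email]
        return hmac.compare_digest(stored, self._verifier(auth_pw, salt))

    def stores(self, secret: bytes) -> bool:
        """True if `secret` appears verbatim anywhere in the server's records."""
        return any(secret in record for record in self._verifiers.values())


if __name__ == "__main__":
    a, k = derive_keys("alice@example.invalid", "correct horse battery staple")
    server = SyncServer()
    server.register("alice@example.invalid", a)
    print("login ok:", server.login("alice@example.invalid", a))
    print("server holds unwrap key:", server.stores(k))
```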

                                                            1. 9

                                                              Agree with this 100%, Windows is the best Linux distro

                                                              You can roughly split software into two categories:

                                                              • Software that breaks randomly if you don’t update it: youtube-dl
                                                              • Software that breaks randomly if you update it: everything else

                                                              I only want to update software in the first category and not software in the second category, but because Linux userspace is all-in on making everything rely on very specific versions of everything else, you can only either update everything or nothing.

                                                              On Windows, the only way to ship software is to statically link all of your dependencies, so I can update software individually with no problems. There’s a small amount of Linux software running in WSL, all of which I am fine with never updating, so it works out.

                                                              1. 10

                                                                I only want to update software in the first category and not software in the second category, but because Linux userspace is all-in on making everything rely on very specific versions of everything else, you can only either update everything or nothing.

                                                                Sounds like you should give guix or nix a try; they are built around that whole concept of isolating updates and making them trivial to roll back if you turn out to not want them.

                                                                1. 17

                                                                  “Try guix or nix” feels like the “monads are just monoids in the category of endofunctors” of recommending hassle-free OS choices.

                                                                  1. 1

                                                                    I see why the perception is this way, but really don’t think this should be the case. Mind if I quote you on this in a blogpost on how to practically use Nix later? :-)

                                                                    1. 1

                                                                      Not at all.

                                                                  2. 4

                                                                    I’ve been working on getting NixOS to run well under WSL2. I’ve gotten pretty close.

                                                                  3. 5

                                                                    But there’s another split to consider:

                                                                    • Software that’s safe to use indefinitely without updating: applications that never touch the network or untrusted input
                                                                    • Software that needs to be updated to be used safely: everything else

                                                                    1. 3

                                                                      The only software I can think of that falls into the first category is calculator to be honest… What other can you think of?

                                                                      1. 1

                                                                        Almost all software should sit in that camp or be able to be configured to sit in that camp. There’s literally no reason at all for most software to touch the network. One of the most underrated aspects of having a system package manager is you don’t have every program having to reimplement auto-update functionality securely. Updating is taken care of in your package manager, in one place, once. Updating is the only place the vast, vast majority of desktop software would ever “need” to touch the network.

                                                                        Text editors, word processors, office software, email clients, video players.. the list goes on. None of them need to touch the internet at all.

                                                                        1. 4

                                                                          I’m not talking about the internet. I’m talking about untrusted input. You are severely hampering your experience if you are never going to open a file from an untrusted source with your office software, email clients or video players. Even image viewers are potential vectors of attack. So, what software apart from a calculator falls into the category of “you never have to update it since it doesn’t interact with untrusted input”?

                                                                          1. 2

                                                                            It’s generally considered to be unsafe to open untrusted files with Microsoft Office even if it’s entirely up to date…

                                                                        2. 1

                                                                          I also struggle to think of much software that falls into that first category. That’s the point I intended to make: most of the software we use needs to be (capable of being) updated regularly. Various package managers have their downsides, but adopting a stance of generally not updating software isn’t really a solution (unless one cares to spend way more effort staying on top of CVEs than I do).

                                                                      2. 5

                                                                        You are confusing package managers with operating systems here.

                                                                        Also Linux has had Snaps for a while now - they do exactly what you are implying here but better: https://snapcraft.io/

                                                                        Software that breaks randomly if you update it: everything else

                                                                        Does this really happen? I’ve been running Arch Linux for 5 years now and it happened maybe once. It seems like such an outdated meme.

                                                                        1. 9

                                                                          Nothing about Linux forces you to update anything or to dynamically link anything.

                                                                          1. 4

                                                                            My Ubuntu nags me about updates all the time.

                                                                            1. 11

                                                                              Ubuntu is just one of many Linux distros (and IMHO one of the worst)

                                                                              1. 0

                                                                                Sure. It’s always fun to waste time on configuring Arch.

                                                                          2. 1

                                                                            Software on Windows tends not to be statically linked, just when you distribute the software you ship the dynamic libs with it. (The d in dll stands for dynamic).

                                                                            1. 1

                                                                              Brew has an amazing compromise between sandboxing and updates. Try brew on Linux for things like this. I always have the latest python provided through brew, but won’t mess up my system if I pip install something unstable.

                                                                            1. 3

                                                                              Veering slightly off topic, I appreciate, but: has anyone actually used one of these? I love my HP-48gx, but I wouldn’t be averse to upgrading to something a bit more powerful if I didn’t have to give up keys or anything. I’ve been loath to upgrade ever since my abortive attempt at using a 49g+.

                                                                              1. 1

                                                                                I’m curious as to what you use these calculators for, where upgrading would actually be a net win over your current kit? I haven’t touched my TI calculators (an 83plus and a TI-86) since 2001(?) and even then it was for one specific class, and checking my work, not doing the work.

                                                                                (edit: I’m making the assumption, based on previous interactions with you, that you’re still a software engineer, and not in a role that necessitates complex mathematical models – though, even then, I’d assume you’d use NumPy and friends…)

                                                                                1. 3

                                                                                  Two things. First, I do a reasonable amount of volunteer teaching and tutoring, and having a physical calculator is really handy for that (and kids like a non-TI for that, too). Second, when I’m doing retro video game work, checking bills, etc., I prefer using a physical calculator. I’ll use calc-mode in a pinch, but I just really prefer having the dedicated physical object. Even the 48 is overkill for either task, but I like the larger screen and RPN.

                                                                                  1. 1

                                                                                    Right on! Thanks for explaining!

                                                                                    1. 1

                                                                                      I mostly stopped using my HP graphing calculator after I got an HP 35s. It’s pricey for what it is but I really like it for general calculation, for some of the same reasons. And for anything more involved I turn to NumPy or Mathematica.

                                                                                1. 8

                                                                                  This is excellent news. I think I’ll finally be able to get rid of my functional but complicated YubiKey OpenPGP applet + gpg-agent setup, while retaining the benefits of hardware isolation and touch for user presence—and upgrading to ECDSA in the process.

                                                                                  More importantly, this may also be what it takes to get some of my friends, who haven’t yet made the leap to hardware token-backed SSH keys, to upgrade their security. Especially since it should work with not just the expensive YubiKey 4/5, but also cheaper U2F-only keys as well.

                                                                                  1. 3

                                                                                    This is excellent news. I think I’ll finally be able to get rid of my functional but complicated YubiKey OpenPGP applet + gpg-agent setup

                                                                                    I would love that too, but I use my GPG hardware key (NitroKey Start, which runs the gnuk firmware) for the pass password manager, as well as signing git tags sometimes. But I agree that with the low prices of U2F keys, it may be enough to convince friends and colleagues to a hardware token. Also, they can serve as an extra factor for PAM-based logins, which is nice.
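The two comments above are about moving SSH keys onto FIDO/U2F hardware tokens. One thing an administrator then wants is a way to confirm that every key allowed on a server actually is hardware-backed, which OpenSSH exposes through the key type prefix: FIDO-backed keys (generated with ssh-keygen -t ecdsa-sk or -t ed25519-sk) are recorded as sk-ecdsa-sha2-nistp256@openssh.com or sk-ssh-ed25519@openssh.com. The shell script below is an added example, not code from the thread or from OpenSSH: it audits an authorized_keys file and reports any entry whose type does not start with sk-. The sample file it generates is constructed (the base64 key material is truncated placeholder text), and the parser assumes that any leading options field contains no embedded whitespace.

```shell
# Added example (not from the thread or from OpenSSH): flag authorized_keys
# entries that are not FIDO/U2F hardware-backed (key type not prefixed "sk-").
# Constructed sample: two hardware-backed keys, one plain RSA key, a comment
# line and a blank line. The key material is a truncated placeholder.
make_sample_authorized_keys() {
  cat <<'EOF'
# admin keys
sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNh... alice@yubikey
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5... bob@solokey

ssh-rsa AAAAB3NzaC1yc2E... carol@laptop
EOF
}

# Print one line per non-hardware-backed key: "<line-no> <type> <comment>".
# Returns 0 when every key is hardware-backed, 1 otherwise.
audit_sk_only() {
  file="$1"
  bad=0
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case "$line" in
      ''|'#'*) continue ;;  # skip blank lines and comments
    esac
    # An options field (e.g. no-pty,from=...) may precede the key type; the
    # type is the first whitespace-separated field starting with ssh-, ecdsa-
    # or sk-. Assumption: options contain no embedded whitespace.
    ktype=''
    for field in $line; do
      case "$field" in
        ssh-*|ecdsa-*|sk-*) ktype="$field"; break ;;
      esac
    done
    case "$ktype" in
      sk-*) ;;  # hardware-backed: accepted
      *) bad=$((bad + 1)); echo "$n ${ktype:-unknown} ${line##* }" ;;
    esac
  done < "$file"
  [ "$bad" -eq 0 ]
}

# Number of non-hardware-backed keys, printed on stdout for scripting.
count_non_sk() {
  audit_sk_only "$1" | wc -l | tr -d ' '
}

# Stand-alone usage: write the sample file, audit it, report the result.
tmpfile=$(mktemp)
make_sample_authorized_keys > "$tmpfile"
if audit_sk_only "$tmpfile"; then
  echo "all keys are hardware-backed"
else
  echo "$(count_non_sk "$tmpfile") key(s) are not hardware-backed"
fi
rm -f "$tmpfile"
```

Run against a real ~/.ssh/authorized_keys the script prints, for the sample above, the single offending entry on line 5 (ssh-rsa, carol@laptop) and exits non-zero, which makes it easy to wire into a periodic configuration check. Note that a key type of sk-* only proves the key was created through OpenSSH's FIDO support; whether touch is required at each use depends on the no-touch-required option of the key itself, which this check does not inspect.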

                                                                                  1. 15

                                                                                    I’m a bit disappointed that the interviewer didn’t mention a single question regarding addiction or any ethical dimension. It’s kind of been assumed that not liking pornography is just a conservative, right-wing thing, but I don’t think that’s correct. I personally perceive it to be pushing harmful stereotypes (both as in what women should look like, or what intimacy should look like), and then there’s the problem with trafficking, and never knowing what’s actually going on behind the scenes. Chomsky says it well.

                                                                                    Setting aside things like these, which should be enough to say something isn’t right, but knowing the digital world (where creating addictions has become a common and often even necessary business model) reading

                                                                                    you have to be clever to innovate at the bleeding edge of the web.

                                                                                    makes me somewhat uneasy. Especially a front end developer should have to think about these questions. They are the ones tasked with creating “seamless experiences”, ultimately, disregarding the influence it has on people’s daily and personal lives. I don’t think the interviewer should have just glossed over this. YouTube has hateful or harmful videos, but their raison d’être isn’t hosting them. PornHub will have it a bit harder that hosting and spreading pornography isn’t a big part of what they are.

                                                                                    From the technical perspective it’s somewhat interesting, I guess. It’s about the problems of high-demand video streaming, probably above the level of most other video sites, but still way below sites like YouTube. That’s like having an interview with a slaveholder on what kind of whips they have found to have the best quality CIA agent on what the best strategies are to manipulate a foreign election.

                                                                                    Edit: Rewrote a few sentences to avoid confusion, and replaced my analogy with a different one.

                                                                                    1. 13

                                                                                      I’m a bit disappointed that the interviewer didn’t mention a single question regarding addiction or any ethical dimension.

                                                                                      Porn has been around a really long time. I’m pretty sure there’s nothing new to be discovered or discussed almost anywhere on earth on the topic, much less here.

                                                                                      Like, the human race has brute-forced about every part of that solution space we can. There is not a dirty thought we can have that hasn’t occurred to scores of other people at one point in history or another–of this I’m certain.

                                                                                      1. 21

                                                                                        Porn has been around a really long time.

                                                                                        Not in the way it is now, as an endless torrent on demand. Modern porn has demonstrably changed society in ways that ancient porn did not. For example, women now believe that pubic hair is unclean and as a result of excessive pubic hair removal are getting health problems that pubic hair can prevent.

                                                                                        Also, just being around forever does not categorise something as innocuous or beneficial.

                                                                                        1. 3

                                                                                          Hairstyles have been coming and going in fads ever since we left the trees and discovered hair can be cut and washed. Having this apply also to pubic hair is not exactly a huge change.

                                                                                          1. 3

                                                                                            As the article notes, gynecologists disagree, but what do they know, I guess.

                                                                                        2. 8

                                                                                          Like comparing chewing coca leaves to mainlining cocaine.

                                                                                          1. 3

                                                                                            Quantity acquires a quality of its own, you know. Not to mention that quality is altogether different as well: 4K video isn’t the same as a blurry black and white photo. There’s a strange blindness to this effect in the tech industry, whether it comes to social media, endless tsunami of content on Netflix, or indeed porn. Much like Facebook’s idea that more communication is unconditionally better has backfired spectacularly, maybe it’s the same with porn. And then of course there’s also all the engineered “engagement” in all these areas. Don’t be so quick to say it’s all totally harmless.

                                                                                            1. 0

                                                                                              Well-put.

                                                                                            2. 6

                                                                                              I’m a bit disappointed that the interviewer didn’t mention a single question regarding addiction or any ethical dimension.

                                                                                              The audience is web developers wanting to read something interesting about web development at a big company. They also want most of them to enjoy the article. Talking about the damage they might be doing doesn’t serve either purpose. Most would’ve just clicked the little X or otherwise moved on.

                                                                                              There’s been a lot of good writing on that subject for anyone looking for it. The key words are easy to guess.

                                                                                              1. 6

                                                                                                You’re kinda circling back to the same point. Yes, talking about ethical implications of our jobs is hard, and uncomfortable, but it’s necessary. Of course most people don’t want to do it, of course most people don’t want to read about it. But it’s our responsibility to talk and to read about those things. “I don’t like doing it” is not a valid excuse for not doing something it’s your responsibility to do.

                                                                                                That said, the comparison with slavery is a bit out of place, imo.

                                                                                                1. 10

                                                                                                  You’re doing that trick many people do here where it becomes all or nothing in every post, forum, etc. The stress of introspecting on these topics makes many people do it at certain times and read relaxing content at other times. They’re fine splitting it up. Dare I’d say most people prefer that based on that simply being the most popular way content is done online.

                                                                                                  Then, other people think they should be mentally engaged on these topics at all times in all articles, forums, etc due to their importance. They also falsely accuse people of not caring about social responsibilities if they don’t discuss them in every article where they might come into play. You must be in that group. Author of the original post and their audience is not. Hence, the separation of concerns that lets readers relax just focusing about web tech before optionally engaging with hard realities of life at another time in another article.

                                                                                                2. 2

                                                                                                  This isn’t a “what if my open source library was used by some military”-kind of question, I think that there is a much stronger connection between the two. Front end design is related to user behaviour, and I still consider this relation to be a technical question (UI design, user protection, setting up incentives, …).

                                                                                                  If the interviewer had asked these questions, and the interviewee had chosen not to comment, that would have been something, but the article currently just brushes it away affront by saying “Regardless of your stance on pornography, …”.

                                                                                                  1. 3

                                                                                                    I’m a bit disappointed that the interviewer didn’t mention a single question regarding addiction or any ethical dimension

                                                                                                    A tech-related, Lobsters-worthy discussion of the topic would focus on how they collected user behavior, analyzed it, measured whether they were reaching their goals, strategized for how to achieve them, and specific methods of influence with associated payoffs. It would actually be more Barnacles-like since marketing is behind a lot of that. These technical and marketing techniques are politically-neutral in that they are used by many companies to measure and advance a wide range of goals, including pornography consumption. They could be discussed free-standing with little drama if the focus was really on the technology.

                                                                                                    You were doing the opposite. That quote is an ethical question, even says so, where you have political views about pornography consumption, you wanted theirs explored, and you might have had some goal to be achieved with that. The emotional language in the rest of your post further suggested this wasn’t about rational analysis of a technology stack. You also didn’t care what the writer or any of their readers thought about that. So, I countered representing the majority of people who just wanted to read about a web stack. A mix that either doesn’t care about ethics of porn or does with it being a depressing topic they want to handle at another time.

                                                                                                    I was on 2nd cup of coffee when you wanted me to be thinking about lives being destroyed instead of reading peaceful and interesting things easier to wake up to. Woke up faster in a different way. Oh well. Now, I’m off this drama to find a Thursday submission in my pile.

                                                                                                    1. 2

                                                                                                      A tech-related, Lobsters-worthy discussion of the topic would focus on how they collected user behavior, analyzed it, measured whether they were reaching their goals, strategized for how to achieve them, and specific methods of influence with associated payoffs.

                                                                                                      I think these kinds of things were missing from the article. I know this isn’t the place to discuss pornography, and I try not to go into it in the comments. What I just brought up was a disappointment in the style and focus of the interview, and it being one-sided.

                                                                                                      The emotional language in the rest of your post further suggested this wasn’t about rational analysis of a technology stack.

                                                                                                      Well I do think it’s important, so I apologize for being a tad emotional. But other than what I wrote, I don’t have anything else to contribute. I neither run nor plan to run a streaming site, so I end up not having too strong opinions on what is being used in the backend stack ^^.

                                                                                                      A mix that either doesn’t care about ethics of porn or does with it being a depressing topic they want to handle at another time.

                                                                                                      I understand that, that’s why I prefixed my top comment with what you quoted. I furthermore feel obligated to apologise if anyone had to go through any inconvenience thinking about the “ethics of porn” because of my comment, I guess? No but seriously, bringing up a concern like this, which I explicitly tried to link back to a technical question, should be ok.

                                                                                                      1. 1

                                                                                                        “I furthermore feel obligated to apologise if anyone had to go through any inconvenience thinking about the “ethics of porn” because of my comment, I guess? No but seriously, bringing up a concern like this, which I explicitly tried to link back to a technical question, should be ok.”

                                                                                                        There’s quite a few people here that are OK with it. I’m not deciding that for anyone. I just had to remind you that caring people who want a break in some places exist and that you do more good by addressing the porn problem where it’s at. I appreciate you at least considering the effect on us.

                                                                                                        “I neither run nor plan to run a streaming site”

                                                                                                        The main problem is consumer side where there’s mass demand followed by all types of supply and clever ways to keep people hooked. You can’t beat that since they straight-up want it. What you might do is work on profiles for porn sites with tools such as NoScript that make them usable without the revenue-generating ads. Then, lots of people push for their use. If there’s any uptake, they get a temporary hit in their wallet but maybe an offset with ad-free Premium. I’m not sure the effectiveness. I just know they’re an ad model with tools existing to attack that.

                                                                                                        Griping about it on technical sites won’t change anything because… most viewers aren’t on technical sites and those that are rarely changed. So, it’s just noise. Gotta work on porn laws, labor protections for those involved, ethical standards in industry itself, ad blocking, etc.

                                                                                                3. 6

                                                                                                  If you would like to discuss the ethical aspects go to a different forum. I would recommend the community around Thaddeus Russell’s podcast for a critical and reasoned take from people that actually interact with sex workers https://www.thaddeusrussell.com/podcast/2

                                                                                                  1. 3

                                                                                                    I’ve mentioned it elsewhere, but I’m not here to discuss the ethical aspects, nor am I in a position to be able to. My comments are related to the interviewer and his choice of questions.

                                                                                                    1. 1

                                                                                                      You gave opinions, stated as scare-hints without support:

                                                                                                      “then there’s the problem with trafficking,”

                                                                                                      “which should be enough to say something isn’t right,”

                                                                                                      … and then based upon the now well-built pretext that porn “isn’t right” (and is therefore ethically ‘wrong’) - you commented on what the interviewer should have done - i.e. they should have had the same opinions and conceptions as yourself - and they should have turned the interview into one about ethics.

                                                                                                      The interview was interesting to read, because of the info about the tech. As bsima says, please take ethical discussion elsewhere.

                                                                                                      1. 2

                                                                                                        As you said, I prefixed the controversial parts by saying that it was my opinion. But I don’t think that the interviewer must have shared my views. The point I was raising was that I thought it wasn’t appropriate for the interview to just ignore a quite relevant topic, since this was about PornHub specifically, not their parent company.

                                                                                                        IMO, just a final question like

                                                                                                        “What are you doing to enforce age restrictions?”

                                                                                                        or

                                                                                                        “Due to recent reports, do you think that doing something against pornography addiction among younger generations can be tackled technically or does it need more (social) effort?”

                                                                                                        would have been more than enough, as to just show this is being considered. I’m not a journalist, so I don’t know how these questions could be phrased better, but I hope you do get my point.

                                                                                                      2. 1

                                                                                                        I’m not here to discuss the ethical aspects

                                                                                                        …and yet, it’s the ethical aspects that you brought up.

                                                                                                        1. 3

                                                                                                          Looking at this thread, I didn’t respond to people who started talking about the harmfulness of pornography or the lack thereof. This even though I would like to – yet I understand that it is off topic. In fact most of this sub-thread has been more about the meta-discussion.

                                                                                                          All I can say is that I will be more careful not to provoke these kinds of discussions in the future. I was thinking critically a lot about the topic the last few months, so my comment might not have been as neutral as some might have wished.

                                                                                                    2. 5

                                                                                                      That’s like asking an interview with a slaveholder on what kind of whips they have found to have the best quality.

                                                                                                      This is more than a little hyperbolic.

                                                                                                      1. 4

                                                                                                        My analogy is that the direct consequences of technical questions are being more or less ignored, which I think is fair in both questions. Of course it’s not identical, but that’s stylistic devices for you.

                                                                                                      2. 2

                                                                                                        I could come up with quite a few objections to pornography, but the chap in your video link is not only not convincing, he is also hinting that he watches porn even though he denies it. He backs up his statement “porn is degrading to women” by qualifying “just look at it” which implies that he does that enough to have an opinion.

                                                                                                      1. 8

                                                                                                        I did a fairly major project in HyperCard back in the day (1986 maybe?). We were making an “expert system for the rest of us” product where you would build a rule set in a standard Mac application (written in Object Pascal and MacApp), then package it up for end users by building a UI in HyperCard. Which I still think is a good idea, btw!

                                                                                                        In addition to building a HyperCard extension to do IPC to the rule engine, I had to do a lot of glue code and utilities in HyperTalk. I ended up hitting the stack script limit of 32,000 characters repeatedly and having to find clever workarounds to the incredibly verbose language. Also, it turned out if you hit an error anywhere in a script that large, you would just be taken to line 1 of the giant script, so I searched for the error by sprinkling “play sound” commands around — the auditory equivalent of printf debugging.

                                                                                                        So I know a lot about HyperTalk, and yeah — if you’re an actual programmer, it was super annoying. Aside from x.y.z being z of y of x, it has “barewords” like Perl, so put foo into bar will change meaning when you define something called foo.

                                                                                                        1. 4

                                                                                                          hey, I am an actual programmer and I don’t find it annoying. It is very verbose but I find it quite clear and friendly. As for interfacing beyond the language, in the case of LiveCode there is something called “LiveCode Builder Language” which is a language like HyperTalk but that is statically compiled and used to interface with foreign libraries: https://livecode.com/docs/9-0-4/extending-livecode/livecode-builder-language-reference/

                                                                                                          You’d use that to extend LiveCode and bind into c, objc, java, whatever. It is a familiar language for those who know LiveCode and lowers the barrier of entry for writing libraries that do FFI in our ecosystem.

                                                                                                          I remember script limits quite well, they are really annoying. I remember breaking scripts into multiple objects and calling each other to circumvent it 15 years ago. In the case of LiveCode you have many features that were not present in HyperCard such as behaviors which are scripts that can be bound to objects similar to a prototype chain and no script limits.

                                                                                                          1. 6

                                                                                                            Sorry for the “actual programmer” crack. The theory behind Hypertalk seemed to be that non-programmers would find it easier to understand, but in my experience on that project, Hypertalk actually made things more confusing for non-programmers because it was hard to tell what you could and couldn’t do. Having a syntax that looks English-like, but is really just a strict grammar using English words, was kind of the “uncanny valley” of programming (e.g., put newStr into character pos to (pos + the length of pattern) - 1 of inStr). And if on the other hand you were a programmer used to those aspects from more “normal” computer languages, it seemed like you might as well just use one of those instead.

                                                                                                            1. 3

                                                                                                              The uncanny valley is quite real in this case. That's why I keep saying English-like: it is not natural language processing, it is just a more verbose grammar. It is easy to teach though, and easy to understand by reading examples.

                                                                                                              1. 1

                                                                                                                Having a syntax that looks English-like, but is really just a strict grammar using English words, was kind of the “uncanny valley” of programming (e.g., put newStr into character pos to (pos + the length of pattern) - 1 of inStr).

                                                                                                                I never had the chance to use HyperCard/Hypertalk in its prime, but that’s the essence of my discomfort with AppleScript.

                                                                                                            2. 1

                                                                                                              I’ve always found hypertalk / applescript to be a (the only?) read-only language. Sure I can edit an existing script, but there’s no way I could ever sit down and reach for it to create something “ex nihilo” as it were. Which I’ve always found to be a great shame, before Automator got the boot.

                                                                                                            1. 1

                                                                                                              I hope someone finds this useful! :)

                                                                                                              1. 1

                                                                                                                Have you considered checking out your dotfiles repo at ~/.config? That's my current way to go; it requires no aliases, but some symlinks for programs that don't know about .config yet.

                                                                                                                1. 1

                                                                                                                  I’d avoid using ~/.config if you want to use a repo like this for cross-platform config sharing (which is what I do, anyway) because it conflicts with the usual value of $XDG_CONFIG_HOME. For my part I put the bare repo in ~/.cfg.

                                                                                                                  1. 1

                                                                                                                    That's not a problem, that's the purpose of how I do it: to track $XDG_CONFIG_HOME in git, which is usually at .config.

                                                                                                                  2. 1

                                                                                                                    I have, but IMHO one alias is way simpler than managing symlinks with, let’s say, GNU stow (https://www.gnu.org/software/stow/)

                                                                                                                    1. 1

                                                                                                                      The same can work without external software (besides a POSIX shell):

                                                                                                                      https://github.com/nero/etc/blob/master/deploy.sh

                                                                                                                1. 1

                                                                                                                  Thanks for sharing this. This has been my favorite approach for managing my core dotfiles across my personal *nix computers ever since I read about it here. One of my favorite “features” is that because it’s just git, I can maintain a parallel branch of things like .tmux.conf with customizations specific to my computers at the office.

                                                                                                                  One thing I’d add to the setup is running:

                                                                                                                  dfgit config --local status.showUntrackedFiles no
                                                                                                                  

                                                                                                                  to keep things sane in your git status output.
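The bare-repo setup the thread describes (repo in ~/.cfg rather than ~/.config, a `dfgit` alias, and `status.showUntrackedFiles no`), as an added runnable example that is not from any commenter; it builds everything in a throwaway HOME, and the file names and commit identity are constructed for the demo.

```shell
#!/bin/sh
# Added example: bare dotfiles repo in $HOME/.cfg with the status tweak
# from the thread. Assumes git is installed. Nothing here touches your
# real home directory: HOME is redirected to a temporary directory.
set -eu

DEMO_HOME=$(mktemp -d)
export HOME="$DEMO_HOME"
trap 'rm -rf "$DEMO_HOME"' EXIT

# Function form of: alias dfgit='git --git-dir=$HOME/.cfg --work-tree=$HOME'
dfgit() {
    git --git-dir="$HOME/.cfg" --work-tree="$HOME" "$@"
}

# Create the bare repo at ~/.cfg (not ~/.config, which is the usual
# $XDG_CONFIG_HOME) and hide untracked files from `dfgit status`.
setup_dotfiles_repo() {
    git init --quiet --bare "$HOME/.cfg"
    dfgit config --local status.showUntrackedFiles no
    # Constructed identity so commits work in the throwaway repo.
    dfgit config --local user.name "demo"
    dfgit config --local user.email "demo@example.invalid"
}

# Track one dotfile; leave an unrelated file in HOME untracked.
populate_home() {
    printf 'set -g mouse on\n' > "$HOME/.tmux.conf"
    printf 'not a dotfile\n' > "$HOME/notes.txt"
    dfgit add .tmux.conf
    dfgit commit --quiet -m "Add tmux config"
}

# 0 if the committed dotfile is tracked by the bare repo.
tmux_conf_tracked() {
    dfgit ls-files | grep -qxF '.tmux.conf'
}

# 0 if `dfgit status` stays quiet about the untracked file in HOME.
untracked_hidden() {
    ! dfgit status --porcelain | grep -q 'notes.txt'
}

# 0 if, without the tweak, the same file would clutter the output.
untracked_shown_by_default() {
    dfgit -c status.showUntrackedFiles=normal status --porcelain | grep -q '?? notes.txt'
}

setup_dotfiles_repo
populate_home
```

Running the script leaves no trace: the temporary HOME is removed on exit.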

                                                                                                                  1. 4

                                                                                                                    Judging by the source, it’s using a WebRTC API to resolve my LAN IPv4 prefix. I didn’t know that was possible (so thanks for the enlightening article!)

                                                                                                                    1. 4

                                                                                                                      Hi! Author here. Yes, I forgot to mention that in the post. Perhaps an interesting follow-up.

                                                                                                                    1. 1

                                                                                                                      I lost it when I ran into the “Right click is disabled!!!” pop-up. That’s some authentic nostalgia.