1. 3

    I don’t know why “NO” was capitalised there. I mean, that’s not exactly welcoming in itself.

    Also:

    Apparently, even after a maintainer’s NO, there can be space for further conversation and clarification

    “Apparently”? I’m really not getting a welcoming vibe.

    1. 9

      I’ve seen a few posts about Slack’s backend engineering. I’m normally interested in stuff like this, but honestly, their frontend client is so slow - so frustratingly slow - that I never read them. I wish they’d get it sorted out, I mean it’s truly abysmal.

      1. 3

        This is an excellent post, great engineering work. I’m bookmarking it to send to people who do sloppy roll-outs. I highly recommend you read it even if you don’t like the client.

        1. 1

          I’ve never really experienced it being that slow. When do you find it slow?

          1. 3

            All the time. This is on fairly crappy hardware, mind, but still, compared to almost all other applications on my system it’s incredibly sluggish.

            1. 2

              I use their desktop app on a pretty fast MBP. Switching between teams is painful, and I have a lot of issues with views being displayed and then updated a few seconds later, which is disorienting.

              1. 1

                I tap a push notification from slack on mobile, and it takes >30 seconds to show me the message (on an iPhone 6s, one of the most used devices).

                1. 1

                  Slack tends to run slow in larger teams. Normally, I’d chalk it up to slower hardware, but I recently started using it on a newer Dell work laptop, and it is very easy for it to get slowed down if you’re doing anything with the rest of the machine.

                  I think the slack desktop front-end really could use a round of performance improvements so that it runs well on hardware that wasn’t literally released this year, or otherwise highly priced.

                  @nhooyr: What is the relative size of the teams you’ve been using it on? How many gifs do they use, how many channels are you usually in?

              1. 2

                Does someone know what Amazon Linux is based upon?

                1. 3

                  Wikipedia says the previous version is based on RHEL, and with the introduction of systemd with AL2, I’d guess they’d stuck with that.

                1. 11

                  The Reddit thread linked in the GitHub issue is interesting:

                  There are several scary things about this:

                  • Unknown Mozilla developers can distribute addons to users without their permission
                  • Mozilla developers can distribute addons to users without their knowledge
                  • Mozilla developers themselves don’t realise the consequences of doing this
                  • Experiments are not explicitly enabled by users
                  • Opening the addons window reverts configuration changes which disable experiments
                  • The only way to properly disable this requires fairly arcane knowledge of Firefox preferences (lockpref(), which I’d never heard of until today)

                  This all gives me a huge lack of confidence in the privacy and security of Firefox.

                  1. 2

                    Absolutely fascinating. Thanks for posting this.

                    1. 2

                      Thanks for conducting the benchmarking Mark! We are excited to be the fastest GPU database again.

                      1. 4

                        Someone get this man a hat.

                      1. 2

                        This tweet has a great summary:

                        I got an extended validation certificate for “Stripe, Inc” but in another state. Can you tell the difference?

                        1. 1

                          Requires malformed file on SPI flash (needs physical access or bug in BIOS)

                          Unfortunately. Still, incredible work.

                          1. 2

                            Fascinating article. Thanks for posting this. It’s inspired me to do the same.

                            1. 1

                              This is a bit more of a product release page than anything else, so maybe release.

                              Unfortunately, it’s really light on technical details. So, maybe not a great fit. :(

                              1. 2

                                Yeah, release is good, thanks. I posted it because I thought people might be interested in signing up for the preview. I’m curious to hear more.

                                1. 5

                                  Edit: For the record, this is what I’m talking about: https://www.wired.com/story/uber-settles-with-ftc-again-this-time-over-2014-privacy-breach/

                                  After all, it gives the FTC oversight over the company’s privacy and security practices for 20 years.

                                  So much for that, then.

                                  1. 6

                                    If you read the whole thread from the start, it gives you an entirely new perspective: 1, 2, 3, 4 and Linus’ reply - 5

                                    1. 2

                                      Later, he explains why he reacted so strongly in his earlier reply, and apologises:

                                      https://lkml.org/lkml/2017/11/21/315

                                    1. 20

                                      Elsewhere, he also explains why he reacted so strongly in his earlier reply, and apologises:

                                      https://lkml.org/lkml/2017/11/21/315

                                        1. 4

                                          Maybe they meant “already posted”? https://lobste.rs/s/ewyawz/massive_us_military_social_media_spying

                                          There’s not a whole lot of technical content here. “Leaked” is maybe too strong a term, too: no doubt heads are rolling as we speak, but I haven’t seen any evidence that somebody made those S3 buckets public on purpose.

                                          As for the political content, not much news either for those who have been paying attention. But certainly, some lobsters are uncomfortable with bad news of this sort, and will downvote you without explanation. I say shrug it off and keep posting whatever you think is relevant. It’s your site too!

                                          1. 1

                                            Hey, yeah. That makes sense. I wasn’t too bothered - just curious. Cheers for the reply!

                                        1. 2

                                          Offtopic, but: .horse? Really?

                                          1. 2

                                            The author got that question on HN and answered as follows:

                                            The first page I wrote when I was making the site was this one (https://ircdocs.horse/specs/) – and the initial drafts were a fair bit screechier than what’s there now. I wanted people to know that everything on ircdocs is pretty much just my thoughts (as opposed to the more consensus-based approach of IRCv3), and figured the horse TLD would make people take it less seriously.

                                            Didn’t exactly work out, now that a fair number of devs are using it as a legit protocol reference. Still, gives the site some decent character and makes it memorable :P

                                            1. 1

                                              What of it?

                                              1. 1

                                                It’s just… weird! In a good way, but… yeah.

                                            1. 1

                                              So that’s it, I hope I’ve helped explain why we should use passwords with … combinations of several numbers, symbols and characters

                                              Unfortunately not. And it’s not recommended.

                                              https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/

                                              1. 1

                                                That’s not really a fair criticism, since what Troy’s article says is that making people pick passwords with, for example, symbols does not necessarily improve security, e.g. “P@assw0rd” is not much better than “Password”.

                                                However, that doesn’t change the fact that if more symbols are used than just letters, the search space that an attacker has to go through is larger.

                                                The post is from the point of view of what hoops an attacker has to go through to get to a password, and about what developers should do to make that as hard as possible.

                                                Troy’s post is from the perspective of the user who has to pick a password and how restrictions such as having to use numbers and symbols or not being able to copy and paste do not lead to users picking better passwords.

                                                1. 2

                                                  Adding characters is far more effective at increasing the state space than expanding the alphabet. For example, assume you have a 10-character alphanumeric password; that’s 62^10 = 59.5 bits of state. If you add some special characters to your alphabet (let’s say eight of them), you’re up to 70^10 = 61.3 bits. If you add a single alphanumeric character, for 11, you now have 62^11 = 65.5 bits.

                                                  Alphabet is, for most intents and purposes, a complete waste of time. Passwords need to be longer and not in known dictionaries. Any other requirement is between useless and actively counterproductive.

                                                  1. 1

                                                    Any other requirement is between useless and actively counterproductive

                                                    It was never suggested that using symbols should be a requirement. The only suggestion in the post regarding this matter is that a password manager should be used.

                                                    Also, there were no suggestions about password lengths other than that longer passwords are better than shorter ones, and the more character types the better. All of that is true irrespective of the discussion about making symbols in passwords mandatory.

                                                    I agree that that type of requirement is counterproductive, but I don’t see how the post has anything to do with that.

                                              1. 2

                                                This really doesn’t have any technical content. It’s Schneier giving an opinion about a news story in-progress.

                                                1. 1

                                                  I will try and link to a better source, next time.

                                                1. 34

                                                  Using the nightlies, holy poop it made me switch back to firefox.

                                                  1. 6

                                                    Same here. I actually switched to the betas when 58 started being the nightlies. Only issue for me was hangouts, but my company recently switched away from hangouts so it’s not a problem anymore.

                                                    1. 9

                                                      My issue is that WebExtensions are not as powerful as older ones. Now it’s all “chromey” in its limitations.

                                                      1. 27

                                                        This really is a good thing for privacy and security.

                                                        1. 20

                                                          Also performance and compatibility.

                                                          1. 1

                                                            I’m curious why it’s a performance win. I would think spinning up an isolated JS virtual machine for each extension would be significantly more expensive and slower than the old compiled extensions.

                                                            1. 9

                                                              Old extensions weren’t compiled. The new ones don’t get their own JS VM. Performance win here is likely by cutting off old, crufty, synchronous APIs (mostly internal, but was hard to remove if used by lots of popular addons). This is easier once you declare them legacy.

                                                              1. 7

                                                                It was previously the case that a poorly written add-on could slow down all facets of Firefox in general. Now that the only way to hook into Firefox’s internals is via well-defined and optimized APIs, this should happen much less often.

                                                                1. 4

                                                                  It also allows the firefox devs to iterate quickly without worry of breaking extensions as there is a defined interface for extensions that they need to worry about.

                                                          2. 3

                                                            I have two questions about that:

                                                            One, I want the same theme capability as I’ve always had. I want Firefox to look like it does for me now, not like the stock Firefox. Is that possible?

                                                            Two, I want ad blocking and script blocking and all the other privacy-enhancing add-ons to work as well, not like they do in Chrome where the bad stuff is fundamentally still loaded, it’s just hidden at some point in the rendering cycle. Is that possible?

                                                            1. 6

                                                              You can still manually edit userChrome.css. Complete Themes are not supported in >= 57.

                                                              Blocked stuff is not “fundamentally still loaded”, not even in Chrome I think?!? E.g. Privacy Badger here returns {cancel: true} in an onBeforeRequest interception handler. IIRC the “just hidden” stuff is from very early days of Chrome extensions.

                                                              1. 1

                                                                For addons, the answer is yes. See the Privacy add-on collection or other featured extensions

                                                                Your look and feel question is hard to answer, without knowing what Firefox looks like to you now. :) If you insist that tabs should be round, it’s not going to be easy, but possible.

                                                                1. 2

                                                                  I insist that tabs go below the address bar, like they did in the original Firefox and like they do now with the right add-on: https://addons.mozilla.org/en-US/firefox/addon/classicthemerestorer/

                                                        1. 19

                                                          [Citation most definitely needed], I’d imagine appliances running some form of Linux are way more prevalent numerically than hardware from Intel.

                                                          1. 10

                                                            Especially if you take into account all the mobile devices running Android (Linux) on an ARM chipset. I doubt that there’re more CPUs in the cloud than on the edge mobile devices.

                                                            ~Pietro

                                                            1. 4

                                                              Not to mention that the CPUs in the cloud probably run Linux anyways, so they would each just add 1 to Minix and 1 to Linux.

                                                            2. 3

                                                              I’d actually really like to see some numbers on that.

                                                              1. 2

                                                                Isn’t some weird java card OS used in SIM cards? That would probably win as far as units shipped (all phones since the 90s?).

                                                              1. 3

                                                                Hadn’t thought of this before. Sort of clever, but bloody idiotic at the same time.