1.  

    Securing MTA must be a cursed job.

    Back in the old days we had near weekly RCEs in sendmail and exim and these days it’s OpenSMTPD with strong ties to the f’ing OpenBSD project. That’s the one project I expect an RCE the least from; much less two in as many months.

    Email is hard.

    1.  

      It’s actually 3 — this one has two separate CVEs in a single release, including a full local escalation to root on Fedora due to Fedora-specific bugs adding an extra twist (CVE-2020-8793).

      The other bug here (CVE-2020-8794) is a remote one in the default install; although the local user still has to initiate an action to trigger an outgoing connection to an external mail server of the attacker, so, I guess OpenBSD might not count it towards the remote-default count of just two bugs since years ago.

      1.  

        You’re saying a local user has to do something to make it remote? Can you explain how that makes it remote?

    1. 3

      I see 8 rules I need to keep in mind when using stringify() to map objects like this. Also, if multiple if/else statements are “not scalable at all”, how is the mapObj and the duplicated key strings in the regex better?

      If I needed to do this I think I would reach for Map() instead of JSON.stringify(), but perhaps I’m missing something?

      1. 18

        Also, the regex replacement is dangerous as the keys might appear in the values of a different object with the same shape. This really isn’t a good solution.

        1. 2

          How does Map help?

          1. 1

            It doesn’t really; my kneejerk way of doing this would look like:

            const output = new Map();
            for (let [key, value] of new Map(Object.entries(todayILearn))) {
                if (key === '_id') output.set('id', value);
                else if (key === 'created_at') output.set('createdAt', value);
                else if (key === 'updated_at') output.set('updatedAt', value);
                else output.set(key, value);
            }
            

            Now I’ve written it out it’s no different from the author’s first “inelegant” solution :-)

            1.  

              It may seem a bit “ineleganter” because of these ifs and all, but looks significantly safer and significantly more readable to me than the stringify version there. I haven’t tested it, but I assume it’s also much more performant.

              I think there is value in the article in that it shows some “rules” on how things get stringified (I just wish the naming was better), but the example is a totally wrong one in my opinion - both in proposing the dangerous regex and the use case not being a good one for stringify in the first place, at least in my opinion.

              Maybe with some work the article can get improved?
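
An added example (not code from the article or from either commenter) that puts the two approaches discussed above side by side on a constructed record. The regex-over-JSON.stringify version rewrites the key names wherever the strings occur, including inside values and inside other keys that merely contain them; the Object.entries version, which is the Map loop above written as a generic key map, only ever touches keys. The record, the RENAMES table and the function names are all assumptions for the demonstration.

```javascript
// Constructed sample record; field names follow the thread (_id, created_at, updated_at).
const todayILearn = {
  _id: '5b1b3b9c',
  user_id: 42,                                          // key that merely contains "_id"
  created_at: '2019-10-01T10:00:00Z',
  updated_at: '2019-10-02T10:00:00Z',
  note: 'record _id is shown in the created_at column', // key names appearing inside a value
};

// Old name -> new name (assumed mapping table for the demonstration).
const RENAMES = { _id: 'id', created_at: 'createdAt', updated_at: 'updatedAt' };

// The approach criticised above: serialise, regex-replace the key names,
// parse again. The regex cannot tell a key from a value, so every occurrence
// of the strings is rewritten, wherever it sits.
function renameViaStringify(obj) {
  const pattern = new RegExp(Object.keys(RENAMES).join('|'), 'g');
  return JSON.parse(JSON.stringify(obj).replace(pattern, (m) => RENAMES[m]));
}

// Explicit mapping over the keys only; values are never inspected, and a key
// is renamed only on an exact match.
function renameViaEntries(obj) {
  const out = {};
  for (const [key, value] of Object.entries(obj)) {
    const renamed = Object.prototype.hasOwnProperty.call(RENAMES, key) ? RENAMES[key] : key;
    out[renamed] = value;
  }
  return out;
}
```

Running renameViaStringify on the record turns the note value into "record id is shown in the createdAt column" and the user_id key into userid; renameViaEntries leaves both alone and renames only the three intended keys.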

        1. 22

          For me, Catalina worked fine since I installed Beta 2 last summer.

          Even the usual suspects, VMWare, Vagrant/VirtualBox and Homebrew survived the update just fine.

          I see no crashes (at least not more than the usual once-every-two-months need to reboot), nor other weirdness. Compared to Mojave, even the random Bluetooth disconnects I had with my Magic Trackpad stopped happening.

          Of course this is total non-news and I’m not going to publish a blogpost saying that Catalina is fine for me nor would that reach, much less survive on, the front page of any news aggregator if I actually were to write such a blog post.

          Unfortunately, we only read about people having issues and we conclude that everybody must have problems.

          1. 6

            Hear hear! I think we should share our positive experiences more often, since it’s in our nature to latch on and to spread the negative ones.

            1. 3

              I think we should share our positive experiences more often, since it’s in our nature to latch on and to spread the negative ones.

              From the article:

              It’s interesting to me how — apart from the usual fanboys — I still haven’t seen any unequivocally positive feedback about Mac OS Catalina.

              Is your experience positive (it got better) or is your experience neutral (it didn’t get worse)? What is the best thing about Catalina, and what would be the elevator pitch for why somebody should install it?

              1. 3

                apart from the usual fanboys

                I certainly wouldn’t consider myself an Apple fanboy, but when I look at the current state of all the other platforms, nothing comes quite close enough for what I need and like.

                Is your experience positive (it got better) or is your experience neutral (it didn’t get worse)?

                I take issue with the implication that things chugging along just fine is somehow not a positive thing. I was doing well yesterday, and I am doing about the same today. Not better and not worse. Am I somehow worse off today because of that? If I am not worse off, then is my experience not positive?

                What is the best thing about Catalina, and what would be the elevator pitch for why somebody should install it?

                Two things sprung to mind immediately:

                • I was pleasantly surprised both this week and the week before that the OS notified me of my daily average use of the computer over the prior days. The numbers were, unsurprisingly to me, extremely high. I knew I was spending too much time on the computer recently, but the computer itself giving me hard numbers is what finally convinced me to take steps toward spending less time on it.

                • I really appreciate the increased security that notarization brings. Hell, I’ve even written a native app and gotten it sandboxed, notarized and deployed on the App Store so I’ve experienced more “pain” than the average Catalina user in this regard, yet I still think it’s a fantastic improvement.

                1. 1

                  That looks super interesting.

                  I really like separating any UI-application in a client-server layer, to avoid accidentally letting business logic, heavy computation, and blocking IO to creep into/block the UI threads (something I’ve seen happen with many Qt-based GUI applications). The risk of this is heavily reduced by making the barrier more concrete through separate processes with RPC, while also adding opportunity for more resilience since the client and server process can be restarted separately if an issue occurs.

                  Would be interesting to see some more details of the GUI/Swift part of the application for someone not familiar with that toolchain, are you planning to write more articles in this series?

                  1. 1

                    Thanks! Yes, I do plan to write more about the technical bits of the app in the future. I think I’ll do another post after I’ve got the Windows port ready. I’m thinking it would be fun to compare Windows Forms and SwiftUI in a post. It might be a while before I get to it, though, because I’m juggling a ton of stuff at once at the moment.

                    In the meantime, the application is source available so you can take a look at the GUI code here.

                    1. 1

                      Interesting, looking forward to it.

                      Are you planning to showcase how you work with Xcode? Would be nice to get an overview of how the workflow looks for these kinds of apps.

            2. 3

              same experience here. I have encountered some crashes on my work laptop, but since I’ve had zero issues on my home laptop, I’d much sooner attribute that to my employer’s custom management software than the OS itself.

            1. 5

              Cloudflare is very interested in how we can contribute to a web which is kept up-to-date. Please make suggestions in the comments below.

              I’m not entirely sure this is a problem in the first place; if it works, then it works … updating for the sake of it probably isn’t useful?

              1. 3

                That’s what the attackers abusing XSS vulnerabilities of old libraries think too. If it works, then it works.

                1. 3

                  Like which? I checked and jQuery doesn’t have a lot of them, and those that do exist are very limited in scope and won’t apply to most sites.

              1. 8

                Oh cool, a new language from Microsoft that helps us write correct code.

                Throws Verona on the pile with P, P#, IVy, Dafny, F*, Midori, Koka, and Lean

                (I kid, I kid. Microsoft does a lot of great work in this field, but a lot of their experiments end up not working out.)

                1. 10

                  But you have a point nevertheless…

                  • PHP -> Asp
                  • Java -> C#
                  • JVM -> .net
                  • Google -> Bing
                  • /your/filesystem/path -> \your\filesystem\path (hehe, I know, I know… but it’s funny)
                  • netscape -> explorer
                  • ODF -> OOXML
                  • {Your functional} -> F# …
                  • Rust -> Ver[m]ona

                  EDIT (I almost forgot)

                  • GNU Linux -> WSL

                  It’s just the Microsoft way

                  1. 2

                    Huh. Never thought about it before but does Microsoft (research) have a Lisp?

                    1. 8

                      As a matter of fact, yes! Microsoft Lisp was a LISP interpreter in the 1980s for DOS.

                      As I recall, it was slower than BASIC, had a terrible editor, and was missing basic stuff like being able to parse 'x as (quote x)

                    2. 1

                      I think ASP (1996) predates PHP (1997).

                      Both were ultimately a really bad idea though.

                      1. 11

                        PHP was a genius idea in its time, because it enabled extremely cheap shared hosting.

                        If you had a low-traffic site, your options around 2002 were either a PHP host for under $5/mo, or the cheapest available colocated host at around $200/mo.

                        It wasn’t a better language, but it was a much better setup experience with a smoother on-ramp that cost less to host (which echoes, to me, modern criticisms of golang).

                        1. 3

                          PHP/FI first appeared in 1994/1995, and although the “FI” part bears little resemblance to the “modern” PHP3 that showed up in 1997 (of which I think it’s fair to say PHP7 has much more in common with than PHP/FI), several critical ideas showed up here that undoubtedly influenced the design and development of ASP.

                          1. 1

                            ASP was a good idea (glue to stick together existing application code and render its output to the web) that everybody ignored and just tried to create entire applications with. It was never meant to do that, which is why it was so terrible at doing so for the first 5 or so years of its life.

                            1. 1

                              Why were they bad ideas?

                          2. 5

                            What’s the definition of “working out”? P looks like it’s still active:

                            https://github.com/p-org/P

                            I remember it had this success story but I don’t know the details very well. I’m not a Windows user so I haven’t been motivated to look.

                            https://blogs.msdn.microsoft.com/b8/2011/08/22/building-robust-usb-3-0-support/

                            It sounds like this Verona project is very early, but I think they framed the problem “right”. I would like something like Rust that works better with legacy code. Rewriting code only for security purposes (as opposed to functionality) is a waste and splits the ecosystem / developer effort. It’s the most expensive way to achieve that goal.

                            And empirically speaking I don’t think it happens… People talk about it but don’t do it on major systems because of the effort involved. (e.g. speaking as someone who has been “rewriting” bash for nearly 4 years, with Oil. Of course Oil isn’t motivated only by security..)

                            For example, I would be surprised if Firefox is >90% Rust within 10 years. Or even 20 years. It makes more sense to split the application up and rewrite certain parts of it in a safe language. That is, follow the Verona strategy (if it is feasible, which is a big “if”, and something that’s a worthy target of research).

                            1. 1

                              Re P. From Microsoft’s site:

                              “P got its start in Microsoft software development when it was used to ship the USB 3.0 drivers in Windows 8.1 and Windows Phone. These drivers handle one of the most important peripherals in the Windows ecosystem and run on hundreds of millions of devices today. P enabled the detection and debugging of hundreds of race conditions and Heisenbugs early on in the design of the drivers, and is now extensively used for driver development in Windows.”

                            2. 1

                              Don’t forget about Spec# and Sing#

                              1. 1

                                My understanding is that F* code (EverCrypt in particular) shipped in Windows kernel.

                              1. 2

                                One of the beauties of passphrases - and the way we should be educating people to use them - is that it doesn’t just have to be random words squished together, but could instead be a complete sentence, spaces, punctuation, capitalization, and all.

                                Now, of course, with standard rules you can guess those too. But it still introduces a lot more natural variation that is still simple for the individual to remember.

                                “This password is actually pretty bad, but has never been cracked.” is hard to guess, even if you have a word list and whittle down options based on standard rules of grammar.

                                Of course, it isn’t as good as some auto-generated sequence of pure randomness of the same length, but it is better than “correcthorsebatterystaple” (why wouldn’t you use spaces there?!).

                                1. 5

                                  You can also mix words from every language you know, which is what my password generator script does.

                                  % for i in {1..10}; do ./pwgen.sh 4; done
                                  hover-seafarer-snigl-hare
                                  transitory-nautheimskur-valhaj-affekt
                                  pappaumbúðum-thimbleful-afbrotamála-stykkjatölu
                                  áðurnefnds-dye-storpart-vestaver
                                  hraðfrysting-afkastavexti-larkspur-levitate
                                  vältrampad-trollrukkone-ward-boðorða
                                  polymorfi-trosvittne-tenestemerke-trough
                                  dukkardrakti-tungbruka-millipede-lineal
                                  peremptorily-úrsúlu-fotbadi-seigliva
                                  strollan-provision-fágætast-snuggle
                                  
                                  1. 8

                                    Even though it’s 2019 and this should not need to be said, but yet it is: be careful with characters outside of the ascii space because that will bring you into contact with many opportunities for whoever takes and stores your password to run into character encoding bugs.

                                    If they don’t have specific support and just blindly hash bytes, you might still run into issues due to different Unicode normalization on different platforms you are typing your password on.

                                    And if they do have specific support for Unicode, you can be nearly 100% sure they will have bugs in it anyways.

                                    If you want Unicode in your passwords, make sure they do work on all the platforms you intend to log in from. Don’t be the person who can’t log in during an emergency when they are on their phone and it’s sending the ü in the password as “LATIN SMALL LETTER U” followed by a “COMBINING DIAERESIS” rather than the “LATIN SMALL LETTER U WITH DIAERESIS” that the site has seen when it was hashing your password (and that’s assuming both times correct UTF8 was used).

                                1. 5

                                  This video is part of a wonderful series that explains how computers work literally down to the wire. I have never seen a better explanation and at least for me, this managed to demystify the last part of the whole equation: when CPU instructions hit the actual hardware.

                                  What a bold move to explain computers by quickly hooking up a CPU on a breadboard and just “turning it on”.

                                  I can’t recommend this enough. If you can squeeze in the time and you are at all interested in electronics, you cannot miss this.

                                  (Disclaimer: I loved these so much that I signed up on Patreon at a level high enough to award me on-screen credit)

                                  1. 7

                                    There is one really ugly thing that ruins IPv6 for end users and makes it worse than IPv4 for reaching one another directly without an intermediate party.

                                    It’s called DHCP-PD. There is, technically, nothing wrong with it, it’s just a protocol for telling the customer’s router what /64 network it should use. However, many ISPs treat it like dynamic IPv4 at its worst and force frequent prefix changes, even on business connections.

                                    With dynamic IPv4, you can use dynamic DNS and DNAT to keep things reachable by the same address. It’s an ugly and fragile but somewhat usable solution. If your very network changes every day, you can’t even reach a box right next to you unless you are using a router above consumer grade that can do DHCP with DDNS updates, or use mDNS etc.

                                    If that approach becomes the default, it’s the end of end user networking as we know it. Everything will be useless without a third party that has a fixed address.

                                    1. 2

                                      I completely agree with you. I was testing DHCP-PD in our data center and almost all open source implementations suck pretty much. At the moment our approach is to use a custom, REST based API to dispatch static /64 networks to VPS and static /48s for VPN customers.

                                      However, in theory DHCP-PD could solve all of this, but by default there is no easy way to map a prefix to a customer statically.

                                      Maybe it’s time to write a new RFC.

                                      1. 3

                                        It’s not just about implementations. I don’t know if proprietary implementations suck less, but I do know that ISPs are often forcing a prefix change intentionally, to force customers to get a much more expensive connection with a statically allocated prefix if they want it to stop.

                                        My fear is that even if good, easy to use implementations appear, ISPs will choose to make it a premium service that an average user will not want to pay for.

                                        1. 2

                                          …, but I do know that ISP are often forcing a prefix change intentionally, to force customers to get a much more expensive connection with a statically allocated prefix if they want it to stop.

                                          In a previous life, wearing a network sysadmin hat, broken equipment was the bane of all our lives. One example was DHCP clients that ignored the lease time, either treating it as infinity or, worse, a single second.

                                          IPv6 to some degree has offered packet pushers the opportunities of a greenfield deployment and arguably is Good Practice(tm) to have everything in flux from day zero to tickle out bugs.

                                          Personally I would not be so quick to point to malice where there are good practical reasons to do so. After all, supposedly this is part of the whole infrastructure-as-code malarkey line of thought that is actively preached here.

                                          Of course I understand that there are people who want to run a service from their home connection, but the majority do not. In the minority that do (game servers maybe, but probably am showing my age here…xpilot w00t!) you likely need service discovery which requires a central authority (DDNS), or if you are hipster enough DHT, blockchain or IPFS.

                                          Personally myself, I’m more upset that global IPv6 multicast (IIRC you have some useable space with every /48) is not available and all the amazing use cases (such as streaming your own radio/video) that would bring.

                                          1. 1

                                            My ISP (which admittedly is like heaven on earth) hands out dynamic prefixes by default, but if you want a static prefix, all you need to do is send them an email or even a tweet.

                                            They even offer reverse DNS delegation for free once you have your static prefix.

                                            You still use DHCP-PD to ask for the prefixes for your subnets (they give you a /48), but the prefix remains static.

                                            1. 1

                                              Do you even think there’s a market for such a premium service any more? Something to motivate the ISPs?

                                              When I got rid of the rack I had in the basement, I offered parts to the people I know who also have racks. “Do you want it, or any parts? Spare nuts?” None did, “I’ve also gotten rid of my rack and replaced it with colo servers”.

                                              I can believe that ISPs force address changes intentionally, but I’m reluctant to believe the reason you suggest.

                                          2. 1

                                            I think we’re in a world without fixed addresses already. My primary internet access device has had two address changes so far today. One when I changed from WLAN to 4G, the second when I changed back to WLAN. Am I unusual?

                                            That I can’t run servers on the connection that serves my WLAN is an annoyance. But one that has to be weighed against the effect of dhcp-pd+privext on web clients. I see that when I use firefox focus, there isn’t really any way to track me on the web. If I had a permanent address, or a permanent prefix shared with noone, avoiding tracking would not be within my power.

                                          1. 5

                                            I’ve recently switched to Devuan for some of my systems, and the possibility of running something simpler and less pervasive than systemd would make me reconsider.

                                            On my laptop I’m running Fedora, so systemd, but it was never a problem anyway.

                                            1. 6

                                              On my laptop I’m running Fedora, so systemd, but it was never a problem anyway.

                                              why is it a problem on the server then? IMHO, juggling daemons on a desktop workstation is much more involved than on a server where you mostly fire-and-forget a very limited amount of daemons and where normally there aren’t even any users logged in.

                                              1. 3

                                                SystemD is a problem on the server because of the problems it has caused me there.

                                                1. 2

                                                  Those systems are not powerful servers. They’re small and limited devices, that I’d like to keep as simple as I can. I try to keep the set of installed software minimal, basically :)

                                              1. 2

                                                If your goal is to run a business on an open source SaaS product, why not license it primarily as AGPL or GPLv3 and then offer competitors an option to purchase a commercial non-free license? That way they can either pay you to let them build upon it (and you should require royalties!), and you won’t lose money, or if they use the free version, they can only compete by offering it for a cheaper price, if they have more cpu to throw at it.

                                                1. 2

                                                  It seems to me the point is that Sentry doesn’t want to compete on price.

                                                  1. 8

                                                    nor should they need to. Offering their hosted solution for money allows them to offer the on-premise solution for free. And compared to other similar services that offer the source code and nothing else, sentry’s documentation for self-hosting is outstanding and they seem to be willing to even invest time in making self-hosting as easy as possible.

                                                    That’s surprising because all motivation should pressure them into making it as convenient as possible for them to host it and as hard as possible for self-hosters to do it themselves.

                                                    But that’s absolutely not what they are doing which I like a lot.

                                                    I’m saying this as a paying customer of their hosted install, btw, but what pushed me over the edge to actually becoming their customer was the assurance that if worse comes to worst and they either shut down or get bought out that I will be able to keep my investment in the client-side integration by hosting the server parts ourselves.

                                                1. 1

                                                  When I learned Unix in the late 90s through installing my very first Linux distro on my machine, I accidentally came across zsh as a replacement for bash which everybody was using back then.

                                                  On their website, right in the middle, there was a link to the User-friendly user guide. As a total beginner, that was exactly what I wanted and so I went ahead, clicked that link and began reading.

                                                  The guide turned out to be very user-friendly indeed and it didn’t just teach me zsh specifically but actually Unix shells in general. It also taught me all the features that zsh had back then and that bash was lacking and with it being my first and only shell on my first and only Unix machine, there was no reason not to make use of all of those features.

                                                  So in the end, I learned Unix through zsh and its oh so very good user’s guide and I stuck with zsh ever since out of brand loyalty and nostalgia.

                                                  I can use bash and I know (some of) the differences to zsh, but if it’s a machine I’m actually using, I’m chsh-ing to zsh for sure. Only in zsh I know the names of many, many setopt option flags and only in zsh I know how to configure auto completion and, heck, I even know how to set up colored prompts by heart.

                                                  But for general usage and shell scripting, bash and zsh by now are very interchangeable, so if you ask me what you should be going with, I would say: whatever your OS comes with and whatever you’re most likely to see installed on the machines you’re working on.

                                                  1. 5

                                                    Some devs are not very happy with that new notary thing.

                                                    1. 4

                                                      It only applies for binaries downloaded with the browser. Anything on a game launcher or similar is already unaffected.

                                                      1. 1

                                                        Isn’t it related to every executable (and kext) that is being built by every developer?

                                                        1. 3

                                                          No, it’s only related to binaries marked as quarantined. It’s up to the transferring application to set that extended attribute. Compilers don’t. Browsers do.

                                                          Stuff you build for yourself is unaffected. Same goes for whatever pre-built binary brew downloads.

                                                          1. 1

                                                            Compilers don’t. Browsers do.

                                                            The Notary service does it. Not the browser. The browser (well, only Safari AFAIK) leaves a note so that the OS can tell you where a document, file or binary came from. But that is not the notarization process. That happens on Apple’s servers. You have to send your app to the Notarization API and you will get back a binary that has some special signed meta data attached.

                                                            If it were as simple as the browser adding this then every piece of malware would be doing that.

                                                            Note that this does not cost money. You don’t need a $100 developer subscription. All you need is an Apple ID.

                                                            1. 1

                                                              I was talking about setting the quarantine xattr. Unless an executable has that flag set, the OS will execute it even when it’s not signed.

                                                              Of course notarization has to be done by Apple and not each user individually. That was the main goal of the change.

                                                        2. 1

                                                          I don’t get it, how is downloading a binary with a browser different than a game launcher?

                                                          1. 3

                                                            Game launcher (e.g., Steam) is verified. It’s now Steam’s job to police the contents of their platform. If they fail Apple can blacklist Steam for everyone at a moment’s notice, so Valve is incentivized to not ship malware through Steam.

                                                            1. 2

                                                              Browsers set the gatekeeper flag, game launchers don’t. It sounds stupid.

                                                              1. 0

                                                                Browsers don’t set any flags.

                                                                1. 2

                                                                  http://ix.io/1Y1C

                                                                  I beg to differ

                                                                  1. 1

                                                                    Yes but this is not used by Gatekeeper to decide whether or not to run a binary. This is just for the notification you will see in the Finder when you open the app. Notarization is a signing process. If it were just as simple as adding some meta data to a file then every piece of malware would be doing that.

                                                        1. 1

                                                          This is the first I’ve heard of the signing requirement. If it will actually cost $99/yr to distribute software for MacOS starting in January 2020 (two months!!!) I’ll need to be looking into a new laptop very soon. :/

                                                          1. 1

                                                            It already costs $99/yr to be able to sign for distribution, and it has been like that for a few years now (it sucks, but it’s nothing new). If you don’t sign, users get scary warnings and need to perform a couple of unobvious clicks to bypass them.

                                                            The only thing that changed recently is technicalities of the signing method. It’s always been PITA, now it’s PITA++ (instead of offline-ish binary signing with a cert now you need extra compiler flags and signing tool uploads the binary to Apple).

                                                            1. 1

                                                              I have read that notarization is only required if the app is signed. Unsigned app will still run like in 10.14, apparently.

                                                              1. 3

                                                                The only change compared to how it worked before is that now Apple is involved in signing the binary at the time the signing happens. Before that Apple was only involved when you got or renewed your paid membership.

                                                                In order to sign for Gatekeeper to be happy, you needed a paid dev program membership before this change and now after this change, you still do.

                                                                If you are opposed to this rule (and you do not want to tell Gatekeeper to still execute the application despite it not being signed) to the point you want to leave the platform, then you should have done so when Gatekeeper was introduced back at macOS 10.7 Leopard.

                                                                1. 1

                                                                  Unsigned apps will always run, but only for users that went into the settings and changed the gatekeeper mode…

                                                                  1. 1

                                                                    Or right clicked on the file and chose “open”. Which is a really small barrier for only the most clueless users which are also the most likely to fall prey to malware.

                                                              1. 13

                                                                So a dev who never developed for macOS in the first place has decided to continue to not do so, citing the following reasons:

                                                                • Apple dropping 32 bit support in a forthcoming OS release
                                                                • Apple requiring a $99 yearly fee for app signing (eg. requires a developer account)
                                                                • A steam report (from 4 years ago!) that at that time macos users submitted more support issues than windows users[1]

                                                                Um.. Ok?
                                                                For sure, definitely do whatever you need to do for your business and personal circumstances.


                                                                [1]: No reasoning as to these numbers presented. Who knows, maybe the cause of the higher percentage of support tickets 4 years ago were people who bought a game on Steam thinking it was playable on macOS, but it turned out it wasn’t? Because most macOS Steam games at that time were mostly ports from Windows (not sure this is even true, but maybe?)? At that time (4 years ago) poor framework (Unity, etc.) support for macOS? Also strange that Linux users accounted for a 1% share, but submitted… 30% of support requests? That’s pretty wild!

                                                                1. 6

                                                                  Apple requiring a $99 yearly fee for app signing (eg. requires a developer account)

                                                                  If $99 is too expensive for you to cover with sales of the game, then the game might indeed not be worth releasing, much less spending the time developing it (which is probably 10000s of times the cost of the developer program fee)

                                                                  Also, those $99 also give you access to the iOS store where nobody seems to have a problem developing for (and which review policy is much worse than notarization which is fully automated and takes less than 10 minutes)

                                                                  The original post feels like it’s trying to justify a business decision by giving all possible reasons but the one that’s actually true, which is that the Mac gaming market is too small and the game sales will likely not be enough to recoup the development cost (which of course dwarfs that membership fee)

                                                                  1. 3

                                                                    If $99 is too expensive for you to cover with sales of the game, then the game might indeed not be worth releasing, much less spend the time developing it (which is probably 10000s of time the cost of the developer program fee)

                                                                    It’s not about $99 being too expensive. It’s about $99 being too expensive for a relatively small platform that requires a lot more attention (and therefore has a much smaller profit margin) than the other platforms. This means that releasing for Apple products only becomes profitable when your strategy shifts from “surviving on” to “dominating” the market. These are two completely different things and from a business perspective the author is certainly right.

                                                                    It’s also not just about the $99 a year. It’s also about having to buy specific Apple hardware to test and sign your code on, which quickly blows up to a monthly salary for a small company. However, this in no way means that the game the author is releasing isn’t worth it. That simply is a logical fallacy.

                                                                    Also, those $99 also give you access to the iOS store where nobody seems to have a problem developing for (and which review policy is much worse than notarization which is fully automated and takes less than 10 minutes)

                                                                    The author’s main complaint with the notarization seems to be that it limits people’s freedom. The author is clearly serving a niche market (rogue-like games) and is simply frustrated by the barriers to entry that Apple has erected. Because of this, some games will not be available to everyone. This flies directly against what the internet promised us in the 90’s and is just one extra point that makes the author think “nope, too risky, not doing that”.

                                                                    I get where the author is coming from, because I have been forced to make the same choice in the past, albeit in a very different market.

                                                                    The original post feels like it’s trying to justify a business decision by giving all possible reasons but the one that’s actually true which is that the Mac gaming market is too small and the game sales will likely not be enough to recoup the development cost (which of corse dwarf that membership fee)

                                                                    If there is anything you should take from this post, it is not that it is a way to justify a business decision, but rather that business decisions are not always taken based on fully rational arguments.

                                                                  2. 4

                                                                    Unity worked fine way before 4 years ago. I remember playing Gone Home when it came out in 2013 on a MacBook.


                                                                    Signing fees are definitely one of the worst aspects of proprietary ecosystems. Especially when they apply to non-commercial projects, which they always do, they’re not even per project, they’re for “developer accounts”.

                                                                    1. 1

                                                                      Thanks for the data point. I personally couldn’t remember any games I played on macos back then that may have used unity.

                                                                      Somewhat related – as I recall macOS “Mountain Lion”/10.8 was released in 2012, and I found early versions of 10.8, as well as the previous release (“Lion”/10.7), to be pretty damned buggy.
                                                                      Eventually 10.8 got pretty solid late into the “dot releases”, but I recall it being /pretty rough/ for a while. ugh. :/

                                                                      1. 1

                                                                        I honestly don’t remember any bugginess, from Leopard to whatever it was in 2016-ish when I stopped using macOS.

                                                                  1. 24

                                                                    I see too many people rolling PHP-FPM only to show an IP address to the client. So, I wanted to share a simpler method which, I hope, can save you some time.

                                                                    1. 3

                                                                      This seems very elegant, but just to be thorough are there any drawbacks/tradeoffs?

                                                                      1. 4

                                                                        The same T&Cs apply as when using nginx for standard stuff. This will/might be wrong if this nginx is behind another nginx, then you should look at X_FORWARDED_FOR (or whatever it’s called exactly).

                                                                        1. 2

                                                                          Beware if you use another public facing server in front of nginx. For example, if you have a reverse proxy (HAproxy for example), then the variable $remote_addr can represent the IP address of the proxy, not the initial HTTP client.

                                                                          1. 4

                                                                            Have a look at the realip module that allows Nginx to set the remote address based on a header set by the frontend proxy provided it’s one you have decided to trust that it’s setting correct headers.

                                                                            Doing this over a custom solution in the application has the advantage that all remote address based features continue to work unaltered. Like geoip detection or logging addresses to web log files using built-in standard formats
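The trust rule the realip comment above describes (only a proxy you have listed may set the forwarded address, and with recursive search you walk past every trusted hop) applies equally to the $remote_addr / X-Forwarded-For caveat raised two comments up. The following is an added example, not code from the thread or from nginx: it reproduces that rule in Python so the edge cases can be seen; the trusted ranges and all sample addresses are constructed.

```python
"""Added example: resolving the real client address from X-Forwarded-For
the way nginx's realip module does (set_real_ip_from + real_ip_recursive).
The proxy list and every sample address below are constructed."""
import ipaddress

# Constructed: the only hosts allowed to set X-Forwarded-For, i.e. what you
# would list with set_real_ip_from in nginx.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.10/32"),
]


def _is_trusted(addr, trusted):
    ip = ipaddress.ip_address(addr)
    # 'in' returns False for a version mismatch (v4 address vs v6 network)
    return any(ip in net for net in trusted)


def real_client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES,
                   recursive=True):
    """Return the address the application should treat as the client.

    remote_addr: the TCP peer the server actually sees.
    xff_header:  raw X-Forwarded-For value ("a, b, c") or None.
    recursive=False mirrors real_ip_recursive off: take the last hop only.
    recursive=True  mirrors real_ip_recursive on: walk right-to-left past
    every trusted proxy and stop at the first untrusted address.
    """
    # A peer that is not a trusted proxy can write anything into the header,
    # so its own socket address is the only thing worth believing.
    if not xff_header or not _is_trusted(remote_addr, trusted):
        return remote_addr

    hops = [h.strip() for h in xff_header.split(",") if h.strip()]

    # A hop that is not a valid address means the header was forged or built
    # by a broken proxy; fall back to the peer rather than guess.
    try:
        for hop in hops:
            ipaddress.ip_address(hop)
    except ValueError:
        return remote_addr

    if not recursive:
        return hops[-1]

    # Recursive: skip our own proxies from the right; the first address that
    # is not one of them is the client. If every hop is trusted we end up at
    # the leftmost entry, as nginx does.
    candidate = remote_addr
    for hop in reversed(hops):
        candidate = hop
        if not _is_trusted(hop, trusted):
            break
    return candidate


if __name__ == "__main__":
    # Direct client, no proxy involved: header is ignored entirely.
    print(real_client_ip("203.0.113.5", "198.51.100.7"))
    # Request relayed through two of our proxies.
    print(real_client_ip("10.0.0.1", "198.51.100.7, 10.0.0.2"))
```

Geo-IP lookups, rate limits and the access log all read the same resolved address, which is the advantage the comment above credits to doing this in the server rather than in application code.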

                                                                        2. 2

                                                                          Yes, this method also has my preference and we have used it for years now. Years ago we used to use PHP (without php-fpm) for this, more or less like this:

                                                                          <?php
                                                                          echo $_SERVER['REMOTE_ADDR'] . PHP_EOL;
                                                                          

                                                                          But I was wondering: do you have suggestions for making it output both IPv4 and IPv6 addresses (like https://ip6.nl and others do) without adding additional complexity/dependencies like php (preferably with stock nginx or apache).

                                                                          1. 4

                                                                            To show both IPv4 and IPv6, the client needs to make two separate requests, to two separate domains that are configured differently, one with only an A record and one with only an AAAA record. Any given HTTP request is only going to be coming in on one or the other IP version.

                                                                            ip6.nl makes XHR requests to https://4only.ip6.nl/myip.plp and https://6only.ip6.nl/myip.plp and displays the results on the page, again with Javascript. While those servers could very well be running the nginx config in the linked article, the ability to show both on the same page is much more complicated, tech-wise.

                                                                            1. 2

                                                                              You might be able to do it with redirects. Have the IPv4 server redirect to the IPv6 server with ?v4=a.b.c.d, and vice versa. Both servers would display both addresses once available.

                                                                              It falls apart if you only have one type of address, since the redirect would be broken, but there’s probably a way around that. Maybe include the single address in the body of the 303, so if the redirect fails to connect you still have the initial IP address you used?

                                                                              1. 3

                                                                                The case where the caller can only connect on one protocol is probably very, very common still.

                                                                            2. 3

                                                                              But I was wondering: do you have suggestions for making it output both IPv4 and IPv6 addresses (like https://ip6.nl and others do) without adding additional complexity/dependencies like php (preferably with stock nginx or apache).

                                                                              The TCP/IP stack of the client decides whether to try to connect using v4 or v6 first. I’ve added two extra DNS entries, one with only a v4 address and one with only a v6 address, on top of one that has both: http://ip.netsend.nl http://ip4.netsend.nl http://ip6.netsend.nl

                                                                            3. 2

                                                                              Nice trick! Thanks!

                                                                              However, you could add links to the relevant nginx-pages to your blog post as well.

                                                                            1. 3

                                                                              The arguments given in the article to support the headline claim seem to be:

                                                                              1. JWTs are bigger than minimally-sized cookies.
                                                                              2. JWTs might need similar handling to cookies - in one aspect of operation related to their handling. ‘You’re going to hit the database(sic) anyway’

                                                                              1: I’ve never tracked down a performance problem to the increased size of a Cookie header when it is an encoded JWT.

                                                                              2: Hitting a database once (Here this is Redis, but whatever) with a lookup by a guaranteed unique key, in order to check expiry or blacklist, is very cheap. JWTs allow the opportunity to embed more information about the user/session - so there could be many more ‘database’ queries (or microservice calls, or…) saved that would otherwise have been required.

                                                                              Fear of performance problems without measurement isn’t very good engineering - and ‘might as well’ do something entirely different due to a single point of similarity also seems a poor argument.

                                                                              1. 5

                                                                                Hitting a database once (Here this is Redis, but whatever) with a lookup by a guaranteed unique key, in order to check expiry or blacklist, is very cheap

                                                                                It’s just as expensive as hitting the database (or redis) once to get to the session information. You can aggregate that session information from multiple sources too before storing the session information.

                                                                                The thing is: once you need a central place to check tokens for validity, there is zero benefit over classic sessions with the actual data stored as part of a session record, but now you also carry the responsibility of getting crypto right in addition to the issue of scaling a central identity validation service.

                                                                                With traditional sessions you only do that.

                                                                              1. 1

                                                                                So anything which can open the TCP port to PHP-FPM can execute arbitrary code as it? This seems like it might be awkward if you had a setup where multiple different accounts have PHP-FPM processes running on the same machine, binding different TCP ports on localhost.

                                                                                I hope PHP-FPM at least defaults to binding to localhost rather than 0.0.0.0 (I think this is the case, but it’s been a while since I looked) and wouldn’t it be nice if it would bind a unix domain socket rather than a TCP socket, eh?

                                                                                1. 2

                                                                                  It defaults to binding to 127.0.0.1:9000. I don’t see who would change this to be a public interface. But I guess it’s possible.

                                                                                  https://github.com/php/php-src/blob/master/sapi/fpm/www.conf.in#L36

                                                                                  1. 1

                                                                                    Thanks! That’s pleasingly sensible. :)

                                                                                1. 16

                                                                                  Amusingly the site won’t load for me.

                                                                                  1. 13

                                                                                    ButtCloudFlare literally gatekeeping me with a captcha for using Tor :(

                                                                                    1. 1

                                                                                      You really blame them when their operating requirements include minimizing liability?

                                                                                      1. 6

                                                                                        It’s a terrible default. If someone gets a lot of e.g. bot registrations from Tor, they should have that option, but it’s really stupid for a static document site that cannot receive any interaction from the outside world.

                                                                                        1. 1

                                                                                          Do you think it should scan and interpret all the content on all the pages it serves to decide which get Tor filtering? Or what’s your alternative implementation that achieves the same level of protection with the labor cost of adding some firewall rules? Gotta be something their management would agree with.

                                                                                          1. 7

                                                                                            A more reasonable default would be to not show CAPTCHA until a POST request has happened.

                                                                                            1. 4

                                                                                              Bam! There it is! That could be a great sell since they’d spend less resources on the CAPTCHAs in the first place. Maybe (depends on implementation). I’ll try to remember and mention it when I run into Cloudflare employees. :)

                                                                                    2. 3

                                                                                      It has no A or AAAA records. No MX record either.

                                                                                      $ dig any  stop-gatekeeping.email
                                                                                      
                                                                                      ; <<>> DiG 9.11.5-P4-RedHat-9.11.5-4.P4.fc29 <<>> any stop-gatekeeping.email
                                                                                      ;; global options: +cmd
                                                                                      ;; Got answer:
                                                                                      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45133
                                                                                      ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                                                                                      
                                                                                      ;; OPT PSEUDOSECTION:
                                                                                      ; EDNS: version: 0, flags:; udp: 512
                                                                                      ;; QUESTION SECTION:
                                                                                      ;stop-gatekeeping.email.		IN	ANY
                                                                                      
                                                                                      ;; ANSWER SECTION:
                                                                                      stop-gatekeeping.email.	3788	IN	HINFO	"RFC8482" ""
                                                                                      
                                                                                      ;; Query time: 22 msec
                                                                                      ;; SERVER: 8.8.8.8#53(8.8.8.8)
                                                                                      ;; WHEN: Thu Jul 25 03:31:29 EDT 2019
                                                                                      ;; MSG SIZE  rcvd: 72
                                                                                      
                                                                                        1. 2

                                                                                          It’s a domain just purchased for cheap, I guess this will be fixed soon if there ever is a bug.

                                                                                          Given how DNS works there might be different delays between the moment where the record is published and when it is made available.

                                                                                          Maybe it is a cache issue…

                                                                                          To accelerate domain changes:

                                                                                          From the users side, I use a local (dq) cache that points at the root servers, so I can flush my cache myself.

                                                                                          1. 1

                                                                                            It does have A (and AAAA) records:

                                                                                            $ dig +short A stop-gatekeeping.email
                                                                                            104.31.77.194
                                                                                            104.31.76.194
                                                                                            
                                                                                            $ dig +short AAAA stop-gatekeeping.email
                                                                                            2606:4700:30::681f:4cc2
                                                                                            2606:4700:30::681f:4dc2
                                                                                            

                                                                                            It just doesn’t respond to ANY queries, following RFC 8482.

                                                                                            1. 1

                                                                                              Now it does. When I tested, it wasn’t responding to either A, AAAA, or ANY.

                                                                                        1. 1

                                                                                          The behavior exhibited by that BitRock installer is completely unacceptable for 2019. With encryption so readily available in all OSes, doing a simple “does the given password match my copy I have in plain text” check is pure craziness.

                                                                                          This was all about offering a bullet point feature and nothing about actually offering a usable feature. Worse: by providing it they left their users with a false sense of security.
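The comparison the comment above objects to, beside the form it is asking for, as an added example that is not from the thread or from any installer: a password kept in the clear next to the same check done against a salted, stretched hash with a constant-time compare. All names, parameters and the sample secret are constructed.

```python
"""Added example: plaintext password check vs salted-hash check.
Names, iteration count and the sample secret are constructed."""
import hashlib
import hmac
import os

# --- what the comment calls "my copy I have in plain text" -------------------
# Constructed sample. Anyone who can read the installer's data can read this,
# so the check protects nothing.
STORED_PLAINTEXT = "hunter2"


def check_plaintext(candidate):
    return candidate == STORED_PLAINTEXT


# --- the form that actually withstands someone reading the stored data -------
PBKDF2_ITERATIONS = 200_000          # constructed cost; tune to your hardware
SALT_BYTES = 16
DIGEST_BYTES = 32


def make_record(password, salt=None):
    """Derive what gets stored: a random salt and a slow hash, never the
    password itself. 'salt' is a parameter only so tests can be repeatable."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, DIGEST_BYTES
    )
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "digest": digest}


def check_hashed(candidate, record):
    """Recompute the hash with the stored salt and compare in constant time,
    so neither the password nor a timing side channel leaks from the record."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"],
        record["iterations"], len(record["digest"]),
    )
    return hmac.compare_digest(digest, record["digest"])


def record_leaks_password(record, password):
    """True if the stored bytes contain the password; the hashed record never
    does, which is the whole point of storing a hash."""
    return password.encode("utf-8") in record["digest"]


if __name__ == "__main__":
    rec = make_record("hunter2")
    print(check_hashed("hunter2", rec), check_hashed("hunter3", rec))
```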

                                                                                          1. 4

                                                                                            C: 0.73 new features per year, measured by the number of bullet points in the C11 article on Wikipedia which summarizes the changes from C99, adjusted to account for the fact that C18 introduced no new features.

                                                                                            adjusted to account for the fact that C18 introduced no new features.

                                                                                            And that is why I love C. Yes, it has its problems (of which there are many), but it’s a much smaller, bounded set of problems. The devil I know. Many other languages are so large, I couldn’t even know all of the devils if I tried.

                                                                                            1. 25

                                                                                              The devil I know

                                                                                              If the devil you know is an omnipotent being of unlimited power that generations of warriors have tried to fight and never succeeded because it’s just too powerful, then I would argue that it might be worth trying to choose a different evil to fight.

                                                                                              Even in 2019 70% of security vulnerabilities are caused by memory-safety issues that would just not happen if the world wasn’t running on languages without memory-safety.

                                                                                              1. 1

                                                                                                I don’t think being memory safe is enough for a programming language to be a good C replacement.

                                                                                                1. 18

                                                                                                  No. It’s not enough. But IMHO it’s required.

                                                                                                  1. 4

                                                                                                    … a requirement that C, incidentally, does not fulfil. Now that memory-safe low-level languages have swum into our ken, C is no longer a good C replacement. ;-)


                                                                                                    Edited to add a wink. I meant this no more seriously than pub talk – though I believe it has a kernel of truth, I phrased it that way mainly because it was fun to phrase it that way. There are many good reasons to use C, and I also appreciate those. (And acknowledge that the joke does not acknowledge them.)

                                                                                                    1. 3

                                                                                                      That is my point.

                                                                                                      1. 2

                                                                                                        Hi, sorry, I spent a lot of time on my edit – everything below the line plus the smiley above it wasn’t there when you replied. Sorry to readers for making this look confusing.

                                                                                                        It is indeed your point, and I agree with it.

                                                                                                  2. 6

                                                                                                    Nobody is arguing that it’s sufficient, but it is necessary.

                                                                                                    If I were to develop a new language today, a language that was as unsafe as C but had lots of shiny new features like ADTs and a nice package manager and stuff, I’d never get traction. It would be ridiculous.

                                                                                                    1. 1

                                                                                                      I don’t know. PHP and C are still pretty popular. You just target those markets with selective enhancements of a language that fits their style closely. ;)

                                                                                                  3. 1

                                                                                                    Doesn’t web assembly allow unchanged C to be memory safe?

                                                                                                    1. 2

                                                                                                      Sort of, but not really. Unmanaged C isn’t allowed to escape the sandbox it’s assigned, but there are still plenty of opportunities for undefined behavior. Process-level isolation in OSes provides similar guarantees. In the context of WebAssembly, even if the TLS stack were segregated into its own module it would do nothing to mitigate a Heartbleed-style vulnerability.
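The point made in this comment, illustrated with an added example that is not part of the thread: a single flat byte array stands in for a WebAssembly module's linear memory (a constructed model, not real Wasm), so a length-trusting copy never leaves the "sandbox", yet it still reads an unrelated secret that happens to sit in the same memory. The function names, offsets and the constructed "SESSION-KEY-42" value are illustrative assumptions; the hardened variant simply validates the claimed length against the record's real payload length before copying.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of one Wasm-style linear memory: one flat byte array.
 * A received record and an unrelated secret both live inside it, so an
 * over-read that stays inside the array (no sandbox trap) still leaks.
 * All names and offsets here are illustrative assumptions. */
#define MEM_SIZE   256
#define RECORD_OFF 0          /* where the 4-byte "ping" payload sits   */
#define SECRET_OFF 64         /* where unrelated secret data sits        */
#define PAYLOAD_LEN 4

static uint8_t linear_memory[MEM_SIZE];
static const char SECRET[] = "SESSION-KEY-42";   /* constructed sample value */

/* Lay out the constructed record and secret in the same memory. */
void setup_memory(void) {
    memset(linear_memory, 0, sizeof linear_memory);
    memcpy(linear_memory + RECORD_OFF, "ping", PAYLOAD_LEN);
    memcpy(linear_memory + SECRET_OFF, SECRET, sizeof SECRET - 1);
}

/* Vulnerable shape: the only bound enforced is the sandbox edge (MEM_SIZE),
 * which is exactly what a Wasm runtime would trap on. The record's real
 * payload length is never consulted. Returns bytes copied, 0 on trap. */
size_t heartbeat_unchecked(size_t payload_off, size_t claimed_len,
                           uint8_t *out, size_t out_cap) {
    if (claimed_len > out_cap || payload_off + claimed_len > MEM_SIZE)
        return 0;                               /* sandbox boundary: trap */
    memcpy(out, linear_memory + payload_off, claimed_len);
    return claimed_len;
}

/* Hardened shape: reject any claimed length that exceeds the bytes the
 * record actually carries, before touching memory. */
size_t heartbeat_checked(size_t payload_off, size_t actual_len,
                         size_t claimed_len, uint8_t *out, size_t out_cap) {
    if (claimed_len > actual_len) return 0;     /* the missing Heartbleed check */
    if (claimed_len > out_cap || payload_off + claimed_len > MEM_SIZE)
        return 0;
    memcpy(out, linear_memory + payload_off, claimed_len);
    return claimed_len;
}

/* Does the copied-out buffer contain the constructed secret? */
int leaks_secret(const uint8_t *buf, size_t len) {
    size_t n = sizeof SECRET - 1;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, SECRET, n) == 0) return 1;
    return 0;
}

/* Demo 1: an in-sandbox over-read with the unchecked handler leaks the secret. */
int demo_unchecked_leaks(void) {
    uint8_t out[MEM_SIZE];
    setup_memory();
    size_t got = heartbeat_unchecked(RECORD_OFF, 100, out, sizeof out);
    return got == 100 && leaks_secret(out, got);
}

/* Demo 2: the checked handler refuses the same request and only ever
 * returns the 4 real payload bytes for an honest one. */
int demo_checked_rejects(void) {
    uint8_t out[MEM_SIZE];
    setup_memory();
    if (heartbeat_checked(RECORD_OFF, PAYLOAD_LEN, 100, out, sizeof out) != 0)
        return 0;
    size_t got = heartbeat_checked(RECORD_OFF, PAYLOAD_LEN, PAYLOAD_LEN, out, sizeof out);
    return got == PAYLOAD_LEN && !leaks_secret(out, got);
}

int main(void) {
    printf("unchecked handler leaks secret inside sandbox: %d\n", demo_unchecked_leaks());
    printf("checked handler rejects oversized request:     %d\n", demo_checked_rejects());
    return 0;
}
```

The takeaway matches the comment: the sandbox edge (the `MEM_SIZE` check) is the guarantee a WebAssembly runtime or OS process boundary gives you, and it is satisfied in both cases; only the per-record length check, which the language never forces you to write, stops the disclosure.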

                                                                                                      1. 2

                                                                                                        There are other environments where the C standard is vague enough to allow for C to compile to a managed and safe environment. Speaking as the local AS/400 expert: C there compiles to managed bytecode, which is then compiled again by a trusted translator.

                                                                                                        1. 1

                                                                                                          I try to keep up with folks’ skills in case opportunities arise. Do you know both AS/400 and z/OS? Or just AS/400?

                                                                                                          Also interested in you elaborating on it making C safer.

                                                                                                          1. 3

                                                                                                            No, z is a separate thing I don’t know much about.

                                                                                                            Because C on AS/400 (or i, whatever IBM marketing calls it this week) is managed code, it does things like checking the validity of pointers to prevent things like buffer overflows. It does that by injecting hardware-enforced tagging. To prevent you from cheating it, the trusted translator is the only program allowed to generate native code. (AIX programs in the syscall emulator, however, can generate native code, but are then subject to normal Unix process boundaries and a kernel very paranoid about code running in a sandbox.) The tags are also used as capabilities to objects in the same address space, which it uses in place of a traditional filesystem.

                                                                                                            1. 1

                                                                                                              Thanks. That makes sense except for one thing: hardware-enforced tagging. I thought System/38’s hardware enforcement was taken out with things just type- or runtime-checked or something at firmware/software level. That’s at least how some folks were talking. Do you have any references that show what hardware checking the current systems use?

                                                                                                              1. 1

                                                                                                                No, tags and capabilities are still there, contrary to rumours otherwise.

                                                                                                                The tagging apparatus on modern systems is undocumented and as a result I know little about it, but it’s definitely in the CPU, from what I’ve heard.

                                                                                                                1. 1

                                                                                                                  Ok. So, I guess I gotta press POWER CPU experts at some point to figure it out or just look at the ISA references. At least I know there wasn’t something obvious I overlooked.

                                                                                                                  EDIT: Just downloaded and searched the POWER ISA 3 PDF for capabilities and pointer to see what showed up. Nothing about this. They’re either wrong or it’s undocumented as they told you. If it’s still there, that’s a solid reason for building critical services on top of IBM i’s even if commodity stuff had same reliability. Security be higher. Still gotta harden them, of course.

                                                                                                    2. 1

                                                                                                      Sort of. It had a much larger set of problems than the safe systems languages that compete with it. There’s less to know with them unless you choose to dance with the devil in a specific module. Some were more productive with faster debugging, too. So, it seems like C programmers force themselves to know and do more unnecessarily, at least on the language level.

                                                                                                      Now, pragmatically, the ecosystem is so large and mature that using or at least outputting C might make sense in a lot of projects.