1.  

There’s a link called “cached” under each submission that takes you to an Archive.is copy. Both the original and cached links are working for me. Try cached if original keeps 404ing.

      1.  

        Could you paste a curl -i of the behavior you’re seeing? Link seems fine here, that’s puzzling.

      1. 5

        Mostly web programming and related topics. https://push.cx, feed is https://push.cx/feed

        1. 2

          @nickpsecurity asked recently for this, too. I think this would be useful and would take a PR for it.

          The search code has grown kind of janky. It would be a good start to split objects for story searching from comment searching; having them mixed with all the conditionals makes them hard to follow. There was also a PR to add tests but that’s stalled.

          1. 1

Thanks for the reminder. Yeah, I’ll try to write up a search PR sometime today. I should have time.

          1. 3

            Sidenote: it really irritates me how the culture tag’s negative hotness modifier causes this weekly thread to drop off the front page almost immediately. It’s only 12 hours old and already halfway down page 2.

            1. 1

              We used to just tag it with ask and nothing more, but as it’s a meta tag now it fails validation without another tag as well. I picked culture from the list originally because it felt the “best” fit for this thread, but that also irks me how quickly it vanishes. I’m sure it makes a difference to how many people comment on the thread (although if you’re around here for any length of time you’ll know it appears on a Monday, so can go look for it.)

              I wonder if there is a better “second” tag for these threads that wouldn’t have the negative cost attached, without mis-appropriating the tag.

              /cc @kzisme

              1. 2

                practices or programming seem fine. I’d also prefer this thread not drop away so fast. /cc @kzisme who often posts these.

                1. 1

                  How about programming? “Use when every tag or no specific tag applies”

              1. 2

                Huh, I always thought this was a quirk of old Java, that it created a seam for mocking or something. Sort of like how the C/C++ practice of only having a single return statement in a function existed to prevent various bugs around forgetting to free memory. That eventually floated free of the original purpose and was a general-purpose maxim I saw applied to memory-managed languages. This article feels like it still knows a bit about why the practice existed (“Surely there’s a better way to do the required testing”) and is looking for a new justification.

                1. 1

                  IIRC, older Java mocking libraries could only mock an interface. Nowadays, I think they generate a class at runtime if need be.

                1. 1

I wanted to put way more information on the listing, but it turns out it’s effectively just a single line it allows you to post. Is this a limitation of LinkedIn, or was this a choice for the board to have the actual listings somewhere else?

                  1. 1

                    Huh, that’s a really strange limitation and I don’t understand it. I’ve reviewed the settings pages and I can’t see anything like that. When I click “Start a conversation” or “Post a job” I’m prompted for a title and body, and the body text takes several hundred words of lorem ipsum without complaint. If you reload and still can’t post more than one line, please message your posting to me (here or on LinkedIn) and I’ll add it.

                    1. 1

                      It was me being silly in the end. It said “Add a link” in the body and I thought it actually was just for adding a link and tried to cram the whole thing into the title, yet another lesson about late night work output. Thanks for letting me sort it out without getting banned.

                      1. 1

                        Unlike my other inboxes on LinkedIn, it has not turned into a steady stream of recruiter spam, so I feel pretty relaxed about the whole thing.

                  1. 7

                    I pretty much always have three books going, so currently:

                    • Light reading: Thinking in Bets by Annie Duke. Risk, uncertainty, heuristics. I’m not usually a fan of books with the structure “I did X for 20 years so let me apply that to all of life”, but this one’s hitting the books for its research and I’m a sucker for poker stories.
                    • Dense reading: Discourses, Fragments, Handbook by Epictetus, translated by Robin Hard. On a stoicism kick. Reading around the dualism of book one has made this a slog and I may skip ahead or move on to Seneca.
                    • Programming: Domain Modeling Made Functional, Scott Wlaschin. Still working on this one.
                    1. 2

                      That’s exactly my strategy as well (one light, one dense and one technical), I find it means I’m always in the mood to read something (otherwise I’ll resort to shallow articles and silly tutorials online).

                      I’ve also found the full Discourses more “diluted” than the Enchiridion and didn’t finish it. I definitely suggest you pick up the latter, if you haven’t already.

                      1. 1

                        I’m also trying this:

                        • One light/escapism: Fool’s Errand - Robin Hobb
                        • One heavy: Selected Non-Fictions - Borges
                        • One research: The Search for the Perfect Language - Umberto Eco
                      1. 2

                        Spammer’s back, we’re trying +s so the channel won’t be listed in /list commands the bot is probably using to pick targets. This may stick around indefinitely; the channel list is almost never the discovery method visitors use.

                        1. 1

Didn’t work, got hit by last night’s renewed attack. I re-enabled +r for a while longer. They’re attacking with compromised routers/IoT devices and folks are developing countermeasures, but the spammers are dedicated enough that it’s a bit of an arms race. I don’t know much of the details, it’s being handled well by Freenode staff and the only reason we’re seeing it at all is that we and they try to err in favor of being open to newbies instead of hard on spambots.

                        1. 2
                          • Starting to look for Rails web dev work after a break: Chicago or remote, preferring part-time contract but we’ll see what shows up. Appreciate any connections folks can make.
                          • Got some good practice with Ardour by editing down a long Zencastr call with a friend, using this workflow. Next steps for the podcast are plumbing: domain name, homepage, feed, scheduling, ruthlessly cutting scope.
                          • Started making Anki cards from my Haskell notes. The first four chapters (with lots of terms that want to slip away from me like “weak head normal form”) became 85 cards. I wish I’d done this as I was studying at Recurse, but at least this is an easy task to start-and-stop that I can fit into scheduling gaps.
                          1. 37

                            I’ve been very happy with pass, a command-line tool that stores passwords and notes in a git repository. Being a directory of text files, it’s easy to use standard command-line tools on or tinker with programmatically. There’s a thriving ecosystem of plugins, tools, and clients.

I also use autopass for autofilling in X applications. As time goes on, I fill in more and more autotype fields to check ‘remember me’ boxes and other non-standard fields. It’s really convenient. (One annoyance is that if any password files are not valid YAML, autopass errors to stdout without opening a window, so I hit my hotkey and nothing happens.)

                            1. 11

One more vote for pass, I’ve been a happy user for years now. Was missing a proper browser extension for it so I built one: Browserpass. It’s no longer maintained by me due to lack of time, but the community is doing a far better job at maintaining it than I possibly could so that’s all good!

                              1. 10

                                Pass looks pretty neat, but the reason I stick with KeePass(XC) is that Pass leaks metadata in the filenames - so your encryption doesn’t protect you from anyone reading the name of every site you have an account with, which is an often overlooked drawback IMO.

                                1. 5

Your filenames don’t have to be meaningful though. It would be relatively trivial to extend pass to use randomly generated names, and then use an encrypted key->value file to easily access the file you want.

                                  On the other hand, if someone already has that access to your device, accessing ~/.mozilla/firefox/... or analogous other directories with far more information is just as trivial, and has probably more informational value.

                                  1. 3

Then you’re working around a pretty central part of pass’s design, which I don’t really like. It should be better by default.

                                    wrt your second point, if you give up when they can read the filesystem, why even encrypt at all? IMO the idea is you should be able to put your password storage on an untrusted medium, and know that your data are safe.

                                    1. 12

                                      if you give up when they can read the filesystem, why even encrypt at all?

Because in my opinion, there’s a difference between an intruder knowing that I have a “mail” password, and them actually knowing this password.

                                2. 5

                                  The QR code feature of pass is neat for when you need to login on a phone.

                                  1. 2

                                    Huh, you made me read the man page and learn about this - it’s really cool! What’s your usage like for this though? Just use any barcode reader and then copy paste in the password box?

                                    1. 1

A barcode reader I trusted, but yeah - it’s a good hack because I usually have my laptop which has full disk encryption.

                                      1. 2

                                        Yeah, when you said that all I could think of was the barcode scanner that I used to use where it would store the result of each barcode scanned in a history file… Not ideal :)

                                  2. 2

Seems like the Android version’s maintainer is giving up. (Nice, 80k lines of code in just one dep…)

                                    The temptation to nih it is growing stronger but I don’t have enough time :(

                                  1. 6

                                    As well as the link above, if you are affected by +r in the channel, please have a look at our registration FAQ, which makes the above mode irrelevant to you, allowing you to talk past it: https://freenode.net/kb/answer/registration

                                    As always, apologies for the issues we have right now, and we have a number of our volunteers working hard to deal with it.

                                    1. 2

                                      No apologies needed. Dealing with such an irritating and sadistic troll must be dispiriting, I’m sorry you have to deal with it. We’ve really appreciated Freenode’s reliability and support for years now.

                                      I haven’t seen spambot attacks in a few hours. I’ve removed +r from #lobsters in the hopes this is done.

                                    1. 23

                                      Nix is one of those tools where you don’t know what you aren’t getting until you get it. There are so many things wrong with this post, but I only know that because I spent weeks wrestling with lots of those issues myself.

                                      You basically need to read all the nix pills (https://nixos.org/nixos/nix-pills/), the nix manual, the nixpkgs manual and the nixos manual in a loop gradually filling in what is going on… which takes a long time.

                                      Nix is very confusing at first, but enables things that you would not have thought possible once you know what you are doing. The core people don’t seem to evangelize much because it is just one of those tools that solved their problems so well, they don’t have to care about the outside world anymore.

                                      I use nixos for my laptop, desktop and a few servers, have all my machines config under version control and can roll the machines back to any version whenever I want, remote administer them, build an install on one computer, test it in a VM and then ship it with a single command to another machine. I won’t go back to another OS despite there being room for improvement, because no other OS comes close in terms of what you can do (my path has been windows -> ubuntu -> arch linux -> freebsd -> openbsd -> nixos).

                                      1. 18

                                        I use NixOS on everything and completely agree. It’s a massive investment. It was worth it for me, but it shouldn’t have to be a massive investment. Need better tooling and docs.

                                        1. 5

                                          Yeah, there are lots of things I wish I could explain, but the explanations take a large investment. Take for example the complaint about making a new language instead of using something existing… It seems sensible on the surface, until you understand deeply enough to know why laziness is needed, and features like the pervasive use of interpolation to generate build scripts… Once you understand those, you know why a new language was made.

                                          The lack of tooling IS a valid complaint, and the fact the language isn’t statically typed could also be a valid complaint, but the community is growing despite all those issues, which is a good sign.

                                          1. 6

                                            I’m hoping https://github.com/haskell-nix/hnix will help with that point, and the tooling.

                                        2. 6

                                          You basically need to read all the nix pills (https://nixos.org/nixos/nix-pills/), the nix manual, the nixpkgs manual and the nixos manual in a loop gradually filling in what is going on… which takes a long time.

I’ve tried reading all of this but I found it all horribly confusing and frustrating — until I read the original thesis on it, which I still think is (perhaps surprisingly) the best resource for learning how nix works. It’s still a pretty big investment to read, but imho it’s at the very least a much less frustrating experience than bouncing from docs to docs.

                                          (I wonder if the same is true of the NixOS paper?)

                                          1. 3

                                            How do you manage secrets in configuration files? Passwords, ssh keys, tls certs and so on. If you put them into a nix-store they must be world-readable, right?

One could put a reference to files outside the store in configuration files, but then you lose a bit of the determinism of NixOS, and it’s not always easily possible with third-party software to load e.g. passwords from an external file anyway.

                                            Besides the learning curve, that was the single big problem which kept me from diving deeper into the nix ecosystem so far.

                                            1. 7

                                              You are right, no passwords should ever go in the nix store.

The encryption key for my backup script is in a private root-owned file I put under /secrets/. This file is loaded in my cron job, so the nix store simply references the secret but doesn’t contain it. This secret dir isn’t under version control, but is backed up with encrypted backups.

                                              Every daemon with secret config I have seen on nixos has a “password file” option that does the same thing.

                                              1. 3

                                                How do you manage secrets in configuration files?

                                                For my desktop machine I use pass with a hardware key. E.g. nix (home-manager) generates an .mbsyncrc with

                                                 PassCmd "pass Mail/magnolia"

For remote machines, I use NixOps’ method for keeping keys out of the store:

                                                https://nixos.org/nixops/manual/#idm140737318276736
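As an added illustration of the pattern both replies above describe (the root-owned file under /secrets/ and the NixOps-style key file), here is a NixOS module fragment for a nightly backup job that references the key instead of embedding it; this is example code, not from the thread or from NixOS, and the path /secrets/backup.key and the package my-backup-tool are assumptions:

```nix
# Added example: keep a backup key out of /nix/store on NixOS.
{ config, pkgs, ... }:

let
  # Assumption: the key lives in a root-owned, mode 600 file outside the store.
  # This MUST stay a plain string. A Nix path literal (/secrets/backup.key,
  # unquoted) used in an interpolation is copied into /nix/store, where every
  # local user can read it, which is exactly the leak being avoided.
  backupKeyFile = "/secrets/backup.key";
in
{
  # WRONG: the literal below would be written into the service's start script
  # in /nix/store, world-readable and also in every copy of the config repo.
  # systemd.services.backup.script = ''
  #   BACKUP_KEY="hunter2" ${pkgs.my-backup-tool}/bin/backup /home
  # '';

  # RIGHT: the generated script carries only the path; the secret is read at
  # run time, as root, from a file the store knows nothing about.
  systemd.services.backup = {
    description = "nightly encrypted backup";
    startAt = "03:00";                    # systemd timer instead of cron
    serviceConfig.Type = "oneshot";
    script = ''
      set -euo pipefail
      # Fail loudly if the secret is missing or readable by others, so a bad
      # deploy is noticed instead of silently running with a loose key file.
      if [ "$(stat -c '%U:%a' ${backupKeyFile})" != "root:600" ]; then
        echo "refusing to run: ${backupKeyFile} must be root-owned, mode 600" >&2
        exit 1
      fi
      # Hypothetical tool; assumed to read the key from a file rather than an
      # argument or environment variable, so it never shows up in ps output
      # or the journal.
      ${pkgs.my-backup-tool}/bin/backup --key-file ${backupKeyFile} /home
    '';
  };
}
```

The same string-not-path rule applies to the PassCmd line in the .mbsyncrc example above: the generated file references the pass entry name, and the secret itself is only produced when the command runs.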

                                              2. 1

                                                Nix is one of those tools where you don’t know what you aren’t getting until you get it. There are so many things wrong with this post

                                                I have to disagree, but not with the second sentence - I was sure as I wrote the post that it was full of misconceptions and probably outright errors. I wrote it in part to capture those in the hopes that someone can use them to improve the docs.

                                                But to disagree with the first sentence, I was keenly aware through the learning and writing that I was missing fundamental concepts and struggling to fill the gaps with pieces from other tools that didn’t quite fit. If there is indeed a whole ‘nother level of unknown unknowns, well, that’s pretty disheartening to me.

                                                1. 1

                                                  I can’t speak for your experience, but that’s how it was for me anyway, on the plus side it also meant nix solved more problems I was having after I understood better. I even thought nix was over complicated to the point I started writing my own simpler package manager, only to find nix had solved problems I ran into before I knew what they were.

                                              1. 5

Adding story text that summarizes/previews the story is frowned upon. It’s added for some things, like titles that don’t clearly indicate their content, which tends to happen with academic papers and some trade publications in PDF format.

                                                In this case, the story text could have been something like “I reduced my technology use and ended up feeling better.” The current story text (a list of things with a sentence afterwards that explains the list) is not really helpful. I recommend avoiding such story text in future submissions.

                                                1. 8

                                                  Sorry, was my first story submit. Thanks for the editing and help!

                                                  1. 5

                                                    No worries. And welcome to Lobste.rs!

                                                  2. 4

                                                    I removed it.

                                                  1. 1

                                                    My hazy memory of when this paper came out is that there was public speculation that cosmic rays caused bit flips in RAM and this paper was some of the earliest public evidence, motivating development of commercially-available ECC RAM. (But as usual with these things, there’s probably someone who proved the problem 20 years before and some 60s mainframe with solid gold ECC RAM.)

                                                    1. 10

                                                      Since the last thread I sold my Ergodox. It was just too large for me, and when I mouse I often use my left hand to type on the right side of the keyboard.

I replaced it with an OLKB Planck also with mx browns. It’s a small columnar keyboard running the versatile and well-documented qmk firmware. I still use the Norman Layout mapped like this. I’ve set the modifiers (shift/ctrl/alt/super/raise/lower - last are the color-coded up/down arrows) to be one-shot keys because I found my most common typo was holding them just a hair too long (though that had a bug along the way).

                                                      I think a Let’s Split with qmk would be an improvement over the Planck. Unless I’m careful about posture, I find my wrists unhappy about being turned out after an hour or two. Fingers crossed there’s a group buy for a kit soon (from someone other than Massdrop; they badly mishandled the Planck run).

                                                      1. 1

Let’s Splits are actually stocked now by online stores since they’re so inexpensive to produce. Last I checked I saw a different store months ago, but just with a cursory search I see this one’s stocking them currently. From personal experience the more expensive part of building a Let’s Split would likely be the plate if you care to have a metal one. I haven’t found anyone stocking plates for this configuration (even though it’s relatively simple and now kind of common) and group buys that include a laser cutting service are rare. I paid $80 (!!!!) through like lasergist or something for the stainless steel plates on a full Let’s Split, and deciding whether or not to press buy was like a kick in the gut…

                                                        EDIT: like I said if you don’t care about a metal plate specifically, you should be able to procure an acrylic plate sandwich set fairly easy and inexpensively. The website I linked actually sells them.

                                                      1. 6

                                                        Yeah, I know someone who runs a keyserver and they are getting absolutely sick of responding to the GDPR troll emails.

Love the idea to use ActivityPub (the same technology involved in Mastodon) for keyservers. That’s really smart!

                                                        1. 16

                                                          Offtopic: Excuse me.

I think it depends on some conditions, so not everybody is going to see this every time. But when I click on Medium links I tend to get this huge dialog box come up over the entire page saying something about registering or something. It’s really annoying. I wish we could host articles somewhere that doesn’t do this.

                                                          My opinion is that links should be links to some content. Not links to some kind of annoyware that I have to click past to get to the real article.

                                                          1. 11

                                                            Use the cached link for Medium articles. It doesn’t have the popup. Just the content.

                                                            1. 1

                                                              Could you give an example? That sounds like a pleasant improvement, but i don’t know exactly what you mean by a cached link.

                                                              1. 3

There is a ‘cached’ link under each article title on lobste.rs

                                                                1. 1

                                                                  Thanks.

                                                            2. 7

I started running uMatrix and added rules to block all 1st party JS by default. It does take a while to whitelist things, yes, but it’s amazing when you start to see how many sites use Javascript for stupid shit. Imgur requires Javascript to view images! So do all Squarespace sites (it’s for those fancy hover-over zoom boxes).

                                                              As a nice side effect, I rarely ever get paywall modals. If the article doesn’t show, I typically plug it into archive.is rather than enable javascript when I shouldn’t have to.

                                                              1. 2

                                                                I do this as well, but with Medium it’s a choice between blocking the pop-up and getting to see the article images.

                                                                1. 6

I think if you check the ‘spoof <noscript> tags’ option in uMatrix then you’ll be able to see the images.

                                                                  1. 1

                                                                    Nice trick, thanks!

                                                              2. 6

                                                                How timely! Someone at the office just shared this with me today: http://makemediumreadable.com

                                                                1. 4

                                                                  From what I can see, the popup is just a begging bowl, there’s actually no paywall or regwall involved.

                                                                  I just click the little X in the top right corner of the popup.

                                                                  But I do think that anyone who likes to blog more than a couple of times a year should just get a domain, a VPS and some blog software. It helps decentralization.

                                                                  1. 1

                                                                    And I find that I can’t scroll down.

                                                                    1. 3

                                                                      I use the kill sticky bookmarklet to dismiss overlays such as the one on medium.com. And yes, then I have to refresh the page to get the scroll to work again.

                                                                      On other paywall sites when I can’t scroll, (perhaps because I removed some paywall overlay to get at the content below,) I’m able to restore scrolling by finding the overflow-x CSS property and altering or removing it. …Though, that didn’t work for me just now on medium.com.

                                                                      1. 1

                                                                        Actually, it’s the overflow: hidden; CSS that I remove to get pages to scroll after removing some sticky div!

                                                                  2. 3

                                                                    What is the keyserver’s privacy policy?

                                                                    1. 5

                                                                      I run an SKS keyserver, have some patches in the codebase, wrote the operations documents in the wiki, etc.

                                                                      Each keyserver is run by volunteers, peering with each other to exchange keys. The design was based around “protection against government attempts to censor keys”, dating from the first crypto wars. They’re immutable append-only logs, and the design approach is probably about dead. Each keyserver operator has their own policies.

                                                                      I am a US citizen, living in the USA, with a keyserver hosted in the USA. My server’s privacy statement is at https://sks.spodhuis.org/#privacy but that does not cover anyone else running keyservers. [update: I’ve taken my keyserver down, copy/paste of former privacy policy at: https://gist.github.com/philpennock/0635864d34a323aa366b0c30c7360972 ]

                                                                      You don’t know who is running keyservers. It’s “highly likely” that at least one nation has some acronym agency running one, at some kind of arms-length distance: it’s an easy and cheap way to get metadata about who wants to communicate privately with whom, where you get the logs because folks choose to send traffic to you as a service operator. I went into a little more depth on this over at http://www.openwall.com/lists/oss-security/2017/12/10/1

                                                                      1. 5

                                                                        Thanks for this info.

                                                                        Fundamentally, GDPR is about giving the right to individuals to censor content related to themselves.

A system set out to thwart any censorship will fall afoul of GDPR, based on this interpretation.

However, people who use a keyserver are presumably A-OK with associating their info with an append-only immutable system. Sadly, GDPR doesn’t really take this use case into account (I think, I am not a lawyer).

                                                                        I think what’s important to note about GDPR is that there’s an authority in each EU country that’s responsible for handling complaints. Someone might try to troll keyserver sites by attempting to remove their info, but they will have to make their case to this authority. Hopefully this authority will read the rules of the keyserver and decide that the complainant has no real case based on the stated goals of the keyserver site… or they’ll take this as a golden opportunity to kneecap (part of) secure communications.

                                                                        I still think GDPR in general is a good idea - it treats personal info as toxic waste that has to be handled carefully, not as a valuable commodity to be sold to the highest bidder. Unfortunately it will cause damage in edge cases, like this.

                                                                        1. 3

                                                                          gerikson you make really good points there about the GDPR.

Consenting people are not the focus of this entirely though, it’s about current and potential abuse of the servers and people who have not consented to their information being posted and there being no way for removal.

The Supervisory Authorities won’t ignore that, this is why the keyservers need to change to prevent further abuse and their extinction.

                                                                          They also won’t consider this case, just like the recent ICANN case where they wanted it to be a requirement to store your information publicly with your domain, which was rejected outright. The keyservers are not necessary to the functioning of the keys you upload, and a big part of the GDPR is processing only as long as necessary.

                                                                          Someone recently made a point about the term non-repudiation. In digital security, non-repudiation means:

                                                                          A service that provides proof of the integrity and origin of data.
                                                                          An authentication that can be asserted to be genuine with high assurance.

                                                                          Keyservers don’t do this! You can have the same email address as anyone else, and even the maintainers and creator of the SKS keyservers state this as well and recommend you check through other means to see if keys are what they appear to be, such as by telephone or in person.

                                                                          I also don’t think this is an edge case; I think it’s a wake-up call to rethink the design of the software and catch up with the rest of the world, and quickly.

                                                                          Lastly, I don’t approve of trolling. If you’re doing it just for the sake of doing it, “DON’T”. If you genuinely feel the need to submit a “right to erasure” due to not consenting to having your data published, please do it.

                                                                        2. 2

                                                                          Thank you for the link: http://www.openwall.com/lists/oss-security/2017/12/10/1, it’s a fantastic read and makes some really good points.

                                                                          It’s easy for anyone to get hold of recent dumps from the SKS servers; I just hunted through a recent dump of 5 million+ keys yesterday looking for interesting data. I will be writing an article about it soon.

                                                                      2. 3

                                                                        I totally agree, it has been bothering me as well. I am in the middle of considering starting up my own self-hosted blog. I also don’t like Medium’s method of charging for access to people’s stories without giving them anything.

                                                                        1. 3

                                                                          I’m thinking of setting up a blog platform, like Medium, but totally free of bullshit for both the readers and the writers. Though the authors pay a small fee to host their blog (it’s a personal website/blog engine, as opposed to Medium which is much more public and community-like).

                                                                          If that could be something that interests you, let me know and I’ll let you know :)

                                                                          1. 2

                                                                            lmao you don’t even get paid when someone has to pay for your article?

                                                                            1. 1

                                                                              Correction: turns out you can get paid if you sign up for their partner program, but I think it requires approval n shit.

                                                                            2. 2

                                                                              hey @pushcx, is there a feature where we can prune a comment branch and graft it on to another branch? asking for a friend. Certainly not a high priority feature.

                                                                              1. 3

                                                                                No, but it’s on my list of potential features to consider when Lobsters gets several times the comments it does now. For now the ‘off-topic’ votes do OK at prompting people to start new top-level threads, but I feel like I’m seeing a slow increase in threads where promoting a branch to a top-level comment would be useful enough to justify the disruption.

                                                                          1. 1

                                                                            Merge with this?

                                                                            1. 1

                                                                              Better to just delete. My mistake.

                                                                            1. 1

                                                                              So constant-time comparison is an old classic for authentication primitives, with even humorous examples (not to mention tons of websites) like passwords on some JTAG interfaces on old consoles having a return on first mismatch, making a timing-based extraction of the password trivial.

                                                                              According to the webpage, this was developed for post-quantum cryptography, but what other areas are there where data-dependent sorting times would be a notable risk?
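To make the two patterns this comment contrasts concrete, here is an added example (not djbsort's code, and not posted by anyone in this thread): the return-on-first-mismatch comparison beside a constant-time one, and then the same idea carried over to sorting, where a fixed sorting network with a branchless compare-exchange gives a run time and memory access pattern that depend only on the array length, not its contents. Function names (`leaky_compare`, `ct_compare`, `ct_minmax`, `ct_sort`, `demo_sort_ok`) and the sample inputs are my own constructions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Early-exit comparison (the pattern the comment describes): returns at the
   first mismatching byte, so run time reveals how many leading bytes matched. */
int leaky_compare(const uint8_t *a, const uint8_t *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Constant-time comparison: visits every byte regardless of content and folds
   differences into one accumulator with OR; no branch depends on the data. */
int ct_compare(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    /* ((diff - 1) >> 8) & 1 is 1 only when diff == 0, computed without a branch */
    return (int)((((uint32_t)diff - 1u) >> 8) & 1u);
}

/* Branchless compare-exchange: afterwards *x <= *y. The swap is applied
   through an arithmetic mask, so neither the branch predictor nor the memory
   access pattern depends on the values. (Hypothetical illustration, not
   djbsort's own routine.) */
void ct_minmax(int32_t *x, int32_t *y)
{
    int64_t a = *x, b = *y;                              /* widen so b - a cannot overflow */
    uint64_t mask = 0u - ((uint64_t)(b - a) >> 63);      /* all ones iff b < a, else zero */
    uint64_t t = ((uint64_t)a ^ (uint64_t)b) & mask;     /* a ^ b when swapping, else 0 */
    *x = (int32_t)(int64_t)((uint64_t)a ^ t);
    *y = (int32_t)(int64_t)((uint64_t)b ^ t);
}

/* Data-independent sort: an odd-even transposition sorting network. The
   sequence of compare-exchanges is fixed by n alone, so timing and memory
   access pattern are identical for every input of that length. It costs
   O(n^2) compare-exchanges, which is fine for the small arrays crypto code sorts. */
void ct_sort(int32_t *v, size_t n)
{
    for (size_t phase = 0; phase < n; phase++) {
        for (size_t i = phase & 1; i + 1 < n; i += 2)
            ct_minmax(&v[i], &v[i + 1]);
    }
}

/* Runs ct_sort on a constructed sample (including the int32 extremes) and
   returns 1 if the result is in non-decreasing order, 0 otherwise. */
int demo_sort_ok(void)
{
    int32_t v[] = { 42, -7, INT32_MAX, INT32_MIN, 0, 5, 5, -1 }; /* constructed input */
    size_t n = sizeof v / sizeof v[0];
    ct_sort(v, n);
    for (size_t i = 1; i < n; i++) {
        if (v[i - 1] > v[i])
            return 0;
    }
    return 1;
}

int main(void)
{
    const uint8_t *k1 = (const uint8_t *)"correct horse";   /* constructed secrets */
    const uint8_t *k2 = (const uint8_t *)"correct horsf";
    printf("ct_compare equal:  %d\n", ct_compare(k1, k1, 13));
    printf("ct_compare differ: %d\n", ct_compare(k1, k2, 13));
    printf("sort ok:           %d\n", demo_sort_ok());
    return 0;
}
```

The answer to the comment's question follows from the sort: anywhere the positions being sorted are themselves secret (which positions get swapped, and therefore which cache lines are touched) is where data-dependent sorting time matters, which is why a fixed network plus a branchless compare-exchange is the usual fix in crypto code.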

                                                                              1. 2

                                                                                I think it’s just for crypto, as elaborated on page 48 of this paper. source

                                                                              1. 3

                                                                                The license for this software is unclear.

                                                                                Eschewing normal practice, there’s no LICENSE file in the source distribution.

                                                                                I’m asking this because DJB seems to have views on software licensing that are at odds with the majority of the FOSS community. I’m not sure if this is still the case though.

                                                                                1. 3

                                                                                  From djb’s previous writings and software, he probably intends this to be license-free software.

                                                                                  1. 7

                                                                                    And I know licensing is an interesting, complex topic that’s fun to armchair lawyer, so if folks want to pick up this topic please start by linking to and building your comment on the 20+ years of previous discussion, and avoid moralizing/shaming others’ licensing choices.

                                                                                    1. 2

                                                                                      I wouldn’t necessarily qualify many of djb’s works as “license free”. He has explicitly put many of them into the public domain. See some of the license related notations on https://cr.yp.to/distributors.html as well.

                                                                                      1. 1

                                                                                        Thanks for the link, it’s certainly an interesting perspective.