1. 1

    Slack’s original appeal was that it had a much better user experience than prior work chat/email/collaboration tools including the now-dead HipChat and Campfire.

    I much preferred HipChat actually; I never quite understood the appeal of Slack. I also don’t quite get the appeal of Discord, but I don’t really know any good alternatives (riot.im is NOT it, it’s even slower and worse than Slack). The Stack Overflow/Stack Exchange chat is still the best webchat I know of by the way.

    1. 6

      I also don’t quite get the appeal of Discord

      People ditching Slack for Discord is hilarious to me; it’s like ditching Facebook for Instagram. The underlying reasons for the problems are all still there. https://cadence.moe/blog/2020-06-06-why-you-shouldnt-trust-discord

      1. 1

        Yeah, dunno. I think for a lot of people it’s mostly just a matter of UX; a lot of the points in that article are kind of “invisible” (until you run in to them, that is). I never liked Discord’s UX myself though, the low-contrast text alone was enough to turn me away (although that article says it’s mostly fixed now).

      2. 3

        I also don’t quite get the appeal of Discord

        Compared to Slack? As well as Discord’s UX improvements over Slack listed in the article, I’ve seen one open-source project choose Discord over Slack because Discord’s free plan includes unlimited message history, compared to Slack’s 10,000-message limit.

        I don’t really know any good alternatives

        I’ve only used it a few times, but so far I quite like Zulip and its threading model where each message is not only within a channel, but also under a “topic” (like an email subject line). I’ve encountered problems finding, rereading, and linking to past discussions in Discord and Slack before—I expect that Zulip’s topics feature would mitigate those problems.

        1. 1

          Personally, I was turned off just by Discord’s low-contrast text, although the link posted in another comment said that’s fixed now. You can have the best chat in the world, but if I can’t read the actual text then, well…

          Zulip looks nice at a glance, I haven’t heard of that before. And it’s completely Apache licensed too. Guess that’ll be the first thing I try if I ever need to set up a chat.

        2. 3

          The best alternative I know of is Mattermost. It runs well, seems to have a good API, and gets the job done.

          1. 2

            It has a good mobile client and self-hosting is super easy…and a $5 prgmr instance will handle it with headroom to spare.

          2. 2

            I thought Hipchat was a giant garbage heap. Slack is vastly less likely to fuck up my messages or do weird stuff when I view history. The thing Slack has going for it is that it basically works.

            1. 1

              I find it funny that I had the exact opposite opinion when I used both. I didn’t like Hipchat at all until I tried Slack and realized how much worse things could get.

              I told the manager that made the call to switch from Hipchat to Slack that he was moving us from garbage to a garbage fire.

              1. 1

                Hipchat was regularly doing things like duplicating messages in the scrollback, dropping them, or reversing their order (either pairwise or for entire days).

                I was on the Linux desktop client for both, if that matters.

                What problems did you find with Slack?

                1. 1

                  Search was outright broken. The desktop client would crash when I searched, then, when I relaunched it, attempt to get me to pay for an upgrade to their service. That was so regular, I wrote a script to blow away its cache.

                  If I used it while on battery, it cut the amount of autonomy I could expect before needing to charge by about two thirds.

                  It would arbitrarily turn the sound on for my laptop speakers and set my volume to max if my bluetooth headset went out of range. So, when I went from my desk to the conference room down the hall, if I did not remember to close slack before I did that, next time someone posted a music video to our chat, slack would just start playing it at full volume.

                  Attaching a screenshot routinely crashed the client.

                  It would make my fan spin loudly when it was left running in the background.

                  I was using the desktop client on a fully patched, always up-to-date Fedora GNOME system.

            2. 1

              Element (was riot.im) may be slow, but there are tons of matrix clients. Also, Element is three different apps (web/electron, ios, android), I assume you mean the web version is slow? And which server are you using it on? A crowded server (e.g. matrix.org) makes it slow as well.

              But what’s important is that matrix is federated like IRC and email. Not centralized like mattermost, rocket.chat, zulip, slack, discord, teams, hipchat, …

              And an open and evolving standard.

              1. 1

                I only used the web version, for one chat hosted on riot.im. This was a while ago but the general “feel” wasn’t very fast or good at the time, at least in Firefox (it seems a lot of these things tend to perform better in Chrome, but I’m not going to use Chrome just for one thing).

                To be honest, I don’t really care all that much about centralized vs. decentralized/federated; just being an open platform like Zulip or MatterMost is “good enough” for me, although even that isn’t a hard requirement. By far the most important factor I judge these apps on is just basic UX.

                There’s only one other web client in that list by the way (FluffyChat; I don’t really want to install software for very occasional/casual use of chat) and it errors out with Failed to create WebGL context: WebGL is currently disabled. Okay, so I enable WebGL and can create a username now, and then I get Overflow on channel: flutter/platform. Messages on this channel are being discarded in FIFO fashion. The engine may not be running or you need to adjust the buffer size if of the channel. I’m not sure what to do with that, so I gave up.

                1.  

                  I hope you reconsider and try out matrix again in the future.

                  Another thing I forgot about mattermost and rocket.chat: they are open core, just like gitlab. Some features require paying. While with synapse/element (server/client, matrix is just a protocol) (and e.g. redhat) you pay for hosting & support, not features.

            1. 4

              I’d love to go back to just IRC. Why couldn’t IRC as a protocol be good enough and then just design specialized clients around it to include features as desired? Slack, Hipchat, discord, etc don’t actually convince me that the IRC protocol + client specific “add-ons” wouldn’t be enough.

              1. 5

                IRC has problems, starting with a fundamental lack of multiline message support.

                That’s not where you want to go if you’re trying to convince developers to use basically anything else. (I mean, I like IRC too, but only despite some of those major flaws.)

                1. 4

                  I’d love to go back to just IRC.

                  me too, but slack has blown up because they took (some of) what’s good about IRC and made it pretty, and made it accessible for normal people. that doesn’t mean it’s good - there’s so much that’s bad, including but not limited to the ‘always available’ expectation that asshats^H^H^H^H^H^H^H some people use to evaluate whether you’re a ‘team player’.

                  i think my biggest gripe with slack actually (apart from ‘always available’) is how they implemented discussion threads. it’s my opinion that the model sucks terribly, because threads live ‘outside’ of their channel, and it requires me to use a trackpad/mouse to access the threads rather than keeping them in the channel and providing shortcuts to open/collapse them.

                  that said, if slack the company built native desktop apps (i don’t care so much about mobile), i might complain about it less. they certainly have the wherewithal to do it.

                  1.  

                    I don’t want to use IRC. There are a lot of times where I remember asking another developer how to do something and I’ll go back to search for it in the chat history.

                  1. 14

                    There are ways to prevent updates. We don’t tend to shout about it, because a core tenet of snaps is that machines don’t end up with old / insecure packages.

                    You could for example snap download clion and then manually install it with snap install clion* --dangerous and it would absolutely never update. Not as clean as just installing and “pinning” but it is possible, does work and can be used on your system to hold a package at a particular revision.

                    1. 5

                      Is there a way to get onto a “security releases only” track?

                      1. 2

                        Publishers are free to utilize “tracks” to publish multiple major/minor versions available for the user to select from. In this case, the OP may have been able to use one of CLion’s many available channels, which would most likely have given them a stable security/bug-fixes-only track. Here you can see JetBrains maintains CLion releases/tracks all the way back to their 2017.3 release:

                        ~$ snap info clion
                        name:      clion
                        summary:   A cross-platform IDE for C and C++
                        publisher: jetbrains✓
                        store-url: https://snapcraft.io/clion
                        contact:   https://www.jetbrains.com/clion/
                        license:   Proprietary
                        description: |
                          CLion is a cross-platform IDE which natively supports C and C++, libc++ and Boost. It offers
                          instant navigation to a symbol's declaration or usages, code generation for
                          constructors/destructors, operators and more. There are dozens of refactorings, code analysis
                          (including Data Flow Analysis and Clang-Tidy integration) and integration with GDB and LLDB. CLion
                          uses the well-known CMake build system, supports Google test, Boost.Test, and Catch unit testing.
                          There is Doxygen for documenting the code, Valgrind Memcheck for memory profiling, and support for
                          all the popular Version Control Systems, it can even provide a VIM-emulation mode via a plugin.
                          
                          CLion is available for a free 30-day evaluation.
                          Monthly and yearly subscription options are available for companies and individual users. Find out
                          more on https://www.jetbrains.com/clion/buy/
                        snap-id: 6JBjLwyVchga4cOSDqhWJd9NgQfrTYam
                        channels:
                          latest/stable:    2020.2   2020-07-29 (123) 502MB classic
                          latest/candidate: 2020.2   2020-07-29 (123) 502MB classic
                          latest/beta:      2020.2   2020-07-29 (123) 502MB classic
                          latest/edge:      2020.2   2020-07-29 (123) 502MB classic
                          2020.2/stable:    2020.2   2020-07-29 (123) 502MB classic
                          2020.2/candidate: 2020.2   2020-07-29 (123) 502MB classic
                          2020.2/beta:      2020.2   2020-07-29 (123) 502MB classic
                          2020.2/edge:      2020.2   2020-07-29 (123) 502MB classic
                          2020.1/stable:    2020.1.3 2020-07-22 (121) 463MB classic
                          2020.1/candidate: 2020.1.3 2020-07-22 (121) 463MB classic
                          2020.1/beta:      2020.1.3 2020-07-22 (121) 463MB classic
                          2020.1/edge:      2020.1.3 2020-07-22 (121) 463MB classic
                          2019.3/stable:    2019.3.6 2020-05-06 (113) 460MB classic
                          2019.3/candidate: 2019.3.6 2020-05-06 (113) 460MB classic
                          2019.3/beta:      2019.3.6 2020-05-06 (113) 460MB classic
                          2019.3/edge:      2019.3.6 2020-05-06 (113) 460MB classic
                          2019.2/stable:    2019.2.5 2019-10-30  (92) 447MB classic
                          2019.2/candidate: 2019.2.5 2019-10-30  (92) 447MB classic
                          2019.2/beta:      2019.2.5 2019-10-30  (92) 447MB classic
                          2019.2/edge:      2019.2.5 2019-10-30  (92) 447MB classic
                          2019.1/stable:    2019.1.4 2019-05-30  (73) 386MB classic
                          2019.1/candidate: 2019.1.4 2019-05-30  (73) 386MB classic
                          2019.1/beta:      2019.1.4 2019-05-30  (73) 386MB classic
                          2019.1/edge:      2019.1.4 2019-05-30  (73) 386MB classic
                          2018.3/stable:    2018.3.4 2019-02-01  (61) 409MB classic
                          2018.3/candidate: ↑                               
                          2018.3/beta:      ↑                               
                          2018.3/edge:      ↑                               
                          2018.2/stable:    2018.2.7 2018-11-29  (55) 389MB classic
                          2018.2/candidate: ↑                               
                          2018.2/beta:      ↑                               
                          2018.2/edge:      ↑                               
                          2018.1/stable:    2018.1.7 2018-11-21  (52) 319MB classic
                          2018.1/candidate: ↑                               
                          2018.1/beta:      ↑                               
                          2018.1/edge:      ↑                               
                          2017.3/stable:    2017.3.5 2018-11-21  (51) 314MB classic
                          2017.3/candidate: 2017.3.5 2018-11-21  (51) 314MB classic
                          2017.3/beta:      2017.3.5 2018-11-21  (51) 314MB classic
                          2017.3/edge:      2017.3.5 2018-11-21  (51) 314MB classic
                        

                        So if OP wanted to stick with a stable 2019.1 release, they may be able to snap install clion --channel 2019.1/stable --classic, or use snap refresh.

                        Not all publishers take on the burden of doing this, but many that don’t want to break their users with major interface changes do :-)
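An added example (not from the thread or from snapd): a small parser for the `channels:` block of `snap info` output as shown above, which resolves the `↑` entries (a closed channel that follows the more stable channel listed above it in the same track) and lists the non-`latest` tracks whose stable channel is open, i.e. the ones you would pin to when you only want point releases within one major version. The sample output is a shortened copy of the listing in the comment above.

```python
# Parse `snap info` channel listings and pick a fixes-only track to pin to.
import re
from collections import OrderedDict

# Shortened copy of the `snap info clion` listing quoted above (constructed sample).
SAMPLE = """\
channels:
  latest/stable:    2020.2   2020-07-29 (123) 502MB classic
  latest/candidate: 2020.2   2020-07-29 (123) 502MB classic
  2020.1/stable:    2020.1.3 2020-07-22 (121) 463MB classic
  2019.1/stable:    2019.1.4 2019-05-30  (73) 386MB classic
  2018.3/stable:    2018.3.4 2019-02-01  (61) 409MB classic
  2018.3/candidate: ↑
  2018.3/beta:      ↑
  2018.3/edge:      ↑
"""

CHANNEL = re.compile(r"^\s*(?P<track>[^/\s]+)/(?P<risk>stable|candidate|beta|edge):\s*(?P<rest>.*)$")
ENTRY = re.compile(
    r"^(?P<version>\S+)\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\((?P<rev>\d+)\)\s+(?P<size>\S+)"
    r"(?:\s+(?P<confinement>\S+))?$"
)


def parse_channels(text):
    """Return {track: {risk: {"version", "revision", "closed"}}} in listing order.

    An entry of "↑" means the channel is closed and follows the channel printed
    above it within the same track, so it resolves to that channel's revision.
    """
    tracks = OrderedDict()
    last_open = None  # (track, entry) of the most recent open channel seen
    for line in text.splitlines():
        m = CHANNEL.match(line)
        if not m:
            continue  # "channels:" header or unrelated lines
        track, risk, rest = m.group("track"), m.group("risk"), m.group("rest").strip()
        if rest == "↑":
            if last_open is None or last_open[0] != track:
                raise ValueError(f"{track}/{risk}: closed channel with nothing above it")
            entry = dict(last_open[1], closed=True)
        else:
            e = ENTRY.match(rest)
            if not e:
                raise ValueError(f"{track}/{risk}: unrecognised entry {rest!r}")
            entry = {"version": e.group("version"), "revision": int(e.group("rev")), "closed": False}
            last_open = (track, entry)
        tracks.setdefault(track, OrderedDict())[risk] = entry
    return tracks


def fixes_only_tracks(tracks):
    """Tracks other than 'latest' whose stable channel is open (a real release lives there)."""
    return [
        track for track, risks in tracks.items()
        if track != "latest" and "stable" in risks and not risks["stable"]["closed"]
    ]


def pin_command(snap, track, classic=True):
    """The install command that tracks one major version, as in the comment above."""
    cmd = f"snap install {snap} --channel {track}/stable"
    return cmd + (" --classic" if classic else "")


if __name__ == "__main__":
    parsed = parse_channels(SAMPLE)
    for track in fixes_only_tracks(parsed):
        s = parsed[track]["stable"]
        print(f"{track}: {s['version']} (rev {s['revision']})  ->  {pin_command('clion', track)}")
```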

                    1. 7

                      I find them about equally easy to read, but I think I’m unusual that way.

                      1. 26

                        taviso is doing good work, but I’d love to know how much being deeply embedded in a big company that produces closed source software influences this mindset.

                        For me, reproducible builds are just as well for projects without multi million dollar funding and hundreds of full time people, it’s about having a common understanding that you can reproduce the build for software that you’ve downloaded, for a Linux distribution for example. Or just so that multiple people can build the source without relying on the “official” build pipeline, which would then yield (after verifying and signing, yadda yadda) the official release artifact, done by one of the important people in the project. I know it doesn’t make sense for Chrome because you have to trust Google anyway.

                        1. 16

                          Yeah I don’t understand this post. Like what does the part quoted below mean?

                          1. Why would a single vendor create and setup 2 disparate build infrastructures?

                          The setup I’m imagining for reproducible builds for open source is that someone can build binaries for you, and then you can build them yourself on your own hardware and verify that you got the same binary.

                          If you don’t have reproducible builds, then you can’t do that. People do not want to build all their code from scratch. But it’s absolutely a good thing that they CAN do it and CHECK the result.

                          Reproducible builds provide the best of both worlds – you don’t have to build it yourself, but you also have some assurance that what you’re running matches the source code (and if you don’t, you can get that assurance by building it)

                          1. In open source, you do not care about “stealing proprietary source code”. I think this whole post doesn’t apply to any of the reproducible build work I’ve seen.

                          Also, at Google the builds are deterministic/reproducible simply because of caching and distributed builds. About 10-15 years ago a very skilled former teammate of mine went around stamping out determinism problems in a lot of tools so that the cache rate was increased. Sorry I don’t have details since it was a long time ago. But Google’s internal builds are content-based, and sandboxed, thus reproducible.

                          So I’m honestly puzzled by the post (although I agree you have to take anything taviso says seriously, especially with regard to security. After all he was the guy who found out that Cloudflare was spraying random bytes all over the Internet due to a buffer overflow that could have been easily prevented)

                          Q. Build servers get compromised, and that’s a fact. Reproducible builds mean proprietary vendors can quickly check if their infrastructure is producing tampered binaries.

                          I think this is true, but ignores significant trade-offs. The vendor needs to create and maintain two disparate build infrastructures, and then provide additional people privileged access to that new infrastructure. If you don’t do this, there was no benefit to reproducible builds because you’d be building the same potentially compromised binary twice.

                          We know that attackers really do want to compromise build infrastructure, but more often they want to steal proprietary source code, which must pass through build servers.

                          This means that vendors will increase the likelihood of attacks that really are happening, to prevent an attack that could happen.

                          That is a significant trade off, and the decision to invest in reproducible builds isn’t as obvious as supporters claim.

                          1. 8

                            If you care about supply chain security at the distro level, have a look at what Guix is up to. Reproducible builds are just one ingredient, and probably not the most difficult either. It’s definitely not the Google product build system use case, though.

                            For security, you don’t really want bit-identical builds so much as a reproducible assurance case. Having a durable, meaningful, and comprehensive verification process is a much more difficult problem than just getting the hashes to match. Minimizing and stabilizing your TCB is a good start, I suppose.

                            1. 2

                              taviso is doing good work, but I’d love to know how much being deeply embedded in a big company that produces closed source software influences this mindset.

                              I choose to believe he wouldn’t write this strawman argument, and instead that my ISP is forcing me onto the unsecured HTTP connection to put up this article. Surely Tavis wouldn’t host his blog without valid HTTPS!

                            1. 11

                              As Tavis says himself: https://twitter.com/taviso/status/1288244033710481408:

                              Yes, there are reasonable non-security reasons you might want it, I’m only opposed to the security arguments.

                              Reproducible builds do not add much from a security perspective because to validate them, you have to do the entire work yourself and trust the inputs.

                              They are however useful from a development, debugging, deployment and distribution perspective (as mentioned already several times in the comments) and he does not deny that.

                              1. 4

                                Reproducible builds do not add much from a security perspective because to validate them, you have to do the entire work yourself and trust the inputs.

                                Nope, you can have multiple builders within the community who reproduce the build and sign off on it being identical. There’s a level of trust between “trust the vendor and their infrastructure entirely” and “build everything yourself”, and it is precisely this level that I have seen promoted by the reproducible builds people. :-)
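The middle level of trust described in this comment, as an added example (not code from the thread, from F-Droid or from any rebuilder project): several independent builders each publish a signed attestation of the artifact hash they reproduced for a given source revision, and a client accepts the vendor's binary only when at least a threshold of trusted builders agree with its hash. Signatures are HMAC-SHA256 over per-builder shared keys so the example runs offline; a real deployment would use public-key signatures instead.

```python
# Threshold verification of independent rebuilder attestations for one release.
import hashlib
import hmac
import json


def artifact_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_attestation(builder: str, key: bytes, source_ref: str, digest: str) -> dict:
    """What a rebuilder publishes: who built, which source revision, which hash, signed."""
    body = {"builder": builder, "source": source_ref, "sha256": digest}
    return {**body, "sig": hmac.new(key, _canonical(body), "sha256").hexdigest()}


def attestation_valid(att: dict, key: bytes) -> bool:
    body = {k: v for k, v in att.items() if k != "sig"}
    expected = hmac.new(key, _canonical(body), "sha256").hexdigest()
    return hmac.compare_digest(expected, att.get("sig", ""))


def verify_release(binary: bytes, source_ref: str, attestations: list, trusted_keys: dict, threshold: int):
    """Return (ok, agreeing_builders, rejection_reasons).

    ok is True only when at least `threshold` distinct *trusted* builders signed a
    valid attestation for this exact source revision whose hash matches `binary`.
    Caveat from the thread: if the published source itself is malicious, every
    honest rebuilder agrees and this check passes; it detects tampered build
    infrastructure, not tampered source.
    """
    digest = artifact_digest(binary)
    agreeing, reasons = set(), []
    for att in attestations:
        builder = att.get("builder", "<unknown>")
        key = trusted_keys.get(builder)
        if key is None:
            reasons.append(f"{builder}: not a trusted builder")
        elif not attestation_valid(att, key):
            reasons.append(f"{builder}: signature does not verify")
        elif att["source"] != source_ref:
            reasons.append(f"{builder}: attests source {att['source']}, wanted {source_ref}")
        elif att["sha256"] != digest:
            reasons.append(f"{builder}: rebuilt hash differs from the vendor binary")
        else:
            agreeing.add(builder)
    return len(agreeing) >= threshold, sorted(agreeing), reasons


# Constructed demo data: a release, three community rebuilders, one vendor binary.
SOURCE_REF = "v1.4.2+sha:deadbeef"  # placeholder source revision identifier
KEYS = {"alice": b"k-alice", "bob": b"k-bob", "carol": b"k-carol"}
CLEAN_BINARY = b"\x7fELF...clean build output..."
TAMPERED_BINARY = b"\x7fELF...clean build output...+implant"


def demo(binary: bytes, threshold: int = 2):
    """Every rebuilder reproduced the clean build; verify whichever binary the vendor shipped."""
    clean_digest = artifact_digest(CLEAN_BINARY)
    atts = [make_attestation(b, KEYS[b], SOURCE_REF, clean_digest) for b in KEYS]
    return verify_release(binary, SOURCE_REF, atts, KEYS, threshold)


if __name__ == "__main__":
    print("clean:   ", demo(CLEAN_BINARY))
    print("tampered:", demo(TAMPERED_BINARY))
```

Dropping the threshold to 1 turns the scheme back into "trust a single builder", and accepting untrusted keys turns it into "trust whoever shows up", which is why both parameters are explicit.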

                                1. 2

                                  F-Droid does this automatically. If upstream provides an APK, and F-Droid can exactly reproduce that APK, then F-Droid will distribute the one it built with the original’s signature applied in addition to F-Droid’s signature.

                                2. 2

                                  And yet.

                                  Such builds don’t prevent your source code from being malicious. They do make it harder for a compromised toolchain to go undetected by random users. They also help users verify the source they see is the source that built.

                                  If you build the same artifact twice and get different results, you learn nothing. Build it twice and get the same result, you know the toolchain did the same things both times, and that’s comforting.

                                  1. 1

                                    Reproducible builds do not add much from a security perspective because to validate them, you have to do the entire work yourself and trust the inputs.

                                    Which isn’t what they are writing though? Tavis claims the following:

                                    Now if the vendor is compromised or becomes malicious, they can’t give the user any compromised binaries without also providing the source code. […] Regardless, even if we ignore these practicalities, the problem with this solution is that the vendor that was only trusted once still provides the source code for the system you’re using. They can still provide malicious source code to the builders for them to build and sign.

                                    So this is largely from only one perspective, and that is proprietary vendors where the pristine source is only gotten from the vendor publishing the binaries themselves. This holds for proprietary vendors, but doesn’t for Open-Source distributions as pointed out earlier in this comment section.

                                  1. 1

                                    All of the parts that involve injections into a Javascript context can be summarized as “never inject anything into a script block”, with the exception that a full, well-formed JSON document where all slashes have been written as escaped (e.g. "foo\/bar" instead of "foo/bar") should be safe.
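An added example (not from the thread) of the one exception this comment allows, written as a server-side encoder: plain `json.dumps` output is unsafe inside a `<script>` block because a string value containing `</script>` closes the element before the JavaScript parser ever sees it, whereas writing every `/` as `\/` keeps the document valid JSON and removes that sequence. Going slightly beyond the comment, the encoder also escapes `<`, `>` and `&` as `\uXXXX`, which additionally neutralises the `<!--` sequence that HTML treats specially in script data.

```python
# Embedding server-side data in a <script> block without breaking out of it.
import json

# Characters that can end or alter the script element's data; all are valid
# as \uXXXX escapes inside JSON string literals.
_SCRIPT_SENSITIVE = {"/": "\\/", "<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}


def json_for_script(value) -> str:
    """JSON text that is safe to place verbatim inside <script>...</script>.

    ensure_ascii=True (the default) already turns U+2028/U+2029, which older
    JavaScript engines treated as line terminators inside string literals,
    into \\u2028 / \\u2029 escapes, so only the HTML-sensitive characters
    need extra handling.
    """
    text = json.dumps(value, ensure_ascii=True, separators=(",", ":"))
    for ch, esc in _SCRIPT_SENSITIVE.items():
        text = text.replace(ch, esc)
    return text


def script_block(var_name: str, value) -> str:
    """Render `<script>var NAME = <json>;</script>` for a trusted variable name."""
    if not var_name.isidentifier():
        raise ValueError(f"not a JavaScript identifier: {var_name!r}")
    return f"<script>var {var_name} = {json_for_script(value)};</script>"


def naive_block(var_name: str, value) -> str:
    """The unsafe version for comparison: raw json.dumps inside the element."""
    return f"<script>var {var_name} = {json.dumps(value)};</script>"


def breaks_out(block: str) -> bool:
    """True if the HTML tokenizer would end the script element early: more than
    the single trailing </script> is present, or a <!-- sequence appears."""
    lower = block.lower()
    return lower.count("</script") > 1 or "<!--" in lower


# Constructed sample: user-controlled content that would otherwise escape the block.
SAMPLE = {"display_name": "Ann </script><!-- x", "bio": "likes a/b tests", "n": 3}

if __name__ == "__main__":
    print(naive_block("user", SAMPLE), "-> breaks out:", breaks_out(naive_block("user", SAMPLE)))
    print(script_block("user", SAMPLE), "-> breaks out:", breaks_out(script_block("user", SAMPLE)))
```

The browser's JSON parser undoes every escape, so `JSON.parse`/the JS literal yields the original value unchanged; the test below checks that round trip with Python's parser, which follows the same string-escape rules.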

                                    1. 12

                                      Come to the dark side, we have enums and match statements.

                                      1. 1
                                        enum kind { enum_xx, enum_yy };        /* the variants */
                                        enum kind enum_variable = enum_xx;
                                        switch (enum_variable) {
                                        case enum_xx: /* handle xx */ break;
                                        case enum_yy: /* handle yy */ break;
                                        }
                                        

                                        would be another way of doing it. It requires using the syntax-heavy switch everywhere, maybe it was implicit that structs were used precisely to avoid enum + switch. No idea…

                                      1. 17

                                        The key idea around semver is around choice.

                                        I disagree. The key idea in semver is awareness.

                                        When I’m bumping versions of a bunch of libraries, I want to know which version bumps are most likely to cause breakage.

                                        1. 30

                                          The reason they spread these misconceptions is straightforward: they want to discourage people from using the AGPL, because they cannot productize such software effectively.

                                          This doesn’t stand up to even a modicum of scrutiny. First of all, it assumes you know the intent of Google here. I don’t think Google’s intentions are that great to be honest, but as a rule of thumb, if you form an argument on knowing the intentions of other humans, it’s probably a bad argument unless you can provide credible evidence of their intent. Secondly, I see no such credible evidence in this article, and the lack of attention paid to how Google handles other licenses in this article is borderline disingenuous. All I see is a casual observation that Google’s policy benefits them systemically, which I would absolutely agree with! But that shouldn’t be a surprise to anyone.

                                          Why? Because it omits critical context. The AGPL is not the only license that Google bans. They also ban the WTFPL, which is about as permissive as it gets. They ban it because they have conservative legal opinions that conclude it has too much risk to rely on. I think those legal opinions are pretty silly personally, although I am somewhat biased because I’ve released code under the WTFPL only to have one Googler after another email me asking me to change the license because it’s banned at Google.

                                          My point is that there are other reasonable business explanations for banning licenses. Like that a team of lawyers paid to give their best expert advice on how a judge would rule for a particular license might actually, you know, be really risk averse. Licenses aren’t some black and white matter where things that are true and things that are not are cleanly separated in all cases. There’s oodles of grey area largely because a lot of it actually hasn’t been tested in court. Who would have thought the courts would rule the way they did in Google v. Oracle?

                                          What’s the cost of being wrong and having Google required to publish all of their source code? Can anyone here, even a Googler, even begin to estimate that cost? If you haven’t thought about that, then you probably haven’t thought deeply enough to criticize the intentions on this particular piece of “propaganda.” Because that’s probably what Google’s lawyers are weighing this against. (And probably an assortment of other such things, like the implications of allowing AGPL but giving each such use enough scrutiny as to be sure that it doesn’t wind up costing them dearly.)

                                          But by all means, continue punishing companies for making their policies like this public. Because that’s a great idea. (No, it’s not. Despite how annoying I find Google’s policies, I really appreciate having them documented like they are.)

                                          Disclaimer: I don’t like copyleft, but primarily for philosophical reasons.

                                          1. 11

                                            I don’t think Google’s intentions are that great to be honest, but as a rule of thumb, if you form an argument on knowing the intentions of other humans, it’s probably a bad argument unless you can provide credible evidence of their intent.

                                            As someone who previously worked on the open source team at Google and sat in the office and am friends with these humans, I can say very strongly that those lawyers do not have some sort of hidden agenda. It is also certainly false to assume they are not competent at their job. My read is that they are, as you might expect, very good at their job (noting I am also not a lawyer).

                                            A common mistake I see many commenters (and news stories etc etc) make, and I think you tend to unintentionally, is to talk about Google as if it is a single anthropomorphic entity with its own thoughts and feelings. This piece does the same. There is not “a Google” that is making amoral decisions for its global benefit. There is an office of humans that try their best and have good intentions.

                                            The team makes decisions in this order:

                                            1. Protect the open source ecosystem.
                                            2. Protect the company.

                                            “Protect the ecosystem” is hard to believe if you buy into the “amoral entity” argument but is provably true: the easiest way to protect the company is to ban open source contribution (aside from forced copyleft terms) at all, but Google does this a lot under the Apache 2 (permissive) license. The banned licenses, as you note, are those that either do not have enough specificity (like WTFPL) or ones with what the legal team believe are onerous terms. They are good lawyers, and so you have to assume they have a pretty strong case for their interpretation. Even if you think they are wrong (as all law is essentially malleable), hashing things out in court to decide what the terms of the license truly mean is a really bad use of time and money.

                                            1. 13

                                              There is not “a Google” that is making amoral decisions for its global benefit. There is an office of humans that try their best and have good intentions.

                                              Yes, there is. The two are not mutually exclusive. A corporation like Google is structured in such a way that the sum of all its humans, all trying their best, serves the interests of the company. It’s not anthropomorphic, but it does have an agenda, and it’s not necessarily that of any of its constituent humans. Whether morality features prominently on that agenda is a legitimate matter for debate.

                                              I think you’re trying to open a semantic crack in which responsibility can be lost: misdeeds are attributed to Google, but since Google isn’t one person it can’t be guilty of anything. But if companies really aren’t more than the sum of their parts, at least one person at Google must be responsible for each of its transgressions, which I think casts doubt on the claim that they have good intentions.

                                               

                                              The team makes decisions in this order:

                                              1. Protect the open source ecosystem.
                                              2. Protect the company.

                                              Maybe that’s true of the open source team. It’d be hard to believe that of Google in general—partly because it’s a company and you’d expect it to protect itself first, but more concretely because there’s history. Google has been hegemonizing Android for years. They’re also trying to do the same to the Web, via Chrome. The open source ecosystem gets to use whatever Google puts out, or suffer. I don’t see how that’s healthy.

                                               

                                              “Protect the ecosystem” is hard to believe if you buy into the “amoral entity” argument but is provably true: the easiest way to protect the company is to ban open source contribution (aside from forced copyleft terms) at all, but Google does this a lot

                                              (I note that you don’t have a problem anthropomorphizing Google when it’s doing things you think are good.)

                                              I’ve yet to see the proof. Publishing open source software doesn’t necessarily speak to any commitment to the wellbeing of the open-source ecosystem, nor does it typically carry any great risk. Let’s take a couple of minutes to think of as many reasons as we can why a company might publish open-source software out of self-interest:

                                              • The existence of good tooling for markets you dominate (web, mobile) directly benefits you
                                              • Developers like publishing things, so letting them publish things is a cheap way to keep them happy if it doesn’t hurt you too badly
                                              • It’s great PR
                                              • If you have a way to use your open-source thing in a way that nobody else does, the free work other people do on it gives you an advantage

                                              You might say: so what? Obviously they have businessy motivation to care about open source, but what does it matter if the result is they care about open source? But, as we’ve seen, the moment it benefits them to work flat-out on destroying an open ecosystem, they do that instead.

                                              1. 3

                                                But, as we’ve seen, the moment it benefits them to work flat-out on destroying an open ecosystem, they do that instead.

                                                This could be said of nearly any corporation as well.

                                                Move from OS sales to cloud services, buy an open-source friendly company, release a good editor that works on the competition, and even inter-op with the competition.

                                                The example may have the best intentions in mind, insofar as a corporation can, but could also be a long-con for traction and eventually blast out something that makes the users jump ship to the corporation’s platform.

                                                Best part of it all is, it could be hedging in case that “something” comes along. There is some win either way and an even bigger win if you can throw the ideals under the bus.

                                                1. 2

                                                  For sure. It’d be naïve to think Microsoft had become nice. They’ve become smarter, and they’ve become a smaller player comparatively, and in their situation it’s pragmatic to be a good citizen. Google was the same with Android before they won their monopoly.

                                                2. 2

                                                  (I note that you don’t have a problem anthropomorphizing Google when it’s doing things you think are good.)

                                                  It’s easy to do, mistakes were made, I’m human. Don’t assume malice or misdirection.

                                                  1. 5

                                                    I don’t assume either. I think it’s a natural way to communicate about organisations. But your opening gambit was about how talking about Google in those terms betrayed some error of thought, so I’d hoped that pointing this out might give you pause to reconsider that position. I didn’t mean to cast doubt on your sincerity. Apologies.

                                                    1. 2

                                                      All good 👍

                                                3. 10

                                                  Right, I mostly agree with what you’re saying! I do think a lot of people make the mistake of referring to any large company as a single entity, and it makes generalizing way too easy. With the WTFPL thing, I experienced that first hand: a bunch of individuals at Google reached out to me because none of them knew what the other was doing. And that’s a totally reasonable thing because no large company is one single mind.

                                                  Now, I don’t want to come off like I think Google is some great thing. The WTFPL thing really left a sour taste in my mouth because it also helped me realize just how powerful Google’s policies are from a systemic point of view. They have all these great open source projects and those in turn use other open source projects and so forth. My libraries got caught up in that, as you might imagine in this day and age where projects regularly have hundreds or thousands of dependencies, and Google had very powerful leverage when it came to me relicensing my project. Because it worked itself back up the chain. “{insert google project here} needs to stop using {foo} because {foo} depends on {burntsushi’s code that uses WTFPL}.” Now foo wants to stop using my code too.

                                                  I’m not saying any of this is particularly wrong, to be honest. I am an individualist at heart so I generally regard this sort of thing as okay from an ethical or legal perspective. But still, emotionally, it was jarring.

                                                  Do I think the lawyers in Google’s open source policy office think about that sort of effect it has on individuals? I don’t really. I don’t think many do. It’s probably a third order effect of any particular decision, and so is very hard to reason about. But from my perspective, the line of policy making on Google connects very directly to its impact on me, as an individual.

                                                  In the grand scheme of things, I think this is not really that big of a deal. I’m not all hot and bothered by it. But I do think it’s a nice counter-balance to put out there at least.

                                                  1. 4

                                                    To play devil’s advocate:

                                                    It appears that seasoned lawyers have deemed the license you use “not specific enough”.

                                                    Isn’t the whole point of a license to fully lay out your intentions in legal terms? If it doesn’t succeed at that, wouldn’t it be better to find another license that does a better job at successfully mapping your intentions to law?

                                                    1. 6

                                                      To be clear, I don’t use the WTFPL any more, even though I think it makes my intent perfectly clear. So in a sense, yes, you’re right and I changed my behavior because of it. I stopped using it in large part because of Google’s influence, although the WTFPL didn’t have a great reputation before Google’s policy became more widely known either. But most people didn’t care until Google’s policy influenced them to care. Because in order for my particular problem to exist, some amount of people made the decision to use my project in the first place.

                                                      I brought up the WTFPL thing for two reasons:

                                                      • To demonstrate an example of a license being banned that isn’t copyleft, to show that Google has other reasons for banning licenses than what is stated in the OP.
                                                      • To demonstrate the impact of Google’s policies on me as an individual.

                                                      I didn’t bring it up with the intent to discuss the particulars of the license though. I’m not a lawyer. I just play one on TV.

                                                      1. 2

                                                        But I think even Google’s influence is just one example of the commercial world interacting with the “libre” world; in this light, Google is just entering earlier and/or investing more heavily than its peers. And it could be argued that’s a good thing, as it puts libre creators more in touch with the real needs of industry. It’s the creator’s choice whether to acknowledge and adapt to that influence, or to bend to it entirely. As I see it, Google can’t make you do anything.

                                                        I do hope that Google carves out exceptions for things like Affero though, since I share Drew’s confusion at Google’s claim of incompatibility. I’m in the same boat, after all; I’m also a user of a niche license (License Zero), the legal wording of which I nevertheless have great confidence in.

                                                        I believe that at some point, companies like Google will have to bend to the will of creators to have control over how their work is licensed. I happen to use License Zero because it seems to provide more control on a case-by-case basis, which I think is key to effecting that shift.

                                                        1. 4

                                                          I do hope that Google carves out exceptions for things like Affero though, since I share Drew’s confusion at Google’s claim of incompatibility.

                                                          Large parts of Google work in a monorepo in which anything goes if it furthers the mission. The Google licensing site brings up that example of a hypothetical AGPL PostGIS used by Google Maps. In normal environments that wouldn’t be an issue: your code interfaces to PostGIS through interprocess APIs (which still isn’t linking even with the AGPL) and users interact with your code, but not with PostGIS. In the monorepo concept code can quickly be drawn into the same process if it helps any. Or refactored to be used elsewhere. That “elsewhere” then ends up under AGPL rules which could be a problem from a corporate standpoint.

                                                          It’s a trade-off between that flexibility in dealing with code and having the ability to use AGPL code, and the organizational decision was apparently to favor the flexibility. It can be possible to have both, but that essentially requires having people (probably lawyers) poring over many, many changes to determine if any cross pollination between license regimes took place. Some companies work that way, but Google certainly does not.

                                                          I believe the issue with WTFPL is different: because it’s so vague my guess is that the open source legal folks at Google would rather see that license disappear completely to protect open source development at large from the potential fallout of it breaking down eventually, while they probably don’t mind that the AGPL exists. At least that’s the vibe I get from reading the Google licensing site.

                                                          (Disclosure: I work at Google but neither on open source licensing nor with the monorepo. I also don’t speak for the company.)

                                                          1. 4

                                                            As I see it, Google can’t make you do anything.

                                                            Maybe I didn’t express it clearly enough, but as I was writing my comments, I was painfully aware of the possibility that I would imply that Google was making me do something, and tried hard to use words that didn’t imply that. I used words like “influence” instead.

                                                            And it could be argued that’s a good thing, as it puts libre creators more in touch with the real needs of industry. It’s the creator’s choice whether to acknowledge and adapt to that influence, or to bend to it entirely.

                                                            Sure… That’s kind of what I was getting at when I wrote this:

                                                            I’m not saying any of this is particularly wrong, to be honest. I am an individualist at heart so I generally regard this sort of thing as okay from an ethical or legal perspective. But still, emotionally, it was jarring.

                                                            Anyway, I basically fall into the camp of “dislike all IP.” I’d rather see it abolished completely, for both practical and ideological reasons. Then things like copyleft can’t exist. But, abolishing IP would change a lot, and it’s hard to say how Google (or any company) would behave in such a world.

                                                            1. 2

                                                              Anyway, I basically fall into the camp of “dislike all IP.” I’d rather see it abolished completely, for both practical and ideological reasons.

                                                              Maybe we should turn Google into a worker coop 😉 Then its employees could change IP policy like you say, the same way they successfully protested the deals w/ China & the US military.

                                                    2. 3

                                                      There is not “a Google” that is making amoral decisions for its global benefit. There is an office of humans that try their best and have good intentions.

                                                      Mike Hoye wrote a short article called “The Shape of the Machine” a couple of months ago that examines the incentives of multiple teams in a large company. Each team is doing something that seems good for the world, but when you look at the company as a whole its actions end up being destructive. The company he’s talking about also happens to be Google, although the lesson could apply to any large organization.

                                                      I definitely agree with you that Google has lots of capable, conscientious people who are doing what they think is right. (And to be honest, I haven’t thought about the licensing issue enough to be able to identify whether the same thing is at play here.) I just think it’s good to keep in mind that this by itself is not sufficient for the same to be said for the organization as a whole.

                                                    3. 9

                                                      This is exactly what I came here to say. Basing an argument on your own interpretation of a license is a great way to get into legal trouble. Not only is there the risk that a judge in a court of law may disagree with your interpretation, but there is also the risk that you will invite litigation from others that have a different interpretation, and, disregarding the risk of losing that litigation, that litigation has a cost.

                                                      So by using AGPL you incur not only the risk of having the wrong interpretation once it is tested in court but also the risk of an increase in costly litigation over time. This risk is further magnified by your size and how much larger it makes the target on your back.

                                                      1. 12

                                                        Basing an argument on your own interpretation of a license is a great way to get into legal trouble

                                                        The article starts with “I’m not a lawyer; this is for informational purposes only”, and then proceeds to make strong un-nuanced claims about the license and even proceeds to claim that Google’s lawyers are incompetent buffoons and/or lying about their interpretation. Saying you’re not an expert and then pretending you are in the very next sentence is pretty hilarious. It’s abundantly clear this article is to support the author’s politics, rather than examine legal details.

                                                        1. 6

                                                          I’m not a lawyer; this is for informational purposes only

                                                          I believe that Americans write that type of disclaimer because it is illegal over there to practice law without a license, and articles about software licenses can easily wander into dangerous territory. So based on that, I think it’s unfair to hold that up as a point against the article.

                                                          Disclaimer: I’m not a lawyer; this is for informational purposes only.

                                                          1. 1

                                                            I started to call that tactic ‘joe-roganizing’. He does the same: “I don’t know anything about this.” Then, in the next sentence: ‘[very strong opinion] - everyone who disagrees is surely stupid….’

                                                        2. 9

                                                          I worked at a startup where we had a massive compliance burden (yay FDA!) and so had even fewer resources than usual. One of my jobs as engineering lead there was to go and audit the tools and source that we were using and set guidelines around what licenses were acceptable because we could not afford the lawyer time if there were any issues.

                                                          If the AGPL had been tested in court, I think companies would be a bit more chill about it, but I reckon that nobody wants to bankroll a legal exploration that could turn out very much not in their favor.

                                                          One of the annoying things too about licensing, especially with networked systems and cloud stuff, is that the old reliable licenses everybody basically understands (mostly) like BSD and MIT and GPL and LGPL were made in a (better) world where users ran the software on machines they owned instead of interacting with services elsewhere. We still haven’t really identified an ontology for how to treat licensing for composed services on a network, versus how to handle services that provide aggregate statistics for internal use but not for end users, versus dumbly storing user data, versus transforming user data for user consumption.

                                                          1. 4

                                                            What’s the cost of being wrong and having Google required to publish all of their source code?

                                                            That’s not how the AGPL works.

                                                            The AGPL does not force you to distribute anything.

                                                            If they’re “wrong”, they are in breach of contract. That’s it. They can then remedy that breach either by ceasing use of that software or by distributing their changes, or even by coming to some alternative agreement with the copyright holders of the AGPL’d software in question.

                                                            1. 2

                                                              This seems like a nit-pick. The point of my question was to provoke thought in the reader about the costs of violating the license. What are those costs? Can you say with certainty that they will be small? I’m pretty sure you’d need to be a lawyer to fully understand the extent here, which was my way of saying, “give deference where it’s due.”

                                                              I personally think your comment is trying to minimize what the potential costs could be, but this isn’t theoretical. Oracle v. Google is a real world copyright case that has been going on for years and has almost certainly been extremely costly. I don’t see any reason why an AGPL violation couldn’t end up in the same situation.

                                                              1. 4

                                                                It’s an actual misconception that many people have, and I don’t think it’s good to perpetuate it.

                                                                1. 2

                                                                  I guess that’s fair, but it seems like splitting hairs to me. Even you said “distributing their changes” as a possible remedy, and there’s a fine line between that and “publish all of their source code.” It really depends on how the law and license is interpreted, and nobody knows how it will be. So lawyers guess and they guess conservatively.

                                                                  1. 0

                                                                    The easiest way not to perpetuate it is to not use the AGPL.

                                                              2. 3

                                                                Thanks for saying this. I don’t work at Google, but I know many people who work at it and other large companies and have talked with them about license policy, and the article just reeks of ignorance as to how corporate lawyers work; even for relatively small companies.

                                                                There’s no ideology here, there’s just lawyers doing what they were hired to do: use an abundance of caution to give the company as ironclad a position as possible.


                                                                Hell, forget WTFPL, I’ve been waved off considering triple licensing of (approved) licenses by Googlers as “the lawyers would never go for this”. The lawyers are going to go for well understood, battle tested licenses where the failure cases aren’t catastrophic.


                                                                Besides that it seems like the article misunderstands what constitutes a “derivative work”, if the article’s definition of “derivative work” (i.e., the code must be modified, not simply “used as a dependency”) was the one used by the *GPL licenses, then there would be no need for LGPL to exist.

                                                                1. 1

                                                                  but as a rule of thumb, if you form an argument on knowing the intentions of other humans, it’s probably a bad argument

                                                                  This is not true.

                                                                  Firstly, the rule for another person and the rule for CORPORATIONS are completely different. Corporations do not operate like people do. When corporations are small, they sort of do, but as they grow larger they become more corporation-like.

                                                                  Secondly, it is impossible to know the intentions of other humans. So by this argument, no argument is ever good.

                                                                  We might give people the benefit of the doubt, because people are mostly good. They are ruled by an ethical system, built into their brain, to socialise and cooperate. Corporations do not have this internal system. Their motivational system is entirely profit based, and therefore you cannot treat them like people.

                                                                  If you have been alive long enough and paid attention to what corporations do, and especially google, the idea that they consider AGPL hostile, and wish to limit its influence and expansion, is highly plausible. How will they limit its influence? They could ban it completely, and then publish a document detailing why they think it’s bad. That’s highly plausible.

                                                                  Is risk-averse lawyering a factor? Most likely yes. But risk-averse lawyering adds to the hostility argument. Having received the advice from lawyers to not use AGPL, leadership would easily conclude that a limit to AGPL spread would give them the best chance of getting free software and having their way.

                                                                  Additionally, your steelman argument does not explain why google publishes that they do not like AGPL. They could keep it entirely internal. Why do you think they would do that? Free legal advice to competing startups?

                                                                  1. 3

                                                                    Firstly, the rule for another person and the rule for CORPORATIONS are completely different. Corporations do not operate like people do. When corporations are small, they sort of do, but as they grow larger they become more corporation-like.

                                                                    That makes sense in a certain light, sure. But I don’t see what it has to do with my point.

                                                                    Secondly, it is impossible to know the intentions of other humans. So by this argument, no argument is ever good.

                                                                    I don’t really agree. It might be true in the strictest philosophical sense, but that needn’t be our standard here. Intent is clearly something that we as a society have judged to be knowable to an extent, at least beyond some reasonable doubt. Just look at the criteria for being convicted of murder. It requires demonstrating something about the intent of someone else.

                                                                    Why do you think they would do that?

                                                                    When was the last time you saw any company publish legal advice generated by internal review?

                                                                    If you have been alive long enough and paid attention to what corporations do, and especially google, the idea that they consider AGPL hostile, and wish to limit its influence and expansion, is highly plausible. How will they limit its influence? They could ban it completely, and then publish a document detailing why they think it’s bad. That’s highly plausible.

                                                                    I think you’ve really missed my point. If the OP were an article discussing the plausibility of one of any number of reasons why Google published an anti-AGPL policy, then I would almost certainly retract my comment. But that’s not what it was. It’s a one sided turd without any consideration of alternative perspectives or explanations at all.

                                                                1. 20

                                                                  If a civil or structural engineer were told by their boss to do something so clearly deceitful and potentially harmful to the public on behalf of a big client, they could take their concerns to their professional society, who would protect them and perhaps even take other legal action to protect both the public and the reputation of the profession. In fact, if they didn’t, and one of their colleagues found out, they could be in trouble with their association – which could have real consequences for their career. But if a “software engineer” has such qualms, the best they can do is quit (leaving a vacancy for someone who may not have the same scruples) and maybe, as a stretch, put themselves at risk by trying to raise awareness as an unprotected individual whistleblower.

                                                                  That’s why I say we’re not real engineers. It’s nothing to do with what kind of work we do or how we do it. It has everything to do with our lack of professional standing in society at large, and institutions which can defend it. Until we can govern ourselves the way that architects or attorneys or doctors or all the real engineering disciplines do, we are just unusually well-paid labor, externalizing risk onto the public with no effective responsibility, to our collective shame.

                                                                  1. 4

                                                                    That’s why I say we’re not real engineers.

                                                                    I agree entirely - but have largely given up on a battle that most of my colleagues and employers incorrectly consider to be purely semantic.

                                                                    I’m also very, very wary of calls for compulsory regulation and registration with professional societies. A lot of what programmers do isn’t engineering, by design.

                                                                    1. 1

                                                                      I’m not interested in the semantics battle, myself. I’d say it’s still very early days for the professionalization of software, and I’d like to be clear that I’m not calling for anything in particular at present. Nor am I holding my breath. But I do anticipate some change over the span of my own career, and there’s plenty of historical precedent for anyone who cares to look. I spell out my position in some detail in my reply to LibertarianLlama.

                                                                    2. 4

                                                                      If a civil engineer does something bad, a building collapses and 100 people die.

                                                                      A software not-engineer does not have this problem 95% of the time.

                                                                      For the OP’s article, the story is a person who was asked to code a marketing website for a drug. Another person suicided while on said drug. Therefore, the marketing website is unethical.

                                                                      This is wrong. It could have been that the drug will save 10,000 people for every suicide it causes. It is the responsibility of the patient and their doctors to weigh the risk/reward of a particular drug. Doctors and researchers have a system they built to weigh the risk/reward of drugs and to control the corporations that develop those drugs.

                                                                      To simply conclude that the drug is unethical, therefore making a website marketing it is unethical, based on one case of a negative outcome, with no mention of positive cases, is simply not a good way to arrive at the conclusion of whether this is ethical.

                                                                      That’s why I say we’re not real engineers. … It has everything to do with our lack of professional standing in society at large, and institutions which can defend it. … we are just unusually well-paid labor, externalizing risk onto the public with no effective responsibility, to our collective shame.

                                                                      Lawyers are considered the bane of civilisations by many people. They build an overly legalised system to extract rent from societies via legal obligations. Why do you consider them to have ‘standing’ in society?

                                                                      Is your argument that if programmers get together, create “The Grand Association of Serious and Ethical Programeers”, that we will have standing? Or that we will be ‘serious business’ in the eyes of the public? Or that we will be real white collars? Or a real profession? And that we will be able to defend the honour and dignity of our sir programeers? Will we demand a uniform of t-shirts and hoodies like lawyers do? Because we are serious business.

                                                                      Programmers deliver a HUGE amount of value. There’s absolutely no gatekeeping. A random kid with internet access from the poorest part of the world can get a remote job, with a salary that will completely transform his extended family’s lives. This is not possible as a lawyer, or a doctor, or an ‘engineer’. No matter how good you could be, without the correct due paid to the correct universities, and going through their gatekeeping processes. It is the realisation of the free market dream, in a way that is potentially completely transformative. But we shouldn’t have that, because some people decided to code a marketing website for a drug that has otherwise been okayed by those doctors and lawyers that you hold in such great esteem, and he didn’t like it that a person who was on that drug died from its side-effect.

                                                                      If you only read the news about people drowning, soon you will want to ban water.

                                                                      1. 4

                                                                        Regardless of whether the drug itself is good or bad, the marketing was deceptive, which both the OP and I see as unethical. Anyone with even a passing acquaintance with the US (and international) pharmaceutical industry knows that they have a long history of doing some incredibly shady stuff, despite being highly regulated. Certainly they love loopholes. But that’s pretty tangential to my point, which was simply about what actions you can take as an engineer given a task that you judge to be unethical, what are the expected outcomes of those actions, and what that says about our societal status collectively, as a nascent profession.

                                                                        I get that you don’t like lawyers. Maybe (like some people would say about guns) it would be a better world if they had never been invented, but that’s strictly fantasy. In the real world, I think it’s pretty uncontroversial to point out that they wield significant power, have effective self-regulation and autonomy, and consequently command respect. Certainly, as a profession, they are nearly as old as medicine, and equally established. It doesn’t matter how you feel about them as a class of people.

                                                                        I don’t see any need for your GASEP: in fact, we already have the ACM and the IEEE. And no, I don’t look forward to a world where (say) ACM membership is compulsory for junior web devs. There are several established ways that society regulates dangerous work. Building contractors, for example, must be licensed, bonded, and insured – but that doesn’t replace building permits and inspections. Architects have their own responsibilities. It’s a complex and nuanced topic that might not be the best basis for analogy anyway. What I’m saying is, as society gradually comes to rely more on our work, and the potential for real harm increases, that work will be regulated, one way or another. We can either self-regulate, or we can be entirely governed by legislation and the internal regulation processes of other fields. In practice, it will probably be both, and will emerge gradually over a generation or two, because our field is still too immature to have any real basis for standardizing practices. But I’m from a blue-collar background myself, and I’m in favor of software practitioners having at least some autonomy and professional standing, which requires self-regulation. We’re not all like handymen or union carpenters. At least some of us are doing work that’s more like that done by architects and structural engineers.

                                                                        In summary, you argue that:

                                                                        1. Most of what we do can’t cause real harm
                                                                        2. Doctors and researchers and laws already sufficiently regulate the drug market such that no professional judgement by website developers is needed
                                                                        3. The economic benefits of unrestricted access to high-paying tech jobs outweigh any prospective dangers

                                                                        I’d say that (1) is becoming less and less true as software chews through the world and digests what it can. As for (2), I suppose we can just wait for web-based pharmaceutical ads to be as regulated as on TV etc, but it’s entirely beside my point. As for (3), I think it’s worth distinguishing between the costs and benefits borne by practitioners and those borne by their employers, their customers, and society at large. A balance must be struck, and that balance may well shift over time.

                                                                        1. 3

                                                                          If a civil engineer does something bad, a building collapses and 100 people die.

                                                                          A software not-engineer does not have this problem 95% of the time.

                                                                          I’m pretty sure most of the civil engineer fuckups just result in expensive shore-ups and re-builds. But… I can’t actually back up that claim.

                                                                          It could have been that the drug will save 10,000 people for every suicide it causes.

                                                                          As mentioned elsethread, this was probably anti-acne drug Accutane.

                                                                          1. 1

                                                                            A software not-engineer does not have this problem 95% of the time.

                                                                            That is why even a senior software engineer is equal / equivalent to a skilled builder / construction worker. They do not go to jail for the collapse. The Civil Engineer does (depending on the country and jurisdiction, on the size of what was built, etc).

                                                                            So, who’s ready to go to jail?

                                                                        1. 5

                                                                          I have read for years about how evil email enumeration is… but guess what? I think the benefit of being able to tell a user that they are using the wrong username instead of a wrong password outweighs any theoretical danger of revealing that a certain email is being used. Change my mind.

                                                                          1. 10

                                                                            I’ll take a stab at trying to change your mind. For some context, I’m a Penetration Tester by trade and this specific topic is, in my opinion, a great example of subtle risks with huge real world impacts.

                                                                            The issue of username/email enumeration has two attack patterns:

                                                                            • Password spraying - Guessing a weak password across tons of accounts, like bruteforcing but trying to find the email with the weak password not the weak password for the email.
                                                                            • Password “stuffing” - Taking a known compromised credential and trying to authenticate to tons of other services that the credential pair was re-used at

                                                                            For password spraying, there is only one thing I actually need: a username/email. In the real world I go from an External Network Penetration Test to internal network access ~80% of the time because of username enumeration and some strategically guessed passwords. Having the ability to get a list of known usernames to target greatly reduces the amount of guesses I have to make and ramps my accuracy up a ton.

                                                                            For a full example, say I am targeting your corporate mail server based off of Exchange or O365 to try and guess credentials that I can then re-use on the target VPN infrastructure. My very first step is to grab a list of known emails/usernames from previous password dumps, public information, or directories. Then I generate a list of potential name combinations from location specific birth information by year. Next comes the actual username enumeration where I try and identify the “valid” accounts (aka what you are asking). In my example, Microsoft agrees with you and doesn’t believe that username/email enumeration is a risk… Which is why I wrote a ton of tooling to automatically use NTLM/HTTP timing based responses to enumerate the valid users. Now armed with a list of what are guaranteed usernames/emails, I just start picking down the list of the season’s hottest passwords over the next few days; Summer2020!, Password1!, Companyname2020!. All I really need is one credential. It’s not about the single user, it’s about the bulk knowledge. If I was going in blind without the confirmed accounts then I would be generating tons and tons more traffic and would be even easier to flag on; having enumeration puts the statistics of getting automated guesses way way more on the attacker’s side.

                                                                            The other example is password stuffing. This is more straightforward: given that I have a compromised username/email and password for a user, I can take a bot that knows how to authenticate to tons of different services (banks, social media, blah blah blah) and try those combinations. If username enumeration exists on these services it actually allows me to check to see if accounts are valid for the service before actually submitting my automated logins. If I am a bot herder my job is to try and stay undetected for as long as possible, and the enumeration greatly assists in that.

                                                                            Hopefully that helps! It’s one of those strange things where people forget about the collective risk and focus more on the singular threat models; attackers rarely care about the individual irl.
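The mitigation that follows from the reply above, as an added example that is not code from the thread: a leaky login handler beside a hardened one, in Python, over a constructed user store. The hardened version returns one failure message and does the same password-hashing work for unknown and known usernames, since the reply notes that timing differences alone are enough to enumerate accounts.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Tuple

ITERATIONS = 100_000  # PBKDF2 cost; high enough that skipping it is measurable


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed demo user store (username -> (salt, hash)); not from the thread.
_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _hash("correct horse battery staple", _SALT))}

# Dummy credential hashed at the same cost, used when the username is unknown so
# that a non-existent account costs exactly as much to "verify" as a real one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_urlsafe(32), _DUMMY_SALT)

GENERIC_FAILURE = "Invalid email address or password"


def login_leaky(username: str, password: str) -> Tuple[bool, str]:
    """'Before' version. Two distinct failure messages tell the caller whether
    the account exists, and the early return on an unknown user skips the
    expensive hash, so response time leaks the same fact even if the message
    were made uniform."""
    record = USERS.get(username)
    if record is None:
        return False, "Unknown email address"
    salt, stored = record
    if hmac.compare_digest(_hash(password, salt), stored):
        return True, "Welcome"
    return False, "Wrong password"


def login_hardened(username: str, password: str) -> Tuple[bool, str]:
    """'After' version. One message for every failure and the same amount of
    hashing work whether or not the account exists."""
    record = USERS.get(username)
    salt, stored = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    matched = hmac.compare_digest(_hash(password, salt), stored)
    # The dummy exists only to burn the same time; it must never log anyone in.
    if record is not None and matched:
        return True, "Welcome"
    return False, GENERIC_FAILURE


def timed(fn, username: str, password: str) -> Tuple[Tuple[bool, str], float]:
    """Run one login attempt and report wall-clock seconds taken."""
    start = time.perf_counter()
    result = fn(username, password)
    return result, time.perf_counter() - start


if __name__ == "__main__":
    # Compare message and latency for a known vs. unknown account in both versions.
    for fn in (login_leaky, login_hardened):
        for user in ("alice@example.com", "nobody@example.com"):
            (ok, msg), secs = timed(fn, user, "Summer2020!")
            print(f"{fn.__name__:15} {user:20} {msg!r:38} {secs * 1000:6.1f} ms")
```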

                                                                            1. 4

                                                                              This is great advice. And it really reinforces for me why appsec people should be way more involved in the software development process as early as possible.

                                                                              At a previous job we were identified by nine digit numeric characters (no, not those nine digits!). I built a public facing API for internal use that returned public facing data created by employees. No problem, thinks me. But I left the SSO ID on the API because why not? Ship it!

                                                                              A few days later one of the blue team guys sends me an email with 2/3rd of my database, exfiltrated by walking the API with a dictionary file and explains what you just explained above. Oops.

                                                                              1. 2

                                                                                Not a pen-tester, but I would’ve assumed allowing Password1! as a valid password is a bigger issue than email enumeration. You can now check against lists of bad passwords from dumps.

                                                                                1. 2

                                                                                  You’d think, right? But you are fighting human nature and historical IT theories. As it turns out, making a comprehensive deny list is extremely difficult, and then you add the fact that, with hashing in play, the only time it gets checked is at the filter level when changing that credential. You can’t just look up your passwords in your ntds.dit and compare it with historical dumps (I try and do that for my clients because the reality is the offensive tools are actually better at it than the defensive). As for historical reasons, oftentimes IT resets credentials to a weak or organizationally default credential and it never gets changed; support desk staff often don’t remember to check the “change after first login” checkbox.

                                                                                  Like I said, it only takes one. Also password patterns follow human nature in more ways than one, I’ve been popping my American clients that have comprehensive blocklists left and right with Trump2020!. Passwords suck haha.

                                                                                  EDIT: To add another thing, think about Password1!: lots of orgs have an 8 character password with special and numerical requirements. Technically it fits in lots of places. If there is organizational SSO and the filters are not forced everywhere, it can also propagate to other authentication areas.

                                                                                  1. 2

                                                                                    To add another thing think about Password1!, lots of orgs have an 8 character password with special and numerical requirement.

                                                                                    Even better is to have entropy requirements, including dictionary files. zxcvbn is a good example of a frontend library for this.

                                                                                    You can also compare hashes with the HIBP Pwned Passwords dataset and reject new passwords that match.
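The Pwned Passwords check described above, as an added example that is not code from the thread: the k-anonymity range lookup in Python, where only the first five hex characters of the SHA-1 are sent and matching happens client-side. The live API URL and response format are real; the offline stand-in, its counts and the sample passwords are constructed for the demo.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Pwned Passwords range API: send the first 5 hex characters of the uppercase
# SHA-1 and get back every known suffix under that prefix as
# "<35-char suffix>:<count>" lines. The full hash never leaves the client.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_for_range(password: str) -> Tuple[str, str]:
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the dataset, 0 if never seen."""
    prefix, suffix = split_for_range(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def hibp_fetch_range(prefix: str) -> str:
    """Live lookup over the network; not used by the offline demo below."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "pw-check-demo"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the API, built from passwords named in the
# thread. The counts are made up for the demo, not real dataset figures.
_SAMPLE_BREACHED = {"Password1!": 12345, "Summer2020!": 678, "Companyname2020!": 90}


def fake_fetch_range(prefix: str) -> str:
    lines = ["0" * 35 + ":1"]  # unrelated filler suffix, as real responses also carry
    for pw, count in _SAMPLE_BREACHED.items():
        p, s = split_for_range(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines)


def accept_new_password(password: str, fetch_range: Callable[[str], str] = fake_fetch_range) -> bool:
    """Policy hook for a change-password form: reject anything ever breached."""
    return pwned_count(password, fetch_range) == 0


if __name__ == "__main__":
    for pw in ("Password1!", "Summer2020!", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw, fake_fetch_range)} times, accept={accept_new_password(pw)}")
```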

                                                                                    1. 1

                                                                                      Are there other databases than HIBP that are commonly used for this?

                                                                                      1. 2

                                                                                        I don’t know. Pwned Passwords has 573 million SHA1 hashes, so I’ve not felt the need to look further.

                                                                                2. 1

                                                                                  This is great advice. Thank you for writing such a comprehensive answer.

                                                                                3. 1

                                                                                  Aside from the technical side explored by other replies, depending on your location and/or the location of your users, you could face legal consequences. Under legislation such as the GDPR, an email address is considered personally identifying information. If someone realises that you are leaking such personal information and reports you, you could face a fine. In some cases, the user may also claim compensation from you. If the user suffers a loss due to your failure to safeguard their data, then it could a large amount of money. (e.g. Imagine you run a site which is legal, but not considered socially acceptable. A public figure signs up using their email address. Someone uses email enumeration to discover that said public figure has an account on your site, causing damage to their reputation and consequent loss of earnings)

                                                                                1. -7

                                                                                  2020: DaringFireball blogsplains \r \n ..

                                                                                  1. 3

                                                                                    Those are the carriage return and newline characters, and the blog post is about enter vs. return key codes. Related, but they don’t actually line up.

                                                                                  1. 7

                                                                                    Great read but the section on “third-world country” and “non-English” speaking was disappointing. We’ve seen major “first-world” websites get hacked by kids in “third-world” countries.

                                                                                    1. 1

                                                                                      Yeah, there are probably plenty of resources on Host header injection in the contractors’ native language – they just didn’t care, or weren’t very good.

                                                                                    1. 3

                                                                                      It’s an interesting idea, but I think he makes some mistakes in the details: ‘b’ and ‘d’ are easily confused in speech, and final ‘h’ is silent. Also, while hard ‘g’ and ‘j’ are very different sounds, the letter ‘g’ is often pronounced like ‘j’ (e.g. the correct pronunciation of ‘GIF’).

                                                                                      None of this is insurmountable, but I think it demonstrates a need for more work.

                                                                                      1. 3

                                                                                        There are also problems for other languages. Swedes have a hard time telling the difference between s and z, Germans between d/t, b/p, g/k at the end of a word, Japanese between r and l, and so on. The good thing about numbers is that they’re universal.

                                                                                        1. 1

                                                                                          final ‘h’ is silent

                                                                                          That’s not a problem if you know there’s always a consonant at the end.

                                                                                        1. 3

                                                                                          URLs aren’t the only place GitHub usernames are used. Using the web interface, in some cases, will create commits with the email [email protected].

                                                                                          UGH I hate Cloudflare so much. -.-

                                                                                          1. 1

                                                                                            I’m not sure why you’re seeing “email protected”—I don’t see that even with Tor. If you didn’t already find a way around the overeager protection, here’s the email address I see: myusername@users.noreply.github.com.

                                                                                            1. 2

                                                                                              They obfuscate anything with an @ sign in it, email or not. You have to enable JavaScript for them to decode it, which I don’t in general.

                                                                                              But a little bird has told me about a Firefox extension that decodes these, and Cloudflare’s “protection” turns out to be absurdly simple:

                                                                                              https://addons.mozilla.org/en-GB/firefox/addon/email-protected/

                                                                                              // data is the hex string Cloudflare puts in data-cfemail; the first byte is the XOR key
                                                                                              const decodeCfEmail = data => {
                                                                                                const [key, ...encoded] = data.match(/.{2}/g).map(e => parseInt(e, 16))
                                                                                                return encoded.map(e => String.fromCharCode(e ^ key)).join("")
                                                                                              }
                                                                                              

                                                                                              All this annoyance and it turns out to be the kind of “protection” algorithm I would have written in middle school.

                                                                                          1. 3

                                                                                            While I’m in favor of getting rid of unique, discriminable usernames… you still need unique identifiers of some kind which can be exposed. Numeric or UUID seems to be fine. Are there any downsides to those?

                                                                                            I’m building a social media system that doesn’t have usernames per se; users have URLs (where their stuff lives) and cryptographic IDs (which identify them and allow portability), but they’ll be represented in the UI either by the names they choose for themselves or by “petnames” chosen by the viewer. Under the covers, an @-mention is the URL+pubkey pair, and it gets rendered differently for different viewers.

                                                                                            1. 24

                                                                                              Lobsters needs a whole “I didn’t read and misunderstood GDPR” tag. There’s just every week another article like this. People thinking they can be clever and circumvent laws with technology, just like some of the bitcoin fans believing they can avoid taxation.

                                                                                              kornel already said everything that’s to be said on this topic.

                                                                                              1. 9

                                                                                                This is also an issue with some people insisting you need to ask consent for any and all data you collect, which isn’t actually the case; the GDPR is more nuanced than that and has a list of items under which it considers data processing to be lawful, consent being just one of them. @kornel’s comment (“If you’re collecting non-essential information, you need consent”) is somewhat lacking in nuance in that regard.

                                                                                                Whether that’s a good or bad thing is up for grabs, but it’s certainly not as simple as often claimed.

                                                                                                1. 6

                                                                                                  Wat? Did you read the article? Your fears are addressed in the 3rd paragraph. It’s even above the fold.

                                                                                                  A few quick opening remarks: The whole point of this piece is to spark discussion and awareness in the industry and among users. Personally, I would never advocate for employing these tracking practices and I am glad to be working for an analytics vendor, that has always put privacy, transparency, and integrity first. Besides, from a legal perspective, this technique does not circumvent the GDPR or similar privacy laws. Just because ETags are technically not cookies, does not mean they are not covered within such guidelines and require no user consent.

                                                                                                  Emphasis, mine.

                                                                                                  1. 9

                                                                                                    I am pretty sure that sentence wasn’t there when I read that article.

                                                                                                    1. 1

                                                                                                      Correct. You can see an older version in Google’s cache: https://webcache.googleusercontent.com/search?q=cache:https%3A%2F%2Flevelup.gitconnected.com%2Fno-cookies-no-problem-using-etags-for-user-tracking-3e745544176b

                                                                                                      The third para was simply:

                                                                                                      One quick opening remark: The whole point of this piece is to spark discussion and awareness in the industry and among users. Personally, I would never advocate for employing these tracking practices and I am glad to be working for an analytics vendor, that has always put privacy, transparency, and integrity first.

                                                                                                1. 10

                                                                                                  Don’t worry, Google will soon start showing the expected (but incorrect) domain name in Chrome.

                                                                                                  1. 2

                                                                                                    Sarcasm?

                                                                                                    1. 4

                                                                                      I don’t think it is, and even if it is, it’s not far from the truth of Google hiding paths in the URL bar

                                                                                                  1. 3

                                                                                                    Please pick a globally unique natural primary key (e.g. a username) where possible.

                                                                                                    Ooof, not a good example to use. :-)

                                                                                                    (Usernames often need to change.)