1. 13

    I don’t believe the logic behind the EARN IT act adds up. If we ban things because unsavory people use them then why does the US allow guns, for example?

    This excerpt summarizes a majority of the article, and I think it exemplifies a particularly weak line of argument. People will be more likely to be convinced a law is right or not by you elaborating on what it does and how that affects them than they would be because you’ve moralized the pretenses under which it was passed. Case in point, since you mention them just after that: the NRA has been pushing the “most gun owners are good guys!” angle for a very long time and it’s done little but intensify the ire of people they might be trying to sway. Saying “we shouldn’t ban encryption because not everyone that uses encryption is a pedophile” doesn’t exactly make the strongest case.

    1. 8

      the NRA has been pushing the “most gun owners are good guys!” angle for a very long time and it’s done little but intensify the ire of people they might be trying to sway.

      I think part of the issue is that the NRA isn’t always trying to sway the other side with this line. They’re often trying to rally support on their side. As such, I see using the same line of argument as useful in helping people on the right who may not normally identify with a tech issue to see it in the same way they view their gun rights.

      1. 3

        While I agree with most of what you’re saying, there just has to be a better way to combat illegal sexual exploitation than this. As much as I don’t like that it is still a big thing on the internet, removing encryption is not the solution.

        1. 4

          Sexual exploitation of kids was a thing before the internet was a consumer thing. Those who partake in such despicable acts will just find another way to do what they do if online transit is no longer practical or safe. And then we’ll have no legitimate encryption, and still have sexual exploitation of kids.

          1. 2

            I’m not against encryption either. Maybe if you really want to confront that part of the issue I think instead of talking about how it’s “not all encryption” I would personally take on the route of not only further exploring how futile it is to try to curb these crimes by pursuing them once they’re already being shared, but also showing how much more effective things like community programs might be at trying to fight the issue at its source.

          2. 3

            Saying “we shouldn’t ban encryption because not everyone that uses encryption is a pedophile” doesn’t exactly make the strongest case.

            Maybe it does, if one poses it as “encryption is the tool that allows you to safely exchange, say, intimate pics with your partner, and financial information with your family members; if we ban it, your next-door neighbor could creep into your personal stuff”.

            1. 3

              That’s my point.

          1. 13

            I always say this, but if your argument is

            Vim is everywhere.

            (emphasis mine), then you can’t also claim

            It’s ultra customisable

            1. 8

              I agree. A lot of his other criticisms can be addressed via the customisation. Vim now has plugins to speak LSP, so it can have syntax highlighting and cross-referencing that is exactly the same as Visual Studio Code. As long as you install everything, on every machine you use.

              I’ve written four books, a PhD thesis, 150+ articles, a bunch of scientific papers, and a few hundred thousand lines of code in vim. I mostly use it for two reasons:

              1. A lot of development I do is on remote machines. Being able to edit code or build from any terminal is useful. I would probably replace a lot of this with the VS Code remote extension if it were open source (unfortunately, the server part isn’t and so it’s limited to a depressingly small set of supported platforms at the moment).
              2. My fingers are used to vim and sulk if I am not in vim (sorry, vim mode in other editors is not the same).

              For text (of the human-readable kind), I think vi’s modal interface is actually a good thing (one of the very few things I disagree with Jef Raskin about), because writing and editing are separate tasks and you are more productive if you completely separate them in your workflow. For code, it’s not really a benefit and I mostly use it to avoid having to retrain my fingers.

              The one feature that I miss on non-vim editors is unlimited, persistent, branching undo. This was something we tried to duplicate and make general with Étoilé. If I edit some code with vim and it was, at some point in the past, in a working state, I can always go back and find that, even if I’ve rebooted a few times. This makes me a lot more comfortable experimenting without regular VCS commits. Ideally, I’d want an editor with automatic git integration that would create a stream of git commits for my in-progress changes and then squash them when I did a named commit (or, even better, leave them in a local branch and merge the squashed version into that).

              1. 1

                Ideally, I’d want an editor with automatic git integration that would create a stream of git commits for my in-progress changes and then squash them when I did a named commit (or, even better, leave them in a local branch and merge the squashed version into that).

                Couldn’t you basically do that with some buffer auto commands in Vim, where it would need to detect what “branch” you’re on and then commit all the changes? And a “squashcommit” git alias to then commit (pardon the pun) to this timeline?

                1. 4

                  There’s this: https://github.com/bartman/git-wip

                  I’ve used this in the past and it worked really well for me.

                  1. 2

                    Yup, though with Vim’s branching undo I’d want that branching to also be reflected in the git history, so if I do ‘undo’ a bunch of times and then start typing again, there’s a git branch that reflects my prior state that I can go back to (and, ideally, as we did with Étoilé, allow easy cherry-picking from other undo branches). But what I really want is that exposed with a nice GUI in a graphical editor. I rarely use vim’s branching undo because I can never remember the commands.

                2. 4

                  Why can’t you claim that?

                  1. 9

                    Because if you customize vim a lot (custom keybinds, functions, plugins, whatever, …) then you will build muscle memory and habits that are tied to your vim setup. With that in mind, using vi on OpenBSD or vim.minimal on ubuntu server would still be a pain, because you’d lack all the customisation from your local setup.

                    To sum it up, vim is installed everywhere, but your customisations are not, so you can only benefit from one of these advantages at a time.

                    1. 4

                      This is where Emacs shines. With Evil and Tramp, one can use the familiar customised vim keys while editing files remotely, as long as the remote system has SSH.

                      1. 6

                        Just FYI, vim has remote editing as well.

                        1. 2

                          As @swehren mentioned, vim can edit remote files by specifying a path as “ssh://host:/path/to/file”. I don’t know how this works with your emacs plugin, but this is definitely not ideal. I use vi to administrate my dns/mail/http servers, and even though I could easily edit files comfortably from my local machine, I still need to login on the remote end to restart services, read logs, etc… The only use case I see is to edit PHP files remotely, and even then this would be bad, because you cannot use autocompletion of filenames, and saving files takes longer due to network latency.

                          Navigating the file structure and editing files locally is still the easiest option IMO. And this is also why OpenBSD added mg(8) to the base system!

                          1. 7

                            Tramp is not so much a plugin, as a “Transparent Remote (file) Access, Multiple Protocol”. When connected via one of the various methods (inline, external or GVFS-based) you get to do almost everything as you would on a local system (therefore “transparent”). That means you can also use M-! or Eshell to run commands, copy files, diffs, etc. without having to worry where what is.

                          2. 1

                            I found evil to not include all the things my vim setup has, but won’t remember what until I try to use them again.

                          3. 1

                            Good point. Maybe this calls for splitting up my vimrc into two files, a .basic.vimrc which has commonly used configuration not tied to plugins or installed programs and my regular .vimrc which would source the former.

                            The .basic.vimrc can then be copied wherever I need it.

                            1. 2

                              A different solution is to go with an empty ~/.vimrc (the simple existence of this file automatically sets “nocompat”, so you get a full vim experience), and try your best to use it like this. Vanilla vim is already real powerful as an editor, and once its default keybinds and mechanism enter your muscle memory, you’ll realize just how futile many plugins are.

                              I did that for years (working on personal C projects mostly), and it was great. I then switched to vis 2 years ago, and never looked back. It mixes vim with sam, so you get multiple selection and cursors on top of vim, which is neat. As it really resembles vim, I can apply my muscle memory to default vim as well, except for the substitute command (which is :x/foo/ c/bar/ in vis).

                              The fact I committed to using default vim for so long helped a lot switching to vis, as it doesn’t have the same plugins (though it can be extended in lua).

                              1. 1

                                Good suggestion, however gvim is incredibly ugly without any color schemes and I really like being able to copy-paste with ^C and ^V.

                          4. 4

                            Heavily customized vim very quickly starts looking nothing like vanilla vim. It’s infeasible to carry around your dotfiles everywhere (though there are ways you can bring subsets of your configuration everywhere), and the more customizations you have, the less effective you’ll be without them. It has to do with the emphasis on macros and simple keybindings that vim has and the muscle memory that requires.

                            1. 1

                              See my other comment on a potential solution: https://lobste.rs/s/wpmmbt/should_i_use_vim_full_time#c_gg386z

                          5. 2

                            In practice, I think I disagree. I use vim on production machines and sundry random boxes with little customization, and I use local copies with dozens of plugins and a stack of custom keybindings. There are occasional frustrations, but not especially overwhelming ones.

                            “Being able to use roughly the set of vi features plus some niceties” remains a fairly portable skillset. I might have a different experience if I’d overridden the core vi-style semantics of the interface all that much, but apart from a couple of bindings I haven’t, and I’d suggest that best practice is to leave most of that stuff in place and augment it rather than replacing it. That’s why there’s a convention of prefixing things with the leader key and so forth.

                            1. 1

                              As always, it’s a gradient. I was thinking more of people customizing to look like this, remapping hjkl, etc.

                              And besides, I was just talking about the argument. Practice is a different thing, but when you see people who have only used vim try to use vi and seem just as confused as a newcomer, then I do think that there is a difference worth mentioning.

                          1. 4

                            I just wrote a further commentary about this post from Aral Balkan at my own blog: Private client-side-only PWAs are hard, but now Apple made them impossible. I decided not to post as a new story as it is basically a “me too” with Aral’s post that further touches the topic of why private client-side-only PWAs are important.

                            1. 6

                              I’ve never tried a “private client-side-only PWA”. I’ve never tried a PWA that was as good as a native app. And I could not name a PWA, offhand, that is better than a normal web site.

                              Is it possible that they are killing off a very small amount of value here relative to the surveillance crap that they are, and absolutely should be, eliminating? Or am I overlooking a mass of valuable things that I will be sorry to see gone? If it’s the latter, can you give some examples of where a PWA outshines a native app and a normal web site, and would be eliminated by this move in Safari?

                              1. 1

                                Be aware that this is not PWA specific, this affects any kind of site. PWA is just a marketing term, they are normal web sites that are progressively enhanced by new APIs. All those websites that you don’t use often but you have data saved for, will have such data emptied.

                                There are many good PWAs out there which are as good or better than native apps. A good example that you might want to try out is the Kindle and Spotify ones. I’m usually on a Surface Pro X so I don’t have those apps as native “aarch64” binaries available for me but that’s OK because the PWAs work just fine.

                                As for “private client-side-only PWAs” not being a thing, it is because the web is kinda rigged towards a client/server paradigm and doing many things client-side-only is a bit hard. Take a look at the apps that Hundred Rabbits is putting out, they are transitioning away from Electron into pure client-side PWAs and their work is amazing and inspiring, not all apps are in that stage yet but IIRC Dotgrid and Orca are. They tweeted about it a couple of days ago.

                                1. 2

                                  Thanks for some interesting examples.

                                  I’m conflicted. I see the usefulness of some of these, but I don’t want most sites to be able to store data on my system (and read it back again) for much longer than a session.

                                  Maybe a good compromise to ask for would be that these restrictions be eased when a user goes through the interactive steps necessary to “install” a PWA on their system.

                                  1. 2

                                    Then the solution is for the browser vendors to provide an easy-to-use option to set how long such storage should live for a given site. So that for sites like this, you could tell the browser “erase this when the session ends”. Currently you can erase a site’s data on the browser options, or if you never want that browser to retain data after a session, you can use a private window. That data is erased when the window is closed.

                              2. 2

                                Just for clarity, what is a PWA?

                                1. 4

                                  It is a “Progressive Web App”. Sorry for the jargon usage without explanation. Basically it is a marketing term used to place some new web APIs and best practices into an umbrella of a “near native UX on a Web App”. What it usually means is that your application is:

                                  • Served from a secure context (a requirement for the other APIs anyway).
                                  • Has an application manifest (this contains metadata about your web app and is used by browsers and OSs to add icons, names, themes, etc)
                                  • Has a service worker (which enables your application to potentially work offline beyond what other cache solutions did in the past)

                                  So with these in place, browsers can offer an “Install this site as an app” feature which allows the site to open in its own window, with its own icon and name on the launchers and home screens.

                                  1. 1

                                    Thanks for clarifying. Are there any “mainstream” PWAs that I (as a nerd) might have encountered?

                                    1. 2

                                      Probably many as PWAs are normal web apps, they just progressively enhance themselves depending on your usage. The most noticeable way you can spot a PWA is when you’re browsing in a mobile chrome and it asks you if you want to install it. I think that is the only browser that actually asks it in an active manner like that. Many others have APIs to do it or menus. IMHO a good PWA is invisible, you don’t notice it inside your browser. It just works. If you’ve experienced sites that cope well with offline or intermittent connections, added a site to the home screen and it appeared in its own window without chrome, or even just a web app that is behaving really fast and snappy, you might be dealing with a PWA.

                                      As I mentioned before PWA is more of a marketing term to draw attention to a collection of APIs and best practices that moves the web forward and provide a better UX for the user. It gives us jargon to use in marketing copy and also jargon to discuss stuff among ourselves, but it is not a separate thing from the normal web. The important word in PWA is the W. It is still just the web, it just learned new tricks.

                                      Good examples in my opinion are the Instagram and Spotify web apps.

                                  2. 2
                                    1. 2

                                      I just updated the post with a definition and link to learn more.

                                  1. 4

                                    My gut feeling tells me it’s mostly due to the fact that a hash value of an int is the int itself, so there’s no time wasted on hashing.

                                    Oh wow I hope not. Is this actually true in CPython?

                                    1. 6

                                      This is the most sensible implementation as you want to avoid collisions in a hash table. It isn’t supposed to bear any cryptographic properties if that’s your concern. Here’s more: https://github.com/python/cpython/blob/master/Objects/dictobject.c#L134

                                      1. 5

                                        It’s not the most sensible implementation, because simple key patterns cause collisions that never resolve, even when resizing the hashtable. The comment you linked specifically mentions this pathology, and the numerous ways it destroys performance.

                                        The rest of the comment describes how CPython mitigates the issue by adding weak integer hashing to its collision probing. At first I thought integer keys were never hashed at any point, hence my surprise.

                                        From the comments it sounds like sequential integer dict keys are somehow common in Python, which I don’t understand. But I don’t write much Python.

                                        1. 6

                                          From the comments it sounds like sequential integer dict keys are somehow common in Python, which I don’t understand. But I don’t write much Python.

                                          While you can have a dict with keys of any hashable type – and a single dict may have keys of many types – the most common case, so overwhelmingly more common that it’s almost not even worth thinking about other cases, is a dict whose keys are all strings. This is because, sooner or later, basically everything in Python is backed by a dict. Every namespace is backed by a dict with string keys (the names defined in that namespace). Every object is backed by a dict with string keys (the names of the object’s attributes and methods). Keyword arguments to functions/methods? Yup, dict. In comparisons of languages by their “one big idea”, Python is sometimes described as having its big idea be “what if everything was a string-keyed hash table”?

                                          Anyway. This is so common that Python goes out of its way to have special-case optimized implementations for the case of a dict whose keys are all strings (and for what it’s worth, in CPython as of Python 3.4, str is hashed using SipHash-2-4).

                                          As to hashing of numeric types, it’s a bit more complicated than “ints hash to themselves”. Here’s what the Python documentation has to say. For the specific case of int, you can think of it as reducing to hash(n) == hash(n % sys.hash_info.modulus), where in CPython sys.hash_info.modulus is 2^61 - 1 on systems with 64-bit long and 2^31 - 1 on systems with 32-bit long.

                                          While I don’t have a way of being certain, I suspect the linked comment’s note that the hashing of int is “important” has to do with the importance of real-world int key values being unlikely to collide with the hashes of other common real-world key types.

                                          1. 1

                                            In comparisons of languages by their “one big idea”, Python is sometimes described as having its big idea be “what if everything was a string-keyed hash table”?

                                            I’ve always thought of PHP’s “one big idea” as “What if everything is an array” where array means PHP’s strange half-dict half-list interface that funnily enough Python is now one small step closer to.

                                        2. 1

                                          Avoiding collisions isn’t as important as using up a larger % of the spots before you need to allocate and move things, I believe.

                                          1. 3

                                            Aren’t those the same thing? Fewer collisions implies you can go longer without expanding.

                                            1. 1

                                              It depends on the exact implementation, but in my understanding, not exactly; you also want a good distribution between your buckets, even if there are patterns / non-random distributions in the actual encountered keys. It might waste space rather than time, but it’s still not great.

                                              1. 3

                                                Python’s hash table isn’t implemented as an array-of-buckets. It’s a single contiguous array into which you insert a new element at the position determined by the hash of its key, and if that position is occupied you try the next one in a pseudo random order. Same with lookups: you try entries in succession until you find the one that equals (it’s usually the first one). And this is why the number of free spots and the probability of collisions are directly related.
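
The comment above describes CPython's dict as one contiguous slot array probed in a pseudo-random order. As an added illustration (not CPython's code and not from any commenter), here is a toy open-addressed table that uses the probe recurrence CPython's `Objects/dictobject.c` comment documents, `i = (5*i + perturb + 1) & mask` with `perturb >>= 5`, together with Python's own `hash(int) == int`. Inserting sequential keys and stride-8 keys into the same 8-slot table makes the "simple key patterns collide, the perturb term resolves them" point measurable. The 64-bit `size_t` mask is an assumption; the sample keys are constructed.

```python
# Added example, not CPython's implementation: a toy open-addressed hash table
# with the probe recurrence from the dictobject.c comment, so that the extra
# probes caused by different integer key patterns can be counted.
PERTURB_SHIFT = 5             # CPython's PERTURB_SHIFT
SIZE_T_MASK = (1 << 64) - 1   # assumption: 64-bit size_t; perturb is unsigned in C


class ToyDict:
    """Single contiguous slot array; no resizing (the caller keeps it non-full)."""

    def __init__(self, size=8):
        assert size & (size - 1) == 0, "size must be a power of two"
        self.slots = [None] * size   # each entry is None or (key, value)
        self.mask = size - 1
        self.extra_probes = 0        # slots examined beyond the first, in total

    def _find_slot(self, key):
        h = hash(key)
        perturb = h & SIZE_T_MASK    # the C code treats the hash as unsigned here
        i = h & self.mask            # first candidate: low bits of the hash
        while True:
            entry = self.slots[i]
            if entry is None or entry[0] == key:
                return i
            self.extra_probes += 1
            perturb >>= PERTURB_SHIFT
            i = (i * 5 + perturb + 1) & self.mask   # dictobject.c recurrence

    def insert(self, key, value):
        # A full table would make _find_slot loop forever; a real dict resizes
        # long before that point, this toy simply refuses.
        if all(s is not None for s in self.slots):
            raise RuntimeError("table full; a real dict would have resized")
        self.slots[self._find_slot(key)] = (key, value)

    def get(self, key):
        entry = self.slots[self._find_slot(key)]
        if entry is None:
            raise KeyError(key)
        return entry[1]


def probe_cost(keys, size=8):
    """Insert the keys into a fresh table and return the extra probes the
    insertions needed; every key is then looked up again as a sanity check."""
    table = ToyDict(size)
    for k in keys:
        table.insert(k, str(k))
    cost = table.extra_probes
    for k in keys:
        if table.get(k) != str(k):
            raise AssertionError(f"lost key {k}")
    return cost


if __name__ == "__main__":
    # Constructed key patterns: sequential ints land in distinct slots because
    # hash(n) == n; multiples of the table size all start at slot 0.
    print("sequential 0..6 :", probe_cost(range(7)), "extra probes")
    print("multiples of 8  :", probe_cost([0, 8, 16, 24, 32, 40, 48]), "extra probes")
```

Sequential keys cost no extra probes at all, which is the case the dictobject.c comment calls out as ideal; the stride-8 keys all hash to slot 0 and are only separated once `perturb` feeds the high bits of the hash into the sequence.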

                                        3. 2

                                          it is:

                                          Python 3.7.6 (default, Dec 21 2019, 11:56:31)
                                          [Clang 10.0.1 (clang-1001.0.46.4)] on darwin
                                          Type "help", "copyright", "credits" or "license" for more information.
                                          >>> hash(2)
                                          2
                                          >>> hash(37)
                                          37
                                          >>> hash(892474)
                                          892474
                                          
                                          1. 8

                                            Almost! hash(-1) returns -2.

                                            Python 3.8.1 (default, Jan  8 2020, 23:09:20)
                                            [GCC 9.2.0] on linux
                                            Type "help", "copyright", "credits" or "license" for more information.
                                            >>> hash(-1)
                                            -2
                                            >>> hash(-2)
                                            -2
                                            >>> hash(-3)
                                            -3
                                            
                                            1. 4

                                              wat

                                              do you happen to know why?

                                              1. 7

                                                Ah, it’s because the C API function uses -1 as an error code. It goes deeper than that too:

                                                In [1]: class yolo:
                                                   ...:     def __hash__(self):
                                                   ...:         return -1
                                                   ...:
                                                
                                                In [2]: y = yolo()
                                                
                                                In [3]: hash(y)
                                                Out[3]: -2
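
As an added example (not from the thread or from CPython), the following reimplements the int hashing rule quoted earlier in this thread, `hash(n) == hash(n % sys.hash_info.modulus)` with the sign carried over, plus the `-1 → -2` special case shown in the two REPL sessions above, and checks it against the interpreter's built-in `hash()`. It reads the modulus from `sys.hash_info` so it holds on both 64-bit and 32-bit builds. No hash randomization is involved for `int`; CPython's per-process salt applies to `str` and `bytes`. The sample values are constructed.

```python
# Added example, not CPython's code: CPython's documented hash for int,
# written out in Python so each rule can be seen and checked.
import sys

MODULUS = sys.hash_info.modulus   # 2**61 - 1 on 64-bit builds, 2**31 - 1 on 32-bit


def int_hash(n: int) -> int:
    """Reduce n modulo the platform modulus, keep its sign, then avoid -1."""
    if n >= 0:
        h = n % MODULUS
    else:
        h = -((-n) % MODULUS)      # hash(-n) == -hash(n)
    # -1 is the C API's error return from tp_hash, so it is never a valid hash.
    if h == -1:
        h = -2
    return h


class ReturnsMinusOne:
    """__hash__ may return -1, but hash() rewrites it to -2 (as in the REPL above)."""

    def __hash__(self):
        return -1


def check_against_builtin(values) -> bool:
    """True when int_hash agrees with the interpreter's hash() for every value."""
    return all(int_hash(v) == hash(v) for v in values)


# Constructed sample: small ints from the thread, the -1/-2 corner, values at
# and around the modulus, and ints wider than a machine word.
SAMPLE = [
    0, 1, 2, 37, 892474,
    -1, -2, -3,
    MODULUS - 1, MODULUS, MODULUS + 1,
    -MODULUS, -(MODULUS + 1),
    2**64 + 5, -(2**64 + 5),
]

if __name__ == "__main__":
    for v in SAMPLE:
        print(f"{v:>25} -> {int_hash(v)}")
    print("matches built-in hash():", check_against_builtin(SAMPLE))
    print("hash(ReturnsMinusOne()) =", hash(ReturnsMinusOne()))
```

Two consequences worth noticing: `hash(2**61 - 1) == 0` on a 64-bit build, so ints far larger than the modulus do collide with small ones, and `-(MODULUS + 1)` reduces to `-1` and is therefore reported as `-2`, exactly like `hash(-1)`.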
                                                
                                            2. 2

                                              I’ve heard that this is a somewhat common way to implement hashing for ints, but I don’t understand why it’s a good idea. Aren’t hash collisions terrible for hash tables? And isn’t a somewhat common key pattern “some number with some low bits masked”? And wouldn’t that be a pathological case for a hash table which grows with a factor of 2?

                                              Are hash table implementations which do hash(x) = x somehow better at handling collisions than most hash tables, or do they just hope that the ints people want to put in their tables have high entropy in the lower bits?

                                              1. 3

                                                IIRC there is some sort of random salt added to it and it goes through some internal hash for the actual hash table, since there was a DoS attack by abusing worst case scenario over HTTP requests.

                                            3. 2

                                              Why would that be a problem?

                                            1. 4

                                              Nice explanation.

                                              I was wondering what puzzle you used gray code for, and how you did use it?

                                              1. 2

                                                It sounds to me like this might have been useful for day 10 – the asteroid problem where the monitoring station rotates around detecting and/or destroying asteroids.

                                                1. 2

                                                  Interesting. I thought of using Gray Code for handling directions in day 11, but opted for simple bit shifting instead: https://github.com/timvisee/advent-of-code-2019/blob/master/day11a/src/main.rs#L4-L20

                                                2. 1

                                                  More interesting than the AoC puzzle connection is the connection between gray codes and the ancient Chinese rings puzzle, as well as the mathematically equivalent Baguenaudier.

                                                  If you like that kind of thing tavern puzzles makes a nice one.

                                                1. 6

                                                  Beautiful visualisations here. I wonder if using non-smart phones can help in any way.

                                                  1. 3

                                                    According to the article the data comes from a company collecting precise movements using software slipped onto mobile phone apps. So maybe installing/using fewer apps helps somewhat…

                                                    1. 4

                                                      After reading this, I deleted half the apps from my phone and disabled location services for most of the ones that were left.

                                                      1. 2

                                                        I would assume that disabling location permission for apps would also be sufficient. I can understand why maps needs my location, but not much else.

                                                        That said, the article does say the weather channel was also at this, and I guess a lot of people would give this more trust as it’s a default app on iOS.

                                                        1. 5

                                                          Yes and no.

                                                          The wifi MAC address method is also becoming quite prevalent. If your phone has wifi just enabled it can be pinged. [1]

                                                          Then over the cell network your signal can be triangulated.

                                                          1. https://techcrunch.com/2019/05/22/mind-the-privacy-gap/

                                                          1. 2

                                                            True, that’s what skyhook does as well. Interestingly (and this might show a conflict of interest within Google) Android has started using random MACs for wifi. https://source.android.com/devices/tech/connect/wifi-mac-randomization

                                                          2. 2

                                                            the weather channel was also at this, and I guess a lot of people would give this more trust as it’s a default app on iOS.

                                                            Is it? I know there’s a weather app by default, but I thought the Weather Channel app was a separate download (not a regular iOS user here). I uninstalled The Weather Channel on my Android device after they were outed as scraping contacts and selling that off. No reason to install anything of theirs after that and now this as well.

                                                      1. 3

                                                        From what I understand, this measure targets the ssh-agent program which holds the key in memory until some random ssh client asks for it.

                                                        With key shielding, the private key is encrypted using a prekey, and both are kept in the same struct in memory, which means that if an attacker dumps the whole struct, he should be able to decrypt the key using the prekey.

                                                        Are my assumptions correct? If so, against which attack vector does it effectively protect the key?

                                                        1. 3

                                                          I think the commit linked in the post gives the details you’re looking for. It sounds like this is a mitigation against sidechannel attacks, and works by increasing the amount of work someone using one of those attacks would have to do. As you noted it doesn’t appear to protect at all against an attacker who can just dump any random memory easily.

                                                          1. 3

                                                            The commit makes it much more explicit indeed, thanks for the pointer !

So to sum it up, the security model here is based on the fact that the prekey changes on each shield/unshield operation, thus resulting in an encrypted key in RAM that is changed on each call. In order to retrieve the key, an attacker would have to dump the whole encrypted key + prekey in one go, which is currently impossible with the existing side-channel attacks. This assumes that an attacker must also know the exact location in memory of the prekey, all of which is highly improbable.

                                                            Fair enough.
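An added illustration of the shield/unshield model discussed in this sub-thread (example code written for this page, not OpenSSH's implementation): the private key is encrypted under a large random prekey, the prekey is hashed as a whole to derive the keystream, and every use of the key re-shields it under a fresh prekey. OpenSSH hashes a 16 KiB prekey with SHA-512 and encrypts with AES-256-CTR; to stay within the Python standard library this example substitutes a SHA-512 counter keystream for AES, which is an assumption that changes nothing about the memory-dump argument. The `partial_dump_recovers` helper and the constructed key bytes are assumptions made for the demonstration.

```python
import hashlib
import os

# OpenSSH uses a 16 KiB prekey. Because the whole prekey is hashed before it
# is used, a side channel that leaks only part of it yields nothing useful.
PREKEY_LEN = 16 * 1024


def _keystream(prekey, n):
    """Expand SHA-512(prekey) into n keystream bytes (stand-in for AES-CTR)."""
    seed = hashlib.sha512(prekey).digest()
    out = bytearray()
    block = 0
    while len(out) < n:
        out += hashlib.sha512(seed + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:n])


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def shield(private_key):
    """Encrypt the key under a fresh random prekey; return (shielded, prekey)."""
    prekey = os.urandom(PREKEY_LEN)
    return _xor(private_key, _keystream(prekey, len(private_key))), prekey


def unshield(shielded, prekey):
    """Decrypt; only the exact, complete prekey gives back the real key."""
    return _xor(shielded, _keystream(prekey, len(shielded)))


def use_key(shielded, prekey, operation):
    """Unshield for one operation (e.g. a signature), then re-shield.

    Returns (operation result, (new_shielded, new_prekey)); both the
    ciphertext and the prekey in memory change on every call.
    """
    plain = unshield(shielded, prekey)
    result = operation(plain)
    return result, shield(plain)


def partial_dump_recovers(shielded, prekey, leaked_bytes):
    """Simulate an attacker who obtained only the first leaked_bytes of the prekey.

    Returns what such an attacker would decrypt to; compare it with the key.
    """
    guess = prekey[:leaked_bytes] + bytes(PREKEY_LEN - leaked_bytes)
    return unshield(shielded, guess)


if __name__ == "__main__":
    # Constructed stand-in for a serialized private key (not a real key).
    key = b"constructed-test-private-key-material-0123456789"
    sh, pk = shield(key)
    assert unshield(sh, pk) == key
    # One "signing" call: the plaintext is exposed only inside `operation`.
    _, (sh2, pk2) = use_key(sh, pk, lambda k: len(k))
    print("prekey rotated:", pk2 != pk, "ciphertext rotated:", sh2 != sh)
    # Leaking all but one byte of the 16 KiB prekey still recovers nothing.
    print("partial dump works:", partial_dump_recovers(sh, pk, PREKEY_LEN - 1) == key)
```

The point the commit makes maps onto the last two lines: an attacker who can read arbitrary memory at will simply takes the prekey and ciphertext together, but one limited to a slow or lossy side channel has to capture every byte of a 16 KiB prekey that is replaced on each use.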

                                                        1. 7

                                                          I should point out that XKCD was popularizing a technique called diceware, repeating a proposal from 1995. He was also doing it wrong: in diceware, you were supposed to have a delimiter between words, in order to increase the difficulty for a cracker that used dictionaries as input (since, without a delimiter, the same string can be interpreted as multiple different combinations of words, multiplying the number of opportunities for the cracker to get a hit).

                                                          As of 2014, the original diceware author specifically recommended moving to six words. Nothing in particular happened between 2012 and 2014 other than XKCD’s popularization of this nearly-twenty-year-old technique, so odds are that doing it with four words was not terribly secure in 2012 either.

                                                          (I don’t really blame Munroe for this problem. He probably didn’t remember where he got the technique himself – just part of ambient internet security lore. His popularization probably led to marginally better passwords and less password reuse, up until registries for auto-generated passwords started becoming common features of browsers.)

                                                          1. 2

                                                            without a delimiter, the same string can be interpreted as multiple different combinations of words, multiplying the number of opportunities for the cracker to get a hit

                                                            I’ve thought about this a little bit and I’m not seeing how the delimiter makes a difference. Can you provide an example?

                                                            1. 13

                                                              makedicespacespare could mean “make-dice-space-spare”, or “make-dices-paces-pare”, or a few other options. This reduces the number of possible passwords that you could have generated, reducing the entropy of your password slightly.

                                                              1. 1

                                                                Makes perfect sense. I was thinking of compound words not borrowing a letter or two from a neighboring word.

                                                              2. 3

                                                                Let’s say that somebody builds a password cracker specifically to hit diceware passwords. (Such a cracker probably exists – diceware was pretty common in the late 90s, and dictionary-based crackers like john the ripper are more elaborate versions of the same thing.) Such a cracker, if naively written, will brute force passwords the same way we generate them: pick four words, try them with a variety of delimiters and cases, & see if the thing hashes the same. With delimiters, every time it tries this, it will match if and only if all the words it chose are the same as the ones you chose – the basis for the entropy calculation. Without delimiters, there’s the possibility that two selections of words, when concatenated, will produce the same string (ex., “godisnowhere” can be read as “god is now here” or “god is nowhere”). Every such collision is an extra opportunity for the cracker to select a matching combination of words.

                                                                Let’s say you’ve got a dictionary of 2048 words, and you are using four words to produce the password, and you have no delimiters, and the cracker knows this. If there are no collisions, the cracker has a 1 in 2048 chance to pick each right word, for a 1 in 2048^4 chance to get all four right. If there are four collisions, you have a 4 in 2048^4 chance to get all four right.

Increasing that numerator enough to bring the ratio down to a reasonable number is hard for English, but if your password is in romanized Japanese or Korean (where all combinations of a relatively small set of sounds are more or less equally likely to be real words because of sound starvation & the transliteration of weird loan words into the syllabary) or in a language like German (where compound words are often composed of large sets of regular words strung together in an arbitrary order, rather than having a distinct set of prefixes and suffixes), collisions become a lot more likely.

                                                                This matters a lot for a naive/brute force dictionary cracker. I don’t think such crude tools are used much anymore, though, & somebody more familiar with modern crypto & modern security techniques can tell you whether or not it matters for rainbow tables & other more esoteric things. My knowledge of cryptography is decidedly limited & casual.
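An added worked example for the two comments above (written for this page, not code from the thread): a segmenter that lists every way a concatenated passphrase can be read as dictionary words, and a counter that measures how many distinct passphrases a wordlist actually yields with and without a delimiter. The wordlist is a small constructed one chosen so that the `makedicespacespare` and `godisnowhere` ambiguities from the thread occur; real diceware lists are much larger, so the relative loss is smaller there, which is the point made about English versus German.

```python
import itertools
import math

# Constructed toy wordlist (not a real diceware list), built so that some
# concatenations of different word sequences produce the same string.
WORDS = [
    "make", "dice", "dices", "space", "spare", "pace", "paces", "pare",
    "god", "is", "now", "here", "nowhere",
]


def segmentations(passphrase, words, max_words=None):
    """Every way to split `passphrase` into a sequence of dictionary words.

    Each extra reading is one more word combination a cracker could pick
    and still hit the stored hash.
    """
    wordset = set(words)
    results = []

    def walk(pos, chosen):
        if pos == len(passphrase):
            results.append(list(chosen))
            return
        if max_words is not None and len(chosen) >= max_words:
            return
        for end in range(pos + 1, len(passphrase) + 1):
            piece = passphrase[pos:end]
            if piece in wordset:
                chosen.append(piece)
                walk(end, chosen)
                chosen.pop()

    walk(0, [])
    return results


def distinct_passphrases(words, n_words, delimiter):
    """Number of distinct strings produced by all n-word sequences.

    With a delimiter the count equals len(words) ** n_words; without one,
    colliding concatenations collapse and the count drops.
    """
    return len({delimiter.join(seq) for seq in itertools.product(words, repeat=n_words)})


def entropy_bits(words, n_words, delimiter):
    """log2 of the number of distinct passphrases, i.e. the real search space."""
    return math.log2(distinct_passphrases(words, n_words, delimiter))


def bits_lost_without_delimiter(words, n_words):
    return entropy_bits(words, n_words, "-") - entropy_bits(words, n_words, "")


if __name__ == "__main__":
    for reading in segmentations("makedicespacespare", WORDS, max_words=4):
        print("-".join(reading))
    for reading in segmentations("godisnowhere", WORDS):
        print(" ".join(reading))
    print("bits lost for 4 words, no delimiter: %.3f"
          % bits_lost_without_delimiter(WORDS, 4))
```

The loss reported by `bits_lost_without_delimiter` is exactly the "slightly" in the comment above: for this deliberately ambiguous 13-word list it is a fraction of a bit over four words, and the cracker's chance rises from 1 in N^4 to k in N^4 where k is the number of readings `segmentations` finds for the chosen string.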

                                                            1. 19

                                                              First, I think there probably needs to be a little grace extended on hash rate calculations to both the XKCD comic, and the Dropbox article considering they’re 8 and 7 years old respectively.

                                                              Secondly, if you dislike the correcthorsebatterystaple advice you should say what you think is a better alternative so we can compare. From the screenshotted lobste.rs thread on this assuming the MacOS word dictionary and four words it has a search space of 235886^4 or roughly 10^21 possibilities. If instead your advice is for a user to pick a completely random password, then assuming they’re picking from the more or less 100 easily typable characters on a keyboard, they’ll need between a 10 and 11 character long random string to match the search space.

I think if you ask most people if they'd rather memorize correcthorsebatterystaple or ]S7DX)|{"^ they'll choose the former.

                                                              1. 12

                                                                What is with the Bad Security Advice posts lately?

                                                                Passphrases are great but they aren’t great enough for the author to reach the conclusion he did. I’m not going to do the math in depth, but I’m pretty sure the math this guy is doing is wrong.

                                                                % wc -l /usr/share/dict/words       
                                                                  235886 /usr/share/dict/words
                                                                

                                                                And the passphrase “correcthorsebatterystaple”. BTW, each of those words is inside /usr/share/dict/words on macOS (a very small built-in wordlist). So assuming our users don’t venture outside that wordlist, we get on the order of 235886^4 parallelizable guesses, which is 76475977261682 times smaller than 26^25 (no idea how he’s getting that number, but pretty certain it’s wrong, lol).

                                                                Use scrypt, you fools!

                                                                1. 6

                                                                  I think the biggest flaw in the post is that the author doesn’t recognize exactly this point. Hash cracking can take advantage of other knowledge such as “people use variations of names, common words, dates” commonly, reducing the search space significantly.

But, if your database is secure, and you use rate limiting aggressively on attempts, length is a pretty good defense.... but, ha, the notion that your database is secure is a joke.

                                                                  1. 2

                                                                    I’m not sure about exactly what the author was aiming for, but usually when people are evaluating a “correcthorsebatterystaple” type scheme, they’re not comparing it to someone choosing 26 random letters, but rather someone choosing a much shorter completely random passphrase something like 100^10 which are comparable search spaces.

                                                                  1. 6

Unclear what problem you're solving. Firefox shouldn't write anywhere else than the profile directory (see @jefftk's comment). If you don't want it to access your user configs in ~/.config you can redirect $HOME though. But maybe you also want to chroot then?

If you want to separate all sorts of history and site data and settings and extensions and password storage etc, use different profiles. If you want separate cookie jars (e.g. online identities) to work in parallel, use the Multi-Account Containers extension.

                                                                    1. 8

                                                                      The problem this solves is that some websites are now detecting private mode browsing, and using it as an opportunity to be a dick.

                                                                      1. 6

                                                                        Ugh, that’s bad. Can you give an example of those?

                                                                        1. 10

                                                                          Nytimes does private mode detection as part of their paywall.

                                                                        2. 4

                                                                          How do they detect it, and how are they being a dick? I’ve honestly never noticed anything weird in private browsing mode, but I don’t use it all that often either.

                                                                      1. 16

                                                                        If you want a good experience, the laptop needs to be sold to you as a “Linux laptop”, with the explicit promise that it has an OS with drivers that have been tested and pre-installed. Surprisingly few laptop makers are doing this (yet?).

                                                                        Linux works a lot better on my ThinkPad x270 than it ever did on the Dell XPS 13 “Developer Edition” (~5 years ago), which was sold with Ubuntu. Lenovo may not support Linux, but a lot of Linux developers use ThinkPads, so they tend to be well supported.

The Dell XPS on the other hand was just a crappified Ubuntu install with proprietary drivers and applications to make it work. I'm not even sure why they installed all the binary crap, since Arch Linux also seemed to work for everything except bluetooth, and audio on HDMI out (which also never worked well on Ubuntu; did get that working eventually), so I just installed that over Ubuntu after I ran into an apt-get bug that was never fixed in the Ubuntu LTS ("stability").

                                                                        Maybe things have improved in the meanwhile, but “sold as Linux laptop” does not automatically equal “good Linux experience”.

                                                                        once, across a reboot, the entire settings panel (which is an app) just… vanished. I had to research what it’s called and reinstall it from apt. It was more funny than annoying.

                                                                        apt has the horrible habit of “helpfully” removing packages it thinks you no longer need. Removing package A may also remove vaguely related package B, even though B is not a dependency of A. There are even cases where installing a package can remove other packages, or uninstalling can also install packages. The logic can be really opaque and hard to grok.

                                                                        1. 8

                                                                          apt has the horrible habit of “helpfully” removing packages it thinks you no longer need.

                                                                          Weird Debian/Ubuntu stuff like this is why I never recommend apt-based distros anymore.

                                                                          1. 11

                                                                            Hello!

                                                                            For a moment there, after reading your comment, I wanted to fold my keyboard like a taco.

                                                                            I am pretty confident that it wasn’t your intent… :)

                                                                            …Anyway… FYI, there is no such thing as Debian/Ubuntu. Debian is a thing and Ubuntu is a thing and they are distinct.

                                                                            Debian is a very old, well designed, and respected GNU distribution. Dependency management is hard (I mean, NP-complete!), but engineers in the Debian project know that, and they care. They worked out a system of rules for keeping the dependency graph clean. Beyond that, they make efforts to teach new maintainers how to understand those admittedly complex rules. They work hard to tame the chaotic sea of packages as much as possible. May their beards be long and tangle free forever!

Ubuntu is … popular. I've used it before. My best friend still does, and asks me for help with his computer frequently. One of my pet peeves is that a lot of individual little packages depend on big meta packages that depend on gigs of desktop environment stuff. It's almost impossible to run Ubuntu without the default environment installed. See, you don't have to use it, but Ubuntu puts so little care and feeding into their dependency graph that you end up in nonsense situations…

                                                                            Both Debian and Ubuntu are “dpkg-based”. apt-get and apt and aptitude are front-ends.

                                                                            dpkg does as it is told. Two things tell it what to do: the front-end and the package dependency graph (let’s call that “the repo”.)

                                                                            I assume that all contemporary package managers that aren’t broken will “do as they are told”. So, the problem with Ubuntu is their package graph and maybe their front-end tool.

                                                                            My front-end never auto-removes anything, though does remind me that I can run a command to make it remove those things that nothing depends on. I use Debian and apt-get. When I manually invoke the auto-remove feature, so far it has never removed anything that was still needed, on account of that artfully human-curated dependency graph from the repos…

                                                                            1. 2

                                                                              The only time apt has ever proposed removing packages it deemed no longer needed is when I installed those packages in support of an out-of-distro package, e.g. a downloaded .deb archive or something from a repository which I subsequently removed. It was my experience with apt versus that with rpm - this was before RedHat thought up something like yum - which made me settle on Debian and Debian-based distributions. While building rpm packages was (and possibly is, it is a while ago I last built an rpm package) generally easier than equivalent .deb packages the robustness of a .deb system managed by apt was far higher than that of an .rpm system.

                                                                              1. 1

                                                                                What do you recommend instead?

                                                                                I have a lot of criticism about apt/dpkg-based distributions, but the alternatives seem to be consistently worse.

                                                                                1. 6

                                                                                  Void Linux.

                                                                                  1. -8

                                                                                    Void’s package manager and build system have been written from scratch.

                                                                                    … in C.

                                                                                    I think I’ll skip trying this. Using C or C++ in 2019 is just incredibly poor judgement.

                                                                                    1. 11

                                                                                      I would much rather my system has a fast and straightforward package manager written in lean C than something like Java, or Python. Calling his choice of C “incredibly poor judgement” comes across as patronising and kind of elitist - generally in poor taste

                                                                                      1. 4

                                                                                        Well the first commit to it was in 2009.

                                                                                        1. 1

                                                                                          I’ll comment that using C in 2019 can be the right choice for certain low level tasks like firmware or important system libraries or languages or operating systems.

                                                                                          As for XBPS, it was written in 2009 by an ex-NetBSD dev. C was the most respectable language for system level stuff at that point.

                                                                                      2. 1

                                                                                        Solus.

                                                                                    2. 3

                                                                                      Maybe things have improved in the meanwhile, but “sold as Linux laptop” does not automatically equal “good Linux experience”.

                                                                                      Another thing to note is that the “sold as Linux laptop” being conflated with “good Linux experience” tends to only be valid as long as the company continues to provide support.

                                                                                      1. 2

                                                                                        apt has the horrible habit of “helpfully” removing packages it thinks you no longer need

                                                                                        … but it will never remove any packages you installed…

                                                                                        1. 4

                                                                                          That’s the theory, but in practice it will also do really surprising things with packages you explicitly installed, not that this is a good model in the first place. I don’t have any examples at hand, and lack an apt-based machine. Here’s another old example which illustrates the kind of broken behaviour:

                                                                                          $ apt-get install consolekit:i386
                                                                                          
                                                                                          Reading package lists...
                                                                                          Building dependency tree...
                                                                                          Reading state information...
                                                                                          The following packages were automatically installed and are no longer required:
                                                                                            python-mutagen python-mmkeys python-cddb
                                                                                          Use 'apt-get autoremove' to remove them.
                                                                                          The following extra packages will be installed:
                                                                                            docbook-xml libck-connector0:i386 libpam-ck-connector:i386 libpam0g:i386
                                                                                            libpolkit-gobject-1-0:i386 sgml-data synaptic
                                                                                          Suggested packages:
                                                                                            docbook docbook-dsssl docbook-xsl docbook-defguide libpam-doc:i386 perlsgml
                                                                                            doc-html-w3 opensp dwww deborphan
                                                                                          Recommended packages:
                                                                                            rarian-compat
                                                                                          The following packages will be REMOVED
                                                                                            acpi-support aptdaemon apturl colord consolekit dell-recovery
                                                                                            gnome-bluetooth gnome-control-center gnome-power-manager gnome-system-log
                                                                                            gnome-user-share hplip indicator-datetime indicator-power indicator-sound
                                                                                            jockey-common jockey-gtk landscape-client-ui-install language-selector-gnome
                                                                                            libcanberra-pulse libck-connector0 libnm-gtk0 libpam-ck-connector
                                                                                            manage-distro-upgrade nautilus-share network-manager-gnome policykit-1
                                                                                            policykit-1-gnome printer-driver-postscript-hp pulseaudio
                                                                                            pulseaudio-module-bluetooth pulseaudio-module-gconf pulseaudio-module-x11
                                                                                            python-aptdaemon python-aptdaemon.gtk3widgets python-aptdaemon.pkcompat
                                                                                            sessioninstaller software-center software-properties-gtk
                                                                                            ubuntu-system-service ubuntuone-control-panel-common
                                                                                            ubuntuone-control-panel-qt ubuntuone-installer update-manager
                                                                                            update-notifier xul-ext-ubufox
                                                                                            The following NEW packages will be installed
                                                                                            consolekit:i386 docbook-xml libck-connector0:i386 libpam-ck-connector:i386
                                                                                            libpam0g:i386 libpolkit-gobject-1-0:i386 sgml-data synaptic
                                                                                          0 to upgrade, 8 to newly install, 46 to remove and 0 not to upgrade.
                                                                                          Need to get 3,432 kB of archives.
                                                                                          After this operation, 20.6 MB disk space will be freed.
                                                                                          Do you want to continue [Y/n]?
                                                                                          

                                                                                          Removed my wireless drivers like this once :-/ Easiest way to get them back was run the Dell recovery stuff :-(

                                                                                          I’ve been told that apt is the new apt-get; I don’t know how well it does in comparison, as this was before apt.

                                                                                          1. 4

                                                                                            There is a lot to unpack here.

It appears that you're working with multiarch. That's more complex than average.

Second, there does not appear to be a package named dell-recovery in the Debian repos. Was it there in the past, or is it a third party package? I bet it depended on specific versions of some packages rather than depending on something like ">= version 1.2.3". This is super-common among third party packages because the authors don't know what to expect in the future from those packages and they fear an upstream upgrade breaking their package…

                                                                                            Finally, that package consolekit has been removed from Debian, so I can’t figure out how to check the reverse dependencies… But I can tell you, it was in the admin section. Those packages are all.. I dunno, “low level” or “fundamental”. It appears that you asked your 64-bit Debian to install the 32-bit version of a fundamental package.

                                                                                            1. 1

                                                                                              But why are those packages being removed? Why remove packages when installing a package? What’s the rational?

                                                                                              1. 1

There is a conflict between the new package (or its dependencies) and already installed packages (or their dependencies). Thus the package cannot be installed on the current system. Instead of simply refusing, apt suggests a possible system the package could be installed on (by removing some current packages) and asks you if that is what you want to do.

                                                                                              2. 1

                                                                                                What would you prefer happen in this case? Just refuse to install?

                                                                                                1. 6

For example, that's what most systems do. Or give me an option asking me what to do. Certainly not removing critical packages like pulseaudio, gnome-control-center, etc. No other system I've used tries to be "smart" like this.

                                                                                                  Computers are really dumb, and algorithms like this doubly so. In attempting to do “the sane thing” apt-get is more likely to leave a system in a usable state, rather than the reverse.

                                                                                                  1. 2

                                                                                                    I understand your point that maybe it should force you to be explicit and remove conflicting packages yourself. It does however ask you if you want to continue after it has told you what it plans on doing. Also, often if you say no it’ll offer an alternate solution to the conflict that may be more palatable.

                                                                                                    1. 7

                                                                                                      It does however ask you if you want to continue after it has told you what it plans on doing

Yeah, but the output is needlessly long, noisy, and has a general "wall-of-text"-y feel to it. It's easy to miss things, especially if it's just a few packages that are removed (instead of a whole bunch).

                                                                                                      Here’s how it could look:

                                                                                                      $ apt-get install consolekit:i386
                                                                                                      
                                                                                                      The following packages will be REMOVED
                                                                                                        acpi-support aptdaemon apturl colord consolekit dell-recovery
                                                                                                        gnome-bluetooth gnome-control-center gnome-power-manager gnome-system-log
                                                                                                        gnome-user-share hplip indicator-datetime indicator-power indicator-sound
                                                                                                        jockey-common jockey-gtk landscape-client-ui-install language-selector-gnome
                                                                                                        libcanberra-pulse libck-connector0 libnm-gtk0 libpam-ck-connector
                                                                                                        manage-distro-upgrade nautilus-share network-manager-gnome policykit-1
                                                                                                        policykit-1-gnome printer-driver-postscript-hp pulseaudio
                                                                                                        pulseaudio-module-bluetooth pulseaudio-module-gconf pulseaudio-module-x11
                                                                                                        python-aptdaemon python-aptdaemon.gtk3widgets python-aptdaemon.pkcompat
                                                                                                        sessioninstaller software-center software-properties-gtk
                                                                                                        ubuntu-system-service ubuntuone-control-panel-common
                                                                                                        ubuntuone-control-panel-qt ubuntuone-installer update-manager
                                                                                                        update-notifier xul-ext-ubufox
                                                                                                      
                                                                                                      The following NEW packages will be installed
                                                                                                        consolekit:i386 docbook-xml libck-connector0:i386 libpam-ck-connector:i386
                                                                                                        libpam0g:i386 libpolkit-gobject-1-0:i386 sgml-data synaptic
                                                                                                      
                                                                                                      Need to download 3,432 kB; 20.6 MB disk space will be freed.
                                                                                                      8 to install, 46 to remove
                                                                                                      
                                                                                                      :: WARNING: this operation will REMOVE packages!
                                                                                                      
                                                                                                      Do you want to continue [y/N]?
                                                                                                      

                                                                                                      So much cleaner, and the default is now “no”, as it’s an unexpected dangerous operation. The warning text should probably stand out (bold, standout attr, colour, whatever your taste prefers).

                                                                                                      This is getting a bit off-topic, but commandline interfaces are user interfaces every bit as much as graphical desktop and web apps. It’s something that needs to be thought about, designed, ideally it should be tested, and should be tweaked based on how people are actually using it.

                                                                                                      apt-get is a good example of a terrible user interface in many ways. It’s the commandline version of a chaotic ERP product or 2001-era webapp that has grown since. Sure, it may be powerful and the underpinnings are probably good, but the UX is … not ideal.

                                                                                                      apt has since replaced apt-get; I don’t know if it does better as I haven’t used any of this in a while, but this post suggests it may not :-(

                                                                                                      1. 4

                                                                                                        They already put REMOVED in all caps. Also, after you do a few thousand apt-get invocations, you certainly notice when the ‘removed’ stanza is present vs when it is not.

                                                                                                        Debian was the first OS I knew about that had a reliable, sane package manager.

                                                                                                        If the solution to the problem is to reinstall packages, then the system is NOT broken. If the solution to the problem is to reinstall the OS from scratch, then the system is BROKEN.

                                                                                                        I hope everybody understands that in this circumstance, Debian was preventing the system from becoming broken. Small price to pay…

                                                                                                    2. 2

                                                                                                      In attempting to do “the sane thing” apt-get is more likely to leave a system in a usable state, rather than the reverse.

                                                                                                      Never personally happened to me, but I know a bunch of people new to linux who have broken an ubuntu system with an apt command. This stuff never seems to happen on arch/fedora/whatever, but apt just seems to have a propensity for breaking stuff if you aren’t careful.

                                                                                            1. 16

                                                                                              Hmm. I can’t help but wonder why virtualenv + Docker is necessary in 95% of cases? Why not just install the requirements globally to the Python install… given, you’re in a container and running likely only 1 app… ?

                                                                                              1. 7
                                                                                                1. System python packages might occasionally conflict with packages in your virtualenv (see https://hynek.me/articles/virtualenv-lives/).

                                                                                                2. For multi-stage Docker builds, where you have compiler etc. in first stage, and then copy over compiled code (Python C extensions etc.) into second stage image that doesn’t have gcc etc., so it gives you a smaller image. In this case, installing directly with pip means some files end up in /usr/bin, others in site-packages, so it’s hard to copy everything over. Virtualenv solves that since everything is one directory.
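As an added example (not code from the linked article or from this commenter), here is a Dockerfile that does what point 2 describes: the first stage has a compiler and installs everything into one virtualenv directory, and the runtime stage copies only that directory, so no compiler, pip cache or stray /usr/bin scripts end up in the final image. The file names requirements.txt and app.py, the /opt/venv path, the python:3.11-slim base image and the unprivileged user name are all assumptions for the example.

```dockerfile
# Added example, not from the article: multi-stage build with a virtualenv
# so that everything pip installs lives under one directory (/opt/venv).
# Assumed build context: requirements.txt and app.py next to this Dockerfile.

FROM python:3.11-slim AS builder

# Build tools exist only in this stage; they never reach the runtime image.
RUN apt-get update \
    && apt-get install -y --no-install-recommends build-essential \
    && rm -rf /var/lib/apt/lists/*

RUN python -m venv /opt/venv
# Putting the venv first in PATH is equivalent to "activate" and, unlike
# calling /opt/venv/bin/python explicitly, also applies to any Python
# subprocess that pip or the build spawns.
ENV PATH="/opt/venv/bin:$PATH"

COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

FROM python:3.11-slim

# Console scripts (e.g. gunicorn) and site-packages both live under
# /opt/venv, so one COPY moves everything the app needs. The interpreter
# version must match the builder stage, because the venv symlinks to it.
COPY --from=builder /opt/venv /opt/venv
ENV PATH="/opt/venv/bin:$PATH"

# Run as an unprivileged user: the image has no compiler and needs no root.
RUN useradd --create-home --shell /usr/sbin/nologin app
USER app
WORKDIR /home/app
COPY --chown=app:app app.py .

CMD ["python", "app.py"]
```

Because PATH is set in both stages, a plain `python` or `pip` in any RUN, CMD or spawned subprocess resolves to the virtualenv, which is the same effect the article gets from its PATH-based “activation” without a shell step.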

                                                                                                1. 1

                                                                                                  This would be great context to add to the top of the post!

                                                                                                  1. 1

                                                                                                    Yeah. People asked this a lot, so going to write another article about that specifically and will then link to it from this article.

                                                                                                2. 6

                                                                                                  … and why not use the already great Python images: https://docs.docker.com/samples/library/python/ ?

                                                                                                  1. 3

                                                                                                    Or on top of that, why bother activating at all? You can always just give the full path to your virtualenv python binary and it’ll know where everything else is.

                                                                                                    1. 3

                                                                                                      As I discuss in the article, this is definitely an option. However:

                                                                                                      1. This is repetitive, so it’s easy to forget when you add the 10th call to Python, in cases where you have complex setup.
                                                                                                      2. It doesn’t affect Python subprocesses, which some programs will run.

                                                                                                      The proposed solution suffers from neither problem.

                                                                                                  1. 3

                                                                                                    Still poorly distinguishable ‘o’ and zero. Just shows how committees can be wrong about things.

                                                                                                    1. 4

                                                                                                      I’m more annoyed by the almost-square parentheses.

                                                                                                      1. 3

                                                                                                        This matters a fair amount in the terminal where the context is often insufficient to differentiate between a number and a letter, but does it matter as much in a dashboard where the context is probably much stronger? I think a pilot won’t wonder too often if the plane is going 6OO mph or 600 mph.

                                                                                                        1. 4

                                                                                                          Idk if radio callsigns or transponder signals use 0/O in ways that can be conflated, but it seems an obvious confusion that could be removed. The NATO phonetic alphabet distinguishes ZEERO from OSCAR pretty clearly, after all.

                                                                                                      1. 4

                                                                                                        If I understand correctly the suspected malware was trying to snoop crypto keys from the environment? Obviously it sucks that this happened, but surely how you run your node application is also a big part of the problem.

                                                                                                        If you’re going to run it with sensitive information about other software available in the environment, isn’t that a bad practice to begin with? Likewise, if you run it with elevated privileges then aren’t you also making a mistake, from a defense-in-depth standpoint? I think we (as application developers using the node ecosystem) all need to take a bit more collective responsibility for letting issues like this affect us.

                                                                                                        Somewhat-relatedly, Ryan Dahl, the creator of Node, is now working on deno “A secure TypeScript runtime built on V8”. One of the features is

                                                                                                        File system and network access can be controlled in order to run sandboxed code. Defaults to read-only file system access and no network access. Access between V8 (unprivileged) and Rust (privileged) is only done via serialized messages defined in this flatbuffer. This makes it easy to audit. To enable write access explicitly use --allow-write and --allow-net for network access.

                                                                                                        1. 2

                                                                                                          If you’re going to run it with sensitive information about other software available in the environment, isn’t that a bad practice to begin with?

                                                                                                          In a server context yes, but node is also in use in a fair amount of desktop software as well where that’d be the norm rather than the exception.

                                                                                                          1. 2

                                                                                                            That’s a good point, I had forgotten about how common that use case is. And now I actually find that the most concerning of the three, for these kinds of vulnerabilities ( the others being: browser - fairly well sandboxed; server node app - securable by developer / devops / security policies).

                                                                                                        1. 4

                                                                                                          I remember the pidgin plugin that would send anyone who started composing an IM for you a message first. Good times!

                                                                                                          But, what I love even more is that all of the commits have been perturbed so their hash starts with cafe! The author notes he’s changing the timestamps, author and committer fields until he gets what he wants.

                                                                                                          1. 1

                                                                                                            Man, that brings back some fun memories with Pidgin plugins back when AIM was huge. My favorite was when I hooked up a copy of ELIZA, and had it chat with my girlfriend. I’m not sure whether it says a lot about my girlfriend, my conversational skills, or ELIZA that it took her quite awhile to figure out she wasn’t talking with me.

                                                                                                          1. 10

                                                                                                            I know this post will sound really bad no matter how I say it, but I wonder how much of sexism, in the present (unlikely) or future (more likely) will be more fear than misogyny.

                                                                                                            Women are becoming a touchy subject and, in today’s world where a trial is decided by the public before it goes to court, a false rape accusation does more damage than the trial itself (at least imo). If I were an employer I’d be worried about female employees, not out of hatred or anything, but because they would hold so much power to screw me over.

                                                                                                            I personally don’t care what gender you are or religion or species.. I even like talking to assholes as long as they have something interesting to say. (Sadly I tend to be a bit of an asshole myself) But I would still be scared of talking to random women in a context like a conference because I might say something that puts me in a really bad place. It feels like I would be talking to someone with a loaded gun in my face.

                                                                                                            I think the best friends I have are those who made me notice my mistakes instead of assuming the worst of me, while the tech scene today seems more like a witch-hunting marathon to me.

                                                                                                            On that subject, why does the world have to work with cues and aggressive stances? Why can’t we be honest with each other? I see it every day, someone above me expects everyone to catch on her cues, if they don’t, they’re the bad guys, without even letting the other end know anything.

                                                                                                            Most angry tweets and blog posts about this topic are from people who just kept everything in or burst out in anger at them and they got defensive or responded just as aggressively (kinda to be expected, honestly). I would love to see examples of people who were made aware of their behavior and everything went fine after that.

                                                                                                            1. 18

                                                                                                              a false rape accusation does more damage than the trial itself (at least imo).

                                                                                                              A genuine rape accusation also does more damage than the trial itself. In both cases, the victim is affected. It’s only how we perceive it that’s different.

                                                                                                              I think somewhere along the line communities started to encourage angry reactions as a way of maximising engagement. Somewhere along the line, we forgot to be kind by default, in a way we weren’t offline. I meet people who spend a lot of time in online communities, and you can see (amongst some people) that their online behaviour leaks into their personal offline behaviour, but rarely the other way.

                                                                                                              I think the recent furore over Equifax’s CSO having a music degree is a good example of this. Nobody should care about someone’s degree, but a marketwatch piece designed to provoke angry responses, provoked angry responses on the Internet. The Twitter algorithms designed to increase engagement increased engagement and the Internet went twitter crazy.

                                                                                                              There has to be a way to use a combo of the tools we use for engagement to promote de-escalation and de-engagement. Deprioritising inflammatory content to make the world a better place is not losing out. It’s winning.

                                                                                                              That’s what I really love about lobsters. People may have issues misinterpreting context and social cues here, but generally people are kind to each other.

                                                                                                              1. 10

                                                                                                                a false rape accusation does more damage than the trial itself

                                                                                                                That sort of accusation could, for example, prevent you from winning an Oscar. Or become elected US President.

                                                                                                                1. 11

                                                                                                                  [Note: Before reading this, readers should probably know I have PTSD from a head injury. The side effects of nervous eyes, mumbly voice, and shaky hands apparently make me look like an easy target for male and female predators alike. I’m like a magnet for assholes who I usually deal with patiently, dismiss, or stand ground. Mostly ignore them. This issue required special treatment, though, since I was always treated very differently when it was something like this.]

                                                                                                                  As far as the scenario you’re worried about, it’s a real thing that’s happened to me multiple times. Not rape claims fortunately but sexual harassment or discrimination. I think I was getting false claims to managers two or three times a year with dozens making them to me directly as a warning or rebuke but not to my bosses. They just wanted me to worry that they could or would destroy me. Aside from the random ones, it was usually women who wanted a discount on something, wanted to be served ahead of other customers, or (with employees) not wanting to do the task they were given since it was beneath them or “man’s work.” Saying no to any of that was all it took…

                                                                                                                  However, I was in a service position dealing with thousands of people plus dozens of workers due to high turnover. With all those people, just a few claims a year plus dozens of threats shows how rare this specific kind of bully is. Those that will fully push a false, gender-oriented claim are rare but highly damaging: each claim led people [that didn’t know me well] to assume I was guilty by default since I was male, interrogations by multiple supervisors or managers, and a waiting period for final results where I wondered if I’d lose my job and house with no work reference. Employment gaps on resumes make it harder to get new jobs in the U.S. I got through those thanks to what I think were coworkers’ testimony (mostly women) and managers’ judgment that the good and bad of me they’ve seen versus straight-up evil stuff a tiny number of women were claiming didn’t match up.

                                                                                                                  Quick example: As a team supervisor, I always gave jobs to people in a semi-random way to try to be equal in what people had to do. Some supervisors seemed to cave in if a worker claimed the work was better for another gender, esp labor vs clerical vs people-focused work. When giving an assignment, the most shocking reply I got was from a beautiful, racially-mixed woman who had been a model and so on. A typically-good, funny worker who had a big ego. She said the specific task was a man’s job. I told her “I enforce equality like in the 19th Amendment here: women get equal rights, equal responsibilities.” She gave me a snobby look then said “I didn’t ask for that Amendment. Keep it, get rid of it, I don’t care. (Smirked and gestured about her appearance) I don’t need it. And I’m not doing man’s work.” I was a little stunned but kept insisting. She grudgingly did the job but poorly on purpose to disrupt our workflow. I had to correct that bias in my head where I assumed no woman would ever counter laws or policies giving them equality outside maybe the religious. I was wrong…

                                                                                                                  Back to false claims. That they defaulted against males, including other men who got hit with this, maybe for image reasons or just gender bias led me to change my behavior. Like I do in INFOSEC, I systematically looked for all the types of false claims people made esp what gave them believability. I then came up with mitigations even down to how I walk past attractive women on camera or go around them if off-camera. The specific words to use or avoid is important, esp consistency. I was pretty paranoid but supporting a house of five people when lots of layoffs were happening. The methods worked with a huge drop in threats and claims. Maybe the bullies had less superficial actions to use as leverage. So, I kept at it.

                                                                                                                  This problem is one reason I work on teams with at least two people who are minorities that won’t lie for me. The latter ensures their credibility as witnesses. Main reason I like mixed teams is I like meeting and learning from new kinds of people. :) It’s a nice side benefit, though, that false claims dropped or ceased entirely when I’m on them for whatever reason. I’m still not sure given I don’t have enough data on that one. I also push for no-nonsense women, especially older with plenty of experience, to get management roles (a) since I’ve always promoted women in the workplace on principle and because mixed teams are more interesting; (b) side benefit that a woman who’s dealt with and countered bullshit for years will be more likely to dismiss a false claim by a woman. When I finally got a female boss, esp who fought sexism to get there, the false claims that took serious investigation were handled usually in minutes by her. There was just one problem while she was there with a Hispanic woman… highly attractive with excellent ability to work crowds… that wanted my position launching a smear campaign. It almost worked but she had previously tried something on same manager she needed to convince. Her ego was so strong she didn’t think it would matter because she’d win her over too. Unbelievable lol. She left in a few months.

                                                                                                                  So, yeah, I’d not go to one of these conferences at all probably. If I do, I’m bringing at least two women, one non-white, who barely like me but support the cause. If they leave me, I’m either going outside or doing something on my computer/phone against a wall or something. I’m not going to be in there alone at all given this specific type of bully or claim will likely win by default in such a place. Normally, though, I don’t mind being alone with women if there are witnesses around that are a mixed crowd, I’ve gotten to know them (trust them), or they’re one of the personalities that never pull stuff like this. I’ve gotten good at spotting those thanks to the jobs I did working with strangers all day. I get to relax more than you’d think from this comment, though, since the vast majority of females on my team, other teams, and customers like me or at least are neutral. The risk reducing behaviors are so habitual after years of doing them I barely notice I’m doing them until I see a post like this.

                                                                                                                  Not funny note: There was also real sexism and harassment against women, esp from younger crowd. We had to deal with that, too. On rare events, some physical assault and stalkers that required police and other actions to deal with. One of the problems in many organizations is people will say the woman is making it up. Then, justice won’t happen. Our women were honest enough and male assholes brazen enough that we usually knew who was lying. Similarly when the women were bullshitting about harassment. In many other places or in trials, the defense was the woman might have been making it all up to spite the male. The reason that defense often works is because of the kind of bullies and lies I describe above. I get so pissed about false claims not just since they impacted me but because a steady stream of them in the media is used to prevent justice for real victims. That combination is why I write longer and fight harder on this issue.

                                                                                                                  1. 9

                                                                                                                    a false rape accusation does more damage than the trial itself (at least imo)

                                                                                                                    In our society, a woman reporting a rape has to deal with a lot of shit from a lot of different people. Stuff like victim blaming, “What did you wear?”, “Oh you must’ve been reckless” make it already very hard for women to report rape when it happens. If anything we should be more concerned with women not reporting rape cases rather than false reports – especially since the latter is very small compared to the former. Sorry for not providing any sources, I’m on mobile right now.

                                                                                                                    1. 15

                                                                                                                      I know this post will sound really bad no matter how I say it,

                                                                                                                      It does sound really bad. My favorite part is when you use the phrase “witch hunting” to somehow excuse the fear of women being around.

                                                                                                                      but I wonder how much of sexism, in the present (unlikely) or future (more likely) will be more fear than misogyny.

                                                                                                                      Oh so very little. Do not fear for misogyny, it will be around forever.

                                                                                                                      1. 16

                                                                                                                        My favorite part is when you use the phrase “witch hunting” to somehow excuse the fear of women being around.

                                                                                                                        I could not find a gender-neutral term that carried a similar meaning. This is definitely a fault on my part (my English dictionary is not that rich) but I was referring to the act of persecution by one or more individuals to the intended result of ruining someone’s life, humiliating them etc.

                                                                                                                        Oh so very little. Do not fear for misogyny, it will be around forever.

                                                                                                                        What little hope for humanity and its self-improvement you seem to have. I understand the feeling.

                                                                                                                        My point was not whether misogyny will go away (it won’t), but how much of the perceived misogyny will be out of outright hatred rather than fear of consequences. Someone who doesn’t interact with women will be perceived as misogynous, but maybe he might just want to stay safe from ending up in a really bad situation? My “gun pointed at your head” analogy still stands. It feels uncomfortable and you can’t expect people to behave normally in those situations.

                                                                                                                        You seem to be the exact type of person I’m talking about, all going on the aggressive thinking I’m your worst enemy, not giving me the benefit of the doubt. I personally find it really hard to express my thoughts (it’s not just a language barrier, sadly), and getting attacked like that makes me really demoralized and demotivated to even talk. When I am not allowed to talk my mind without people instantly getting so aggressive at me, how am I supposed to not fear doing it?

                                                                                                                        1. 15

                                                                                                                          I personally find it really hard to express my thoughts (it’s not just a language barrier, sadly), and getting attacked like that makes me really demoralized and demotivated to even talk. When I am not allowed to talk my mind without people instantly getting so aggressive at me, how am I supposed to not fear doing it?

                                                                                                                          Thanks for saying this.

                                                                                                                          1. 5

                                                                                                                            I’m sorry that I sounded aggressive, because I was not trying to. I’m still not angry, nor replying out of spite or hate. :) I’m not a native English speaker (either?), so it can be that. Oh, and I also never thought of you as my worst enemy.

                                                                                                                            I could probably hug you right now, seriously, although I’m a little unsure how to understand your analogy that interacting with women is like having a gun pointed at your head.

                                                                                                                            As far as I can tell, we agree that misogyny will not go away – try to destroy an idea… – but we kinda disagree about how we should deal with it. I am not in a position to lecture anyone on the topic, and deeply nested threads tend to go off-topic easily, so I’ll happily reply to your emails if you’d like to.

                                                                                                                            1. 2

                                                                                                                              Thank you for your kind words, I’m sorry I misinterpreted your reply then!

                                                                                                                              I hate to link to it but I think that what best describes my analogy is a scenario like what ESR described. With no proof (even though the source claimed there had been attempts already) either back then or now, that was ruled as “unlikely” at best, but the fact that it doesn’t sound completely ridiculous and could actually be put into action by a malicious group worries me.

                                                                                                                              I honestly don’t think most women are like that at all, and as you said, this is going a bit off topic.

                                                                                                                              About “how to deal with it”, I’m not proposing a solution, I do wonder if being more straightforward with people and less “I’ll totally blogpost this unacceptable behavior” would make anything easier though.

                                                                                                                              For example, the author quotes Berry’s paragraph about not taking anything for granted, yet instantly assumes that assuming that females are less technical is a big drag for women in tech. What about a little understanding? With so many women in sales and PR positions, the guy might be just tired as hell of having to deal with marketers (although the CTO title should have spoken for itself.)

                                                                                                                              Not denying that some people are just sexist jerks, though.

                                                                                                                          2. 8

                                                                                                                            Both literal witch hunts and the more recent metaphorical sense were frequently directed at men. The notion that “witch” is female is an ahistorical modern one and simply not part of what the word means in the context of a “witch hunt”.

                                                                                                                            1. 0

                                                                                                                              …So? Are you reading that Internet comment in the 1700s when historical witch hunts were actually happening?

                                                                                                                              1. 3

                                                                                                                                The witches arrested during the Salem Witch Trials (in 1692-3, around 150 being arrested) and killed (24, 20 executed, 4 died in jail) weren’t all women. A cursory scan of the accused shows plenty of male names (although it does seem to bias towards women).

                                                                                                                          3. -2

                                                                                                                            The post content here is a man relating his experience of seeing his cofounder get talked over and ignored because she is a woman, so you immediately comment about… how bothersome it is that a woman might one day accuse you of sexual assault?

                                                                                                                            What the actual fuck is wrong with you? You should be thoroughly ashamed of yourself. Delete your account.

                                                                                                                            1. 16

                                                                                                                              What the actual fuck is wrong with you? You should be thoroughly ashamed of yourself. Delete your account.

                                                                                                                              I generally avoid these topics like the plague, but this is the exact reason why. It’s absolutely appalling to me that anyone thinks this is a good response to any comment ever. If you are trying to persuade people or this person, then you have completely failed in backing up your comments with anything but insults. If you aren’t trying to persuade anyone, then you are just a troll who enjoys yelling at someone who is clearly (based on the other comments in this thread) trying to genuinely learn. You took a teaching moment and made it a display of hatred.

                                                                                                                              1. -1

                                                                                                                                If you are trying to persuade people or this person, then you have completely failed in backing up your comments with anything but insults

                                                                                                                                This assertion is completely absurd. I’ve been this asshole, been told off and/or beaten up, and learned better. Violent complaint is precisely how signalling to people that their behavior is utterly abhorrent works in society.

                                                                                                                                1. 6

                                                                                                                                  How should I signal to you that your behavior here, in this thread, is utterly abhorrent? Should I threaten to beat you up? Tell you to delete your account? Scream aggressive obscenities at you?

                                                                                                                                  Whatever it is you think you need to hear to stop behaving this way, pretend that I said it.

                                                                                                                                  1. 3

                                                                                                                                    I’ve been this asshole, been told off and/or beaten up, and learned better.

                                                                                                                                    I’ll just say that I find this comment immensely more helpful than your previous comment. If you’d like to expound on how specifically you’ve “been this asshole” in the past, and what you’ve learned from the experience I’d wager that’s much more likely to convince Hamcha (and the rest of us) to change their mind and behavior.

                                                                                                                                2. 5

                                                                                                                                  I questioned the reason she was ignored and proposed a motivation for which people might fear dealing with women. I also questioned what would have happened if the guy would have put any effort in making the issue clear to the people he’s talking shit about other than vague clues before making accusations with circumstantial evidence.

                                                                                                                                  What is there to be ashamed of?

                                                                                                                                  1. 3

                                                                                                                                    Normal people can have conversations with members of the opposite or same gender without constantly panicking about rape allegations. Do you specifically avoid female waiters at restaurants or cashiers at supermarkets? Is this somehow different to talking to a woman in a nontechnical role? If not, why do you think it is reasonable to pretend a woman who codes is any different? Hell, how on earth can you pretend the possibility of rape allegations is a valid reason to pretend that a person does not exist while in a meeting with multiple participants?

                                                                                                                                    Your regurgitation of sexist crap is shameful. Your lack of thought about it is bewildering. Delete your account.

                                                                                                                                  2. 3

                                                                                                                                    Who taught you to shame people for their feelings and beliefs?

                                                                                                                                    1. 0

                                                                                                                                      Some beliefs are horrendously evil. Your freedom to believe harmful crap does not constitute immunity from being yelled at for spouting it in public.

                                                                                                                                1. 5

                                                                                                                                  I dislike how this leaks metadata by storing the site names in plaintext. I’d care more about people finding out I had a Neopets account than I would about the password to that (entirely hypothetical) account.

                                                                                                                                  Also, is it possible to store a username for a site as well as a password? It doesn’t look like it from the examples. Sometimes remembering what username you used for a site is harder than the password.

                                                                                                                                  1. 3

                                                                                                                                    Also, is it possible to store a username for a site as well as a password? It doesn’t look like it from the examples.

                                                                                                                                    Yes, you can store a username or any arbitrary data. See the section titled Usernames, Passwords, PINs, Websites, Metadata, et cetera.

                                                                                                                                    1. 2

                                                                                                                                      See the section titled Usernames

                                                                                                                                      Oh, duh. I searched the man page for “username” but not the website.

                                                                                                                                      1. 2

                                                                                                                                        Sounds like they need to patch their man page.

                                                                                                                                    2. 3

                                                                                                                                      You can name the files whatever you like. You could create an encrypted file that was a map of random filenames to the account name if wanted. I’ve thought about creating a patch that would do that storing and lookup for you.

                                                                                                                                      1. 1

                                                                                                                                        I’m not associated with pass, but I think that would be a much-welcomed optional feature, should you find the time to implement it.

                                                                                                                                      2. 2

                                                                                                                                        You can store any data you want. However I do agree I don’t like storing the site names in plaintext, but in general I find pass a really handy tool. I have just migrated from keepassx2 to pass.

                                                                                                                                      1. 2

                                                                                                                                        I’ve got two sites using Python and Reportlab. It gets the job done, but certain layout tasks are particularly painful. In places where performance isn’t quite as much of an issue and you’re not super picky about the output, wkhtmltopdf and its associated libraries are super easy to get up and running with.

                                                                                                                                        Lambda does seem like it’d be particularly well suited for this.

                                                                                                                                        1. 2

                                                                                                                                          Why not? Considering the type of task, the process seems a good candidate for going the “serverless” way. It’s a simple 1:1 pipeline, am I missing something?

                                                                                                                                          1. 1

                                                                                                                                            I think you inserted a “not” into my last sentence (I probably could’ve found a better way to word it).

                                                                                                                                            I would absolutely give Lambda a shot for this.

                                                                                                                                        1. 3

                                                                                                                                          In order for the fix to be enabled, the code calling addJavascriptInterface must be compiled against API 17 or above – that is, you must target Android 4.2 or later.

                                                                                                                                          Yikes! Sadly this means anyone making the business decision to target older devices leaves their app vulnerable even on modern devices. (I don’t think version splitting is popular on android, is it?)

                                                                                                                                          1. 2

                                                                                                                                            I don’t develop anything super complex on Android, but I always just set my targetSDK setting to the current highest API level. I’ve never come across anything where this has created a backwards compatibility issue. As long as you don’t actually use any new API features (which IntelliJ will warn you about), old devices can use your app fine. So I suspect that most vulnerable apps in their search could fix the problem by bumping their targetSDK version and recompiling.

                                                                                                                                            I’d be interested in hearing about any common issues caused by just always using the latest targetSDK.
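The targetSDK dependence discussed in this thread, shown as an added illustration that is not code from any of the commenters or from the Android project: with `targetSdkVersion` 17 or higher, only bridge methods carrying `@JavascriptInterface` are reachable from page script, and the bridge is skipped entirely on devices below API 17 where that filtering does not exist. The `AppBridge` class, the build.gradle line in the comment, and the URL are constructed for this example.

```java
// Added example: a WebView bridge that is only safe as intended when the app
// is compiled with targetSdkVersion >= 17 (build.gradle, constructed):
//     android { defaultConfig { targetSdkVersion 33 } }
// Compiled against an older target, every public method of the injected
// object is reachable from page JavaScript via reflection, annotated or not.
import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public class BridgeActivity extends Activity {

    /** Object exposed to page script as window.AppBridge (constructed). */
    public static class AppBridge {
        private final String appVersion;

        AppBridge(String appVersion) {
            this.appVersion = appVersion;
        }

        // Explicitly exported: callable as AppBridge.getVersion() from JS
        // once targetSdkVersion >= 17 makes the annotation the allow-list.
        @JavascriptInterface
        public String getVersion() {
            return appVersion;
        }

        // Not annotated: invisible to page script under targetSdkVersion >= 17;
        // under an older target it would be exposed along with everything
        // else public on this object, which is exactly the leak the fix closes.
        public void resetLocalState() {
            // app-internal housekeeping, never meant for web content
        }
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);

        // The bridge needs JS enabled; keep the exported surface as small as
        // the page actually requires, since every exported method is reachable
        // by any script running in this WebView, third-party script included.
        webView.getSettings().setJavaScriptEnabled(true);
        webView.setWebViewClient(new WebViewClient());

        // Annotation filtering only exists on API 17+ (JELLY_BEAN_MR1). On
        // older devices the bridge cannot be restricted, so do not attach it.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webView.addJavascriptInterface(new AppBridge("1.0"), "AppBridge");
        }

        // Placeholder first-party URL; the bridge should only ever be loaded
        // alongside content the app itself controls.
        webView.loadUrl("https://example.invalid/app/index.html");
    }
}
```

The practical check for an existing app is therefore two-fold: confirm the effective `targetSdkVersion` is at least 17, and confirm every method on the injected object that is meant to be callable from the page carries the annotation.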