1. 1

    Looks interesting; is there an RSS feed?

    1. 1

      Looking at the source it seems this is a JavaScript site with Gatsby. They need to do this if they want a feed: https://www.gatsbyjs.org/docs/adding-an-rss-feed/

    1. 33

      Ignoring completely conventions for how software should be updated on macOS (either via signed Sparkle updates, built-in updater à la Firefox, or via the Mac App Store), Google chose to implement a piece of malware known as GoogleSoftwareUpdate that resides in /Library/Google and ~/Library/Google. It is a specific kind of malware known as an APT (Advanced Persistent Threat), and several articles have been written on this subject (but I can’t find at the moment via a cursory search).

      Sometimes people have a “legitimate” reason to use Google Chrome (i.e. because it supports some piece of DRM you might need which better browsers like Brave choose to not ship with). If you’re one of these users, to prevent Google Chrome from infecting your computer with its malware, you need to perform the following actions:

      # create folders if they don't already exist
      $ sudo mkdir -p /Library/Google ~/Library/Google
      # if they do exist delete everything inside of them
      $ sudo rm -rf /Library/Google/* ~/Library/Google/*
      # prevent Google from writing to these folders
      $ sudo chown -R root:wheel /Library/Google ~/Library/Google
      $ sudo chmod -R go-rwx /Library/Google ~/Library/Google
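
Added example, not part of the original comment: a read-only check that the two directories named in the comment above are in the state those commands aim for (present, owned by uid 0, no group/other permission bits, empty). The function names and the optional expected-uid parameter are assumptions of this sketch; it also notes when the parent directory belongs to a non-root user, because write access to the parent is what governs renaming or replacing an entry in it.

```shell
#!/bin/sh
# Added example: read-only audit of the directory lock-down described above.
# Function names and the expected-uid parameter are assumptions of this sketch.

# audit_locked_dir DIR [EXPECTED_UID]
# Returns 0 if DIR exists, is owned by EXPECTED_UID (default 0 = root), has no
# group/other permission bits and is empty; 1 on any finding; 2 if DIR is missing.
audit_locked_dir() {
    dir=$1
    want_uid=${2:-0}
    rc=0

    if [ ! -d "$dir" ]; then
        echo "MISSING  $dir (nothing reserves this path)"
        return 2
    fi

    # ls -ldn prints e.g. "drwx------  2 0 0 64 Jan  1 00:00 /Library/Google"
    listing=$(ls -ldn "$dir")
    uid=$(printf '%s\n' "$listing" | awk '{print $3}')
    go_bits=$(printf '%s\n' "$listing" | cut -c5-10)   # group + other triplets

    if [ "$uid" != "$want_uid" ]; then
        echo "OWNER    $dir is owned by uid $uid, expected $want_uid"
        rc=1
    fi
    if [ "$go_bits" != "------" ]; then
        echo "MODE     $dir has group/other bits set ($go_bits)"
        rc=1
    fi

    # A correctly locked directory is unreadable to ordinary users, so the
    # emptiness check only runs when the caller can actually list it.
    if [ -r "$dir" ] && [ -x "$dir" ]; then
        if [ -n "$(ls -A "$dir")" ]; then
            echo "CONTENT  $dir is not empty"
            rc=1
        fi
    else
        echo "NOTE     $dir is not listable by uid $(id -u); rerun with sudo to check contents"
    fi

    # Informational only: the owner of the parent directory can rename or
    # replace this entry whatever the entry's own owner and mode are.
    parent=$(dirname "$dir")
    parent_uid=$(ls -ldn "$parent" | awk '{print $3}')
    if [ "$parent_uid" != "0" ]; then
        echo "NOTE     parent $parent is owned by uid $parent_uid, who can rename or replace $dir"
    fi

    return "$rc"
}

# Audit the two paths named in the comment above.
audit_google_updater_dirs() {
    overall=0
    for d in /Library/Google "${HOME:-}/Library/Google"; do
        audit_locked_dir "$d" 0 || overall=1
    done
    return "$overall"
}

audit_google_updater_dirs || echo "RESULT   at least one directory is not in the locked-down state"
```
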
      
      1. 10

        In what world is this an APT? I deal with threat hunting, APT attack simulation, and TTP recreation on a daily basis and this is not the first time that I’ve seen a few people who don’t like Google try and pin the term on GoogleSoftwareUpdate. It makes no sense and you make your argument way weaker by throwing around terms like that and spreading FUD. APTs are acting groups who create payloads for specific targeted purposes, not the payloads themselves. That’s like calling Stuxnet an APT.

        1. 11

          I consider it an APT. Even removing Chrome doesn’t remove it, and if you don’t excise it completely it will restore itself. It’s nasty. Really evil stuff on MacOS.

          1. 12

            That’s like calling Stuxnet an APT.

            The Wikipedia page calls Stuxnet an APT. Copied from there:

            The Stuxnet computer worm, which targeted the computer hardware of Iran’s nuclear program, is one example.

            GoogleSoftwareUpdate is an APT because, well, it fits the definition. It runs in the background, without your permission, it phones home to Google, and at any point in time it can modify your computer either directly or with a payload it downloads.

            1. 10

              An Advanced Persistent Threat (APT) is a stealthy computer network threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period

              I don’t mean to be inflammatory, but I honestly don’t even think you read the first sentence of the Wikipedia article you linked. It refers to threat actors specifically. So this would generally be considered a tool used by an APT. Google is the actor, GoogleSoftwareUpdate is their payload/TTP (Tools Techniques and Procedures). We assign APT names and numbers to groups, not malware families; your description doesn’t fit that definition at all.

              1. 6

                It seems like the Wikipedia entry uses it in multiple ways as well, since it calls Stuxnet an APT, and later refers to its creators.

                If you’re used to hearing the term APT refer to the people behind the code, I can see being confused at the way that I’m using it here. Wikipedia does not use the term consistently, and others have also used the term to refer to the software itself, so I’m not alone in this usage.

                I think confining the term “APT” to the software’s creators can be unnecessarily limiting. In the case of GoogleSoftwareUpdate, it might not be accurate to call Google the APT, since their mechanism (GoogleSoftwareUpdate) can be hijacked by completely unknown entities to infect computers. In a sense, you could also say that GoogleSoftwareUpdate is the entity that’s doing the infecting, and I don’t think that’s an unreasonable expansion of the definition.

                1. 6

                  I’m saying that the entire computer security field has seemingly agreed (whether or not the terms are somewhat confused in Wikipedia) that APT refers to specific threat actors not their tooling, which means when you use those terms in technical groups they are going to misconstrue them since no one calls TTPs APTs. Whether or not you are meaning to, you are accidentally leading people away from the in-field terms. I have never once heard a threat hunter call an artifact an APT in my entire career.

                  Generally in the malware and analysis world GoogleSoftwareUpdate wouldn’t even count as malware, it would be a PUP (Potentially Unwanted Program) that functions in a known way but might do something unwanted. That’s not the same as malware either. Also if you are referring to the fact that GoogleSoftwareUpdate is installed in a user writable directory and can be replaced or DLL hijacked then you are further purposefully choosing to make that fit into your view. This is a common terrible practice, but can be mitigated by installing the Google Chrome Enterprise which installs system wide and doesn’t leave GoogleSoftwareUpdate writable by users.

                  1. 5

                    I’m saying that the entire computer security field has seemingly agreed

                    I thought my presence on Hacker News and Lobsters bringing in all the high-assurance and CompSci folk showed that popular security != entire computer security field. The popular ones also built many fewer systems highly-resistant to penetration. They knew nothing of those that did or even denied they existed. When they failed, they doubled down on their ways instead of relenting or admitting the other groups had anything of value. If anything, I’m skeptical when the “computer security field” that most know about make a pronouncement. The skepticism usually pays off.

                    Back to this, I see why @itistoday is talking like this. Many security and news pieces I read at the time talked about APT in terms of their methods. They highlighted how different the methods were. Who cares who the source is if the methods are the same things you already blocked. The “APTs” were different using stealthier techniques that involved getting a foot in, bringing in more, and doing a lot of exfiltration of data under users’ noses. That’s basically Google minus outright hacking. Hence, hyperbole.

                    1. 1

                      Skepticism is always fair and I appreciate being called out when I accidentally arbitrate or overly claim authority, that was not my goal and very much not my objective either. Appeal to authority was a failure on my part. I know based on our conversations that I very much have respect for the HA world and the world outside of “pop-security”, but in both of those I have never heard the term get used as a reference to persistence techniques and only referred (even in the research I read) to as the groups executing real world attacks. I agree that the term “persistence” is of importance, and isn’t represented properly in the original acronym, but I have always heard and read about them in the terms of “persistence” in general.

                      For the second portion, the corporate world and enterprise land is almost the opposite of what you stated in my experience. They care much more about who, how to block them, and how to detect them than necessarily root cause detection/prevention. I think this is fundamentally flawed (as I bet you do too), but just look at something like the MITRE ATT&CK and show me how the Google example fits in? I think that the “outright” hacking and purest of intent is important to separate out threats from potentially unwanted behavior. There is a fundamental difference between a risk and a threat, no?

                      1. 2

                        “but in both of those I have never heard the term get used as a reference to persistence techniques and only referred (even in the research I read) to as the groups executing real world attacks”

                        Thanks for fairly evaluating what’s going on here. It could be the reporting media doing it. Being outside your group, what I was reading was a combination of actors and methods that were supposedly better than everything else. If anything, it looked like media and security companies were making excuses for bad security in general by making hackers look amazing. Hackers whose methods were sending loaded emails and such followed by gradual expansion of access. Not amazing.

                        “the corporate world and enterprise land is almost the opposite of what you stated in my experience. They care much more about who, how to block them, and how to detect them than necessarily root cause detection/prevention.”

                        I don’t have much experience there past what I read about what they do. I appreciate the insight. They’re often reactive based on whatever is getting a lot of attention. This could be an extension of their habit to want to create an easy characterization of something, point blame at it, and have some solution that eliminates it entirely. It doesn’t work with IT security in general. I definitely can see them doing it.

                        “I think that the “outright” hacking and purest of intent is important to separate out threats from potentially unwanted behavior. There is a fundamental difference between a risk and a threat, no?”

                        I agree in general. I already said it was likely hyperbole. Thing is, Google is a threat actor of its own sort trying to get as much secret and public information about its users and non-users as possible to sell influence attempts by third parties. Also, getting close with D.C. in a police state with whatever comes with that. And they do their own thing in a sneaky way.

                        I agree that the APT term doesn’t fit them in definition of mainstream, security community or news headlines I saw for some reasons. I do see how the sneaky, bring-in-backdoors, exfiltrate-data behavior justifies a comparison with hyperbole, though.

                    2. 1

                      I didn’t realize the APT Language Police were here, sorry!

                      I have heard various people use APT to refer to software. Multiple definitions for the same words often exist. This is how language works. Since you keep banging on about this, I’ll remind you that I’ve linked to one paper that uses “APT” in this way, that sentence from Wikipedia, and here’s another person:

                      The Advanced Persistent Threat (APT) has become the watchword for today’s cyber espionage. It frequently involves a piece of malware or group of malware programs that can evade detection

                      Re some people not considering it “malware”. Great, we can agree to disagree. I’m with Stallman on this.

                      1. 4

                        Multiple definitions for the same words often exist.

                        Yeah, we have to stop this in computing. We have enough complexity, and enough trouble communicating ideas. We don’t need to overload terms and make this worse.

                        Precision is a foundational aspect of why math is a universal language.

                        1. 4

                          Yeah, we have to stop this in computing.

                          Great idea, now let’s nominate you to be in charge of the definitions of the words everyone in computing uses. 👍

                          Precision is a foundational aspect of why math is a universal language.

                          And math is definitely not known for overloading the definitions of symbols.

                          1. 2

                            Great idea, now let’s nominate you to be in charge of the definitions of the words everyone in computing uses.

                            Thank you for your kind nomination!

                            And math is definitely not known for overloading the definitions of symbols.

                            There are very few “symbols,” but you can generate new words for your definitions by using the generalized concept of addition (which has axiomatic properties) and basic set theory primitives like subset. Put another way, assuming a function newword(L, N), where L is a tuple, containing production rules for valid words, P, and a set, C, of valid symbols (e.g. characters), I can call newword, to generate valid words contained in L of length N. While I’ll leave the proof as an exercise to the reader, it follows that incrementing N is all that is needed to create additional words in L, provided, that production rules in L are unbounded.

                          2. 2

                            Mathematics is the art of giving the same name to different things. (Henri Poincaré)

                            Math is precise when it comes to the definitions and what a word means in a context, but the keyword here is context.

                          3. 3

                            There is a difference between being the language police and accepting the fact that the common use terms in the industry itself (in which I have taken part in IR engagements that discover named APTs) are not confused in their day-to-day use. I think when you do that you are doing it on purpose to try and craft the narrative in a way that you are the language police and can redefine terms that are not confused inside of a field. It is purposefully trying to confuse people who are not part of the field and I think that’s just as dangerous.

                            It frequently involves a piece of malware or group of malware programs that can evade detection

                            Again, even in your quote you are ignoring that entire sentence; APTs do use malware to evade detections. That just solidifies my statement.

                            APTs often embed programs in a penetrated system

                            From the first summary sentence in the paper, which btw is describing how GoogleSoftwareUpdate would be a good model for malware used by an APT (not crafting an APT again).

                            EDIT: I’m bailing out of this argument for the sake of the length of the thread. I’ll squat in IRC or messages if you want to have a further discussion after your response to this.

                            1. 4

                              From the first summary sentence in the paper, which btw is describing how GoogleSoftwareUpdate would be a good model for malware used by an APT

                              This is the first sentence:

                              Google’s software update system can serve as a model Advanced Persistent Threat (APT).

                              The thing being called an “APT” in that sentence is “Google’s software update system”.

                              I’m bailing out of this argument for the sake of the length of the thread.

                              Good call. It was fun and I also have work to get done.

                  2. 7

                    Oh come on, it’s just some hyperbole about Google doing things with similarities to stealthy attackers. It was a warning and joke mixed together to get more attention to the issue. That’s on top of entertaining the Lobsters.

                    Far as APTs, my favorite counter on the term back when it was hot was Luiz Firmino’s comment on Krebs’ blog. It just explained why the media was making a big deal about what was just hacking 101 for any careful party targeting enterprises. Heck, the whole post makes what they were doing look obvious. I threw in 2 cents worth of corroboration.

                    1. 2

                      I’ve read studies that only one out of four lobsters are born with a humerus bone in their body. The rest don the thick skin of an exoskeleton one should naturally expect.

                      1. 1

                        That’s great lol.

                    2. 3

                      APTs are acting groups who create payloads for specific targeted purposes, not the payloads themselves.

                      Huh, I thought those were “threat actors”. But I’m not very in touch with threat hunting.

                      ETA: OK, from the top of Wikipedia:

                      An Advanced Persistent Threat (APT) is a stealthy computer network threat actor, typically a nation state or state-sponsored group

                    3. 3

                      Do you by any chance have the same directions for Windows, too? There were some official instructions that Google would post; I’ve followed all of those when they were still current, and yet sometime afterwards they’ve still broken out of their sandbox, and performed damage to my seldom-used copy of Google Chrome.

                      Also, you mention Brave, but Brave doesn’t quite have a way to disable autoupdate, either — unlike Firefox and SeaMonkey.

                      1. 2

                        I don’t have any direct directions, but Google provides Chrome Enterprise installers that have administrative templates that let you control the vast majority of these controls. They have Mac DMGs too.

                        1. 1

                          Do you by any chance have the same directions for Windows, too?

                          I do not, sorry. Maybe someone else knows.

                        2. 2

                          Or you can (in this case at least) keep your operating system up to date, and not disable System Integrity Protection.

                          I realize SIP disable is required for 3rd party graphics cards on Macs. And possibly the version of whatever graphics software was required for these machines only run on older versions of MacOS. This raises the question of why they were running (presumably) non-mission critical software (Chrome) on machines that absolutely have to be running…

                          1. 3

                            Maybe they just wanted to use a 3rd-party GPU? I don’t see why the users are suspect because of a completely arbitrary MacOS anti-feature

                            1. 0

                              What anti-feature are you referring to? SIP or the lack thereof, or Google’s Keystone updater software?

                          2. 2

                            Somewhat similarly, on Linux (at least on Ubuntu) Chrome installs itself into /etc/cron.daily: so that even if you notice its existence in your repos and remove it from there, it will re-add itself.

                            1. 2

                              you need to perform the following actions

                              Also recommended, KnockKnock, which can tell you what launch agents, etc. can be installed:

                              https://objective-see.com/products/knockknock.html

                              And BlockBlock (which I haven’t tried yet), which warns you if software tries to install anything persistent.

                              https://objective-see.com/products/blockblock.html

                              Ignoring completely conventions for how software should be updated on macOS (either via signed Sparkle updates, built-in updater à la Firefox, or via the Mac App Store)

                              Luckily, Microsoft now offers Office in the App Store. Another terrible installer/autoupdater that I hated.

                              1. 1

                                Although I haven’t verified it, using a portable version of Chrome should be a solution, as nothing is installed.

                                1. 1

                                  This is funny because I think you’ve heard the term APT and thought persistence meant persisting in memory or on disk, which is important in malware terms. But as far as I’ve known the term (in infosec for a few years) the persistent in APT means persistent in trying to get at you. Interesting that this whole time I never thought of confusing persistence of malware with the persistence in APT, but they are different meanings.

                                  APTs are groups, not code, a different approach would be crimeware groups that send out ransomware indiscriminately then take the profits where they can. Calling Google an APT seems hyperbolic since their primary goal is shareholder value not intel/influence/surveillance, a list of APTs and their inconsistent names (aka all infosec vendors come up with their own names) are here: https://medium.com/@cyb3rops/the-newcomers-guide-to-cyber-threat-actor-naming-7428e18ee263

                                1. 21

                                  does anyone else feel uncomfortable watching a security company so thoroughly embrace a get-rich-quick scheme?

                                  1. 7

                                    Frankly, I expect nothing less. An American company, their business being in centralizing decentralized data, their business model unclear, and now they’re trying to attract more users with make-believe money? Shocking /s

                                    I know I’m coming out as a catastrophic, and perhaps paranoic naysayer, but all sarcasm aside: what is Keybase really going for as a company? If altruism and the wellbeing of humanity is their operational objective, then what are their investors in for?

                                    Logically, if they’re trying to be do-gooders and genuinely make people happy, then eventually they’ll be forced to monetize them somehow – either play the good guy and rely on donations Signal-style or find some way to make money off of their users directly. This could just be their way of doing that, hoping for an ethical revenue model that would actually sustain them.

                                    1. 3

                                      They don’t have that many unethical options given that everything is encrypted and open source. Still, I think they need some kind of clear funding model soon.

                                      1. 2

                                        everything is (…) open source

                                        Except the server: https://github.com/keybase/client/issues/6374

                                  1. -1

                                    Perl 6 gets it right, fwiw:

                                    > perl6 -e 'say "🤦".chars' 
                                    1
                                    
                                    1. 3

                                      technically the wrong emoji :) curious what it says if you copy and paste the one from the article.

                                      1. 5

                                        Must have been a copy paste error of some sort – an easy one to make since I don’t actually have proper emojis in my terminal (it looks like this)

                                        Perhaps this is correct-er?

                                        > "🤦🏼‍♂️".chars
                                        1
                                        
                                        1. 2

                                          Thank you for taking the time to do that :).

                                      2. 3

                                        So a character is an extended grapheme cluster?

                                        1. 3

                                          Except, of course, that the whole point of the article is that treating this behavior as “right” is an oversimplification. It is unstable, it requires tons of extra machinery, and it’s not helpful in most use cases.

                                          1. 1

                                            I mean if chars means symbols I guess it’s pretty accurate.

                                        1. 12

                                          I’m curious what Perl (either version) is used for these days.

                                          In the past I saw it used as a glue language for things like ad-hoc build/test pipelines, or a shell replacement when shell scripts became unwieldy. Nowadays CI tools or Python usually fill those roles.

                                          Personally I have no interest in working with Perl6. They doubled-down on everything I disliked in Perl5, and I think the language tries to be too clever. Too much “magic” and too many ways to do things for my liking. I’ve got better things to do than memorize a hundred special variables.

                                          1. 7

                                            Booking.com and DuckDuckGo run on Perl. (5, which is the only Perl.) I worked at Booking for two years, used Perl in anger, and grew to like it. It’s still and has always been a perfectly good Python/PHP/Ruby alternative.

                                            I wouldn’t write anything new in Perl, but more because of the difficulty of finding people who could work on it than any fault of the language. Fashion is a cruel top.

                                            1. 3

                                              I got in charge of a large Perl5 codebase by forking an abandoned project and we still consider Perl5 its original sin. I don’t think it’s an adequate alternative to anything but AWK one-liners (I still use it in that role and am not going to give up—but that’s about it).

                                              Even with strict and warnings, so many things just pass silently. Sure, you can unit test it, but other languages that aren’t untyped can just detect it on their own, and produce an informative exception trace. The difference is especially noticeable in glue code that is hard to unit test. Its garbage collector still can leak memory in situations everyone else’s could handle a decade ago. The context thing (with default context almost never being documented) is still a minefield.

                                              The community part is important too. A lot of people had been telling us they would be happy to contribute, if it wasn’t for Perl. We’ve been steadily replacing it with Python, and it’s been an improvement all around. Code is easier to read, problems are detected earlier, and contributor activity is much higher.

                                              1. 4

                                                on the other hand the old farts who know perl might be more competent than the young hipster python programmers. that’s a heuristic i often use when evaluating projects: if the community is older they are less likely to do dumb shit.

                                              2. 7

                                                I use it for personal projects, mostly because I’ve invested the time to learn it well.

                                                I don’t think much new stuff is being written in Perl, but there’s plenty of maintenance.

                                                1. 6

                                                  Currently gainfully employed and writing perl is part of my job, yes some of it is maintenance, but I also write new things in it as well. I also write go, python (grudgingly), shell, and some C++ here and there too.

                                                  I, personally, would be very happy to see this change. Perl6 has some neat ideas that I’d love to flex some day, but Perl5 needs to move on. No reason they both can’t co-exist.

                                                  The notion that Perl is dead dead dead dead is a tiresome one at this point.

                                                  1. 5

                                                    I do it for a living in webdev (backend) and deployment automation.

                                                    1. 4

                                                      I’ve never used perl5, but I discovered perl6 recently and am in love. Good for: desktop applications (assuming they don’t get too big), scripts, web applications. It essentially obviates metaprogramming because anything you could possibly want to metaprogram is already in the language (including metaprogramming, in case you want that for some reason). That means that you have less to memorize than with any other language, because once you know it, you know it. There are no codebase-specific bespoke constructs you have to learn; it’s pretty much all straight perl6 because straight perl6 is already good enough.

                                                      1. 1

                                                        desktop applications

                                                        web applications

                                                        That’s interesting! What do you use?

                                                        1. 4

                                                          For desktop, there are various bindings to GTK and SDL; for web, cro is the current state of the art.

                                                    1. 14

                                                      Bullshit Jobs by David Graeber. Still going through it, but it nicely sheds some light on my nagging feeling that a lot of work being done every day is just a waste of time.

                                                      1. 8

                                                        Been meaning to pick this up recently - really liked Debt: The First 5000 Years.

                                                        1. 4

                                                          I loved Debt; one of my favourite non-fiction books of all time. I haven’t read Bullshit Jobs (well I read the article that inspired the book) but I’ve heard good things.

                                                        2. 2

                                                          Actually started that just two days ago. My partner had read it I think last year and generally liked it, though she said to feel free to skip ahead at times, as he seems to dwell quite a lot on some points.

                                                        1. 26

                                                          The security issues outlined by this article are clear, so I won’t comment on them. I did want to comment on this peripheral point:

                                                          This same vulnerability also allowed the attacker to DOS any user’s machine. By simply sending repeated GET requests for a bad number, Zoom app would constantly request ‘focus’ from the OS.

                                                          I’ve long thought that OSes (or WMs, whatever) should pretty much never bring a window (or dialogue box, or any such UI element) into view, or take input focus (keyboard or mouse) without explicit user interaction (i.e. key press, mouse click or screen tap). Instead, they should indicate to the user that some application or widget “wants attention”, for example by making an application’s entry in the WM’s task bar blink/flash. Then, the user can choose to take explicit, manual action (e.g. in this example, click on the task bar) to bring the window or other UI element up to z-index 0 and allow it to take input focus.

                                                          Time and again, all through the years, we experience the UX pain of happily and intentionally typing (or clicking) in one UI element, and something pops up, takes input focus, and we unintentionally send keystrokes or mouse clicks into that surprise UI party crasher. How many decades of UI and UX research have come and gone since the earliest GUIs came on the scene? This kind of thing should never happen – yet, it does, and I find that just a little ridiculous.

                                                          I welcome any counterexamples showing a case where it would be a good thing for a new UI element to steal input focus without the user first performing an input.

                                                          1. 14

                                                            If you peruse Raymond Chen’s blog at Microsoft, there are multiple entries about customers who want to make sure that their window is placed front and center and grabs all input. It’s easy for even a non-malicious application developer to convince themselves that their product is so good that this behavior will actually be welcomed by users.

                                                            Chen does not agree, by the way.

                                                              1. 1

                                                                Thanks!

                                                                It does look like both items link to the same post, though.

                                                                1. 3

                                                                  Oops, copy/paste failure. Sorry about that! I’ve fixed the second one.

                                                            1. 5

                                                              I recently switched back to a Linux laptop, and a feature I love over OSX is that when an app wants focus, instead of just taking focus, PopOS (probably gnome?) displays a toast saying “NeedyApp is ready”. I can switch to it when I’m ready too.

                                                              1. 3

                                                                When my terminal opens a system dialog to unlock my password manager. I’ve hardcoded that as the only exception to “no stealing focus” in my i3 config.

                                                                1. 3

                                                                  What does your “no stealing focus” config entry(-ies?) look like?

                                                                  1. 2

                                                                    I see your point, and can accept that others have different preferences, but if it were me, I’d let such a thing remain not an exception, and just stay unfocused and flashing in the task bar. But then, I reboot scarcely 5 times a year, so unlocking like this is something I rarely do.

                                                                  2. 1

                                                                    Indeed – I’ve been thinking lately that UIs should be given much of the same consideration we give to APIs regarding things like race conditions (as in your example) and backwards compatibility. The user, after all, is ultimately another component interacting with other components of the overall system…

                                                                    1. 1

                                                                      Reminds me of the javascript popup-bombs from the early 2000s. A never ending stream of popup windows and dialogues, close one and three appear.

                                                                    1. 7

                                                                      Calling it “the real reason” is a bit of a stretch (it’s more like “what I realized by accident after N years in the industry”), but the reason does actually sound quite compelling – to the point that it makes so much sense that I struggled to remember why I preferred spaces all this time.

                                                                      I think the reason is alignment – I do things like

                                                                      $foo->bar()
                                                                          ->baz()
                                                                          ->etc(...)
                                                                      

                                                                      or

                                                                      sprintf("%s %s %s\n",
                                                                              $foo,
                                                                              $bar,
                                                                              $baz);
                                                                      

                                                                      regularly, and spaces guarantee that these will actually show up consistently. You could have the cake and eat it by using tabs for indentation and spaces for alignment – which makes sense when you think about it, but somehow “feels dirty” to mix the two.

                                                                      1. 8

                                                                        tabs for indentation and spaces for alignment

                                                                        This sounds reasonable to me.

                                                                        but somehow “feels dirty” to mix the two

                                                                        I think I can learn not to feel dirty if I remember that I won’t actually be mixing the two. The tabs are strictly in prefix.

                                                                        1. 7

                                                                          The tough part is that if you are writing Python, mixed tabs and spaces are illegal, and the standard style guide for the language specifies spaces only. Outside of Python, it feels like tabs for indentation and spaces for alignment requires editor support: at a minimum, visible whitespace, but preferably also for automating the number of tabs and number when reindenting.

                                                                          I have always been a partisan of spaces-only, but this is the first argument for tabs that I find really strong. I do feel like I need to work towards adopting tabs.

                                                                          1. 12

                                                                            The tough part is that if you are writing Python, mixed tabs and spaces are illegal

                                                                            “Indentation is rejected as inconsistent if a source file mixes tabs and spaces in a way that makes the meaning dependent on the worth of a tab in spaces; a TabError is raised in that case.” That is, you can use spaces for alignment if you consistently use tabs for scoping.

                                                                            e.g. This works

                                                                            $ cat -t x.py
                                                                            def a(x):
                                                                            ^Iprint("1",
                                                                            ^I      "2"
                                                                            ^I      "3")
                                                                            a(1)
                                                                            

                                                                            And python does not complain.

                                                                            $ python -t x.py
                                                                            1 23
                                                                            
                                                                            1. 3

                                                                              Thanks, yes, you’re right. This leaves just the task of always maintaining perfect consistency in using tabs for scoping and spaces for alignment. Plus being willing to ignore the standard style guide (PEP 8) and avoid using code formatting tools like black.

                                                                        2. 4

                                                                          somehow “feels dirty” to mix the two.

                                                                          Why? Tabs are for indentation (semantic) whereas spaces are for alignment (visual). They’re different things.

                                                                          1. 1

                                                                            It’s “dirty” when different lines use different characters for indentation and alignment. e.g. line 1 uses 2 spaces for a single level of indentation, and line 2 uses 1 tab for a single level of indentation. (I’m not disagreeing with or discounting your point about having a rule to consistently abide by.)

                                                                            1. 2

                                                                              That is a different situation than what was described and called “dirty”.

                                                                          2. 4

                                                                            The main downside to using tabs + spaces is editor support. Back when I used it, I think kate was one of the few editors that didn’t mess up my code. I eventually moved to spaces only out of frustration with different editors.

                                                                            The other downside is all the derision you get for using tabs.

                                                                            1. 2

                                                                              You can’t use spaces for alignment for the same reason that tabs are apparently more accessible: different people will use tabs to mean different things. If you use space for alignment you are just moving the problem around, insisting that a tab is equal to N spaces – to keep your precious alignment correct.

                                                                              1. 12

                                                                                If you use tabs only for indentation, then your spaces will always line up. E.g. if you are 2 levels of indentation deep, and want to line up with the 3rd character, you have 2 tabs and 2 spaces. Regardless of tab length, 2 tabs and 2 spaces will end up at the same column as 2 tabs and 2 characters.

                                                                                Rule of thumb is if you are visually lining up to a previous line, use spaces. If you are adding a level of indentation, use a tab.
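The two claims made in this sub-thread (Python only raises TabError when the meaning of the indentation depends on the tab width, and space alignment behind a tab prefix holds at any tab width), checked in an added example that is not part of the thread. The sample sources and all function names are constructed for illustration.

```python
import re

# Constructed samples; "\t" is a literal tab character in the source text.
# Tabs indent, spaces align: the layout of the x.py file shown above.
GOOD = 'def a(x):\n\tprint("1",\n\t      "2"\n\t      "3")\na(1)\n'
# Looks identical at tab width 4, but the continuation lines align with a tab.
TAB_ALIGNED = 'def a(x):\n\tprint("1",\n\t\t  "2"\n\t\t  "3")\na(1)\n'
# One block indented with a tab on one line and eight spaces on the next.
INCONSISTENT = "def a(x):\n\ty = x\n        return y\n"


def quote_columns(source, tab_width):
    """Column of the first double quote on every line that contains one."""
    columns = []
    for line in source.splitlines():
        rendered = line.expandtabs(tab_width)
        if '"' in rendered:
            columns.append(rendered.index('"'))
    return columns


def stays_aligned(source, widths=(2, 3, 4, 8)):
    """True if the quoted arguments line up at every tab width tried."""
    return all(len(set(quote_columns(source, w))) == 1 for w in widths)


def python_accepts(source):
    """Compile without executing; False only for a tab/space TabError."""
    try:
        compile(source, "<sample>", "exec")
    except TabError:
        return False
    return True


def prefix_violations(source):
    """1-based numbers of lines whose leading whitespace has a tab after a space."""
    bad = []
    for number, line in enumerate(source.splitlines(), 1):
        leading = re.match(r"[ \t]*", line).group()
        if " \t" in leading:
            bad.append(number)
    return bad


if __name__ == "__main__":
    for name, src in (("GOOD", GOOD), ("TAB_ALIGNED", TAB_ALIGNED),
                      ("INCONSISTENT", INCONSISTENT)):
        print(name, "aligned at all widths:", stays_aligned(src),
              "| python accepts:", python_accepts(src))
```

Python accepts `TAB_ALIGNED` because lines inside the open parenthesis are not checked for indentation, so the interpreter will not catch alignment done with tabs; only the rendered columns show it.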

                                                                                1. 4

                                                                                  That makes sense, I’m wrong :)

                                                                                  I suppose a follow-up question is, does spaces for alignment satisfy the usability concern which tabs help with?

                                                                                  1. 2

                                                                                    That’s a good question. I would imagine the answer isn’t so much that spaces for alignment helps, it’s the tabs for indentation that help. Spaces for alignment satisfies the “consistent alignment” part of the problem.

                                                                              2. 1

                                                                                If you drop the first method call/arg to a new line, indented one level more you get a similar effect with tabs only. And you save some horizontal space when the var/symbol on the first line is longer than one tab-width.

                                                                                JetBrains tools call this style “chop down” I believe.

                                                                              1. 6

                                                                                And here it is for those of us not using Google Play: https://github.com/mozilla-mobile/fenix/releases/tag/v1.0.0 :)

                                                                                1. 2

                                                                                  This won’t automatically update though, which is a bit of a problem for a browser imho

                                                                                1. 20

                                                                                  Been working as a programmer (Perl/Python, mostly the former) for a bit like the last 7 years.

                                                                                  With full-time employment I don’t think I ever put up more than 5 hours of work per day. The rest have been meetings, discussions or just general office distraction – lunches, coffees, etc. It felt frustrating to waste 8 hours a day (plus commute) to do what could’ve been done in 5 or less. My theory is that employers know perfectly well that pretty much no one can consistently produce 8 hours of solid work a day and that’s one of the reasons that they fill IT offices with toys: table tennis, pool, consoles – all these amenities just to admit to themselves that the 8 hour work day is an impractical relic but somehow they still want everyone around for a third of their lives.

                                                                                  I’ve moved to self-employment around 3 years ago and I’m not looking back. I average between 3-5 hours a day, I get paid by the hour, I do my job and then I switch to other things instead of wasting time. The rates are a bit higher than on full-time employment so it mostly balances itself out, allowing me to live a comfy life without feeling like I’m dangling my feet under the table for the sake of someone’s outdated ideas.

                                                                                  1. 9

                                                                                    Any tips on successfully going self employed? I’m wanting to make a similar move after several years working at large corporations, for these exact reasons (among others).

                                                                                    1. 1

                                                                                      It may be a good idea to start with something niche enough to have few competitors but still common enough to find customers. Having something to prove you can do it may help, for example, an open source tool related to the job, or some documentation. It’s also often a unique combination of skills that really helps getting hired rather than a unique skill. Class4 (transit) VoIP is haunting me for example—there aren’t many people who know something about VoIP and are also programmers and can architect and implement automation solutions. And don’t be afraid to openly advertise your services, people need to know you are available to get an idea to hire you.

                                                                                  1. 5

                                                                                    I’m maybe 80% de-googled (and de-Facebooked), with:

                                                                                    • Firefox
                                                                                    • DDG
                                                                                    • Zoho (mail with my domain, and contacts)
                                                                                    • Android without a Google account (I know this is flawed, but didn’t have much luck with microG)
                                                                                      • Aurora and F-Droid to sideload apps
                                                                                      • DAVx to sync calendars and contacts
                                                                                      • Newpipe and podsync+podcast republic to watch youtube
                                                                                    • Signal (chat)
                                                                                    • Mega (cloud storage)
                                                                                    • Site passwords rather than Google or FB OpenId, stored in pass
                                                                                    • Quarterly family email newsletter (to share things with family and friends I don’t chat with often)

                                                                                    I still use Google for:

                                                                                    • Docs. I have a few spreadsheets that are heavily scripted that I can’t be bothered migrating, and TBH zoho docs is rather lacking. I plan to move back to the “good old days” of local files + cloud storage
                                                                                    • Maps. OSM didn’t really work out that well, though it was OK
                                                                                    • Calendar. Maybe once I migrate my wife to Zoho for mail we can switch our calendar over, but we have a lot of time invested in it currently.
                                                                                    1. 5

                                                                                      Try the maps.me app. It uses osm data and has offline support

                                                                                      1. 1

                                                                                        There’s also this fork available on F-Droid, sans the binary blobs in the regular Maps.me app. I’m using OsmAnd - still early days but it seems pretty good (available for Android and iOS, open source).

                                                                                      2. 3

                                                                                        I think when it comes to a very specific tech, Google Maps cannot be matched. Actually, I would straight up pay for the service Google Maps provides if they asked for it.

                                                                                        1. 1

                                                                                          What specifically is it that you’re missing from, I’m assuming, OsmAnd?

                                                                                          1. 2

                                                                                            Personally, navigating to a street number and routing around traffic were the big ones.

                                                                                            1. 1

                                                                                              Routing around traffic is absolutely something OsmAnd won’t do today. It would imply data gathering and privacy infringement I assume they’re not comfortable with.

                                                                                              Navigating by street number though works well where I live. Though that will vary across the world and time.

                                                                                              1. 2

                                                                                                I believe Apple Maps do traffic routing with anonymized data gathering. I would think that you’d only need to know what the average speed of a given section of road is, which doesn’t require knowledge of individual location data.

                                                                                        2. 2

                                                                                          Maps. OSM didn’t really work out that well, though it was OK

                                                                                          I’ve been happily using Here Maps instead of Google Maps, as OSM is not quite good enough when it comes to car navigation.

                                                                                          1. 1

                                                                                            WRT. Google Docs you might want to give Collabora/Libreoffice Online a try by getting access to or installing a Nextcloud or Owncloud instance and installing the app. It is coming along nicely and is now able to run a complex spreadsheet which it børked at only a few months ago.

                                                                                            [1] https://apps.nextcloud.com/apps/richdocuments

                                                                                          1. 1

                                                                                            I have never done much Perl, but I enjoyed playing with it one spring at university. Who here is using Perl regularly?

                                                                                            1. 7

                                                                                              I used to work at Booking.com, which has about a million lines of Perl in production. It was good times, I quite enjoyed working with it.

                                                                                              1. 6

                                                                                                It was my main language from about 1998-2008. I don’t write programs in Perl anymore, but I regularly use perl -ne, perl -pe, and perl -i -p -e on the command line and in scripts.

                                                                                                1. 9

                                                                                                  Same here. Back in the days of “traditional sysadmin” I used Perl for most tasks, be it small processing scripts or CGI web apps. These days Perl has fallen out of fashion and as much as I still like writing things in Perl 5, none of my colleagues wants to touch Perl code, so I end up doing much more Go, or sometimes Python (but I’m not a huge fan of Python).

                                                                                                  That said, I did manage to semi-sneak some Perl 5 into production a while back, and recently replaced a complicated shell script which was doing all sorts of echo | grep | sed | xargs etc. - I put the Perl replacement up for review and most people said it was “surprisingly readable” and that no other language could have done it as well.

                                                                                                  Perl definitely still has its place, but there’s too much stigma around it now.

                                                                                                  1. 6

                                                                                                    It’s possible to write reasonable Perl, but it’s very easy to make unreadable Perl if one isn’t careful. Unfortunately, sysadmins under duress was the most significant Perl userbase, while not one known for taking time on scripts. (Not helping Perl’s reputation for readability also: JAPH)

                                                                                                    1. 7

                                                                                                      Agreed, TMTOWTDI is both good and bad. Perl lets you take shortcuts, so people take them. PHP is arguably just as bad for this (I guess because it evolved from Perl).

                                                                                                2. 5

                                                                                                  Never tried perl5, but I’ve been using perl6 quite a bit lately and I really enjoy it.

                                                                                                  1. 5

                                                                                                    I use Perl regularly, as my “secret weapon” when consulting and/or writing API backends.

                                                                                                    1. 4

                                                                                                      I used perl from 2005-2010 on closed source code (a fastcgi ad-server, of all things). I remember going through the camel book(s) at the same time, and quite enjoyed it. I’ll miss the Perl conferences more than the language though. :p I never got to an expert level though, so it can be that.

                                                                                                      1. 4

                                                                                                        I don’t use much Perl anymore but I really miss how well regular expressions were integrated into the language.

                                                                                                        1. 4

                                                                                                          2/3 of my regular clients are Perl shops (the third is teaching, and that’s mostly Python), so Perl is basically my dayjob :)

                                                                                                          1. 3

                                                                                                            I use Perl(5) for fun (personal projects, coding challenges etc).

                                                                                                            I’ve broken it out in anger at work for some ad-hoc log parsing stuff too.

                                                                                                            1. 2

                                                                                                              Not only is it the scripting language I usually reach for, and have since 4.036, but most of the externally facing services on Floodgap.com are written in Perl including the HTTP and gopher servers.

                                                                                                              1. 2

                                                                                                                I’d just like to take the opportunity to thank you for making TTYtter back in the day!

                                                                                                                I still use Oysttyer daily. Best Twitter client bar none.

                                                                                                                1. 2

                                                                                                                  Hey, thanks! :)

                                                                                                              2. 2

                                                                                                                I believe The Register is still a perl shop :~)

                                                                                                              1. 2

                                                                                                                You can use emoji (and other graphical unicode characters) in URLs. And wow is it great. But no one seems to do it. Why?

                                                                                                                Well, frankly, I don’t because I find them disgusting :P I feel like a fool for advocating for the use of Unicode since I’ve learned about it now that I see what it turned into. It went from “An amazing idea for a proper i18n for all languages” to “this joke of a standard that introduces new variants of «front facing baby chicken» every year, which I hope will die like all the other fads but I know that it won’t”.

                                                                                                                Still, as much as I hate the tech itself, the use in URLs shown here is cool and creative, thanks for that :)

                                                                                                                1. 2

                                                                                                                  This should really come as no surprise to anybody. Reminds me of this piece by esr, written who-knows-how-many-years-ago about fetchmail:

                                                                                                                  Another lesson is about security by obscurity. Some fetchmail users asked me to change the software to store passwords encrypted in the rc file, so snoopers wouldn’t be able to casually see them.

                                                                                                                  I didn’t do it, because this doesn’t actually add protection. Anyone who’s acquired permissions to read your rc file will be able to run fetchmail as you anyway—and if it’s your password they’re after, they’d be able to rip the necessary decoder out of the fetchmail code itself to get it.

                                                                                                                  Source: http://www.catb.org/esr/writings/cathedral-bazaar/cathedral-bazaar/ar01s09.html

                                                                                                                  I’d be curious if the author knows any way of encrypting the password in such a way that the encryption key is not available on the hard drive and yet can pull the passwords out by itself :)

                                                                                                                  1. 2

                                                                                                                    Sure, you unlock the “vault” using a KDF such as PBKDF2 or Argon2. Ideally the “password” is the same as the login password, so that the user doesn’t have to enter it twice. You then keep this key in memory until the computer suspends.

                                                                                                                    This works great if your threat model is offline disk access. There is really no way to do it if your threat model includes other programs running as the user in question.
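The unlock scheme described in the comment above, as an added example that is not part of the thread: the disk record holds only salt, nonce, ciphertext and tag, and the key exists in memory between unlock and `lock()`. Python's standard library has no AEAD cipher, so an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC stands in for one here; the function names, record layout and iteration count are assumptions.

```python
import hashlib
import hmac
import json
import secrets

PBKDF2_ITERATIONS = 600_000  # assumed work factor, not a value from the thread


def derive_keys(password, salt, iterations):
    """Stretch the password with PBKDF2, then split into cipher and MAC keys."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    enc_key = hmac.new(master, b"vault-encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"vault-authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream_xor(key, nonce, data):
    """Stand-in stream cipher: XOR data with HMAC-SHA256(key, nonce || counter)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        pad = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


def _tag(mac_key, salt, nonce, iterations, ciphertext):
    """Authenticate the KDF parameters together with the ciphertext."""
    header = salt + nonce + iterations.to_bytes(4, "big")
    return hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()


def seal_vault(password, entries, iterations=PBKDF2_ITERATIONS):
    """Return the record that goes to disk: no key and no plaintext in it."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(password, salt, iterations)
    ciphertext = _keystream_xor(enc_key, nonce, json.dumps(entries).encode("utf-8"))
    return {
        "kdf": "pbkdf2-hmac-sha256",
        "iterations": iterations,
        "salt": salt.hex(),
        "nonce": nonce.hex(),
        "ciphertext": ciphertext.hex(),
        "tag": _tag(mac_key, salt, nonce, iterations, ciphertext).hex(),
    }


class UnlockedVault:
    """Keeps the derived key in memory only, until lock() is called."""

    def __init__(self, record, password):
        salt = bytes.fromhex(record["salt"])
        self._nonce = bytes.fromhex(record["nonce"])
        self._ciphertext = bytes.fromhex(record["ciphertext"])
        iterations = int(record["iterations"])
        enc_key, mac_key = derive_keys(password, salt, iterations)
        expected = _tag(mac_key, salt, self._nonce, iterations, self._ciphertext)
        if not hmac.compare_digest(expected, bytes.fromhex(record["tag"])):
            raise ValueError("wrong password or modified vault")
        self._enc_key = enc_key

    def get(self, site):
        """Decrypt on demand with the in-memory key."""
        if self._enc_key is None:
            raise RuntimeError("vault is locked")
        plaintext = _keystream_xor(self._enc_key, self._nonce, self._ciphertext)
        return json.loads(plaintext)[site]

    def lock(self):
        """Call on suspend. Drops the reference; CPython does not wipe the memory."""
        self._enc_key = None


if __name__ == "__main__":
    # Constructed sample entry and password.
    record = seal_vault("login password", {"mail.example": "constructed-secret"})
    vault = UnlockedVault(record, "login password")
    print(vault.get("mail.example"))
    vault.lock()
```

This covers the offline-disk case only; while the vault is unlocked, the key sits in the memory of a process owned by the user, which is the limit the comment itself points out.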

                                                                                                                    1. 1

                                                                                                                      I’m not sure the two compare. Fetchmail config would not be unlocked in any way, whereas a password database could be locked behind the user’s main account password.

                                                                                                                      The author assumes the attacker has access to the user account, but what if they don’t? What if they came in through a browser exploit?

                                                                                                                      Having the database encrypted sounds like it would at least make extracting its contents more difficult. (Possibly has portions in memory somewhere?)

                                                                                                                      Wondering out loud here, not an expert.

                                                                                                                    1. 2

                                                                                                                      I was confused when I started reading: “why would a DAV server have an issue tracker…?” But that’s Radicle, not Radicale. Doesn’t seem like a very fortunate choice of a name, especially if you end up with the less pronounceable one :/

                                                                                                                      1. 5

                                                                                                                        I’ve been using it for about 10 years now, since I moved, had no internet at home and needed something to do ;)

                                                                                                                        I never bothered to type quickly, but occasionally people ask me to do the typing speed test and say “wow, that’s actually quite above average” so I guess it kinda works in that regard?

                                                                                                                        One thing I noticed though: when I sit down to a qwerty keyboard these days, I subconsciously “tilt” my hands so that my wrists are more on the outside – with colemak they’re more straight, so to say. So I guess it may have a benefit regarding potential RSI.

                                                                                                                        From a hindsight, I’m not sure it was worth switching: qwerty feels stupid and awkward now, yes, but I’m not sure if the circumstantial benefits of colemak are worth it when I have to reconfigure the keyboard bindings of pretty much every single software I use :/ Especially the vim-alikes: hjkl is hnei for me, and so every other keybinding moves now and oh god I hope I won’t need all these keys after all…

                                                                                                                        1. 5

                                                                                                                          I learned Vim shortly after Colemak, and I just didn’t bother changing things around. Sure hjkl is messed up, but I don’t use them much anyway.

                                                                                                                          1. 4

                                                                                                                            I guess this is what one would call “chaotic neutral” in D&D. :-)

                                                                                                                            1. 1

                                                                                                                              I learned Emacs instead of Vim specifically because I knew Dvorak already and saw the hjkl stuff and thought it wouldn’t be a good fit.

                                                                                                                              1. 1

                                                                                                                                A bit late now, but after a month or two you largely stop using hjkl. There are generally better movement keys for a given situation. Using something like 5k to move down 5 lines is something I do regularly though.

                                                                                                                          1. 13

                                                                                                                            Every time I have to explain why encryption is important for privacy and why we should care for privacy I go for “let’s say your employer monitors which websites you go to and flags you accordingly; as an example you may want information about maternity leave, workplace litigation or whatever. This could be used to flag you as fire immediately and the next day you are put on a performance improvement plan that will lead ultimately to firing you”. Works every time.

                                                                                                                            1. 10

                                                                                                                              Yeah, I feel like we could really use some of examples of why privacy violations like these may be undesirable, that non-tech people can easily understand and relate to. Stuff like:

                                                                                                                              • Would you like to have a loan denied to you because your friends are poor and their existence lowers your credit rating?
                                                                                                                              • Would you like for your flight tickets to suddenly get more expensive because some of your friends are already on that flight?
                                                                                                                              • Would you like for your car insurance to go up because you recently started watching car racing videos?
                                                                                                                              1. 3

                                                                                                                                “No, that would never happen.”

                                                                                                                                … is what I find most folks respond with when presented with similar scenarios. At this point, I think the only way to get the point across is for there to be a high-profile incident where something like this happens, and there is real, widespread loss as a result. Then, at least briefly, people might understand the point and, briefly, lobby for some action to be taken until they get distracted by <insert next trendy cause/topic here>.

                                                                                                                              2. 5

                                                                                                                                You should also mention more employers are looking at that stuff, too. Maybe also the possibility that Facebook and Google will sell profiles to them as a service to assess potential hires.

                                                                                                                                1. 2

                                                                                                                                  A few years ago, Target found out this kind of information from their customers. I guess employers could do the same with browsing history…

                                                                                                                                  1. 1

                                                                                                                                    but why wouldn’t you want to improve your performance, that sounds great

                                                                                                                                  1. 4

                                                                                                                                    I like the Handoff support in OSX. It’s nice when you can be listening to a podcast in Overcast and keep listening when you sit down at your laptop/desktop.

                                                                                                                                    There are niceties I will miss when I finish eliminating OSX from my personal universe :)

                                                                                                                                    1. 3

                                                                                                                                      heh, I remember a music handoff app for Mac ↔ iOS from way before Apple’s official Continuity…

                                                                                                                                      In the free world, KDE Connect can do a lot, but no Handoff style functionality yet. I guess it’s really hard to do when you’re dealing with completely separate app ecosystems. Though it should be possible for some things that have standardized APIs. Like you can pick up the current song and position from MPRIS and you proooobably can tell Android “play this song from this position on the default music player”… maybe…

                                                                                                                                      Also: with Purism, there will be an app ecosystem that runs on both mobile and desktop, so maybe someone should start working on handoff between the same app on different devices

                                                                                                                                      1. 3

                                                                                                                                        KDE Connect seems pretty neat for sure. Pity that the entire commercial Linux world seems to be backing Gnome instead :(

                                                                                                                                        1. 3

                                                                                                                                          KDE Connect is not actually specific to KDE — the post I linked shows a frontend that’s a GNOME Shell extension. There’s also an AppIndicator based DE-agnostic frontend.

                                                                                                                                          1. 4

                                                                                                                                            Still terrible marketing. It’d be better if the thing was under XDG, with a name like “Open Connect” or “Mobile Connect”.

                                                                                                                                            Probably part of the problem is that KDE has the same reputation as Apple does, with people either buying in whole-hog or not-at-all, because KDE tends to take a very “holistic” approach to design (note tech like kdeinit, which runs a daemon in the background to make the whole system use less RAM, assuming you’re using a lot of KDE apps).

                                                                                                                                            1. 4

                                                                                                                                              Still terrible marketing

                                                                                                                                              That basically sums up KDE recently; did you know, that KDE no longer means “K Desktop Environment”? I only learned a few years ago. It’s now an umbrella name for a lot of projects, including Plasma, the Desktop Environment. I talked to them a bit on FOSDEM a few years ago, and they were all about how KDE is now a modular thing instead of this big monolithic blob, and how KDE Connect doesn’t actually require you to use KDE at all. And they’re not lying: I’ve successfully used it with bare i3 and it didn’t bring in that many dependencies.

                                                                                                                                              But yeah, people hear “KDE” and think “oh, this big, bloated DE I don’t want to use”. A bit of a naming problem, and those are really, really hard to fix (Perl 5 and 6 suffers from a similar thing).

                                                                                                                                              1. 1

                                                                                                                                                I think that’s true. You’d think they’d work harder on fixing that since the world seems to be passing them by :\

                                                                                                                                                Gnome is such an unstable beast and yet all the big distros are piling on board that bandwagon instead of stalwart KDE just chugging along getting more and more mature and awesome all the time :)

                                                                                                                                            2. 1

                                                                                                                                              Good point. Not helpful for me in any case because I use an iOS phone :)

                                                                                                                                              (I hate where Apple’s going these days with its computers and OSX but for mobile devices I still vastly prefer them for a number of reasons. I know, break out the tar and feathers :)

                                                                                                                                              1. 2

                                                                                                                                                Eh, no. I am also drifting away from the Mac, but until there’s a non-surveillance alternative to iOS, I’m still hooked into the Apple ecosystem.

                                                                                                                                                1. 3

                                                                                                                                                  Yeah, and this is another unpopular opinion but another reason I’m sticking with IOS for mobile is the apps. An iPad is one of the most amazingly capable platforms for creativity I’ve ever encountered. Full stop.

                                                                                                                                                  Android folks get haughty when I point out various applications where no counterpart exists, but the few who were honest enough to actually give more than a cursory look agreed.

                                                                                                                                                  Examples: Moog AniMoog, Procreate, Editorial

                                                                                                                                                  OSX is another story though. The thing that kept me there for years was the accessibility features, and now both Gnome and KDE on ubuntu offer the key thing I need (key chorded full screen zoom) so that’s not holding me.

                                                                                                                                      1. 3

                                                                                                                                        From a casual observer’s point of view (mine) browser dominance seems to go in very similar cycles. My first browser was Netscape. That seemed to dominate or at least be popular, but then internet explorer (which often confused me because at one point it also worked as a file browser - I think?) ate the world. Everyone built their websites to work on IE. Then came Firefox. I used Firefox, but I see I was still in the minority. Then came chrome. Chrome is the modern IE: if you don’t build your site to work on Chrome, everyone will complain.

                                                                                                                                        The problem is that gmail has eaten the world, the google suite of tools (docs, spreadsheet, presentation) has eaten the world, and Chrome integrates so tightly with them. And it’s all “free”. I’ve gotten so used to having my documents and my email from a “free” service that seems reliable and secure, it’s hard to break out.

                                                                                                                                        But this too shall pass. Remember Yahoo? I do, when its name had a (!) at the end. I wonder what’s coming next?

                                                                                                                                        I do have a question. Say I do want to step out of the google ecosystem, what do people suggest for

                                                                                                                                        • email
                                                                                                                                        • documents suite
                                                                                                                                        • photos
                                                                                                                                        • browser
                                                                                                                                        1. 17

                                                                                                                                          Hi, I’m Ted, I’m Google-free for about 5 years (Hi Ted!)

                                                                                                                                          • I use runbox.com for email, but I’m obviously biased since I also work there. I can vouch that we’re not assholes :)
                                                                                                                                          • I have no need for an online documents suite, and barely any need for any documents suite, but I use Libreoffice when I do have that need.
                                                                                                                                          • I sync the photos from my phone (SailfishOS, not android) to my nextcloud, which I host on my digitalocean VPS. The non-phone photos are stored on my NAS at home, organized slightly by Gnome’s Shotwell.
                                                                                                                                          • Firefox is my browser on all my devices.

                                                                                                                                          Feel free to ask about more things; going Google-free seemingly forces you to be a bit of a technical Amish, rejecting modern technology, but surprisingly a lot of stuff outside of Google is actually really good: it takes trying out and getting used to the alternatives to realize how godawful some of Google’s “products” actually are.

                                                                                                                                          1. 4

                                                                                                                                            My private identity is de-googlified (I have to use some services for work). There’s a french free software company “framasoft” that aims to provide an alternative for every service that Google offers. See https://degooglisons-internet.org/en/ as it has good pointers, though I use almost none of their services.

                                                                                                                                            Here’s what I use:

                                                                                                                                            • mailbox.org for email (I can also recommend posteo, protonmail, fastmail), built-in android email client
                                                                                                                                            • no cloud-document suite (libreoffice)
                                                                                                                                            • photos on nextcloud, with auto-sync from mobile to my own instance.
                                                                                                                                            • Firefox 🦊, mobile and desktop
                                                                                                                                            1. 2

                                                                                                                                              I’ve been using these:

                                                                                                                                              email

                                                                                                                                              ProtonMail and Fastmail

                                                                                                                                              photos

                                                                                                                                              Adobe Creative Cloud / Mega nz

                                                                                                                                              browser

                                                                                                                                              Firefox, switched to it during Firefox Quantum alpha and haven’t needed Chrome ever since.

                                                                                                                                              Documents suite I don’t really need, for text-documents I’ve used what ever text-editor I usually tend to use.

                                                                                                                                              1. 2

                                                                                                                                                I’ve been trying to deGoogle slowly over the past years and I do not like running my own servers for email, contacts, cloud sync, etc.:

                                                                                                                                                • email: I’ve been with my ISP since forever, however this is in Europe so we don’t have the nastiness US ISPs and telcos pull. Also, this has been a real solid ISP. For you, I would say FastMail or ProtonMail. I also use FastMail for my contacts and calendar (I wish my ISP offered this!),
                                                                                                                                                • documents suite: I have no good answer to this since I do not depend on a documents suite, I just use either Emacs with org-mode or Markdown,
                                                                                                                                                • photos: I use pCloud and sync them from my phone (also SailfishOS like Ted) with Rclone,
                                                                                                                                                • browser: I’ve been using Firefox for ages with NoScript and uBlock as most important addons, but I do have a Chrome handy for the very few sites that do not work. People always complain about Firefox being slow but it’s always been pretty similar to Chrome for my non-typical usage. Similar enough to not want to switch to Chrome anyway.
                                                                                                                                                1. 1

                                                                                                                                                  Out of curiosity, what’s the rationale for using both NoScript and uBlock? Seems a bit redundant?

                                                                                                                                                  1. 2

                                                                                                                                                    Hmm.. I don’t know actually, in the past the JavaScript-blocking and ad-blocking were in separate addons. I’ve always used NoScript to block JS and have gone through different ad-blockers over the years. I did not realize uBlock had functionality for blocking JS. How embarrassing.

                                                                                                                                                    I’m used to NoScript’s UI though and I’ve got an extensive list of sites I do allow (some) JS for.

                                                                                                                                                2. 2

                                                                                                                                                  I’m Google-free in my private life – I use Fastmail for email, calendars, and contacts syncing; I use iCloud and SmugMug for photos; I don’t use a shared document suite; and I use Safari. I also block all of Google’s and Youtube’s (and Facebook’s) domains on my main browser, and I keep a Firefox instance around for looking at youtube videos and suchlike.

                                                                                                                                                  For my work computer, I do have to use Chrome, because we use Google stuff at work.

                                                                                                                                                1. 50

                                                                                                                                                  I found the article interesting; having presented Go as both horrible and good, it reminds me of C a bit: a “quirky, flawed and enormous success” language. Perhaps it’s no coincidence given the fact that they share some of their designers :)

                                                                                                                                                  However, as someone who wrote some code in both Go and Rust, I couldn’t disagree more with “I think the reasons why Go’s popularity skyrocketed, will apply to Rust.” I think you’re missing one, very important bit: Go is easy to write. It may be stupid, it may be flawed, but you write your code quickly and it gets the job done. Go has succeeded in attracting Python programmers, because it also allowed them to build their programs quickly, with not much effort, and they ran quite a lot faster.

                                                                                                                                                  The barrier of entry to Rust is massive. Yes, there are obvious advantages to code that you’ve already written in it and made compile, but as far as development effort goes, Rust is not the kind of thing you choose if you want a thing done quickly.

                                                                                                                                                  I think Go’s success is more similar to Javascript’s or Python’s rather than Rust’s. It’s easy to pick up and good enough in practice. Rust goes for the opposite: it makes itself harder to learn and use, but for a superior long-term benefit. I don’t think it’ll reach quite the same audience, or popularity.

                                                                                                                                                  1. 19

                                                                                                                                                    +1. I feel like the reasoning in the article is a bit skewed: it considers programming languages to be formal artifacts and compares them on their technical merits. It is a perfectly valid thing to do and the analysis in the article is thoughtful.

                                                                                                                                                    Then it starts making predictions based on the assumption that technical merits of a language define its success, completely missing the wetware side of programming languages. Programming languages are made to be used by both humans and computers, and their human effects can be very subtle: even some stupid little thing like long compilation times or quirky syntax can be disruptive.

                                                                                                                                                    Go is good enough at the machine level (much better than Python/Ruby and the like), at the same time cutting many corners to be easy for humans (simple, minimal and familiar syntax, small number of concepts in the language, simple and unobtrusive type system, low-latency GC, good tooling, very fast compilation times and feedback loop, a simple but effective concurrency model, large and actually useful standard library). Sometimes Go feels almost like cheating: it is full of high-quality implementations of complex things with very simple/minimal/hidden human interfaces (GC, goroutines, the standard library). Go consistently makes it harder for humans to make wrong choices, compared to most other mainstream programming languages (one subtle example: structures are value-types which are copied by default, unlike pass-by-reference craze of Java/Python/Ruby, making unintended sharing harder and even alleviating absence of immutability to some degree).

                                                                                                                                                    Rust is excellent for machines, but its human side is much more uneven than in Go. It is much better than Go in preventing humans from making mistakes in many areas. At the same time, it brings non-trivial, large, open-ended interfaces and does not hide implementation complexity as well from the programmer. It brings a huge learning curve and cognitive overhead. Implementation/language complexity can be a minefield in itself: humans might get confused, might miss a simpler way to do something, etc. Rust is designed for very patient and conscientious programmers who are willing to spend time and effort to get things right. Sadly, this is often not the recipe for success in many parts of the software industry.

                                                                                                                                                    I’d be happy to see a world where Go fills a high-level niche and Rust makes systems foundation.

                                                                                                                                                    1. 5

                                                                                                                                                      I think the trouble with discussions about a language’s “technical merits” is that somewhere along the way some people have lost sight of the purpose of programming languages: to act as an interface to make it easy for programmers to create software. Good languages remove resistance to getting programs written. Bad languages make it harder.

                                                                                                                                                      Go is very good at satisfying a particular niche - making it easy to write software without sacrificing much performance. I’d argue that this is a niche which is in high demand and that explains the popularity of Go.

                                                                                                                                                      Rust has a different niche - minimising memory access errors while providing sophisticated language features and having good performance. The trade-off is that the language is much harder to master than Go and programming is in general more difficult. Rust’s features are all laudable things but given its lower popularity it seems like there’s just less demand for languages of this type.