Threads for timvisee

  1. 2

    I’m not seeing this, at all, with a similar setup.

    I wonder if it isn’t just the Microsoft URL security/malware scanner that is visiting the URLs, rather than Bing indexing it and seeing random visitors.

    When using magic links like this, always use a POST, or require it to be opened in the same client (uniquely identified by a cookie).
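The two mitigations named in the comment above (consume the token only on POST, and tie it to the browser that requested it with a cookie), combined in one added example that is not part of the thread. `MagicLinkStore`, its method names and the in-memory dict are hypothetical stand-ins for a real web handler and database.

```python
import hashlib
import hmac
import secrets
import time


def _digest(value: str) -> str:
    # Store only hashes, so a leaked table does not hand out usable links.
    return hashlib.sha256(value.encode()).hexdigest()


class MagicLinkStore:
    """Hypothetical in-memory store; a real service keeps the same fields in a DB."""

    def __init__(self, ttl_seconds: int = 600):
        self.ttl = ttl_seconds
        self._pending = {}  # token digest -> (email, cookie digest, expiry)

    def issue(self, email, now=None):
        """Return (token, client_cookie): the token goes in the e-mailed URL,
        the cookie is set on the browser that asked for the link."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        client_cookie = secrets.token_urlsafe(32)
        self._pending[_digest(token)] = (email, _digest(client_cookie), now + self.ttl)
        return token, client_cookie

    def handle(self, method, token, client_cookie=None, now=None):
        """Return (status, body) for a request to the magic-link URL."""
        now = time.time() if now is None else now
        key = _digest(token)
        entry = self._pending.get(key)
        if entry is None or now > entry[2]:
            self._pending.pop(key, None)
            return 410, "link expired or already used"
        email, cookie_digest, _expiry = entry
        if method == "GET":
            # Mail scanners and link prefetchers land here. Render a page
            # whose button POSTs the token; change no state.
            return 200, "confirm-form"
        if method != "POST":
            return 405, "method not allowed"
        presented = _digest(client_cookie or "")
        if not hmac.compare_digest(presented, cookie_digest):
            # Wrong or missing cookie: refuse, but leave the token usable
            # for the browser that actually requested it.
            return 403, "open this link in the browser that requested it"
        del self._pending[key]  # single use
        return 200, "signed in as " + email
```

A scanner that fetches the URL any number of times only ever sees the confirmation page, so the link still works when the person it was sent to clicks through.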

    1. 6

      Fun story:

      Our company has put in place security training, which includes sending fake phishing emails that we are supposed to report without clicking on the “free iPad” link. For the first few months, everybody had an abysmal score of 100% malware links clicked.

      Why?

      The Office 365 security scanner systematically followed the link to inspect it for malware. So the poorly designed software assumed that we had clicked it. We complained and the training provider fixed it. I will note that this was not a free account but a big-business, paid-for email service. They are certainly not the only security service to do this.

      So yes: “links in emails are opened by humans” is another one of those “things programmers believe” that are completely wrong. You should avoid doing anything sensitive with them.

      1. 3

        Sending fake phishing emails to your own employees is a good sign that your CTO has no real work to do and should be fired. It’s just obviously a waste of time. Just add the external link banner to the emails and be done with it.

        1. 2

          This is really interesting to me. I’m in the middle of implementing something like this and in my research keep finding stories like yours.

          I’m thinking of emailing a one-time code to the user instead of sending them a link now

      1. 20

        Honestly, I don’t really have many problems with GitHub. It works decently, and if it goes to hell, I can just push somewhere else and deal with the fallout later. Actually finding projects/code is useful with code search (ignoring ML sludge), and I really don’t see how people can get addicted to the whole stars thing. Besides, if it’s public, something like Copilot will snarf it anyways.

        1. 23

          I was a long-time holdout from GitHub. I pushed every project I was contributing to and every company that I worked for to avoid it because I don’t like centralised systems that put control in a single location. I eventually gave up for two reasons:

          It’s fairly easy to migrate from GitHub if you ever actually want to. Git is intrinsically decentralised. GitHub Pages and even GitHub wikis are stored in git and so can just be cloned and taken elsewhere (if you’re sensible, you’ll have a cron job to do this to another machine for contingency planning). Even GitHub Issues are exposed via an API in machine-readable format, so you can take all of this away as well. I’d love to see folks that are concerned about GitHub provide tooling that lets me keep a backup of everything associated with GitHub in a format that’s easy to import into other systems. A lot of my concerns about GitHub are hypothetical: in general, centralised power structures and systems with strong network effects end up being abused. Making it easy to move mitigates a lot of this, without requiring you to actually move.

          The projects I put on GitHub got a lot more contributions than the ones hosted elsewhere. These ranged from useless bug reports, through engaged bug reports with useful test cases, up to folks actively contributing significant new features. I think the Free Software movement often shoots itself in the foot by refusing to compromise. If your goal is to increase the amount of Free Software in the world, then the highest impact way of doing that is to make it easy for anyone to contribute to Free Software. In the short term, that may mean meeting them where they are, on proprietary operating systems or other platforms. The FSF used to understand this: the entire GNU project began providing a userland that ran on proprietary kernels and gradually replaced everything. No one wants to throw everything away and move to an unfinished Free Software platform, but if you can gradually increase the proportion of Free Software that they use then there becomes a point where it’s easy for them to discard the last few proprietary bits. If you insist on ideological purity then they just give up and stay in a mostly or fully proprietary ecosystem.

          1. 2

            Even if it’s possible, even easy, to copy your content from Github when they cross some threshold you’re no longer ok with, there will be very little to copy to unless we somehow sustain development of alternatives during the time it takes to reach that threshold.

            IMHO it would be better if the default was at least ”one of the three most popular” rather than ”Github, because that’s what everyone uses”.

          2. 7

            If you use their issue tracker, pull requests and so on, that will be voided too. That isn’t easily pushable to another git host. Such things can tell a lot about a project and the process of it getting there, so it would be sad if that was lost.

          1. 2

            Can I just say thank you so much for the detailed README! Even big professional projects are sometimes difficult to get a start with and understand with just the README. I was already familiar with FF Send but I feel like even if I wasn’t I would understand it deeply and know how to use it before I even cloned the repo.

            And also the tool is awesome! I was definitely sad when Mozilla shut down their public one.

            1. 2

              Thanks a lot for the wholesome comment! :)

            1. 5

              Dev here! Happy to answer any questions.

              1. 10

                This is one of the reasons I started using DuckDuckGo. It doesn’t have these garbage widgets that suddenly pop up 2 seconds after the page is ‘loaded’, making everything jump around and causing misclicks.

                1. 5

                  Funny you should say that, because I have had that exact problem with DDG because of their “instant answers” or whatever they call it that pop in at the top of the results.

                  1. 1

                    DDG is similar in my opinion.

                    At least they have a decluttered version - DDG lite - that I switched to because I’m so fed up with the lack of results - 10 after the initial search plus other features I don’t like - “more results”, embedded image or video results above the actual results - there are already tabs for images or videos.

                    I set up 2 keyword searches (in firefox) - one for lite and one for regular search pages.

                    The good thing about keyword searches is that you can take full advantage of their URL parameter support to control the look, feel and functionality (including turning instant answers off). Some of those options may no longer work though but most of them do.

                1. 1

                  I’m having some serious annoyances with their window management (related to alt+tab, full-screen, windows vs apps) too. I don’t think they are bugs, just the way it’s implemented. I should make a list some time.

                  1. 2

                    When I use a mac, I have to install a program that changes alt+tab to be more like Windows/Linux, I think it’s actually called “Alt-Tab”.

                    1. 1

                      My favourite feature of that program is that it can set the timeout of the popup window to 0. That delay (which has unfortunately been copied by KDE at some point, too) is the most annoying anti-feature of them all and so far the only thing I really had to work around on macOS because it was driving me nuts.

                      According to Internet wisdom (no idea if that’s the actual motivation), the idea is that if you’re hitting Alt-Tab just once, you’re likely doing it in order to switch to the most recent window because you’re alt-tabbing back and forth between two apps. So in order to minimise the amount of visual noise, the icon list window is not shown immediately, but popped up after a certain delay.

                      That only really works if you have no more than two applications open in the first place, though, or if you alt-tab between two of your open applications every thirty seconds or so, and nothing else. If you do it less frequently (write code in a window, compile in a terminal window, watch some output in another one maybe etc.), by the time you alt-tab again, you’ve certainly forgotten what the next window in the stack is. So in practice, almost all the time, I find myself either pressing alt-tab for too little time and switching to the wrong app (because I’ve alt-tabbed to, say, the music player, but I’ve forgotten that I did, so alt-tabbing takes me to the music player again instead of the terminal). Or pressing it longer than I need to and tabbing way past the window I meant to switch to, because it was very close to the top of the stack, and now I have to alt-tab my way through the whole bloody list again.

                      inb4 “but virtual workspaces”: even with animations disabled in Accessibility options, the transitions are really slow (with animations on it’s unbearable, if I move back and forth a couple of times I get dizzy). I swear to God it’s like everyone in Cupertino has PTSD from Mac OS 9’s multitasking and doesn’t run more than two apps at a time because who knows what might happen.

                      1. 1

                        I might be misunderstanding, but I usually hit “option+tab”, and then release tab, but keep option down. This keeps the most recently accessed window selected, but shows the UI with all the windows. Then while holding “command”, I either release it and switch directly, or keep hitting tab to get the window I want. Alternatively, I then also start holding shift down and hit tab to go backwards. At this point it’s just muscle memory - I don’t really think about it.

                        The model of switching between applications instead of windows still annoys me though. I’ve switched between Windows, Linux, and Mac enough that regardless of the platform I’m on I forget and accidentally start using the wrong shortcut to switch (on Windows accidentally trying to “alt+", and on Mac forgetting that I need to use "option+”, and trying to use “option+tab” to switch browser windows).

                        My general philosophy is that I don’t think any model is correct, they’re all just arbitrary designs. So I do my best to learn the platform shortcuts, and if something still annoys me enough I will try and find a hack to change it.

                        1. 1

                          Nah, you got that right 100%, I just never managed to get myself to do what you’re doing. Having used systems with practically zero latency when switching windows since like forever, when the damn thing doesn’t show up immediately, I’m forever tempted to think it didn’t work, like, maybe I missed the Tab key, pressed it right on the edge or it didn’t go all the way through or whatever, especially since the rest of the interface is generally pretty snappy.

                          I’m not a big fan of the app/window split either but I could probably get used to it. The timeout, on the other hand, feels really to me. I use Electron applications that take less time to start up than it takes to pop up a window list, my brain is just unable to cope. Maybe I got some weird and super-specific form of OCD, hell knows :-).

                  1. 17

                    I’d also love to see an entry for Firefox with uBlock Origin. I have a lot of reasons not to use Brave, while Firefox seems to do quite badly with these synthetic tests. I’m sure that with such a plugin, it would do much better.

                    1. 10

                      Another interesting comparison would be with FF with multi account containers and third party cookies disabled. It’s one of those “removing a bug class” ideas. What use is tracking for Facebook if they’ll only see their own pages in their own container.

                      It makes a few of the entries in the table irrelevant. Ok, you get some cookies or signatures. They’re not shared between pages, so they’re not going to cause privacy issues.

                      1. 2

                        I believe the first-party isolate setting in Fx obsolesces the security part of multi-account containers (though still useful for multiple accounts). CanvasBlocker may be a more valuable 2nd pick.

                        1. 3

                          True, but first party iso has some downsides. For example it breaks some cases of SSO.

                          1. 3

                            ISTM that any sort of privacy or harm mitigation on the web cuts across how it fundamentally works, and as such, will always cause breakage. This seems to put anyone trying to make things better in the privacy direction in an impossible position.

                            1. 1

                              This is true, but it’s often safer to just have a separate password and 2FA

                              1. 4

                                For companies with many employees, SSO allows better security through things like easier offboarding, enforcing 2fa policies, forced credentials rotation on compromise, access auditing, etc. For a single person, sure, use a separate account rather than FB login. But for corps you want the opposite (still not FB though :-) )

                      1. 8

                        You can do quite a few smart things with native bookmark keywords, as they also support search queries:

                        https://timvisee.com/blog/firefox-tricks-quantumbar/#bookmark-keywords-smart-triggers

                        1. 6

                          I’m sorry, but this is stupid. The reasoning you give doesn’t make going TLS’less better. Serving LE TLS from a shared box is still much better than not using TLS at all, for a bunch of reasons.

                          E.g., now connections to you are open for attack from all points it goes through, rather than just a single (?) point. You can’t assume ISPs will just take care of link security.

                          1. 13

                            Wow, what a masterpiece of an article with numerous great visualizations! I learned a lot!

                            1. 2

                              Be sure to check out his archives. He has a lot of articles with amazing interactive visualizations.

                              https://ciechanow.ski/archives/

                              1. 2

                                I’m glad I read your reply, I was planning on skipping the article because I assumed I basically knew how GPS worked. Not only is it beautifully presented, it builds up each step very carefully and pointed me at quite a few bits of the problem that I’d skipped in my mental model (why the orbits were chosen and how the time synchronisation works, for example). Even the bits that I did know well, I thoroughly enjoyed reading the description and playing with the animations.

                                I’m going to keep this as my gold standard reference for how to do scientific communication.

                                I still find it amazing that this was launched at a time where there was still sufficient uncertainty about relativity that they built the system to operate in Einstein-was-right and Einstein-was-wrong modes, just in case they accidentally disproved his theories (as I recall, the first GPS satellites were the first clocks put into orbit that were sufficiently sensitive to measure relativistic effects). The fact that I can now buy a cheap consumer device that can receive signals from four such systems and tell me my precise location anywhere in the world is a phenomenal achievement. The fact that four such systems need to exist because four large political entities don’t trust the other three is much less of an achievement for the species.

                                1. 1

                                  GPS is just so well-designed, you put it well.

                              1. 2

                                Awesome! Great results. Thanks for linking my 2020 post as well.

                                This year I’m down to 50ms, though I still have to finish the last two days. Sadly I’m busy. https://github.com/timvisee/advent-of-code-2021

                                Funnily enough I did get better results with Dijkstra for day 15. I wonder which is better.

                                1. 3

                                  Whoa, 50ms is very impressive, well done.

                                1. 2

                                  This is fantastic! I use this a lot in Markdown on GitLab, which already supports this. It’s great for design documents.

                                  1. 3

                                    Deezer web still leaks 10’s of MBs every minute. This makes it unusable as it crashes the tab way too often.

                                    This has been going on for years with a lot of people complaining. But the devs are busy worsening other things instead.

                                    A good example of how this is still very relevant.

                                    1. 2

                                      I’ve reported this, but it seems like it’s a Linux-only problem… I’ve had no problem on Windows 10. (And I have no idea how they manage to leak memory differently on a cross-platform environment, maybe something related to DRM?) And obviously, since it’s Linux they don’t want to investigate nor fix it.

                                    1. 2

                                      I complete 256 iterations/days in 2.8μs without a matrix. I wonder if a matrix will make it faster for such a small iteration count.

                                      https://github.com/timvisee/advent-of-code-2021/blob/master/day06b/src/main.rs

                                      1. 2

                                        94 microseconds here using the matrix in rust. I think your way is faster for inputs in that range!

                                        1. 2

                                          Thanks a lot for measuring!

                                      1. 2

                                        I will share my repo: https://github.com/tumdum/aoc2021 🦀

                                        1. 4

                                          https://github.com/timvisee/advent-of-code-2021

                                          This year I’ll be trying to solve all 50 puzzles combined in <1 second again.

                                          1. 2

                                            How difficult did that end up being last year?

                                            1. 3

                                              Since this is a year ago, I can’t express this in numbers. But yeah, it took me quite some effort to get the runtime of some solutions down. I had to be smart about using algorithms and minimizing runtime. I wrote about some of it here.

                                        1. 2

                                          $WORK: Getting our stack off of MongoDB permanently, one step at a time.

                                          $HOME:

                                          • 2 weeks after posting here that my laptop was barely hanging on, the battery just….stopped being recognized entirely. Ended up pulling the trigger on an M1 Macbook Air and that arrives tomorrow, so playing with that will constitute most of my week.
                                          • Playing around with modeling some custom enclosures for a couple electronics builds
                                          • Playing around with our dogs
                                          1. 2

                                            where’s your stack headed, db-wise?

                                            1. 2

                                              Nice and normal MySQL haha. The Mongo was leftover and horrible from back when the company was founded 7y ago and it was not managed properly, plus our data is headed far more in the relational direction now.

                                              1. 1

                                                And, mind to share why you’re moving off?

                                                1. 1

                                                  See other comment :)

                                            1. 2

                                              I find ZSH super slow compared to fish. It, in tmux, with a useful but fast prompt like starship and an awesome editor like vim makes me super fast boosting my productivity.

                                              1. 2

                                                I haven’t had any speed issues with zsh. In what way do you find it slow? On my slowest machine (which has a noticeably slow 1ghz mobile processor), zsh takes ~450ms to fully initialize and display a prompt. ~70ms on my $3.50/mo Vultr VPS.

                                                Note: I don’t use oh-my-zsh or other big zsh overhaul monstrosities.

                                                1. 1

                                                  My bad, yes, with a set of oh-my-zsh plugins. It makes ZSH insanely slow. Versus fish with a similar feature set out of the box, with no noticeable speed degradation.

                                                  1. 1

                                                    For most intents and purposes I recommend people to use grml’s zsh config. It’s a nice, feature rich, yet smaller and saner way if you just want a quick way to make use of what zsh has got to offer, not spending too much time to configure things on your own. It’s also well documented and you still get to pick and choose. It’s overall emphasizing more on being functional than pretty (or distracting).

                                              1. 1

                                                Do push notifications work with this setup?

                                                1. 2

                                                  I get Element, Signal and Conversations notifications .. and K8-Mail … I have to tap on those options to let them keep a notice in the bar so the OS doesn’t shut them down.

                                                1. 3

                                                  Hope it’ll stay. Medium has become a chore.

                                                  1. 2

                                                    I find the website font astonishingly hard to read.

                                                    Edit: Fixed. Awesome.

                                                    1. 4

                                                      I’ve switched to the very minimalistic blog theme, which might now be better.

                                                      1. 3

                                                        It looks more legible to me!

                                                        1. 2

                                                          On your main site (libreserver.org), my mouse cursor doesn’t change to a pointer when I hover over links.

                                                        2. 1

                                                          And Reader View wouldn’t kick in for me, either. Annoying.