1. 4

    As someone who is working in the telecom industry, I can assert that mobile network operators have become less composed of technical experts creating and doing their own things and more about managing and juggling multiple vendor solutions. It has become rare to encounter mobile operators that know what they are doing without relying on consultants hired for specific projects and delegating everything to the cheapest third party that fulfills the RFP written by that consultant. Even more absurd, sometimes the consultants have no idea what they are talking about and MNOs are buying things they have no clue about and will never use just for the hype of ticking a box on a sheet.
    Let’s add that the field is hard to get into, and the documentation is fierce to dive into. That leads to many security vulnerabilities, which are in a lot of cases not really vulnerabilities but features and configurations that haven’t been set properly because no one had any idea what they were doing.

    1. 1

      How much did the complexity of the standards contribute to this disaster? Why is the world still hooked on this mobile crap instead of having good public Wi-Fi coverage everywhere?

      1. 8

        The Wi-Fi standard is not well-suited for medium-distance communication. The frequencies only work over short distances. The mobile crap is like this because it is complex to build a good network with some distance between the nodes. Using Wi-Fi instead would not make it magically better; you’d have complex addenda to Wi-Fi to make it minimally viable.

        Funnily, the frequencies for 5G will also favor short distances, meaning only high-density cities will have proper coverage.

        1. 1

          The standards are amendments over amendments over amendments, all stacking one over the other and referencing one another. You literally have to jump between 10-20 documents all the time. So I think that yes, the standards being convoluted has pushed mobile operators away from implementing them and toward letting third parties handle the complexity. As for Wi-Fi, you’d need a brand new infrastructure to cover everything, which costs money, time, and legal approval in many countries. Mobile has the premise of being seamless. Let’s also not forget the players here: SIM card manufacturers are manufacturing credit and debit cards, passports, and sometimes even cash for countries. They are very big. Same for core network equipment manufacturers. There’s a whole ecosystem of actors that benefit from this.

          1. 1

            In many many countries that’s just not possible, while upgrading the existing infrastructure is easier to do and is almost invisible to the end-user.

        1. 2

          This is not just an EU thing, exactly the same has happened in Australia.

          I don’t believe this will be fixed until we are forced to by some geopolitical upheaval. It is important developers actively assume the communications network is hostile to prevent harm to users.

          1. 1

            It is important developers actively assume the communications network is hostile to prevent harm to users.

            Harm from whom? The service provider itself, for whom the user traffic is a valuable recurring revenue stream?

            The domestic government, who may be interested in preventing crime, tracking dissent, or other uses of “lawful intercept”?

            Or a foreign government, who may use backdoors to spy on the domestic government or on industry?

            1. 5

              The network is always hostile. There are many public 0-days currently affecting hundreds of mobile operators and millions of customers around the world, and most of them are not patchable. Some operators don’t verify source addresses for custom SMS senders, leading to easy phishing attacks as the SMS will be listed along with legit ones. Some operators are state owned and can tap any form of SMS-based 2FA, etc. There are a lot of cases like this, so it’s better to assume the network is a clear-text channel unless it is wrapped in another layer of security.

          1. 7

            Nice article! I like the “low effort” framing and might use that. A lot of people probably don’t realize that their comments or suggestions are “low effort”, so it may deserve some explanation.

            One thing that I think is underrated is asking an honest question of a maintainer – that’s NOT low effort. What the low effort comments seem to have in common is:

            I have a preconception of “how things are done” and I’m just going to assume that everything works that way

            In other words, generalizing a limited view of software to every project that exists.

            I think people don’t ask honest questions because they’re afraid to be shot down, or maybe that they won’t understand the answer. But I think that is a better way to open the communication and most maintainers will appreciate it.

            1. 4

              One thing that I think is underrated is asking an honest question of a maintainer – that’s NOT low effort.

              Very much agree and I always love to receive questions asked in good faith. At least, that’s my ideal. My own personal problem is that sometimes the same questions are asked over and over—even if it’s in good faith—and it can just get tiring having to deal with those. That’s the asymmetry I was talking about. Certainly, I should try to answer those with the same patience and care that I answered it with first time. But it can be hard (again for me personally).

              1. 4

                Yes I can see that the most popular projects will have that problem. What’s interesting to me is that a lot of the norms around open source software have withered away and been de facto set by GitHub.

                This sounds like an “eternal september” complaint and I suppose it is a little, but I also think the problem is on both sides. I grew up in the age of Usenet so I was used to “netiquette” as well – i.e. showing that you made a good faith effort to search before posting a question.

                And it was also an age where you were “expected” to maintain a FAQ. FAQs solved a real problem. There was a “contract” for interaction.

                I remember encountering ESR’s doc a long time ago:


                and I remember reading this book 10+ years ago:

                https://producingoss.com/en/index.html (man, lots of this feels quaint now, in large part because of GitHub)

                But how many people on GitHub have read those types of docs? ESR’s doc has exactly the information people need, but many people have probably never heard of it. Unfortunately, it starts out overly aggressive and kind of talks down to the reader.

                So I think it would be nice to have an updated / condensed version of that. I think one problem is that I’m not feeling this enough now to be motivated to write such a doc. But anyone whose project becomes popular probably doesn’t have time to write such a doc! They’re busy fixing bugs, etc.

                1. 4

                  Actually the GitHub observation reminds me that I watched a talk by the creator of Elm about making better software for productive interactions. There’s some merit to that for sure. Like all social software, GitHub has certain “nudges” – it can’t be neutral. I largely like it, but lowering friction means that a lot of “low effort” comments appear.

                  Although I think the old-fashioned way of prominently linking a FAQ and “correcting” people who behave badly may also work.

                  I also think negative interactions can come with “marketing”. Last time I looked, Elm breaks some norms with regard to compatibility without adequately documenting them. And it promises a lot of things. So to me it’s natural that users would get angry.

                  I didn’t follow the actix thing very closely, but I think part of it may come from trying to “beat benchmarks”, which is a form of marketing.

                  I try to stick to factual posts and acknowledge downsides for that reason. It also used to be the norm in open source that you put BUGS in your docs, etc. That is, they assumed that the user was knowledgeable, and didn’t market “down” to them. Although of course the explosion of open source use might mean this dynamic can no longer be the norm.

              2. 2

                “Asking questions” is a topic that’s been on my mind a lot recently and it seems to keep surfacing through all the culture related posts. For example: It’s fine to be elitist sometimes, or What I’ve learned over 10 years on StackOverflow. I’ve posted a comment about it on that last story and received interesting replies. Furthermore, I’ve attempted to hash out my ideas in the first paragraph of this article.

                1. 1

                  Yeah I think it would be great to have a short article showing some interactions / questions that are useful and those that are not. I took a peek at the ESR article again and it seems to have aged pretty poorly. The tone is way too aggressive, which starts things off on the wrong foot.

                  And the CoCs are all about saying what’s not allowed rather than giving some good examples of what a normal interaction should be like.

                  Open source is probably different than any other interaction a person has in their life. You have never met the person and you’re looking for technical help or information. So it’s natural that it should need some guidance about how to do it productively.

                  I may attempt such an article but so far my experiences have been pretty good, and I have a big blog backlog I’m working through at the moment…

              1. 1

                • I’m preparing an article for my blog
                • Job hunting
                • Studying software architecture

                1. 2

                  The subject of how to ask questions and how someone can learn to ask better questions is something that has been bugging me lately, mostly because of personal reasons (mentoring and teaching). Does anyone have more articles on this topic, other than the classic ESR “how to ask questions”?

                  1. 2

                    Lately I’ve noticed that “how to ask questions” in a domain seems to be one of the best metrics for expertise. When you’ve learned the language of your topic well enough to form the kinds of questions StackOverflow prefers, you often won’t need StackOverflow - and when you do, you’ll also have the bedrock of clear language and details that help you get a response when there are other experts around.

                    Unfortunately, I’m not sure I have a good answer that generalizes well - and also no articles. I’m honestly not sure question-asking is a skill that generalizes between domains other than at very high levels of abstraction like “respect the readers’ time”, “show evidence of the problem and what you’ve done”, and “be humble about the whole situation”.

                    1. 2

                      I’ve liked Tatham’s guide to reporting bugs, because of the overlap.

                      1. 1

                        In my experience, if you want someone to learn how to ask good questions, put them to answer questions. They will quickly figure it out.

                      1. 3

                        All of the retrospectives of StackOverflow’s culture clearly state that asking questions effectively is a skill. They then repeat the same few bullet points about ensuring that questions are within the scope of the site, provide enough information, aren’t duplicates, etc. etc. What they don’t mention is that this will have approximately zero impact on your question getting answered. As far as I’ve been able to tell over the past decade on StackOverflow, what leads to your question getting answered is the size and popularity of the technology or programming language your question relates to. Ask a JavaScript question? You’ll have a dozen replies almost before you hit submit, even if your question is poorly formed and has been asked a million times before. Ask a question about a relatively obscure technology, and it’s very possible that your question will never be answered.

                        1. 2

                          You can blame this on the network effect or simply probability. What’s the chance that an expert in an obscure domain would answer the question on StackOverflow? It would be better to send that person an email directly. There are too many expectations of StackOverflow in my opinion.

                          1. 4

                            I think you can also blame it on the platform. There is no reward in answering a question that will be seen by 1 person a year.

                            1. 1

                              Sure, there is a bit of that. But the questions I’m referring to aren’t that obscure. It’s mostly for things like Erlang, or F#. It’s the sort of thing where StackOverflow ought to shine, because there aren’t a whole lot of resources for these languages, whereas JavaScript or Python tutorials are a dime a dozen.

                            2. 1

                              Ask a JavaScript question? You’ll have a dozen replies almost before you hit submit, even if your question is poorly formed and has been asked a million times before.

                              I played with this briefly - if you’re quick enough you can get a couple of upvotes, the answer tick and the consequent dopamine hit before mods get around to marking it as a dupe. It does get boring very quickly though.

                            1. 2

                              binfmt_misc is what makes anything that isn’t an executable interpreted directly by the kernel work.

                              Check those out:

                              1. 3

                                leetcode is fun from time to time to polish your algorithm knowledge, but what I’ve found really helpful are code katas. They are the middle point between a pure algorithm exercise and a side project. I’ve found them super helpful at honing my methodology skills.

                                1. 1

                                  I’m glad this article has dated well. The practices and methodologies have evolved since then.

                                  1. 1

                                    I agree that the actual title, “No, Alfa isn’t draining your data without your knowledge”, fits the article much better – why don’t you change it here? (Also, it’s “proving”).

                                    Nice write-up otherwise!

                                    1. 1

                                      The edit period has passed unfortunately.

                                    1. 3

                                      Unrelated to the content, but related to the title: the term “conspiracy theorists” doesn’t make sense. There is no such thing. There is no group of people you can point to and say, “Oh, those are the conspiracy theorists.” Just about everyone at some point in their life will make a theory about a conspiracy, and some of them will be right, and some of them will be wrong.

                                      So I do wish people would stop using it. It’s been turned into a derogatory, defamatory term, like “retards”. It serves primarily to inflame conflict, put down people, and isn’t needed to get whatever point you’re trying to make across.

                                      1. 2

                                        You’re definitely hitting a great point. The title was a dumb attempt at trying to make it click-baity. I agree it’s derogatory and doesn’t describe properly what I’ve been referring to; in the article I’m clearly saying I’m tackling the conspiracy itself, not “conspiracy theorists”.
                                        Thanks for your valuable input!

                                        1. 1

                                          Some people seem to make a hobby of proselytizing many conspiracy theories.

                                        1. 21

                                          I really don’t buy the conclusion’s points for avoiding bcrypt:

                                          – Be lulled into a false sense of security; and actually weaken your passwords
                                          – Waste your resources processing hard algorithms; and lose the real game

                                          Users are not aware of what hashing algorithm their passwords are stored with; only the backend devs are, so this doesn’t apply. The enforcement and password rules are independent.

                                          On the other hand, if you consider password hashing a waste of resources then we’ve got an issue; there are way bigger fish to tackle. Security will always have a trade-off in performance. Also, SHA256 is hardware optimized, which makes it more vulnerable to brute-force attacks.
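As an added illustration of the trade-off this comment describes (example code written for this page, not from the thread or from any linked article): a plain SHA-256 pass costs the same for the defender and for a guesser, whereas a work-factor hash lets the defender dial the per-guess cost up and store the chosen cost alongside the digest. bcrypt itself is not in Python’s standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in as the tunable hash; the calibration target, record format and sample password are assumptions.

```python
import hashlib
import hmac
import os
import time

# Constructed sample credential for the demonstration (not real data).
SAMPLE_PASSWORD = b"correct horse battery staple"
SALT_BYTES = 16

def sha256_once(password: bytes, salt: bytes) -> bytes:
    """Salted single SHA-256 pass: the cheap per-guess cost the comment
    warns about. Shown as the baseline, not as a recommendation."""
    return hashlib.sha256(salt + password).digest()

def pbkdf2_hash(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Work-factor hash: cost per guess scales linearly with iterations."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)

def calibrate_iterations(target_seconds: float = 0.05, start: int = 10_000) -> int:
    """Double the iteration count until one hash takes at least target_seconds.
    Run once per deployment class; the chosen count is stored with each hash."""
    salt = os.urandom(SALT_BYTES)
    iterations = start
    while True:
        t0 = time.perf_counter()
        pbkdf2_hash(SAMPLE_PASSWORD, salt, iterations)
        if time.perf_counter() - t0 >= target_seconds:
            return iterations
        iterations *= 2

def store_password(password: bytes, iterations: int) -> str:
    """Assumed record format: scheme$iterations$salt$digest, so the cost
    can be raised later without breaking verification of older records."""
    salt = os.urandom(SALT_BYTES)
    digest = pbkdf2_hash(password, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(stored: str, candidate: bytes) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    digest = pbkdf2_hash(candidate, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

def guesses_per_second(hash_fn, seconds: float = 0.2) -> float:
    """Measure how many candidate guesses one core can test per second."""
    salt = os.urandom(SALT_BYTES)
    count = 0
    t0 = time.perf_counter()
    while time.perf_counter() - t0 < seconds:
        hash_fn(b"guess%d" % count, salt)
        count += 1
    return count / seconds

if __name__ == "__main__":
    iters = calibrate_iterations()
    fast = guesses_per_second(sha256_once)
    slow = guesses_per_second(lambda p, s: pbkdf2_hash(p, s, iters))
    print(f"SHA-256: {fast:,.0f} guesses/s; PBKDF2 ({iters} iters): {slow:,.0f} guesses/s")
    record = store_password(SAMPLE_PASSWORD, iters)
    print("verify ok:", verify_password(record, SAMPLE_PASSWORD),
          "| wrong rejected:", not verify_password(record, b"wrong"))
```

The ratio between the two rates is the factor by which the defender has raised the attacker’s cost per guess on this CPU; a dedicated SHA-256 cracking rig widens the gap for the fast hash far more than for the iterated one.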

                                          1. 6

                                            But hey, this will not make your server waste resources./s

                                          1. 7
                                            1. 1

                                              A feat of architectural planning. I love it, a real-world example of well known patterns.

                                              1. 28

                                                I really appreciate this. It’s refreshing to see people care about purchasing power in places besides the Anglosphere and Western Europe.

                                                In my country (Turkey) piracy was so common that there were hardly any companies importing video games and there were hundreds of shops dedicated to selling pirated copies of them. The reason is that nobody wanted to pay 10% of their monthly wage for a single video game.
                                                15 years later, this practice is completely dead. Piracy is still common through BitTorrent, but it declined considerably after Steam, Spotify, Netflix et al. began to offer actually affordable legal alternatives with regional pricing.

                                                Once again, I want to say I appreciate websites that give me discount coupons based on my IP address, or vendors that ask me to pay for “a dinner for two in a mid-level restaurant based on your current location.”

                                                PS: Another pain point regarding online payment is that PayPal is unavailable in Turkey, forcing me to use third-party transfer brokers for PayPal, extremely expensive international wire transfers or even mailing an envelope with banknotes in it.

                                                1. 4

                                                  I can sympathize with your comment.

                                                  The situation is similar in Lebanon, regarding salaries, piracy, the current availability of cheap streaming services, and PayPal having blacklisted the country.
                                                  We also have issues with unbearably slow connections, but that’s something else.

                                                1. 4

                                                  An aside: The SVG is quite big and didn’t load directly, maybe compress it using https://github.com/svg/svgo

                                                  1. 4

                                                    It’s pretty small actually, file size and image dimensions both. Are you doing something odd with your web browser?

                                                    1. 5

                                                      Loading it was noticeably slow on my end, too, and I wouldn’t call 171 kB pretty small - not when a PNG version at the same resolution is ~14 kB, as converted by ImageMagick.

                                                      1. 4

                                                        You’re right, I ran it through svgo and got it down to 80K.

                                                  1. 1

                                                    You can similarly create a fantastically easy secure web service using stunnel and inetd/micro_inetd, or even the newest websocketd.

                                                        1. 6

                                                          There’s also headless Firefox, and a PhantomJS equivalent… in case you don’t want to perpetuate the Chrome monopoly.

                                                          1. 1

                                                            Perfect – Interested to see how the various headless libraries compare. FF seems like a better option than Chrome; will find out.

                                                      1. 1

                                                        This sounds to me like a rant from someone not knowing enough about crypto but trying to use an advanced crypto tool. I don’t think the openssl command line is made to be usable without knowing exactly what you want; it’s built as an interface to the crypto API it provides, and you’ve got all the knobs, cranks, and pedals you can dream of. It does a perfect job when it comes to this.
                                                        If you want a usable tool then try wrappers that hide those parameters. You can’t have both because crypto isn’t easy.