1. 11

    The ‘no third party / modified clients’ rule really makes me dislike Discord. It’s entirely possible that you could get banned for trying to fix an accessibility issue. :/

    1. 4

      Not sure why this is on the gov.uk website, but sharing it because it’s not something I’ve ever considered before (someone spoofing emails from a domain I don’t use for mails).

      1. 12

        This is probably something that Government Digital Services use as internal documentation, but GDS actually have a really good transparency policy (and open source!).

        GDS help a bunch of branches of government run their own *.service.gov.uk sites.

      1. 14

        This is (related to) one of the most frustrating parts of working with Kotlin for me: no package visibility.

        Kotlin chose to abandon Java’s package visibility modifiers, arguing that it didn’t really “protect” your code because anybody else could trivially write code under the same package name and then see all of your package-private code.

        But that’s missing the point. We don’t usually write “private” because we’re afraid of people seeing or using the code. We write it so that they don’t have to see the code. Having an interface that is as small as possible reduces the cognitive load of someone consuming your library/package/class.

        I feel like the cognitive load aspect is something not discussed as much.

        Aside: In Kotlin, the suggestion is to just use “modules” instead of packages if you want that kind of protection, since it offers “true” protection from consumers accessing the private parts of your sub-code. I hate that because it’s more effort to move pieces around between modules, to change the public/private interface of a module, etc.

        1. 3

          Historically, languages have been poor at dealing with levels of abstraction above the class. When they do deal with them, they often aren’t first class constructs. It’s a shame. One could argue that micro-services (and many other things like OSGi) came from the absence of these abstractions in languages. My sense is that language designers don’t want to commit to a deployment model. Sadly, protection loses too.

          1. 3

            Yes. It is a shame. I feel like Rust modules are pretty nice, but then, I also don’t mind Java’s packages at all, either.

            What I find uncomfortable is this recent trend of the language acknowledging the concept of a file when it comes to privacy/visibility (e.g., Swift and Kotlin). That just feels weird and wrong to me…

          2. 2

            Exactly! Every namespace is a precious resource to be maintained as neatly as possible.

            1. 2

              We write it so that they don’t have to see the code.

              I didn’t mention it in the article, but the “scissor test” is a concept that I like in regard to this. The idea is that if you were to print out a file of code on to paper, there should be a line that you could cut through with a pair of scissors that separates the interface from the implementation details. So if you want to use the class, you only need to read up until the scissor line, but if you want to understand how it works under the hood you can continue reading further. The scissor line is basically where private starts.

              1. 2

                Kotlin chose to abandon Java’s package visibility modifiers, arguing that it didn’t really “protect” your code because anybody else could trivially write code under the same package name and then see all of your package-private code.

                Interesting. My tendency would be to go the other way and eliminate private and protected, but keep package. Anything in the same package as a class that depends on implementation details of that class is easy to refactor at the same time as a change to my implementation, so I don’t gain anything much from private and protected that I don’t have from package.

                If you add a new class in my package, then you are effectively forking my package. That’s fine, it’s up to you to decide that the maintenance burden of doing so is worth it for the change that you want to make. If I refactor my package and break something that your class depends on, that’s your problem because you have a downstream fork of my package, not just something using the package.

                1. 1

Kotlin, as you mentioned, has internal visibility to hide things between modules. I find it nicer than package-private since you don’t need to have one package with many classes inside (subpackages’ classes can’t access the package-private members of a class in a parent package).

                  1. 2

                    I forgot that Java has no concept of subpackages, which is also disappointing. Rust modules seem to be the winner, then, from my experience.

                1. 18

                  IMO, give up on the bizarrely macho idea that hjkl is uniquely amazing and use the arrow keys.

                  1. 18

                    To me the advantage of using hjkl instead of the arrow keys is that I don’t have to move my fingers away from the home row to move the cursor around. I don’t see how that is a “bizarrely macho idea”.

                    1. 1

                      I cannot imagine how that helps. Can you explain?

                      1. 7

                        You can keep your fingers in the middle of the typing area (home row) instead of going over to the cursors.

                        1. 0

                          Oh, hi ane!

                          You can keep your fingers in the middle of the typing area (home row) instead of going over to the cursors.

                          I cannot imagine how that helps. Can you explain?

                          1. 4

                            Hi!

                            I cannot imagine how that helps. Can you explain?

                            You… move around less? It saves time. Like a keyboard shortcut or macro does, basically. It depends on the form factor of the keyboard, but usually the arrow keys are further away from the regular text input keys.

                            1. 1

                              Perhaps 10 years of active piano practice makes this a moot point for me but not so much for others. Or I’m just being an asshole. Could be both ;)

                            2. 2

                              What I find helpful about it, is that I don’t have to look away from the screen to see where the arrow keys are, and likewise when going back to the home row. If there’s a lot going on on your screen it’s easy to lose your place, especially when reading lots of text.

                              Also it avoids the physical motion of moving your hand, it just feels more comfortable I think.

                      2. 16

                        I use a 60% keyboard without arrow keys

                        1. 1

                          By choice, though?

                          1. 2

Yes, it’s more portable and means I don’t have to reach as far for my mouse.

                        2. 10

                          I used to think this way. Then I learned hjkl. Now I am in the cult of the ancient keyboard warriors

                          1. 2

                            Ancient keyboard warriors who didn’t have arrow keys? I used arrow keys, learned hjkl, thought it was nice, moved to dvorak, ditched hjkl for arrow keys. Nothing is magic about it. Why contort yourself to use hjkl on non-qwerty? Would hjkl be dhtn if the standard were dvorak at the time? Probably, but you can’t just remap dhtn now.

                            1. 5

                              There was once a really good reddit thread of a guy playing counter-strike with zqsd movement keys on a qwerty keyboard cause he copied a French (AZERTY) player’s keybinds. He did not realize this and posted about how much better these movement keys made him.

                              1. 5

Pedantic note: ScreaM is a Belgian, not French, player. The keyboard layout is still French though.

                              2. 1

                                Would hjkl be dhtn if the standard were dvorak at the time? Probably, but you can’t just remap dhtn now.

                                If you’re using Dvorak in the “suggested sense”, even dhtn would be awkward since you’d be using your right index finger for both d and h. Maybe htns (or QWERTY jkl;) would be better.

                            2. 9

                              How did you come to the conclusion hjkl is “bizarrely macho”?

                              1. 8

                                Why is that macho?

                                I mean some people tried it, liked it and share the good experience of how great it feels when you get used to it.

                                1. 3

                                  I used to use hjkl. Then I started getting RSI. Now I appreciate the break my fingers naturally get every time I have to move my hands to the arrow keys.

                                  I can still use hjkl at a pinch, and probably use them many times a day without noticing. But yeah, it’s not worth getting worked up about.

                                  1. 8

                                    I can see this being the case, but I think it’s worth noting that RSI covers a large number of distinct problems, and that most RSI would only get worse by more frequently moving your hands away from the home position.

                                1. 3

                                  I don’t have any constructive commentary but I like the pridecat cameo here :D

                                  I installed NixOS the other day on a machine I rarely use, but I’ve yet to play around.

                                  1. 2

                                    and yet you still HIJACK MY SCROLLBAR

                                    1. 2

                                      I don’t see any scroll-jacking JS on the page, but there is a scroll-behavior: smooth declaration in CSS.

                                      1. 3

                                        I suppose that’s the lesser of 2 evils. At least this prompted me to add scroll-behavior: auto !important; to my user stylesheet.

                                    1. 3

                                      Disclaimer: I have only used Jami, for a short time, back when it was called Ring.

                                      The linked site does not inspire confidence about the quality of the software:

                                      • There’s a large fixed nav that takes up a significant portion of vertical screen real estate (a lack of UX concern on the web might translate to using the app, too),
                                      • a picture that’s been grown from its original size, leading to some weird compression artifacts (is the application going to be flexible enough to support everyone’s hardware, if the website hasn’t done enough to throw a multi-size <picture> element in there?),
                                      • and a seemingly-infinite load icon replaces the favicon for the site (until I press the ‘stop’ button in my browser.)

                                      I also get a bad vibe from the social media share buttons, but it’s hard to qualify in words. I understand that there are probably separate teams on the browser and on the application, but the website is really screaming ‘just another corporate tool’ at me, with little regard for the average user’s .

                                      I wish the project luck, though. Centralised communication platforms are my major gripe with the current state of internet communications. I am really hoping we can get something that can feasibly replace Discord, with a lighter (native?) client and less trust in the servers.

                                      1. 2

                                        Another Windows + Korean fun fact! The default font on a Korean version of Windows has the backslash (\) symbol made to look like the Korean Won currency symbol (₩, often 원), so you get funny looking paths in cmd.exe, with path elements delimited by Won.

                                        1. 3

                                          Same with ¥ on Japanese locales.

                                        1. 6

                                          Happy 한글 day! Korean characters decompose to individual jamo under unicode normalisation NFD and compose back up to whole syllable characters with normalisation NFC :)

                                          As a Korean learner, it was really interesting seeing how the (seemingly simple!) alphabet is implemented under Unicode. I wrote a Minecraft mod for Korean input too!
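The NFD/NFC round trip described above, as an added example (not the commenter's code): each precomposed syllable of 한글 splits into three conjoining jamo under NFD and recombines under NFC, so the two forms differ byte for byte while being canonically equivalent, which is why identifiers should be normalised before comparison.

```python
import unicodedata

# Constructed sample: "한글" as two precomposed syllables, U+D55C and U+AE00.
SAMPLE = "\ud55c\uae00"


def decompose_to_jamo(text: str) -> str:
    """NFD splits each precomposed Hangul syllable (U+AC00..U+D7A3) into its
    conjoining jamo (U+1100..U+11FF): lead consonant, vowel, optional trailing consonant."""
    return unicodedata.normalize("NFD", text)


def recompose_syllables(text: str) -> str:
    """NFC recombines conjoining jamo back into precomposed syllables."""
    return unicodedata.normalize("NFC", text)


def code_points(text: str) -> list:
    """Render a string as a list of U+XXXX labels so the difference is visible."""
    return [f"U+{ord(ch):04X}" for ch in text]


def canonically_equal(a: str, b: str) -> bool:
    """Compare after normalising both sides to NFC: the safe way to compare names or
    identifiers that may arrive in either form from different keyboards or systems."""
    return unicodedata.normalize("NFC", a) == unicodedata.normalize("NFC", b)


def demo() -> dict:
    jamo = decompose_to_jamo(SAMPLE)
    back = recompose_syllables(jamo)
    return {
        "syllables": len(SAMPLE),                              # 2
        "jamo": len(jamo),                                     # 6: 한 = ㅎ+ㅏ+ㄴ, 글 = ㄱ+ㅡ+ㄹ
        "round_trip": back == SAMPLE,                          # True
        "bytewise_equal": jamo == SAMPLE,                      # False
        "canonical_equal": canonically_equal(jamo, SAMPLE),    # True
    }


if __name__ == "__main__":
    print(code_points(SAMPLE), "->", code_points(decompose_to_jamo(SAMPLE)))
    print(demo())
```

`str.__eq__` on the decomposed and composed strings returns False, so any lookup keyed on raw input (usernames, file names, allow-lists) silently treats the same word as two different values unless both sides are normalised first.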

                                          1. 6

                                            Probably gonna do some art of cute sharks and try to finish version 0.3.0 of my homebrew tabletop RPG system.

                                            1. 1

I have been watching twitch.tv/ster while he creates a tabletop RPG. (It’s more art than programming.) I don’t know what systems he’s using, though.

                                            1. 4

                                              I remember getting a world to be decently popular (~1 million visits) back when I was very young in like 2008-2009.

                                              I’ve always had a soft spot for Lua since Roblox is where I learned to program.

                                              1. 6

                                                This reminds me of an infinite-distance teleportation exploit that we found in Minecraft since, for a few updates, Mojang were only checking for NaN values on the X and Y axes, checking the X axis twice.

                                                You could teleport from [orig_x, orig_y, orig_z] to [orig_x, orig_y, NaN] and then to [desired_x, desired_y, desired_z] and since the Euclidean distance between any two consecutive position vectors would be NaN, dist >= kick_threshold always turned out to be false.
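The validation defect described in the comment, reconstructed as an added example (not Mojang's code; the kick threshold and the move validator's shape are assumptions): the buggy guard tests X twice and Z never, so a NaN Z coordinate reaches the distance comparison, where `dist >= threshold` is False for any NaN operand. The hardened version requires every coordinate to be finite and writes the distance test so that NaN fails closed.

```python
import math

KICK_THRESHOLD = 100.0  # constructed value; the real server's limit is not given in the comment


def buggy_accepts(prev, new, threshold=KICK_THRESHOLD) -> bool:
    """Reproduces the defect: the NaN guard looks at X twice and never at Z."""
    x, y, z = new
    if math.isnan(x) or math.isnan(x) or math.isnan(y):  # Z is never checked
        return False
    dist = math.dist(prev, new)
    # A NaN distance makes this comparison False, so the "too far" branch never fires.
    if dist >= threshold:
        return False
    return True


def fixed_accepts(prev, new, threshold=KICK_THRESHOLD) -> bool:
    """Hardened check: reject non-finite coordinates and make NaN fail closed."""
    if not all(math.isfinite(c) for c in new):
        return False
    dist = math.dist(prev, new)
    if not (dist < threshold):  # NaN < threshold is False, so NaN is rejected
        return False
    return True


def replay(accepts, moves):
    """Run a sequence of positions through a validator; return the index of the
    first rejected move, or None if every move is accepted."""
    pos = moves[0]
    for i, nxt in enumerate(moves[1:], start=1):
        if not accepts(pos, nxt):
            return i
        pos = nxt
    return None


# Constructed sequences: the NaN hop from the comment, and a plain long jump.
NAN = float("nan")
NAN_HOP = [(0.0, 64.0, 0.0), (0.0, 64.0, NAN), (5000.0, 64.0, 5000.0)]
DIRECT_JUMP = [(0.0, 64.0, 0.0), (5000.0, 64.0, 5000.0)]

if __name__ == "__main__":
    print("buggy, NaN hop:", replay(buggy_accepts, NAN_HOP))      # None (accepted)
    print("fixed, NaN hop:", replay(fixed_accepts, NAN_HOP))      # 1 (rejected at the NaN move)
    print("buggy, direct:", replay(buggy_accepts, DIRECT_JUMP))   # 1
    print("fixed, direct:", replay(fixed_accepts, DIRECT_JUMP))   # 1
```

The general lesson is that a range check on floating-point input must be phrased as "accept only if the value is provably in range" rather than "reject if it is provably out of range", because NaN satisfies neither `>=` nor `<`.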

                                                1. 1

                                                  Which versions were those? Minecraft’s been rather uniquely plagued by this issue, tho I suppose it’s gotten better in more recent versions.

Due to the difficulty of trusting a JVM without value types to have reasonable performance when allocating vectors at a Mississippian rate, vectors were nearly always passed around decomposed. Doing crap like world.getBlock(x + dx, y + dy, z + dz) gets tiresome very quickly, and expressive power is not a noted property of Java. You might make wrapper types, but then find that you run into an issue akin to function coloring, or C++ viral constness. You’re still going to have to compose or decompose the vectors at some point, and there’s still the performance concerns. A script called xyz, which turns x + max, into x + max, y + max, z + max, allowed me to skip past the traditional copy-paste bugs.

                                                1. 3

                                                  This looks super cool! Thanks for posting it! I’d like to find an alternative to 1Password because they are an evil organization, so going to keep my eyes on this one! :)

                                                  I have a couple questions for anyone who may know and doesn’t mind!

                                                  When I enter the master password, does it go to the server or does it stay on the client? If it stays on the client, does that mean that all someone needs to download my encrypted data is my email address?

                                                  I’d like to use this but also think that the benefit 1Password has is either that the secret key is needed to grab someone’s encrypted data (which could be cracked at any future time) or that the master password is never sent to the server - but trying to figure out which model Bitwarden is taking here!

                                                  Thanks for any responses <3

                                                  1. 6

                                                    When you log in with Bitwarden, the client sends a request to /api/accounts/prelogin, which tells the client which key derivation function to use, and for how many rounds.

                                                    On registration, the Bitwarden server will accept a client-generated asymmetric keypair, with the private key encrypted with the master-password-derived key.

                                                    The client then:

                                                    1. Uses the KDF to derive a key from the master password,
                                                    2. Hashes the master password using this key
                                                    3. Sends the hashed password to the /api/identity/connect/token endpoint.

                                                    The server responds with the previously stored (encrypted!) keypair, which the user can decrypt using their master-password-derived key, and then use this private key to decrypt their passwords. This means that changing the master password only results in re-encrypting the private key, instead of the entire set of password entries that are stored.
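The three-step login flow and the key-wrapping arrangement described above, as an added example (not Bitwarden's code; the email-as-salt choice, the iteration count, the server-side verifier hashing and the XOR stand-in for the real authenticated AES wrapping are all assumptions of this example). It shows that only a keyed hash of the master password reaches the server, that the server hands back a still-encrypted key it cannot open, and that changing the master password re-wraps only that key while the vault ciphertext stays untouched.

```python
import hashlib
import hmac
import secrets

# Constructed parameter: the real count is whatever /api/accounts/prelogin returns.
KDF_ITERATIONS = 100_000


def derive_master_key(password: str, email: str, iterations: int) -> bytes:
    """Step 1: KDF over the master password. Salting with the lower-cased e-mail is an assumption."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), email.lower().encode(), iterations, 32)


def master_password_hash(master_key: bytes, password: str) -> bytes:
    """Step 2: hash the master password *using the derived key* (one PBKDF2 round keyed by
    the master key). This value, never the password itself, is what step 3 sends."""
    return hashlib.pbkdf2_hmac("sha256", master_key, password.encode(), 1, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for 'encrypted with the master-password-derived key': XOR against an
    HMAC-SHA256 keystream under a fresh nonce. Bitwarden's real construction is
    authenticated AES; this toy only models the key-wrapping role."""
    nonce = secrets.token_bytes(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def unwrap(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Server:
    """Sees only the step-2 hash and the wrapped keypair, never the master password."""

    def __init__(self):
        self.users = {}

    def prelogin(self, email: str) -> dict:
        # The /api/accounts/prelogin role: tell the client which KDF and how many rounds.
        return {"kdf": "pbkdf2-sha256", "iterations": self.users[email]["iterations"]}

    def store(self, email: str, iterations: int, mp_hash: bytes, wrapped_key: bytes) -> None:
        # Hash the client's hash again (per-user salt assumed) so a database leak does
        # not hand out ready-to-replay login credentials.
        salt = secrets.token_bytes(16)
        self.users[email] = {"iterations": iterations, "salt": salt,
                             "verifier": hashlib.pbkdf2_hmac("sha256", mp_hash, salt, 1, 32),
                             "wrapped_key": wrapped_key}

    def token(self, email: str, mp_hash: bytes) -> bytes:
        # The /api/identity/connect/token role: verify the hash, return the encrypted keypair.
        rec = self.users[email]
        candidate = hashlib.pbkdf2_hmac("sha256", mp_hash, rec["salt"], 1, 32)
        if not hmac.compare_digest(candidate, rec["verifier"]):
            raise PermissionError("bad master password hash")
        return rec["wrapped_key"]  # still encrypted; only the client's master key opens it


def register(server: Server, email: str, password: str) -> bytes:
    private_key = secrets.token_bytes(32)  # stand-in for the client-generated private key
    mk = derive_master_key(password, email, KDF_ITERATIONS)
    server.store(email, KDF_ITERATIONS, master_password_hash(mk, password), wrap(mk, private_key))
    return private_key


def login(server: Server, email: str, password: str) -> bytes:
    params = server.prelogin(email)
    mk = derive_master_key(password, email, params["iterations"])
    return unwrap(mk, server.token(email, master_password_hash(mk, password)))


def change_master_password(server: Server, email: str, old: str, new: str) -> None:
    private_key = login(server, email, old)           # recover the key under the old password
    mk_new = derive_master_key(new, email, KDF_ITERATIONS)
    server.store(email, KDF_ITERATIONS, master_password_hash(mk_new, new), wrap(mk_new, private_key))


if __name__ == "__main__":
    srv = Server()
    key = register(srv, "user@example.com", "correct horse battery staple")
    vault_entry = wrap(key, b"hunter2")               # vault data encrypted under the private key
    change_master_password(srv, "user@example.com", "correct horse battery staple", "new passphrase")
    print(unwrap(login(srv, "user@example.com", "new passphrase"), vault_entry))  # b'hunter2'
```

Because `vault_entry` never changes across the password rotation, the client only has to upload one re-wrapped key, which is exactly the property the comment's last sentence describes.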

                                                    1. 1

                                                      Cool! Thank you for the info! Seems pretty secure, I’m going to make the switch =^.^=

                                                    2. 5

                                                      1password has a very impressive and detailed security design document worth reading for anyone interested in this space. https://1password.com/files/1Password-White-Paper.pdf

                                                      What about 1p is evil btw?

                                                      1. 1

                                                        The organization itself has had questionable layoffs, has been called out by queer people for being a hostile work environment, etc.

                                                        1. 3

                                                          I was considering applying to 1Password, do you have any sources? A cursory web search doesn’t lead me anywhere useful.

                                                          1. 1

                                                            Hmm… Also can’t find them via search. My guess is that the Twitter feeds I have seen are private followers? If you end up working there, let us know how it goes =^.^=

                                                      2. 1

                                                        With all well known password managers, the master password stays on the client. Anything that did otherwise would be widely ridiculed on the internet.

                                                        Usually servers only give the encrypted data after authenticating (with a different hash of the master password, not the one that derives the encryption key). But IMO if you really trust your password manager, you should explicitly publish the encrypted vault.

                                                        1. 1

                                                          Not LastPass last time that I checked. You give them your password unhashed. It was widely ridiculed and people still use it. Their support team also won’t document their encryption process, saying it’s a “security risk”.

                                                      1. 2

                                                        You know your docs are bad (or nearly nonexistent) when it’s easier to write your own Matrix server than it is to install Synapse. Maybe this project will teach me how to do a “proper” HTTP-based service that my future jobs may involve.

                                                        1. 1

                                                          Did you find the document at https://github.com/matrix-org/synapse/blob/master/INSTALL.md ? I’m curious about what issues you’re having installing the software. I’ve done it a couple of times and it’s been basically fine for me at least – and I’m doing so on OmniOS, which is somewhat off the beaten path already.

                                                          1. 1

                                                            In terms of alternative homeservers, I am interested in Conduit, but I haven’t used it yet.

                                                            It seems to support most of the Matrix protocol aside from federation. If all you want out of a Matrix server is a set of internal chat rooms, it’d be cool to give it a try!

                                                          1. 1

                                                            As an unemployed student:

                                                            • .config/
                                                            • .cache/
                                                            • .dotfiles/
                                                              • .git/
                                                              • [various packages managed by GNU stow]
                                                            • Documents/
                                                              • Backups/
                                                                • yyyy-mm-dd-description.tar.zst.age
                                                              • Development/
                                                                • Hardware/
                                                                • Projects/ # Large scale, multi-subproject “Projects”
                                                                • Miscellaneous/
                                                                • Web/
                                                            • Music/
                                                            • Screenshots/
                                                              • yyyy/
                                                                • mm/
                                                                  • dd/
                                                                    • hh-mm-ss(-n).png
                                                            • Videos/
                                                              • Projects/
                                                              • Recordings/
                                                              • Movies/
                                                                • Subtitles/

                                                            Backups are manual: I copy the target folder, throw it in a tar, compress the tarball with zstandard, and encrypt it with a passphrase using age. It wouldn’t be hard to throw this workflow into cron though.

                                                            1. 0

                                                              I hate these use-ids & fragments for magical behavior - it messes up my browsing history and it’s annoying. I would expect a JS solution if JS is possible and an optional fallback to ids only when no JS is executed.

                                                              1. 22

                                                                This is literally plain HTML. If something is magical here, it is the usage of javascript to emulate a behavior that has been standard in the web since the nineties.

                                                                1. 5

                                                                  I gave up on the back button roughly a decade ago.

                                                                  1. 3

                                                                    I wanted to ask you what kind of browser would do such a silly thing, but apparently that’s (also?) what Firefox does: fragments do get added to history, and all the “back” button does is dropping the fragment.

I still find it peculiar that there’s even a need for such a button (on PC I have a Home button, and on mobile providing one should be the browser’s job imo), but seems like there is a good reason why people use JS for this after all.

                                                                    1. 24

                                                                      I like that it gets added to the history. You can press a link to a reference or footnote, and then press back to go to where you were.

                                                                      1. 4

                                                                        There has been a craze for “hash-bang URLs” that abused URL fragments for keeping state and performing navigation. This let JS take over the whole site and make it painfully slow in the name of being a RESTful web application.

                                                                        That was when HTML5 pushState was still too poorly supported and too buggy to be usable. But we’re now stuck with some sites still relying on the hashbang URLs, so removing them from history would be a breaking change.

                                                                        1. 2

                                                                          It’s always crazy to see how people abuse the anchor tag. My favourite personal abuse is I kept finding that SysAdmins and IT were always just emailing cleartext credentials for password resets and during pentests I’d often use this to my advantage (mass watching for password reset emails for example). So I jokingly ended up writing a stupid “password” share system that embedded crypto keys in the hash url and would delete itself on the backend after being viewed once: https://blacknote.aerstone.com/

                                                                          Again, this is stupid for so many reasons, but I did enjoy abusing it for the “doesn’t send server side” use case. EDIT: I originally had much more aggressive don’t use this messages, but corporate gods don’t like that.

                                                                          1. 1

                                                                            One useful trait of hash-bang URLs is that your path is not sent to the server. This is useful for things like encryption keys. MEGA and others definitely use this as lawful deniability that they cannot reveal the contents of past-requested content. Though, if given a court order I suppose they can be forced to reveal future requests by placing a backdoor in the decryption JS.

                                                                        2. 2

                                                                          Hmmm that’s a good point, and not something I had considered. Thanks for the feedback.

                                                                        1. 1

                                                                          I really enjoyed this post. I love macros and PLT, and rust’s proc_macros have always interested me.

Unrelated: I like the typography and general styling on this website. The scroll-behavior took me by surprise, but it’s quite pleasant.

                                                                          1. 5

                                                                            Fwiw, I think I prefer the abrupt jump.

                                                                            I’ll take my 200ms of time over the slick experience.

                                                                            1. 3

                                                                              In a userstyle:

                                                                              * {
                                                                                scroll-behavior: auto !important;
                                                                              }
                                                                              
                                                                            1. 5

                                                                              I’m wondering what anti-abuse mechanisms are being employed. I’ve had to filter out several disposable email domains in the past (as per business directives). What’s to make this service any different from the rest? Granted, making a disposable gmail address is rather easy, but a counter argument would cite that gmail is more often used by legitimate people for legitimate purposes unlike other simple disposable email address solutions.

                                                                              1. 5

                                                                                As far as I know, this is only for receiving emails, which makes anti-abuse a lot easier.

                                                                                1. 4

                                                                                  Here, you should think of “abuse” as in “making a ton of accounts with one e-mail address”.

                                                                                  Most services ban specific services similar to this one. Some even whitelist domains such as gmail.com, so you can’t even use your own domain.

                                                                                  1. 4

                                                                                    The proposal appears to be a rate limit on new addresses over time