1. 4

    I used to use m4 for generating my static site. Then when I went to write a blog post about m4, featuring m4 code snippets, it (understandably) started replacing the macros. It was hell to find a workaround. I remember most of what I tried worked almost well enough, with some odd exception. I ended up giving up on it eventually.

    1. 1

      Opinions on GNU and the Free Software Foundation being listed in the acknowledgements?

      1. 1

        I think it’s fair to acknowledge GNU when using GNU tools/programs in a project like this.

      1. 8

        That is gorgeous. I hope to, one day, justify a $400 computer case.

        1. 5

          It is a beautiful case though

          1. 1

            I’ve been eyeing it too for a while now; ever since I saw it on fabiensanglard.net. I picked up an M1 MacBook Air late last year to play around with powerful ARM hardware though, so it’ll be a while before I can justify another expensive machine.

            I wonder if it could dissipate the heat from a POWER9 chip/motherboard…

        1. 1

          The part near the beginning is by far the best introduction to x86 assembly I’ve read, as someone who currently knows nothing about it.

          1. 1

            “In the two years since Google’s Quantum Computer went live, a Chinese research team led by Jian-Wei Pan have upped the anti.” How can this get past any proof reading?

            1. 1

              The article is also much much more brief than I thought it would be.

            1. 6

              Maybe this (black and white mode) could be a feature of a terminal emulator – rather than modifying every piece of software. E.g. Konsole has color schemes, where you can set up one that ignores colors. ANSI metadata can still be present in the output stream of a program. It is similar to a web browser where you turn off CSS styles – the CSS metadata may still be present in the markup, just silently ignored.

              If we are talking about redirecting the output stream to another process or file – the program can detect whether STDOUT is a terminal or not… and many programs do this (then a simple | cat will remove the colors). If there are still some unwanted colors, there is a Perl one-liner:

              perl -pe 's/\e\[?.*?[\@-~]//g'
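
The two mechanisms in the comment above, stripping escape sequences after the fact and only emitting them when the destination is a terminal, as an added Python example that is not part of the original thread. The regex covers CSI, OSC and two-byte escapes (a superset of what the Perl one-liner strips); the NO_COLOR environment variable check follows the no-color.org convention; the sample line is constructed.

```python
import os
import re
import sys

# Constructed sample: SGR colour codes, an OSC window-title sequence and an erase-line CSI.
SAMPLE = "\x1b[1;31mERROR\x1b[0m: disk \x1b[32mok\x1b[0m\x1b]0;title\x07\x1b[2K done"

# Three shapes of escape sequence, tried in this order:
#   CSI    ESC [ params(0x30-0x3F)* intermediates(0x20-0x2F)* final(0x40-0x7E)
#   OSC    ESC ] ... terminated by BEL or by ST (ESC \)
#   other  ESC intermediates(0x20-0x2F)* final(0x30-0x7E), e.g. ESC ( B, ESC 7
ANSI_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
    r"|\x1b[ -/]*[0-~]"
)


def strip_ansi(text: str) -> str:
    """Remove escape sequences, leaving only the printable text."""
    return ANSI_RE.sub("", text)


def should_color(is_tty: bool, env=None) -> bool:
    """Emit colour only to a terminal, and never when the user has opted out."""
    env = os.environ if env is None else env
    if env.get("NO_COLOR"):          # no-color.org: set and non-empty disables colour
        return False
    if env.get("TERM") == "dumb":    # a terminal that cannot interpret escapes
        return False
    return is_tty


def render(text: str, is_tty: bool, env=None) -> str:
    """Text as it should be written: escapes kept for a terminal, stripped otherwise."""
    return text if should_color(is_tty, env) else strip_ansi(text)


if __name__ == "__main__":
    # `python3 this.py` shows colours in a terminal; `python3 this.py | cat` shows plain text.
    sys.stdout.write(render(SAMPLE, sys.stdout.isatty()) + "\n")
```

The isatty() check is the one most programs already do; the NO_COLOR and TERM=dumb checks cover the cases where the output is a terminal but colour is still unwanted.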
              
              1. 1

                I think setting your terminal to use a monochrome theme would be a quick workaround. I don’t know of any terminals that have it as a default theme option, but it might make for a reasonable first PR if anyone’s interested in working on it!

                1. 1

                  I knew someone who hacked suckless term to disable all color escapes/make them do nothing so the terminal was, always, black and white regardless of the program.

                1. 5

                  If anyone would like to share, I’ll ask: how and when did you end up joining the site?

                  I first found Lobsters in 2014, when someone mentioned it on HN as a more pleasant community. There were fewer comments then and the point totals were much lower, but I remember enjoying every post I read. I think a huge factor was how memorable the domain name was, I knew it without googling after seeing it once. I was a poor undergrad taking a leave of absence, and my phone and laptop were broken at the time, so I would read posts on workstations at my dad’s office while helping him with IT stuff. Honestly this site means a lot to me for that; at a real personal low, it reminded me that CS wasn’t just my experience with school.

                  1. 2

                    I saw a mention on reddit and applied, and somehow got in.

                    1. 2

                      2014 for me too. I had been thinking of leaving HN after the ridiculous pending comments scheme had been announced. Somewhere during the discussion of it back in those days, I saw Lobsters mentioned as an alternative. I took a look, liked what I saw, and asked in the queue for an invite.

                      1. 2

                        I’ve had the pleasure of knowing @pushcx for close to two decades at this point. He mentored me in programming fundamentals over that time and I found myself watching one of the Lobste.rs live programming streams for fun one evening. While discussing the stream he sent me an invite and I have thoroughly enjoyed having a sane source of news ever since.

                        1. 2

                          I was a lurker for a while before I actually got an invite.

                          I came across @jcs’s blog after getting into OpenBSD (it was probably around 2019, so fairly recent). On there I found an old post complaining about the state of the orange site’s moderation. There’s a tiny link at the bottom of the post to a website…

                          After finding Lobsters on that blog post I lurked here, reading stories, never bothering to get an invite until one day I came across someone (on Discord, funnily enough) who said they had an invite for someone who wanted it.

                        1. 4

                          I made a dark, monochrome user style for lobsters a while ago. Although, I don’t actually use it anymore.

                          The contrast on mine isn’t great but it’s nice on my eyes.

                          1. 1

                            working

                            1. 1

                              I have never thought of myself as a “software engineer” or a “computer scientist” the only camp I’d actually put myself into is “programmer”.

                              This might be selling my skills short in the long run, but I’m not a scientist and I’m sure as hell not an engineer. I fit perfectly just with “computers” and so “programmer” - being its own thing solely related to computers (at least nowadays) - makes more sense to me, personally.

                              1. 14

                                I would be very interested in a discussion around this. The author explicitly didn’t make any statements about differences in password managers. The claim is, they all have equally big attack surfaces if they use web extensions.

                                Counter example: Bitwarden does not inject any elements (it adds properties to input fields though). The extension’s drop-down interface has to be used. Does that make it safer? Or am I missing something?

                                1. 10

                                  Isn’t there a standardised API for password manager inputs in browsers? If not, why not?
                                  Seems like it would stop all these password managers from reinventing the wheel every time; reduce some attack surface by having it built into the browser itself rather than injected elements.

                                  1. 15

                                    Both iOS[1] and Android[2] have standardised APIs. There is none for desktop browsers.

                                    [1] Password AutoFill [2] Autofill framework

                                    1. 1

                                      Yeah, it feels like having OSes or browsers offer a standard hook for credential storage and having the tools use it would resolve a lot of this stuff. I think the iOS stuff works very well, though there’s a lot of uncertainty about what domain you’re on inside app stuff sometimes, but it usually “fails” in the right direction (not filling in credentials vs filling in incorrect credentials)

                                      1. 1

                                        It also does not work smoothly on Android inside browsers other than Chrome.

                                        1. 1

                                          Really? I use KeePassDX on Android, with Firefox, and it seems to work fairly smoothly through the autofill framework. It also provides a fake/specialized keyboard implementation for places where autofill doesn’t work.

                                          1. 1

                                            Fascinating. I should try that.

                                      2. 5

                                        Chromium is backed by your OS password manager. If your password manager syncs with your native password store then it should interop smoothly. https://chromium.googlesource.com/chromium/src.git/+/refs/heads/main/docs/linux/password_storage.md

                                      3. 5

                                        As another example, keepassxc

                                         • requires pairing the extension with the program first
                                        • checks that the web page you’re logging in to matches the one saved in the password entry
                                        • for good measure, asks for confirmation in a native popup before sending the password to the browser

                                        As long as those checks are performed by the program or by the extension and not by the injected script, I don’t see the problem.
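
The three checks listed above (pairing, origin match, native confirmation), as an added Python example that models them outside a browser; it is not KeePassXC’s or any extension’s code. The vault entries, the extension identifier and the callback standing in for the native popup are constructed; the matching policy (exact scheme, host and port, https only) is this example’s choice and is stricter than what some managers default to.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed vault: each entry remembers the exact origin it was saved from.
VAULT = [
    {"title": "mail", "url": "https://mail.example.com/login", "username": "alice", "password": "pw-mail"},
    {"title": "bank", "url": "https://bank.example.net:8443/", "username": "alice", "password": "pw-bank"},
]


def origin_of(url):
    """(scheme, host, port) for an https URL, or None if the URL should never be filled.

    urlsplit().hostname discards userinfo, so https://mail.example.com@evil.example/
    yields host evil.example rather than the trusted name written before the '@'.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":       # refuse http:, file:, data:, javascript: ...
        return None
    host = parts.hostname                     # already lower-cased, userinfo removed
    if not host:
        return None
    try:
        port = parts.port or 443
    except ValueError:                        # non-numeric port component
        return None
    return ("https", host, port)


def matching_entries(vault, page_url):
    """Entries whose saved origin equals the requesting page's origin exactly (no subdomain matching)."""
    page_origin = origin_of(page_url)
    if page_origin is None:
        return []
    return [e for e in vault if origin_of(e["url"]) == page_origin]


class PasswordStore:
    """The native side: holds the secrets and enforces every check before anything reaches the browser."""

    def __init__(self, entries):
        self._entries = entries
        self._paired = {}                     # extension id -> secret handed over during pairing

    def pair(self, client_id):
        """Pairing: the program mints a secret once; later requests must present it."""
        token = secrets.token_bytes(32)
        self._paired[client_id] = token
        return token

    def _is_paired(self, client_id, token):
        expected = self._paired.get(client_id)
        return expected is not None and hmac.compare_digest(expected, token)

    def request_fill(self, client_id, token, page_url, confirm):
        """Return credentials only if the caller is paired, the origin matches and the user confirms.

        confirm(entry, page_url) stands in for the native popup: it runs in the program's own
        window, so page content cannot draw over it or click it.
        """
        if not self._is_paired(client_id, token):
            return None
        candidates = matching_entries(self._entries, page_url)
        if not candidates:
            return None
        entry = candidates[0]
        if not confirm(entry, page_url):
            return None
        return {"username": entry["username"], "password": entry["password"]}


# Constructed stand-ins for the user's answer in the native prompt.
def accept(entry, page_url):
    return True


def reject(entry, page_url):
    return False


store = PasswordStore(VAULT)
TOKEN = store.pair("extension-1")
```

None of the three decisions is made by anything running inside the page: the page only supplies a URL, and the store answers with credentials or nothing.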

                                        1. 1

                                          Well, that is really hard to tell, though. So I agree that people should recommend specific products.

                                        2. 4

                                          There’s just a fundamental risk when mixing things inside an untrusted sandbox (the web page) and out where your secrets are. It’s much easier to do that well if you’re building a browser than if you’re building an extension - and even then there’s a long history of bugs with how browsers have done it.

                                          I don’t know much about bitwarden, but a bit of poking around showed it injecting a few content scripts including one taken from 1password: https://github.com/bitwarden/browser/blob/master/src/content/autofill.js

                                          1. 4

                                            I haven’t looked too closely at the script, but it looks like it does two things: pull out the structure of the page, and then fill it. I have no clue whether either of these are exploitable, but it’s definitely not vulnerable to this sort of redress attack. In particular, the only way to trigger password fill is to click the extension icon or use the right-click menu, both of which are not vulnerable to the same sort of redress/IPC attacks that Tavis mentions. (Well, I guess you could write some JS to fake the right-click menu. But I’m not sure what the way around this is.)

                                            It does inject elements (I think) if you fill in a page to show a ‘would you like to remember this password’-type dialog box, but that’s not really much of an attack surface.

                                            Bitwarden can also be self-hosted, though this doesn’t protect you from the browser extension being malicious.

                                        1. 11

                                          It is no longer necessary to remember to click on ‘Export’ in the PNG Export dialog, as the exporting will already happen after the click on ‘Save’ in the file selection dialog.

                                          Excellent, Inkscape realised that we were never going to learn!

                                          1. 2

                                            Surprisingly, I actually got used to this weird workflow. Shouldn’t be hard to un-learn it though, since it makes more sense the new way!

                                            1. 1

                                              Maybe in the future if I find a workflow weird I should consider filing a (friendly and constructively phrased) bug: workflows are subjective experiences and developers deserve to know if their design is not intuitive for some. It’s natural and the user gets to contribute something back.

                                          1. 1

                                            I have never understood the need for such things. Can someone explain a scenario when the standard flag package is not good enough for writing CLIs in Go? I don’t understand what more features one could possibly need.

                                            1. 1

                                              Can someone explain a scenario when the standard flag package is not good enough for writing CLIs in Go?

                                              Yes, I can. package flag provides no affordances for CLI tools with subcommands, and all of the complexity that arises from that kind of design, e.g. global vs. local flags.

                                              1. 1

                                                flag provides no affordances for CLI tools with subcommands

                                                I’ve done just that before. It isn’t overly complex.
                                                 For each subcommand, I declare a new flag.FlagSet (local flags), and then use os.Args[1] to determine what subcommand the user has requested. I think you could even still use the normal package-level flag functions for global flags as well, though I haven’t tried that myself.

                                                I suppose I do actually see the benefit of a library to do all that for me though - I see your point.

                                            1. 1

                                              I don’t think it’s fair to call Windows “unstable”. Call it something else, but “unstable” is not what it is. (This is coming from someone who spends most of their off-time in Linux and OpenBSD).

                                              1. 4

                                                I haven’t read this yet but it looks pretty interesting. Monero is the one cryptocurrency I’ve consistently been interested in. Like others have already mentioned it seems to actually deliver on its promises of security and privacy.

                                                1. 2

                                                  It does seem to [he expounded, having skimmed ⅔ of the document skipping most of the math]. But I was disappointed to see that the coin mining is based on proof-of-work, which means that like Bitcoin it tends toward profligate energy consumption.

                                                  1. 4

                                                    The key difference between Monero’s PoW and Bitcoin’s though is that Monero is best mined with general-purpose hardware. This improves network security through decentralization of hashing power, and also should result in fairer reward distribution (since one does not have to make as significant a capital investment to become a miner). So at least with Monero’s PoW you get more bang for your buck per unit energy, in terms of network benefits.

                                                    1. 1

                                                      On the flip side of that coin, there is a lot more general-purpose hardware which could be repurposed to 51% attack Monero (imagine all of AWS co-opted for this purpose). Bitcoin ASICs are the most efficient silicon for mining SHA256 and would be resistant to attack even from massive corporate clouds. Through this lens, it’s Bitcoin which gets more “bang for your buck” in terms of network security per kWh.

                                                      Furthermore, the Monero devs have to keep hardforking in order to change their mining algorithm to keep it ASIC-resistant. Even if it helps decentralize hashrate, it puts lots of power in the hands of the developers, which is a different form of centralization.

                                                      Lastly, the lion’s share of energy spent on mining Bitcoin and Monero is to earn newly created coins, not transaction fees. Monero has permanent tail inflation to incentivize mining, whereas Bitcoin asymptotically approaches zero inflation (and therefore far less energy consumed per market cap).

                                                      All that said, Monero has very interesting cryptography and I hope we can learn from it. I’m not sure if RingCT privacy is worth sacrificing supply auditability, but better privacy is great if you can achieve it without significant tradeoffs.

                                                1. 16

                                                  I haven’t used Sublime Text since around 2010 but decided to install this latest version to try it out. I’m actually blown away by the speed and efficiency - beyond simply the startup speed.

                                                  1. 10

                                                    Yeah, how everyone got so excited by VS Code is beyond me. Sublime Text is the real deal :D

                                                    1. 32

                                                      Hm I think this should be pretty obvious, no? It’s pretty clear that ST is faster and more robust, but it’s also obvious that VS has more semantics-aware features. Some people value features over speed.

                                                       It’s beyond me how people can love any specific editor? Editing text sucks everywhere except in kakoune, only IntelliJ has enough polish&power to work efficiently with large projects, everyone except VS gets plugin ecosystem wrong, nothing but Emacs has efficient keyboard-driven UX outside of mere editing, and only vim is installed on the server you ssh to.

                                                      1. 2

                                                         (That’s not real love, it’s mostly Stockholm syndrome).

                                                        1. 17

                                                          Eh, close. There’s a concern I’ve seen in many devs (including, in my younger years, me) that, if you’re not using the best tooling, then you’re doing it wrong. But if you spend a lot of time trying to decide what is The Best Tool, and then really learning it, then you end up feeling a really strong need to defend whatever choice you end up making. After all, you don’t want to admit you wasted that time by making the wrong decision, do you? The more time you spend defending your choice, the more you start to identify with the choice, which in turn makes you very resistant to anything that challenges you, and very quick to overly emphasize anything positive.

                                                          Anyway, that’s a long way of saying that the mindset that results in people loving editors is less Stockholm Syndrome, more political cult, but you’re not far off.

                                                          And besides, we all know that the best editor is unconditionally and with no qualifications ed.

                                                        2. 1

                                                          Editing text sucks everywhere except in kakoune

                                                          I would be very interested to hear more on this if you’re willing. For context I use (neo) Vim or Vim bindings with other editors/IDEs.

                                                          1. 2

                                                            See Why Kakoune section from this document: https://kakoune.org/why-kakoune/why-kakoune.html

                                                            The TL;DR is that we write ciw in vim, but iwc in Kakoune, and this gives you immediate visual feedback about what exactly you are going to c

                                                            1. 1

                                                              Kakoune’s grammar is object followed by verb, combined with instantaneous feedback, that means you always see the current object (In Kakoune we call that the selection) before you apply your change, which allows you to correct errors on the go.

                                                              I find great value in rich feedback (syntax errors, typing errors etc) from an editor/IDE so bringing this to the actual text operations is very interesting.

                                                        3. 4

                                                           A friend of mine told me: people use electron-based editors and then are blown away by the speed of something that isn’t electron. Obviously something like an editor written in, say, C(++) is going to be faster than something that runs on web technology.

                                                          1. 2

                                                             A proper MRU ctrl-tab and a built-in split terminal, easily toggleable without lifting my hands from the keyboard, did it for me.

                                                             Opening files in a project using quick open, and a command palette, were also requirements of mine, but other editors already had these. Sublime being one of them.

                                                            I have been wanting these simple features in an editor since before vscode existed. Vscode offers me that, I use it. I would be fine with other editor offering them too.

                                                             Their multi-edit support is also to my liking and I’ve been including it in my workflow more and more often.

                                                        1. 2

                                                          Published 2016-05-04

                                                          How is this relevant today?

                                                          Note: ntpsec is apparently still alive here: https://gitlab.com/NTPsec/ntpsec

                                                          1. 1

                                                            Because their approach to hardening - simplifying, and removing code - is timeless.

                                                            I posted the article for that, not because I thought that five year old NTPsec news is particularly relevant :)

                                                            1. 1

                                                              I agree simplifying and removing code is timeless.

                                                              1. 2

                                                                I think it’s pretty hard to argue against that… (No?)

                                                                1. 3

                                                                  I’ve not seen it argued against, but I have seen it passed over or ignored as a viable strategy.

                                                          1. 6

                                                            There have been trojans found in ./configure scripts (look it up), which is why I regularly advocate for abandoning autotools. And the response I usually get is “Let’s not talk about that, please.” A plaintext blob is still a blob.

                                                            1. 4

                                                              Shouldn’t the solution be sandboxing the build? Instead of … what are you proposing instead of autotools that could eliminate the possibilities of trojans in the build process exactly?

                                                              1. 4

                                                                I absolutely love BSD Makefile syntax. A project I maintain is a good example of a simple BSD Makefile. For reference, I’ve posted it below.

                                                                SHLIB=	pushover
                                                                SHLIB_MAJOR=	0
                                                                SRCS=	libpushover.c sanity.c
                                                                INCS=	libpushover.h
                                                                
                                                                CFLAGS+=	-I${.CURDIR} -I/usr/local/include
                                                                LDFLAGS+=	-L/usr/local/lib
                                                                
                                                                LDADD=		-lcurl -lsbuf
                                                                
                                                                .if defined(PREFIX)
                                                                LIBDIR=		${PREFIX}/lib
                                                                INCLUDEDIR=	${PREFIX}/include
                                                                .endif
                                                                
                                                                .include <bsd.lib.mk>
                                                                
                                                                1. 1

                                                                  Which is fine if you are happy to depend on bsd.lib.mk existing, but if you’ve ever looked inside that file then you’ll be absolutely horrified if anyone claims it is simple or readable.

                                                                  1. 1

                                                                    I’ve hacked on bsd.lib.mk, wasn’t difficult for me.

                                                                  2. 1

                                                                    I meant to reply to the comment above yours. Sorry!

                                                                    1. 1

                                                                      I usually try to make my makefiles OS-agnostic by trying to adhere to the POSIX makefile spec (w/o the GNU or BSD extensions).
                                                                      But the neatness and brevity of BSD makefiles astounds me.

                                                                      1. 1

                                                                        Yeah. I generally don’t need to worry about supporting non-BSD systems.

                                                                    2. 1

                                                                      Sandboxing could prevent a trojaned shellblob from harming the build host, but it wouldn’t prevent it from tampering with the build product.

                                                                      One point worth making is that a configure.ac or configure.in is amenable to auditing, so projects that use autotools without distributing a prerolled ./configure shellblob don’t have this problem. It’s bad practice to check ./configure into git, so a lot of people don’t do that. Nowadays, a source tarball that is essentially output from git archive is really common. So it’s a point less worth arguing as time goes by.

                                                                      1. 1

                                                                        Sandboxing could prevent a trojaned shellblob from harming the build host, but it wouldn’t prevent it from tampering with the build product.

                                                                        That’s not a particularly interesting threat model. Anyone with the ability to trojan a configure script that you run also has the ability to trojan any of the source files in the build that the configure script is generating.

                                                                        1. 1

                                                                          You “regularly advocate for abandoning autotools”, and I was trying to ask what you propose for people to use instead that would be safe from trojans.

                                                                          1. 1

                                                                            I don’t have a one size fits all solution to advocate. CMake is okay; I’ve had some experience with it. Meson looks like it might be interesting.

                                                                            In a lot of cases a makefile and a judicious use of pkg-config is good enough.

                                                                            1. 1

                                                                               Nothing is truly safe, but the generated configure script is usually well over 10,000 lines of hard to read shell script, and few people will look at that, if any. It’s incredibly easy to hide something in there, even for larger projects with quite a few contributors. You can try to hide something in the main code or somewhere else too, but it’s much more likely to be noticed.

                                                                      1. 2

                                                                         Wow. I knew we could fairly easily backdoor new elliptic curves, but a block cipher? I had no idea.

                                                                        1. 1

                                                                          There’s quite a few places a backdoor can hide in a block cipher; there are constants littered around some algorithms to help with diffusion (e.g. key-schedule constants). I suppose an algorithm’s S-box construction is another place a backdoor could be snuck into.

                                                                           A lot of algorithms try to prove they have nothing up their sleeve by selecting constants so that they’re above suspicion. For example Pyjamask uses the decimals of Pi for its key-schedule constants.
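
One way to check a nothing-up-my-sleeve claim is to recompute the constants from the stated source, as in this added Python example (not Pyjamask’s code; its exact derivation rule is not given in the thread, so the example uses the simplest reading: consecutive bytes of pi’s fractional part in hexadecimal). Pi is computed with Machin’s formula in arbitrary-precision decimal; the reference words 243F6A88 85A308D3 13198A2E 03707344 are the well-known start of that expansion and also the first four entries of Blowfish’s P-array, which was derived the same way.

```python
from decimal import Decimal, getcontext


def arctan_recip(n, digits):
    """arctan(1/n) by its Taylor series, accurate to about `digits` decimal places."""
    getcontext().prec = digits + 10
    x = Decimal(1) / n
    x2 = x * x
    power, total, k = x, Decimal(0), 0
    threshold = Decimal(10) ** -(digits + 5)
    while True:
        term = power / (2 * k + 1)
        if term < threshold:
            break
        total += term if k % 2 == 0 else -term
        power *= x2
        k += 1
    return total


def pi_decimal(digits):
    """Machin's formula: pi = 16 arctan(1/5) - 4 arctan(1/239)."""
    getcontext().prec = digits + 10
    return 16 * arctan_recip(5, digits) - 4 * arctan_recip(239, digits)


def pi_fraction_bytes(nbytes):
    """The first nbytes of the hexadecimal expansion of pi's fractional part (pi = 3.243F6A88...)."""
    digits = int(nbytes * 2.41) + 20          # each byte consumes log10(256) ~ 2.41 decimal digits
    frac = pi_decimal(digits) - 3
    out = bytearray()
    for _ in range(nbytes):
        frac *= 256
        b = int(frac)                         # the next two hex digits
        out.append(b)
        frac -= b
    return bytes(out)


def pi_round_constants(n_rounds, word_bytes=4):
    """n_rounds big-endian words taken consecutively from the expansion."""
    data = pi_fraction_bytes(n_rounds * word_bytes)
    return [int.from_bytes(data[i:i + word_bytes], "big") for i in range(0, len(data), word_bytes)]


def constants_match_pi(published, word_bytes=4):
    """True when a published constant table is exactly the leading words of pi's fractional part."""
    return list(published) == pi_round_constants(len(published), word_bytes)


# Reference: the first four 32-bit words of pi's fractional expansion (also Blowfish's P[0..3]).
PI_WORDS_REFERENCE = [0x243F6A88, 0x85A308D3, 0x13198A2E, 0x03707344]

if __name__ == "__main__":
    print([f"{w:08X}" for w in pi_round_constants(8)])
    print("published table derived from pi:", constants_match_pi(PI_WORDS_REFERENCE))
```

The point of recomputing rather than trusting the paper is that the derivation rule (which constant, which offset, which width) is the whole of the claim; a designer who starts at an unexplained offset or skips digits has room to choose constants, so the check should fail if the table is not literally the leading words.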